Nation-State ‘Paragon’ Spyware Infections Target Civil Society

[Nate Nelson, Contributing Writer](/author/nate-nelson), March 21, 2025

Researchers are beginning to unravel global surveillance operations targeting journalists, humanitarian aid workers, and other civilians via messaging apps.

On Jan. 31, WhatsApp contacted more than 90 individuals whom it believed had been targeted with spyware developed by Israel-based Paragon Solutions. Working with three of those victims and following a tip from a collaborator, cyber research organization Citizen Lab has since uncovered [more detail about how these spyware operations worked](https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/), and homed in on the locations of at least some of Paragon’s customers, which are spread across at least four continents.
‘Real governments are in fact using both Android and iOS spyware against both their citizens and foreign citizens,’ warns Censys senior security researcher Aidan Holland, who took part in the investigation. ‘It’s a crazy time to be alive.’

What Is the Paragon Mobile Spyware Group?
-----------------------------------------

Paragon Solutions was co-founded in 2019 by a former [Israeli Defense Forces (IDF) Unit 8200 commander](https://www.darkreading.com/threat-intelligence/what-israel-s-elite-defense-force-unit-8200-can-teach-security-about-diversity) and former Israeli prime minister Ehud Barak. In 2021 it established a US arm staffed in part by former government employees, including veterans of the Central Intelligence Agency and the US Navy.

Paragon’s Android malware, ‘Graphite,’ worked a little differently from [typical spyware](https://www.darkreading.com/threat-intelligence/houthi-aligned-apt-targets-middle-east-militaries-spyware). Instead of installing itself as a hidden app or process on the device, it loaded itself into legitimate messaging apps the target most likely already had installed. This tactic left less forensic evidence on the device itself, but it put the app developers in a position to detect the abuse.

In recent cases, attackers first used a unique, as yet undisclosed means of adding their targets to a particular WhatsApp group. Once a target was added, they sent a PDF file to the group. The target’s device parsed the PDF automatically, triggering an exploit for a zero-day vulnerability in WhatsApp itself. With no user interaction required, Graphite loaded into WhatsApp, escaped the app sandbox, and spread to other apps on the device. Citizen Lab analyzed one phone in which Graphite had spread to two other apps, including ‘a popular messaging app.’

WhatsApp discovered and fixed this zero-click exploit late last year.
WhatsApp parent company Meta told Bleeping Computer that [the fix was applied entirely on the server side](https://www.bleepingcomputer.com/news/security/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks/), without any need for users to update, and so the company did not assign it a CVE ID. That also means there is no client version a user can check to confirm protection and no CVE entry for defenders to track; whether a given device was compromised can only be established through on-device forensics of the kind Citizen Lab performed.

While its malware is just as pernicious, Paragon markets itself as a more ethical alternative to the infamous [NSO Group](https://www.darkreading.com/endpoint-security/whatsapp-nso-group-operates-pegasus-spyware). It won’t contract with maniacal autocrats, so, the logic goes, you can trust that its mission is sound. Meta and Citizen Lab have found, however, that Paragon’s malware has nonetheless been deployed against harmless civilians.

Among the latest round of 90 identified targets, for example, three from Italy have now been publicly named: the editor-in-chief of an investigative news outlet and the co-founders of an organization that rescues migrants crossing the Mediterranean Sea.

Mapping Out Spyware Infrastructure
----------------------------------

[Italy has a storied history with spyware](https://www.darkreading.com/threat-intelligence/meta-disrupts-8-spyware-firms-3-fake-news-networks). To find out where else Paragon’s fingerprints could be found, Citizen Lab worked with Censys, a company that maintains somewhere around 4 petabytes (4,000 terabytes) of data on Internet-facing assets across the planet.

Starting with just a tip from a collaborator, the researchers pivoted outward to discover a range of infrastructure tied to Paragon’s developers and customers.

The job is easiest, Holland explains, when naive customers unwittingly expose their surveillance infrastructure. For example, ‘If NSO Group sold to the Mexican government, the Mexican government would then deploy the software,’ he says.
‘Then it’s on the people deploying the software to deploy it the correct way and hide the indicators that would point to NSO Group. So they’re trusting a random government employee to properly hide spyware. That’s not in their job description.’

In all, the analysts managed to identify Paragon deployments in Australia, Canada, Cyprus, Denmark, Israel, and Singapore.

Canada proved particularly interesting. The researchers inferred that the connections they found there led to the Ontario Provincial Police, and with further digging, they came across other spyware cases before Ontario courts involving the province’s York Regional Police Service, Hamilton Police Service, and Peel Regional Police Service.

Paragon’s OpSec Slip-Ups
------------------------

Paragon itself has not always been so careful in concealing its online presence.

‘We went back to the 2021-2022 time frame, when they had yet to hide themselves,’ Holland recalls. At one point, when the researchers examined a specific range of suspicious Israeli IP addresses, they were met with webpages titled, simply, ‘Paragon.’ Giggling, Holland wonders, ‘What type of spyware company advertises their website like that?’

He notes, though, ‘Truthfully, we see this all the time with malware. [A server will announce to us], ‘Hey, I’m Cobalt Strike.’ Why would you tell me this? Now I can find [all the other Cobalt Strike servers in existence](https://www.darkreading.com/threat-intelligence/cybercrime-cobalt-strike-use-plummets-worldwide).’

In recent years, Paragon has apparently corrected its errors. ‘I looked for other instances of [Paragon-branded domains], and there are none in current Internet scanning, at least from our perspective.
Mind you, it would have been a perfectly valid technique for Paragon to block Censys so that its stuff wouldn’t be indexed, or hide behind a web application firewall (WAF),’ he says.

Looking on the bright side, he adds, ‘This does leave a little bit of room to further investigate them as they evolve.’
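The pivoting Holland describes, from a server that names itself (a page titled ‘Paragon,’ a banner that says ‘I’m Cobalt Strike’) outward to every other host that shares an attribute with it, is straightforward to sketch. The following is an added example and is not Citizen Lab’s or Censys’s tooling. Every scan record in it is constructed: the addresses are RFC 5737 documentation ranges, the certificate hashes are made up, and the field names, the exact-title seed step and the 30% commonness cutoff are assumptions of the example rather than anything the investigation disclosed.

```python
"""Pivot through Internet-wide scan records on self-identifying indicators.

Added illustration; not Citizen Lab's or Censys's tooling. Every record
below is constructed: RFC 5737 documentation addresses, made-up certificate
hashes, and field names chosen for the example.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict, deque

# Constructed per-host scan results, shaped loosely like the fields a scan
# service exposes for an HTTPS endpoint: HTML <title>, Server header, and the
# SHA-256 of the presented TLS certificate (shortened here).
SCAN_JSON = """[
 {"ip": "203.0.113.10", "title": "Paragon", "server": "nginx", "cert_sha256": "aa11"},
 {"ip": "203.0.113.11", "title": "Paragon", "server": "nginx", "cert_sha256": "bb22"},
 {"ip": "203.0.113.12", "title": "", "server": "nginx", "cert_sha256": "bb22"},
 {"ip": "198.51.100.7", "title": "Welcome to nginx!", "server": "nginx", "cert_sha256": "cc33"},
 {"ip": "198.51.100.8", "title": "Welcome to nginx!", "server": "nginx", "cert_sha256": "dd44"},
 {"ip": "192.0.2.5", "title": "Paragon Insurance Portal", "server": "nginx", "cert_sha256": "ee55"},
 {"ip": "192.0.2.9", "title": "Welcome to nginx!", "server": "Apache", "cert_sha256": "ff66"}
]"""

# Attributes worth pivoting on. A real investigation would add favicon hashes,
# TLS handshake fingerprints, certificate subjects, etc.; the logic is the same.
PIVOT_FIELDS = ("title", "server", "cert_sha256")


def load_records(raw: str) -> list[dict]:
    """Parse the scan export (a JSON array of per-host dicts)."""
    return json.loads(raw)


def find_by_title(records: list[dict], title: str) -> list[str]:
    """Seed step: hosts whose page title is exactly `title`.

    Exact match on purpose: 'Paragon Insurance Portal' is not 'Paragon'.
    """
    return [r["ip"] for r in records if r.get("title") == title]


def fingerprints(rec: dict) -> set[str]:
    """Tagged tokens such as 'title:Paragon'. Empty values are not indicators."""
    return {f"{field}:{rec[field]}" for field in PIVOT_FIELDS if rec.get(field)}


def usable_fingerprints(records: list[dict], max_share: float = 0.3) -> set[str]:
    """Drop values shared by more than `max_share` of all hosts.

    This is the check that keeps a pivot honest: 'server:nginx' or a default
    welcome page would otherwise link the seed to half the Internet.
    """
    counts = Counter(fp for r in records for fp in fingerprints(r))
    limit = max_share * len(records)
    return {fp for fp, n in counts.items() if n <= limit}


def pivot(records: list[dict], seed_ip: str, max_share: float = 0.3) -> dict[str, str | None]:
    """Breadth-first expansion from `seed_ip` over shared, non-generic fingerprints.

    Returns {ip: reason}, where reason explains which attribute linked the host
    to which already-known host, and is None for the seed itself. Keeping the
    chain of reasons is what lets an analyst audit (and reject) a bad hop.
    """
    usable = usable_fingerprints(records, max_share)
    by_ip = {r["ip"]: r for r in records}
    index: dict[str, set[str]] = defaultdict(set)
    for r in records:
        for fp in fingerprints(r) & usable:
            index[fp].add(r["ip"])

    found: dict[str, str | None] = {seed_ip: None}
    queue = deque([seed_ip])
    while queue:
        ip = queue.popleft()
        for fp in sorted(fingerprints(by_ip[ip]) & usable):
            for other in sorted(index[fp]):
                if other not in found:
                    found[other] = f"{fp} shared with {ip}"
                    queue.append(other)
    return found


if __name__ == "__main__":
    recs = load_records(SCAN_JSON)
    for seed in find_by_title(recs, "Paragon")[:1]:
        for ip, reason in pivot(recs, seed).items():
            print(ip, "(seed)" if reason is None else f"<- {reason}")
```

Run against the constructed data, the seed host reaches a second host through the shared ‘Paragon’ title and a third through a shared certificate, while the ‘Welcome to nginx!’ hosts and the look-alike ‘Paragon Insurance Portal’ stay out. The frequency cutoff is the part that matters in practice: a pivot on an attribute half the Internet shares produces a cluster of noise, not infrastructure. It also shows why the countermeasures Holland mentions work: a blocked scanner or a WAF in front of the server removes the self-identifying attributes this kind of search depends on.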
About the Author
----------------

[Nate Nelson, Contributing Writer](/author/nate-nelson)

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote ‘Malicious Life,’ an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts ‘The Industrial Security Podcast.’