WhatsApp fixed zero-day used to deploy Paragon Graphite spyware

WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware

Pierluigi Paganini
March 20, 2025

WhatsApp fixed a zero-click, zero-day vulnerability used to install Paragon’s Graphite spyware on the devices of targeted individuals.

WhatsApp has addressed a zero-click, zero-day vulnerability exploited to install Paragon’s Graphite spyware on the devices of targeted individuals.

WhatsApp blocked a spyware campaign by Paragon targeting journalists and civil society members after reports of the Citizen Lab group from the University of Toronto. The company confirmed that the issue was fixed in December 2024 without a client-side update, and no CVE-ID was assigned.

In February, Meta announced that it had discovered and dismantled a malware campaign via WhatsApp that targeted journalists and civil society members with the Paragon spyware (aka Graphite).

The hacking campaign targeted 90 users and was disrupted in December, WhatsApp immediately alerted targeted users of a possible compromise of their devices.

The Meta-owned company linked the hacking campaign to Paragon, an Israeli commercial surveillance vendor acquired by AE Industrial Partners for $900 million in December 2024.

Meta experts said threat actors used a “zero-click” exploit to compromise target devices without user interaction. WhatsApp did not disclose the locations of the targeted individuals.

WhatsApp sent Paragon a “cease and desist” letter and announced it was exploring the possibility to start a legal action.

“WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately,” a company spokesperson told The Guardian.

There are no official reports about the spyware campaign, but media reports that threat actors may have used a specially crafted PDF file as bait. The file was sent to target users after they were added to group chats. John Scott-Railton of the research group Citizen Lab said they first analyzed the attacks and shared findings with WhatsApp.

“We shared our analysis of Paragon’s infrastructure with Meta, who told us that the details were pivotal to their ongoing investigation into Paragon. WhatsApp discovered and mitigated an active Paragon zero-click exploit, and later notified over 90 individuals who it believed were targeted, including civil society members in Italy.” reads the report published by Citizen Lab.

Citizen Lab mapped Paragon Solutions’ spyware infrastructure, identifying its tool “Graphite” through digital fingerprints and certificates. Researchers linked Paragon to several IP addresses hosted at local telecoms, suggesting they belong to government customers. A misconfigured digital certificate further confirmed the connection, strengthening the evidence of Paragon’s global spyware operations.

“The infrastructure we found is linked to webpages entitled “Paragon” returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name “Graphite”, which is the name of Paragon’s spyware, and the common name “installerserver” (Pegasus, a competitor spyware product, uses the term “Installation Server” to refer to a server designed to infect a device with spyware).” reads the report published by Citizien Labs.

The report published by Citizen Lab suggests that Australia, Canada, Cyprus, Denmark, Israel, and Singapore may be clients of Israeli spyware maker Paragon Solutions.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Paragon)