Italian Adviser Becomes Latest Target in Expanding Paragon Graphite Spyware Surveillance Case

Francesco Nicodemo, a prominent political communications strategist and former Democratic Party communications director, has been identified as a new target in the expanding Paragon spyware surveillance campaign.

The revelation marks a concerning escalation in the scope of sophisticated digital espionage operations targeting political figures in Italy.

Nicodemo, who currently leads the communications agency Lievito, discovered the breach on January 31, 2025, when he received a suspicious WhatsApp message while traveling in Vienna.

The agency has managed thirteen election campaigns throughout 2024, including successful center-left victories in Perugia, Liguria, and Umbria.

The spyware infection remained active on Nicodemo’s Android device even after he switched to an iPhone, with the compromised phone sitting unused at his residence.

Fanpage security researchers identified the attack pattern after cross-referencing similar incidents involving journalists and activists.

The timing of the surveillance coincided with several high-profile regional elections, raising questions about potential espionage targeting opposition political strategies and communications.

John Scott-Railton from Citizen Lab, a cybersecurity watchdog organization, contacted Nicodemo multiple times through international calls before confirming the breach.

The researcher emphasized the severity of the attack, noting that only a small number of Italian targets were selected for this particular espionage operation.

The compromised device potentially exposed sensitive communications with Democratic Party parliamentarians, election candidates, and senior party officials.

Infection Vector and Delivery Mechanism

The Paragon Graphite spyware utilizes a sophisticated multi-stage infection process that begins with a deceptive WhatsApp message appearing to originate from legitimate WhatsApp Support infrastructure.

Unlike traditional phishing attacks that require user interaction with malicious links, this spyware variant can establish persistence through zero-click exploitation techniques.

The malware leverages vulnerabilities in messaging protocols to deploy surveillance modules capable of extracting messages, call logs, and location data from both active and inactive devices.

Security experts note that the spyware maintains operational capability even when the target device is powered down, suggesting advanced firmware-level compromise techniques that bypass standard operating system security controls.
