Full Report
2025-06-12 • CitizenLab • Bill Marczak, John Scott-Railton
Analysis Summary
# Threat Actor: Paragon (spyware vendor) / Unnamed Operator of Paragon Spyware
## Attribution & Identity
The article reports forensic confirmation of spyware attributed to **Paragon**, a commercial spyware vendor. The *operator* who deployed it against journalists is not named. This is the usual pattern for mercenary spyware: the vendor sells the capability and a client, typically a government agency, selects the targets, so confirming the tool does not by itself identify who used it.
## Activity Summary
The core activity is forensic confirmation that the **iOS mercenary spyware** associated with Paragon was used against **journalists**. This indicates live surveillance operations conducted with commercial-grade mobile malware rather than a capability that existed only in vendor marketing.
## Tactics, Techniques & Procedures
TTPs are not detailed in this summary; what can be inferred from the description:
- Deployment of **iOS mercenary spyware**, which in this market typically relies on exploiting unpatched (often zero-day) vulnerabilities in iOS or on other sophisticated delivery methods.
- Covert **surveillance** of the compromised mobile devices.
## Targeting
- Sectors: **Journalists**
- Geography: Not specified in the context.
- Victims: **Journalists** (Specific organizations not mentioned).
## Tools & Infrastructure
- Malware families used: **Paragon's iOS mercenary spyware** (no family name is given in this summary)
- Infrastructure (C2, domains, IPs): Not mentioned in the context.
## Implications
Confirmation that Paragon's spyware was deployed against journalists shows that advanced commercial surveillance tools are being used by Paragon's clients against the press. For journalists this is a direct threat to source confidentiality and personal safety, and for the wider ecosystem it is further evidence that vendor-supplied capabilities reach targets the vendors' stated end-use policies claim to exclude.
## Mitigations
The summary provides no specific technical mitigations. General practice against mercenary spyware of this class (standard guidance, not drawn from the article): keep iOS at the current release so that publicly fixed exploit chains stop working, enable Lockdown Mode on high-risk devices, treat Apple threat notifications as credible, and have any suspected device examined by a qualified forensic lab rather than wiped, since wiping destroys the evidence needed for exactly the kind of confirmation this article describes.
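One operational check that follows from the patch-currency point above, written here as an added example (this is not code from Citizen Lab or from the article): gate a managed iOS fleet on a minimum OS version and on Lockdown Mode status. The inventory CSV is constructed to look like a typical MDM export and the minimum version is a hypothetical policy floor, because the summary gives no patch level. The version comparison is the part worth getting right: a naive string compare puts `18.10` below `18.3`.

```python
"""Flag managed iOS devices that are below a patch floor or lack Lockdown Mode.

Added example for a threat-intel summary on Paragon iOS spyware. The inventory
below is constructed sample data and MIN_IOS_VERSION is an assumed policy value;
neither comes from the Citizen Lab article.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export, shaped like a common MDM CSV dump (not real devices).
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
journo-01,18.3.1,true
journo-02,18.3,false
journo-03,18.10,false
journo-04,17.6.1,true
journo-05,18.3.1,false
"""

# Hypothetical policy floor; the article summary states no patch level, so this
# value is an assumption and should be set from the vendor advisory you trust.
MIN_IOS_VERSION = "18.3.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.3.1' into (18, 3, 1).

    Missing components are padded with 0, so '18.3' equals '18.3.0', and the
    tuple compare is numeric, so '18.10' correctly sorts above '18.3'.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_below(version: str, minimum: str) -> bool:
    """True when `version` is older than `minimum`."""
    return parse_version(version) < parse_version(minimum)


def flag_devices(inventory_csv: str, minimum: str = MIN_IOS_VERSION) -> List[Dict]:
    """Return one finding per device that fails the version floor or lacks Lockdown Mode."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        if is_below(row["os_version"], minimum):
            reasons.append(f"os_version {row['os_version']} below {minimum}")
        if row["lockdown_mode"].strip().lower() not in ("true", "1", "yes"):
            reasons.append("Lockdown Mode not enabled")
        if reasons:
            findings.append({"device_id": row["device_id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_devices(SAMPLE_INVENTORY):
        print(finding["device_id"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed inventory, the check flags four of the five devices: `journo-02` and `journo-03` for missing Lockdown Mode (and `journo-02` also for being below the floor), `journo-04` for an old OS despite Lockdown Mode, and `journo-05` for missing Lockdown Mode. `journo-03` on `18.10` is not reported as out of date, which is the failure a string comparison would have produced. Treat the output as a prioritisation list for patching and hardening, not as evidence of compromise; that still requires device forensics.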