Full Report
Another member of Italian civil society has gone public about being a target of Paragon spyware. Francesco Nicodemo, a prominent Italian communications executive and political advisor, is the fifth confirmed target of an ongoing spyware scandal in Italy. Citizen Lab first identified the abuse of Paragon’s Graphite spyware against Italian civil society in March 2025, […] The post John Scott-Railton on a New Paragon Infection in Italy appeared first on The Citizen Lab.
Analysis Summary
# Incident Report: Paragon Spyware Targeting Italian Civil Society
## Executive Summary
This report summarizes the ongoing targeting of Italian civil society members by the Paragon Graphite spyware. The fifth confirmed victim, communications executive and political advisor Francesco Nicodemo, adds to a growing list of compromised individuals, first identified in March 2025 by the Citizen Lab. The incidents highlight a systemic use of mercenary spyware against Italian civil society and political figures, posing a serious threat to democratic processes.
## Incident Details
- **Discovery Date:** March 2025 (Initial identification of Paragon Graphite abuse against Italian civil society).
- **Incident Date:** Ongoing, with the latest confirmation being the targeting of Francesco Nicodemo (published November 10, 2025).
- **Affected Organization:** Francesco Nicodemo (Communications Executive and Political Advisor).
- **Sector:** Civil Society / Political Consulting.
- **Geography:** Italy.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, but the overall campaign was identified starting March 2025. The specific infection of Nicodemo is not dated but was recently made public.
- **Vector:** Not explicitly detailed for Nicodemo; however, previous related incidents involved journalists, suggesting zero-click or sophisticated phishing attempts common with mercenary spyware.
- **Details:** Francesco Nicodemo was confirmed as a target of the ongoing Paragon spyware campaign.
### Lateral Movement
- *Information not available in the provided source.*
### Data Exfiltration/Impact
- **What was stolen or damaged:** The nature of the data exfiltrated is not specified, but the use of spyware implies comprehensive monitoring and collection capabilities. There is an implicit impact on the victim's privacy and political advisory role.
### Detection & Response
- **How it was discovered:** Citizen Lab initially identified the abuse in March 2025. The latest infection was confirmed and made public.
- **Response actions taken:** Italian authorities have acknowledged some of the cases, but John Scott-Railton's observation that the "pile of unexplained Paragon Graphite spyware cases is growing" suggests the overall response has been insufficient.
## Attack Methodology
*Note: Specific technical details regarding Nicodemo's infection are not provided. The summary reflects the nature of the identified spyware family.*
- **Initial Access:** Highly sophisticated infection techniques consistent with mercenary spyware (e.g., zero-click exploits, potentially leveraged via messaging platforms).
- **Persistence:** Assumed to be provided by the Paragon 'Graphite' spyware implant itself; no mechanism is described in the source.
- **Privilege Escalation:** *Information not available.*
- **Defense Evasion:** Expected capabilities of spyware designed to operate covertly against high-value targets.
- **Credential Access:** *Not specified, but typical for spyware.*
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Not specified.*
- **Collection:** Full device compromise implied by the nature of the spyware.
- **Exfiltration:** *Not specified.*
- **Impact:** Surveillance, political targeting, and threat to democracy.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Compromise of sensitive communications and political advisory data is strongly implied.
- **Operational:** Disruption and compromised security for political figures and civil society actors.
- **Reputational:** Negative implications for Paragon and the Italian government ("It's a bad look for all parties, including Paragon," stated Scott-Railton).
## Indicators of Compromise
- **Network indicators - defanged:** None provided.
- **File indicators:** None provided (no hashes or file paths); the only named artifact is Paragon's 'Graphite' spyware.
- **Behavioral indicators:** Targeting prominent Italian civil society members, communications executives, and political advisors.
## Response Actions
- **Containment measures:** Not detailed, though ongoing discovery implies containment efforts may be reactive or incomplete.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed.
## Lessons Learned
- Mercenary spyware, such as Paragon’s Graphite, remains a clear and active threat to democracy, particularly targeting politics and elections, regardless of vendor claims that the software is "abuse-proof."
- There is a growing number of unexplained infections within Italy, suggesting a sustained and potentially unchecked targeting campaign against high-value individuals.
## Recommendations
- Immediate and thorough forensic investigation into all confirmed and suspected Paragon Graphite infections within the Italian government and civil society sectors.
- Enhance device security measures for political advisors and executives against sophisticated, state-grade offensive tools, focusing on proactive defense against zero-day or advanced persistent threat (APT) techniques.
- Review and tighten governance and oversight mechanisms regarding the use and proliferation of mercenary surveillance tools within the country.