
Apple has launched a new wave of threat notifications to individuals targeted in sophisticated spyware campaigns, warning users of attempted device compromises using mercenary-grade surveillance tools such as Pegasus, Predator, Graphite, and Triangulation.
These alerts, observed by France's national cybersecurity agency CERT-FR, signal ongoing and persistent targeting of high-risk individuals across multiple sectors.
According to CERT-FR, Apple has been sending these alerts since 2021, with the most recent known batches dispatched on March 5, April 29, June 25, and September 3 of this year. The notifications are issued when Apple detects that a user's device, associated with an iCloud account, may have been targeted in a state-sponsored or mercenary spyware attack. Alerts are sent via email and iMessage, and are also displayed when affected users log into their Apple ID.
These attacks typically exploit zero-day vulnerabilities and do not require user interaction, allowing spyware to be installed silently. Victims are usually selected for their professional roles or public visibility, such as journalists, activists, lawyers, political figures, and executives in strategic sectors. CERT-FR stresses that receiving such a notification indicates a serious threat and potential compromise of at least one Apple device associated with the user's account.
Apple's threat notification campaign follows a string of emergency patches in August 2025 addressing a zero-day vulnerability in the Image I/O framework (CVE-2025-43300). This flaw, which Apple classified as part of an “extremely sophisticated attack,” allowed malicious code execution via specially crafted image files. The bug was particularly dangerous because it affected all major Apple platforms and could be triggered with no user action.
Security researchers later discovered that CVE-2025-43300 had been chained with a WhatsApp zero-click flaw (CVE-2025-55177), uncovered internally by Meta's security team. This vulnerability stemmed from improper authorization checks in WhatsApp's multi-device sync mechanism, enabling attackers to deliver malicious payloads via background content fetches. Citizen Lab researcher Bill Marczak confirmed that the two bugs were used in tandem to deliver spyware to civil society targets, including journalists and human rights defenders.
Earlier this week, Apple debuted a major security upgrade on the latest iPhone 17 line, called Memory Integrity Enforcement (MIE), aimed at blocking entire classes of memory corruption vulnerabilities leveraged by mercenary spyware.
Apple users who receive threat notifications are urged to take immediate action. The company advises enabling Lockdown Mode, a hardened security profile introduced to mitigate spyware attacks, and seeking help from Access Now's Digital Security Helpline, which offers rapid-response support to at-risk individuals. Meanwhile, WhatsApp has instructed affected users to perform a factory reset and ensure that their apps and operating systems are fully updated.
CERT-FR warns against taking immediate technical action, such as resetting the device or uninstalling apps, before consulting with experts, as these steps could interfere with forensic investigations. Users are instead advised to retain the original Apple notification email, avoid modifying the device, and reach out to security teams for proper handling.