Bill Marczak
@billmarczak.org
senior researcher at @citizenlab.ca
Now this is (perhaps) interesting, it seems like China's MSS believes that some CN Gov folks were targeted w/ a (presumably) zero-click exploit through a "foreign" messaging app. They attribute to US NSA (though no mention of why they attribute this way)
China accuses US of cyber breaches at national time centre
The ministry said it found evidence tracing stolen data and credentials as far back as 2022.
www.reuters.com
October 20, 2025 at 1:32 AM
The video of @droethlisberger.bsky.social and my @reconmtl.bsky.social 2025 talk, "A Trip to Ancient BABYLON", is now online! It's a fun story about a 2017-era iOS persistence exploit that we found in a Pegasus sample -- on VT (!!)
Recon 2025 - A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit
YouTube video by Recon Conference
www.youtube.com
October 16, 2025 at 5:15 PM
Reposted by Bill Marczak
Recording of our REcon talk about a 2017 iOS persistence exploit used by NSO's Pegasus—and other threat actors too—is out. @billmarczak.org and me of @citizenlab.ca at @reconmtl.bsky.social.
youtu.be/ZlopMtjsVRw
Recon 2025 - A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit
YouTube video by Recon Conference
youtu.be
October 16, 2025 at 2:45 PM
Reposted by Bill Marczak
The South Korean Ministry of Defense has awarded medals of merit to 11 officers for disobeying direct orders of superiors during the martial law fiasco, orders that they deemed to be contrary to the constitution and endangerment to democracy.
www.chosun.com/english/nati...
National Defense Ministry Honors 11 Soldiers for Refusing Illegal Orders
Honored for rejecting illegal orders during martial law, Marine death probe
www.chosun.com
September 27, 2025 at 6:44 PM
WhatsApp just announced they patched a very fun zero-click bug (CVE-2025-55177)! WhatsApp assesses that it was used partially in conjunction with the iOS RawCamera DNG vulnerability (CVE-2025-43300). www.whatsapp.com/security/adv...
August 29, 2025 at 4:16 PM
Excited to talk today at @reconmtl.bsky.social with @droethlisberger.bsky.social about a 2017 iOS persistence exploit used by NSO's Pegasus (and, interestingly, other threat actors too)! 10:00AM in the Grand Salon cfp.recon.cx/recon-2025/t...
June 29, 2025 at 1:45 PM
Remember when Meta published about an ITW FreeType OOB write vuln (CVE-2025-27363) in March? Turns out, Meta links this vuln to an exploit from spyware vendor Paragon www.securityweek.com/freetype-zer...
FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks
WhatsApp told SecurityWeek that it linked the exploited FreeType vulnerability CVE-2025-27363 to a Paragon exploit.
www.securityweek.com
June 20, 2025 at 9:08 PM
Reposted by Bill Marczak
Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵
www.recordedfuture.com/research/pre...
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...
www.recordedfuture.com
June 12, 2025 at 2:23 PM
ICYMI, yesterday we released a report providing a first look at how we found traces of spyware on two journalists' iPhones, traces which we can attribute with high confidence to Paragon's Graphite spyware:
Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of the...
citizenlab.ca
June 13, 2025 at 4:55 PM
Reposted by Bill Marczak
New blog post up on the Rust font loader now shipping in Chrome. I only had a small part in this personally but am proud of the team's work. developer.chrome.com/blog/memory-...
Memory safety for web fonts | Blog | Chrome for Developers
Learn how and why the Chrome team has replaced FreeType with Skrifa.
developer.chrome.com
March 19, 2025 at 3:15 PM
Check out our new @citizenlab.ca report today on Paragon! We got a tip from a collaborator, used it to map out Paragon's infrastructure, and shared with Meta. WhatsApp was able to capture & burn a zero-click, and sent out notifications to targets citizenlab.ca/2025/03/a-fi...
Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - The Citizen Lab
In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across t...
citizenlab.ca
March 19, 2025 at 6:08 PM
Nice work by Amnesty Security Lab & Google TAG patching three vulnerabilities in Android/Linux kernel USB device drivers that Cellebrite was using to unlock Android devices. Also, it's *scandalous* that Android doesn't have a USB restricted mode like iPhone... securitylab.amnesty.org/latest/2025/...
Cellebrite zero-day exploit used to target phone of Serbian student activist - Amnesty International Security Lab
Amnesty International’s Security Lab uncovers sophisticated Cellebrite zero-day exploit, impacting billions of Android devices.
securitylab.amnesty.org
February 28, 2025 at 12:43 PM
Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility) support.apple.com/en-us/122174
February 10, 2025 at 6:41 PM
President Yoon arrested for masterminding martial law plot
The Corruption Investigation Office for High-ranking Officials (CIO) on Wednesday arrested impeached President Yoon Suk Yeol, marking the first time a sitting president has been arrested in Korean his...
koreajoongangdaily.joins.com
January 15, 2025 at 1:49 AM
Excellent @eff.org piece on how data brokers get ads-related data to sell (to spyware vendors, etc.) This is something that always mystified me, but after reading this I finally get it!
Online Behavioral Ads Fuel the Surveillance Industry—Here’s How
Each time you see a targeted ad, your personal information is exposed to thousands of advertisers and data brokers through a process called “real-time bidding” (RTB). This process does more than deliv...
www.eff.org
January 10, 2025 at 4:47 AM
Reposted by Bill Marczak
NSO Group co-founder & owner Omri Lavie speaks about the recent US judge's WhatsApp ruling, the acquisition of competitor Paragon Solutions by AE Industrial Partners & the US-blacklisting of Pegasus spyware maker, amidst shifting 🇺🇸policy under Trump.
👇
vaspanagiotopoulos.substack.com/p/nso-group-...
NSO Group owner: “We will appeal, justice was not served.”
NSO Group co-founder and majority owner Omri Lavie breaks silence amid legal battles and anticipated US policy shift under Trump.
vaspanagiotopoulos.substack.com
January 8, 2025 at 12:01 PM
Rinson Jose's uncle says Jose emailed his family, claiming to be back in Norway, and with a new job.
'Am fine': Kerala-born Norwegian contacts kin after pager blasts probe | India News - Times of India
India News: A Norwegian citizen from Kerala, Rinson Jose, has been cleared by Norwegian police of any involvement in the September 2024 pager blasts in Lebanon. J
timesofindia.indiatimes.com
January 4, 2025 at 10:48 PM
One interesting detail about our guy Rinson Jose in the new NYTimes article on the pager operation: Israel pressured the US to let Jose flee (though unclear anyone would have stopped him). Still no word on to what extent Jose was aware of the operation.
December 29, 2024 at 10:20 PM
Reposted by Bill Marczak
Tesla is deeply reliant on China, both for manufacturing and sales. But now that its CEO has an official role in the Trump administration, things could get tricky.
China loves Elon Musk and his hustle — but Trump could complicate that
Tesla is deeply reliant on China, both for manufacturing and sales. But now that its CEO has an official role in the Trump administration, things could get tricky.
www.washingtonpost.com
December 22, 2024 at 7:35 PM
Reposted by Bill Marczak
Happy holidays to me, I guess
December 23, 2024 at 5:45 AM
Not many new tangible facts in this CBS News report about the exploding pagers operation. But it was interesting to see that Mossad gave Lesley Stahl an AR-924 pager (or at least the outer casing) -- presumably minus the explosive battery.
How Israel's Mossad tricked Hezbollah into buying explosive pagers | 60 Minutes
Pagers exploded across Lebanon in September. Retired Mossad agents, key to the operation, tell 60 Minutes Israel's plot started years ago with getting Hezbollah terrorists to buy walkie-talkies.
www.cbsnews.com
December 23, 2024 at 5:55 AM
Summary judgement for WhatsApp in the NSO "missed call hack" case! The judge found NSO did not meet discovery obligations (in part b/c they did not suitably produce code for their custom WhatsApp client used in the hacks). Thus, a number of key evidentiary questions were resolved in WhatsApp's favor
Order on Administrative Motion to Consider Whether Another Partys Material Should Be Sealed AND Order on Discovery Letter Brief AND Order on Discovery Letter Brief AND Order on Discovery Letter Brief ...
ORDER by Judge Hamilton re 397 Motion for Summary Judgment; 401 Motion for Summary Judgment; 406 Motion for Sanctions. (pjhlc3, COURT STAFF) (Filed on 12/20/2024) (Entered: 12/20/2024)
www.courtlistener.com
December 21, 2024 at 7:02 AM
Everything old is new again 🙂
NEW: U.S. private equity firm AE Industrial has acquired Israeli spyware maker Paragon, which has been making inroads in the U.S. market, for ~$500 million.
The acquisition shows the spyware market is in flux after all the scandals involving NSO Group.
techcrunch.com/2024/12/16/i...
Israeli spyware maker Paragon bought by U.S. private equity giant | TechCrunch
The company's spyware, dubbed Graphite, is capable of hacking phones and stealing private communications.
techcrunch.com
December 16, 2024 at 5:52 PM
Pretty clever tactic by Serbian police - apparently they rolled their own very simple Android spyware (NoviSpy), then confiscated and unlocked phones (sometimes using Cellebrite's forensics product) and manually sideloaded the spyware APK onto the devices!
Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists
Serbian authorities are using spyware and Cellebrite forensic extraction tools to hack journalists and activists in a surveillance campaign.
www.amnesty.org
December 16, 2024 at 4:09 PM
Interesting! Though this is going to drive up BigQuery costs for Certificate Transparency queries 🙁 letsencrypt.org/2024/12/11/e...
A Note from our Executive Director
This letter was originally published in our 2024 Annual Report.
The past year at ISRG has been a great one and I couldn’t be more proud of our staff, community, funders, and other partners that made i...
letsencrypt.org
December 15, 2024 at 7:01 PM