Bill Marczak
billmarczak.org
@billmarczak.org
senior researcher at @citizenlab.ca
The attack in question was reportedly in 2022, and while we can imagine there's a plausible way they might have figured this out (via analysis of published Operation Triangulation infrastructure from Kaspersky), there are (seemingly) unfortunately no IOCs available at this time
October 20, 2025 at 1:33 AM
We were also able to identify a second (unpublished) iOS threat actor (not NSO) who likely used the same persistence exploit *code* (shared strings), and a third (unpublished) iOS threat actor who likely used the same telemetry-disablement *code* as both.
October 16, 2025 at 5:17 PM
Watch the video to learn about @droethlisberger.bsky.social's hard-core reverse engineering: he essentially wrote an emulator for a significant chunk of iOS 10 internals to reveal the exploit's secrets!
October 16, 2025 at 5:16 PM
Of course, there's ~no capital-P persistence on iOS (i.e., you can't "just launch" your malicious binary on reboot), so the game is reinfect-on-reboot, either by pushing a remote exploit, or by causing the phone to pull/process an exploit on reboot.
October 16, 2025 at 5:16 PM
WhatsApp just announced they patched a very fun zero-click bug (CVE-2025-55177)! WhatsApp assesses that it was used partially in conjunction with the iOS RawCamera DNG vulnerability (CVE-2025-43300). www.whatsapp.com/security/adv...
August 29, 2025 at 4:16 PM
Excited to talk today at @reconmtl.bsky.social with @droethlisberger.bsky.social about a 2017 iOS persistence exploit used by NSO's Pegasus (and, interestingly, other threat actors too)! 10:00AM in the Grand Salon cfp.recon.cx/recon-2025/t...
June 29, 2025 at 1:45 PM
We found the ATTACKER1 account present on the second journalist’s phone, i.e., the phone of Fanpage.it journalist Ciro Pellegrino. The steps of our attribution argument are outlined in our diagram:
June 13, 2025 at 5:03 PM
Anyhoo, around the same time this same phone was making these requests, it was silently communicating with an iMessage account (which we redact as "ATTACKER1"). We conclude that ATTACKER1 deployed a sophisticated zero-click attack against the device. Apple (silently) mitigated it in iOS 18.3.1:
June 13, 2025 at 5:02 PM
And there’s a clear chain of shared behavior leading from Fingerprint P1 back to other IPs that previously returned pages entitled "Paragon" and a TLS certificate with the terms "Graphite" and "installerserver".
June 13, 2025 at 4:59 PM
Basically, one of the phones sent multiple requests to IP 46.183.184[.]91, an IP that we linked with high confidence to Paragon’s Graphite spyware infrastructure. We were able to make this link because 46.183.184[.]91 matched our Fingerprint P1 (seen here in Censys search syntax)
June 13, 2025 at 4:58 PM
Update your iPhones... again! iOS 18.3.1 is out today with a fix for an ITW USB restricted mode bypass (via Accessibility). support.apple.com/en-us/122174
February 10, 2025 at 6:41 PM
One interesting detail about our guy Rinson Jose in the new NYTimes article on the pager operation: Israel pressured the US to let Jose flee (though unclear anyone would have stopped him). Still no word on to what extent Jose was aware of the operation.
December 29, 2024 at 10:20 PM
Another interesting case of leveraging petty crime for OPSEC (perhaps unintentional this time tho?). Reminds me of how the Hacking Team hacker used a drug addict to buy Bitcoin gift cards to rent servers.
December 13, 2024 at 7:25 PM