- Apple issued four waves of alerts in 2025 warning users of spyware attacks targeting high-profile individuals
- CERT-FR confirmed the use of advanced tools like Pegasus and Predator, exploiting zero-day and zero-click flaws
- Apple notified compromised users via device and iCloud, while patching at least seven critical vulnerabilities
From early March 2025 Apple[1] has, on four separate occasions, alerted its users about an ongoing spyware[2] attack.
The attacks are sophisticated and dangerous, often targeting individuals of specific interests to different nation-states and governments.
This is according to the French National Computer Emergency Response Team (CERT-FR). In a new security advisory, the agency said threat actors are using advanced spyware, such as Pegasus, Predator, Graphite, or Triangulation, which is “particularly sophisticated and difficult to detect”.
Four waves of notifications
To deploy the spyware, the attackers would often abuse zero-day vulnerabilities, or even zero-click flaws (bugs that require no interaction from the victim whatsoever which are, as such, extremely dangerous).
The targets are high-profile individuals: journalists, lawyers, activists, politicians, senior civil servants, members of management committees of strategic sectors, and similar.
Apple has been notifying the targets directly on their devices, as well as through a notification in their iCloud[3] account. CERT-FR also said that Apple’s only been notifying accounts that were most likely already compromised: “Receiving a notification means that at least one of the devices linked to the iCloud account has been targeted and would potentially be compromised,” the announcement reads.
“The time between the attempted compromise and the receipt of the notification is several months but remains variable.”
The four waves of alerts happened on March 5, April 29, June 25, and September 3.
CERT-FR did not discuss which flaws the threat actors were targeting, but we do know that Apple patched at least seven zero-day flaws this year:
- CVE-2025-24085 (use-after-free bug)
- CVE-2025-24200 (privilege escalation)
- CVE-2025-24201 (privilege escalation)
- CVE-2025-31200 (memory corruption)
- CVE-2025-31201 (local privilege escalation)
- CVE-2025-43200 (logic flaw)
- CVE-2025-4330 (ImageIO flaw)
One of the spyware mentioned in the report is Pegasus, designed by an Israeli cybersecurity company called NGO Group. It was blacklisted by the US in early November 2021 for actions contrary to US national security and foreign policy interests.