Graphite
Graphite is a spyware platform sold by Israel-based Paragon Solutions, founded in 2019. The content describes it as mercenary/commercial spyware marketed to government agencies for crime and national security investigations, but repeatedly linked to targeting of journalists, civil society members, and migrant-rights activists. Reported government users or customers in the content include Italian intelligence agencies AISE and AISI, with additional reporting indicating use or contracts involving U.S. agencies including ICE and previously the DEA; Citizen Lab also identified suspected customer deployments in Australia, Canada, Cyprus, Denmark, Israel, and Singapore, and reported infrastructure suggesting possible use by the Ontario Provincial Police.
Capabilities described in the content include zero-click compromise of smartphones, including iPhones and Android devices, with access to messages, calls, geolocation, microphones, and cameras. Citizen Lab reported high-confidence forensic confirmation of Graphite infections or targeting in multiple Italy-linked cases, including Android artifacts named BIGPRETZEL associated with Paragon infections and iPhone targeting via a sophisticated zero-click iMessage exploit mitigated in iOS 18.3.1 and assigned CVE-2025-43200 by Apple. WhatsApp identified, mitigated, and attributed an active Paragon zero-click exploit and notified about 90 targeted accounts on January 31, 2025. The content also states that Graphite was described as no-click spyware and that one reported WhatsApp delivery method involved targets being added to group chats without permission and receiving malicious PDFs.
The content links Graphite to campaigns against journalists Francesco Cancellato and Ciro Pellegrino of Fanpage.it, an unnamed prominent European journalist, and activists associated with Mediterranea Saving Humans, including Luca Casarini and Giuseppe Caccia. COPASIR confirmed Italian government use of Graphite against Casarini and Caccia and stated AISE and AISI were Paragon customers. Multiple reports cited in the content say Paragon later suspended or terminated Italian government access to Graphite after disputes over alleged misuse and investigation of journalist targeting.
Separately, the content also references a different malware family named Graphite discovered by Symantec in January 2022. That malware used the Microsoft Graph API and a OneDrive account as command-and-control infrastructure, was deployed against governments in Europe and Asia, and was linked in the content to the Russian Swallowtail/APT28/Fancy Bear espionage group. Its infection chain reportedly began with spear-phishing emails delivering an Excel downloader exploiting CVE-2021-40444, followed by a second-stage downloader, Graphite, and then PowerShell Empire. Because the provided content uses the same name for both Paragon’s spyware platform and this separate Graph API-based malware, the name is ambiguous in source reporting; however, the dominant usage in the content refers to Paragon’s Graphite spyware.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2021-40444: In January 2022, Symantec found the discovery of Graphite—malware that used the Graph API to communicate with a OneDrive account that was acting as a C&C server. | Graphite was deployed in a campaign against several governments in Europe and Asia. Attacks began with spear-phishing emails that delivered an Excel downloader containing a remote code execution exploit (CVE-2021-40444). This led to the installation of a second-stage downloader, followed by Graphite and a secondary payload—PowerShell Empire.
CVE-2025-43200: Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200. | Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist ... and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In January 2022, Symantec found the discovery of Graphite—malware that used the Graph API to communicate with a OneDrive account that was acting as a C&C server.
Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist ... and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.
“Graphite” is the name of their product. Citizen Lab caught them spying on multiple European journalists with a zero-click iOS exploit... both ... were targeted with Paragon’s Graphite mercenary spyware.
“...only a few exceptions, such as the Graphite malware documented by Trellix in 2021...”
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
The researchers analyzed the unnamed journalist’s devices and found that one of them was infected with Graphite, based on forensic evidence showing that the spyware communicated with a server that the researchers had previously established with “high confidence” was part of Paragon’s infrastructure.
Freedom of information requests... revealed that the 5th Floor had by January 2015 met with what was then the U.S. arm of the controversial, then-Israeli cellphone spyware manufacturer NSO Group... Reporting from the New York Times in 2022... noted that the DEA was combating drug trafficking through usage of the Graphite spyware product...
Initial Access
5 techniques
COPASIR said it verified that to use Paragon’s spyware, an operator has to log in with a username and password, and each deployment of the spyware leaves detailed logs.
WhatsApp discovered and mitigated an active Paragon zero-click exploit... We found clear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices.
Graphite can start monitoring a phone — including encrypted messages — just by sending a message to the number. The user doesn't have to click on a link or a message.
Attacks began with spear-phishing emails that delivered an Excel downloader containing a remote code execution exploit (CVE-2021-40444).
Paragon’s spyware was allegedly delivered to targets who were placed on group chats without their permission, and sent malware through PDFs in the group chat.
Execution
6 techniques
logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1.
This led to the installation of a second-stage downloader, followed by Graphite and a secondary payload—PowerShell Empire.
"GoGra ... uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services..."; "Grager ... used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive"; "Onedrivetools ... authenticates to Microsoft Graph API and downloads the second stage payload from OneDrive... fetching the new commands to execute from a file called cmd"
Paragon makes no-click spyware, which means users do not have to click on any link or attachment to be infected; it is simply delivered to the phone.
Paragon’s spyware was allegedly delivered to targets who were placed on group chats without their permission, and sent malware through PDFs in the group chat.
Persistence
1 technique
Privilege Escalation
2 techniques
The Citizen Lab reported “a growing ecosystem of spyware capability” among Ontario police services, after identifying server infrastructure that indicated potential use of Paragon Solutions’ Graphite spyware by the Ontario Provincial Police.
Stealth
5 techniques
Paragon appears to silently load their spyware into the device’s existing legitimate apps and processes, which serve as the spyware’s unwitting hosts.
The Citizen Lab reported “a growing ecosystem of spyware capability” among Ontario police services, after identifying server infrastructure that indicated potential use of Paragon Solutions’ Graphite spyware by the Ontario Provincial Police.
due to the fact that Android has limited logs, as well as “efforts by Paragon to delete traces of the infection,” it may be impossible to confirm that.
Credential Access
2 techniques
The FSB of Russia announced the discovery of a large-scale operation by foreign intelligence services that used malware to spy on senior Russian officials through their mobile devices.
AISE targeted an “extremely limited” but unspecified number of phone users and accessed both real-time and stored communications sent over end-to-end encrypted apps.
Collection
6 techniques
The FSB of Russia announced the discovery of a large-scale operation by foreign intelligence services that used malware to spy on senior Russian officials through their mobile devices.
The 5th Floor has been most widely criticized for its telephone surveillance programs — particularly its cross-border USTO and AT&T-based domestic Hemisphere/Data Analytical Services programs... Reporting from The Intercept... revealed that the SOD’s bilateral wiretapping arrangements with foreign governments were serving as cover for large-scale NSA wiretapping operations, including full-take audio surveillance... through a program known as MYSTIC.
conduct covert audio and video surveillance in the vicinity of the devices
Commercial spyware, developed by private companies like NSO Group’s Pegasus and Paragon’s Graphite, often relies on exploiting security flaws in phone and computer software to break into the devices and steal the data within.
Command and Control
4 techniques
The researchers analyzed the unnamed journalist’s devices and found that one of them was infected with Graphite, based on forensic evidence showing that the spyware communicated with a server that the researchers had previously established with “high confidence” was part of Paragon’s infrastructure.
The infrastructure appears to be consistent with a dedicated command and control infrastructure (“Tier 1”)... Pivoting to Tier 2: Paragon and Customer Endpoints... we suspected that they might be run directly from Paragon and customer premises.
Analysis of the BirdyClient malware (Trojan.BirdyClient) revealed that its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it.
acting ICE Director Todd Lyons wrote that he had authorized the use of “cutting-edge technological tools” to help the Homeland Security Investigations division fight fentanyl, particularly against organizations using encrypted communications.
Exfiltration
2 techniques
AISI used Graphite in a small but undisclosed number of cases related to acquiring real-time communications, while the cases are “a little more numerous” when it comes to exfiltrating chat messages stored on a target’s devices.
"It uses the legitimate cloud storage service Icedrive for command-and-control (C2)." / "...abuses the Filen cloud storage service for C2..." / "...used pCloud... and Koofr..." / "...Graphite... employed OneDrive for C2"
Other
1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
53 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Commercial spyware attributed to Paragon Solutions; the content describes potential use by Ontario Provincial Police based on identified server infrastructure.
Commercial spyware attributed to Paragon Solutions; the content describes it as potentially used by Ontario police services based on identified server infrastructure.
Commercial mobile spyware that can compromise smartphones without user interaction and access messages, calls, geolocation, microphone, and camera.
Commercial spyware attributed here to Paragon Solutions, used in zero-click attacks against iOS users, giving operators covert access to victims’ devices and data.