
Fourth Spyware Campaign Targeting French Apple Users in 2025

2 unique sources, 2 articles

Summary


Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals because of their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. Each alert indicates that at least one device linked to the user's iCloud account may have been compromised in a highly targeted attack. The campaign follows a previous incident in which a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300) were chained in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.

Timeline

  1. 12.09.2025 17:49 · 2 articles · 5d ago

    Apple Warns French Users of Fourth Spyware Campaign in 2025

    The notifications are sent to individual users and are not made public, which makes the timing and scope of the attacks difficult to track. The spyware programs involved include Pegasus, Predator, Graphite, and Triangulation. Several months can pass between the compromise attempt and the receipt of the notification. Notified users receive an iMessage, an alert email from Apple, and an alert displayed when they log into their iCloud account.


Similar Happenings

Remote Code Execution Vulnerability in Samsung Devices Exploited in Zero-Day Attacks

Samsung has patched a critical remote code execution vulnerability (CVE-2025-21043) affecting Android devices running Android 13 or later. The flaw was exploited in zero-day attacks targeting Samsung devices. The vulnerability resides in libimagecodec.quram.so, a closed-source image parsing library developed by Quramsoft. It is an out-of-bounds write that allows remote attackers to execute arbitrary code. The exploit was reported by Meta and WhatsApp, who discovered it while investigating a highly targeted exploit over the summer. Because the bug sits in a shared image parsing library, other instant messengers that rely on it are potentially affected as well.

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. It disguises itself as an executable applet and deploys as a persistent backdoor capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also uses timestomping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Apple introduces Memory Integrity Enforcement in iPhone 17 and iPhone Air

Apple has introduced a new security feature called Memory Integrity Enforcement (MIE) in its latest iPhone models, the iPhone 17 and iPhone Air. The feature is designed to provide continuous memory safety protection across critical attack surfaces, including the kernel and over 70 userland processes. MIE aims to prevent the memory corruption vulnerabilities that mercenary spyware actors exploit. The technology builds on Enhanced Memory Tagging Extension (EMTE) and Tag Confidentiality Enforcement (TCE) to raise security without sacrificing device performance. The A19 and A19 Pro chips in these new iPhone models are specifically designed to support MIE. MIE turns the Memory Tagging Extension (MTE) from a debugging tool into a robust security measure that protects against buffer overflows and use-after-free bugs. Apple's implementation also addresses weaknesses in the original MTE specification, making it harder for attackers to exploit memory corruption bugs.

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking trojan turned remote access Trojan (RAT), has been identified. The campaign uses sophisticated evasion techniques, including an obscure programming language, the disabling of security tools, and mutual TLS (mTLS) for command-and-control communications, to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan and is delivered through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and deployment of remote access tools. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives: it can extend its functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the npm team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests and swaps the destination wallet address for a look-alike attacker address chosen by Levenshtein distance. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents' worth of ETH and $20 worth of a virtually unknown memecoin. The attacker's wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.