Threat Actor

Paragon Solutions / Graphite

paragon_solutions_graphite · israel_commercial_cyber_mercenary · active since 2019

Paragon Solutions / Graphite (canonical company naming "Paragon Solutions", founded 2019 in Israel by Ehud Barak, former Prime Minister of Israel, former Israeli Defense Minister and former Chief of General Staff of the Israel Defense Forces, alongside a former Israeli intelligence official and other Unit 8200 alumni founders; primary spyware product "Graphite") is an Israeli private offensive cyber operations contractor / commercial spyware vendor, operationally the most recently emerged major cyber-mercenary vendor in publicly tracked industry analysis, publicly active since January 2025 (the WhatsApp 90-user notification campaign was its first widespread public exposure).

Signature "responsible cyber-mercenary" market positioning, per Citizen Lab March 2025: "The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for" (though Citizen Lab, WhatsApp and Italian COPASIR investigations have documented Graphite targeting of journalists and sea-rescue NGO activists, operationally undermining the stated safeguards claims).

Signature operational tradecraft is the Graphite mobile spyware (cluster-defining sophisticated commercial spyware targeting iOS + Android devices), with a signature messaging-app-focused architecture rather than full device takeover (operationally distinct from the NSO Pegasus model per Citizen Lab June 2025: Graphite operates within existing applications, reducing forensic artifacts and limiting detection, and extracts messages from the encrypted applications WhatsApp + Signal + Telegram before encryption or after decryption).

Signature CVE-2025-43200 iOS zero-click exploit chain (iOS 18.2.1 zero-click logic issue when processing a maliciously crafted photo or video shared via iCloud Link; Apple mitigated it in iOS 18.3.1) + WhatsApp zero-click vector patched late 2024 by Meta following Citizen Lab cooperation.

The WhatsApp 90-user notification campaign of January 31, 2025 was the first widespread public exposure of Paragon deployments.

Signature BIGPRETZEL Android forensic artifact + Fingerprint P1 server attribution (Citizen Lab) + ATTACKER1 single iMessage operator account, a dedicated per-customer infrastructure pattern.

Italian government confirmed Paragon customer (Italian Minister for Relations with Parliament + AISE external intelligence service director confirmed February 12, 2025; COPASIR Italian parliamentary committee June 5, 2025 report confirmed Italian government Graphite use against Luca Casarini + Giuseppe "Beppe" Caccia, migration sea-rescue NGO activists; Italian DIS rejected Paragon investigation offer June 2025 citing national security concerns) + Italian Fanpage.it journalist Ciro Pellegrino + anonymous prominent European journalist targeted per Citizen Lab Report No. 186 June 12, 2025 iOS forensic confirmation; US ICE Graphite contract January 2025 (Trump administration publicly acknowledged DHS + ICE Graphite contracts, operationally establishing US Government as Paragon customer, operationally distinct from sibling cyber-mercenary clusters in this corpus where US Government has been regulator/sanctioner rather than customer).

Documented government customer footprint: Australia + Canada (Ontario Provincial Police) + Cyprus + Denmark + Israel + Singapore + Italy + United States (operationally significant footprint includes Israel as customer, operationally distinct from sibling Israeli cyber-mercenary vendors NSO + Candiru which restrict Israeli targeting).

EDIS Global VPS provider hosting infrastructure.

February 11, 2026 LinkedIn OPSEC fail (Paragon general counsel posted a Graphite surveillance dashboard screenshot including a Czech phone number labeled "Valentina" + active interception logs dated February 10, 2026 + WhatsApp encrypted-app monitoring interfaces, per Citizen Lab's John Scott-Railton an "epic OPSEC fail").

Fills the 4th cyber-mercenary / private-offensive-actor cell in the curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd) + intellexa_predator (3rd), all curated separately; operationally significant as the most recently emerged major cyber-mercenary vendor and the only cyber-mercenary cluster in this corpus where the US Government is a customer (via ICE) rather than a regulator/sanctioner.

Classification: israel_commercial_cyber_mercenary · confidence: high · 14 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 1

Profile

Paragon Solutions / Graphite (canonical company naming "Paragon Solutions", founded 2019 in Israel by Ehud Barak, former Prime Minister of Israel (1999-2001), former Israeli Defense Minister and former Chief of General Staff of the Israel Defense Forces, alongside a former Israeli intelligence official and other Unit 8200 alumni founders; primary spyware product "Graphite") is an Israeli private offensive cyber operations contractor / commercial spyware vendor, operationally the most recently emerged major cyber-mercenary vendor in publicly tracked industry analysis. Publicly active since January 2025 (the WhatsApp 90-user notification campaign was its first widespread public exposure), with the primary operational mission of commercial spyware sales to government clients via a signature messaging-app-focused architecture rather than full device takeover (operationally distinct from the NSO Pegasus model).

Signature "responsible cyber-mercenary" market positioning, per Citizen Lab March 2025: "Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for." This positioning operationally distinguishes Paragon from sibling vendors in marketing, though Citizen Lab, WhatsApp and Italian COPASIR investigations have documented Graphite targeting of journalists and sea-rescue NGO activists, operationally undermining the stated safeguards claims.

Operational phases:
  • (1) CORPORATE EMERGENCE (2019). Founded by Ehud Barak + former Unit 8200 official + other Unit 8200 alumni.
  • (2) UNDER-RADAR OPERATIONAL PERIOD (2019-2024). Limited public visibility.
  • (3) WHATSAPP META BLOCK (Late 2024). Zero-click WhatsApp vulnerability detected and blocked by Meta.
  • (4) WHATSAPP 90-USER NOTIFICATION CAMPAIGN (January 31, 2025). First widespread public exposure of Paragon deployments.
  • (5) US ICE GRAPHITE CONTRACT (January 2025). Trump administration publicly acknowledged ICE Graphite contract.
  • (6) ITALIAN GOVERNMENT CUSTOMER CONFIRMATION (February 12, 2025). Italian Minister for Relations with Parliament + AISE director publicly confirmed Italian government Paragon customer status.
  • (7) CITIZEN LAB CANONICAL DISCLOSURE (March 19, 2025). Research Report No. 183 documented 6-country deployment footprint + BIGPRETZEL forensic artifact + Canadian OPP potential customer.
  • (8) COPASIR ITALIAN PARLIAMENTARY REPORT (June 5, 2025). Confirmed Italian government Graphite use against Casarini + Caccia sea-rescue NGO activists.
  • (9) CITIZEN LAB iOS FORENSIC CONFIRMATION (June 12, 2025). Report No. 186 first iOS forensic confirmation: CVE-2025-43200 zero-click + ATTACKER1 iMessage operator + Fanpage.it journalist Ciro Pellegrino + anonymous European journalist.
  • (10) LINKEDIN OPSEC FAIL (February 11, 2026). Graphite surveillance dashboard exposed via Paragon general counsel LinkedIn post.

Signature operational tradecraft
  • Graphite mobile spyware (cluster-defining): sophisticated commercial spyware targeting iOS + Android devices. Signature architecture focuses on access inside messaging applications rather than full device takeover. Operates within existing applications reducing forensic artifacts and limiting detection through traditional forensic methods. Extracts messages from encrypted applications (WhatsApp + Signal + Telegram) before encryption or after decryption + accesses stored data + monitors live communications.
  • CVE-2025-43200 iOS zero-click exploit chain: signature iOS 18.2.1 zero-click vulnerability, logic issue processing maliciously crafted photo or video shared via iCloud Link. Apple mitigated in iOS 18.3.1.
  • WhatsApp zero-click vector (patched late 2024 by Meta following Citizen Lab cooperation).
  • iMessage zero-click delivery via iCloud Link sharing: signature delivery mechanism for CVE-2025-43200.
  • BIGPRETZEL Android forensic artifact: signature Citizen Lab forensic indicator uniquely identifying Graphite Android infections.
  • Fingerprint P1 server attribution: signature Citizen Lab attribution mechanism for Paragon server infrastructure.
  • ATTACKER1 single iMessage operator account: signature operator infrastructure pattern; each Graphite customer operationally uses dedicated infrastructure.
  • 6+ confirmed government customer footprint: Australia + Canada (Ontario Provincial Police) + Cyprus + Denmark + Israel + Singapore + Italy + United States (ICE + DHS). Operationally significant footprint includes Israel as customer (operationally distinct from sibling Israeli cyber-mercenary vendors NSO + Candiru which restrict Israeli targeting).
  • EDIS Global VPS provider infrastructure: signature hosting infrastructure used by Graphite operator servers.
  • Messaging-app-focused architecture differentiator: operationally distinct from the NSO Pegasus full-device-takeover model, though per Citizen Lab June 2025 "the distinction may be less clear. Citizen Lab's findings show that infections can still result in broad access to communications and app data once the spyware is deployed." The cluster fills the 4th cyber-mercenary / private-offensive-actor cell in this curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd) + intellexa_predator (3rd), all curated separately. Operationally significant as the most recently emerged major cyber-mercenary vendor and the only cyber-mercenary cluster in this corpus where the US Government is a customer (via ICE) rather than a regulator/sanctioner.

Aliases (14)

paragon_solutions, paragon solutions, paragon, graphite, graphite spyware, graphite_spyware, paragon graphite, bigpretzel, smallpretzel, big pretzel, small pretzel, paragon_solutions_graphite, paragon_graphite, paragon spyware operator attacker1

Notable Campaigns (11)

  • 2026 · Paragon LinkedIn Surveillance Dashboard OPSEC Fail (February 11, 2026)
  • 2025-2026 · Continued Operations Through 2025-2026
  • 2025 · WhatsApp 90-User Zero-Click Notification Campaign (January 31, 2025)
  • 2025 · Italian Government Paragon Customer Confirmation (February 12, 2025)
  • 2025 · US ICE Graphite Contract (January 2025)
  • 2025 · Citizen Lab Canonical Paragon Disclosure (March 19, 2025)
  • 2025 · COPASIR Italian Parliamentary Committee Report (June 5, 2025)
  • 2025 · Citizen Lab iOS Forensic Confirmation, First Graphite iOS Confirmation (June 12, 2025)
  • 2025 · Paragon-Italy Contract Termination Dispute (June 2025)
  • 2024 · WhatsApp Zero-Click Vector, Meta Block (Late 2024)
  • 2019 · Paragon Solutions Corporate Emergence (2019)

Attribution & Reporting

Attributed by
  • Citizen Lab (Bill Marczak + John Scott-Railton, canonical March 2025 + June 2025 disclosures)
  • Meta / WhatsApp (January 31, 2025 zero-click notification campaign to ~90 users)
  • Censys (collaboration partner on Citizen Lab Paragon infrastructure analysis)
  • Italian DIS Department of Security Intelligence (Italian government Paragon customer confirmation February 2025)
  • Italian AISE external intelligence service
  • Italian COPASIR parliamentary committee for oversight of the intelligence services (June 5, 2025 report)
  • Apple Security Research (CVE-2025-43200 mitigation iOS 18.3.1)
  • Amnesty International (December 2025 European deployments analysis)
  • Trump administration / US Government (ICE Graphite contract acknowledgment January 2025)
  • EurActiv + European media coverage 2025+
  • Haaretz (Israeli media coverage June 2025)
  • Microsoft Threat Intelligence Center
  • Mandiant / Google Threat Intelligence Group
  • Symantec / Broadcom Threat Hunter Team
  • Recorded Future Insikt Group
  • Jurre van Bergen (cybersecurity researcher who spotted the LinkedIn OPSEC fail February 11, 2026)

Key reporting
  • Citizen Lab Research Report No. 183 (Bill Marczak + John Scott-Railton + others): Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations (March 19, 2025), canonical Paragon Solutions disclosure
  • Citizen Lab Research Report No. 186 (Bill Marczak + John Scott-Railton): Graphite Caught, First Forensic Confirmation of Paragon's iOS Mercenary Spyware Finds Journalists Targeted (June 12, 2025), canonical iOS forensic confirmation
  • Meta / WhatsApp: WhatsApp 90-user zero-click notification campaign (January 31, 2025), first widespread Paragon public exposure
  • Italian COPASIR Parliamentary Committee Report (June 5, 2025), Italian government Graphite deployment confirmation against Casarini + Caccia
  • Italian DIS Department of Security Intelligence: Paragon offer rejection (June 2025)
  • Italian AISE External Intelligence Service: Paragon Graphite deployment classified hearing testimony (February 2025)
  • Apple Security Research: CVE-2025-43200 iOS zero-click mitigation, iOS 18.3.1
  • Amnesty International: Paragon European deployments analysis + civil liberties advocacy
  • Censys: collaboration partner on Citizen Lab Paragon infrastructure analysis
  • Recorded Future: Paragon-adjacent tracking
  • Jurre van Bergen (cybersecurity researcher): LinkedIn OPSEC fail, Graphite surveillance dashboard exposure (February 11, 2026)
  • European Federation of Journalists: Three European Journalists Targeted with Paragon Solutions Spyware (June 12, 2025)
  • Trump Administration / DHS / ICE: Graphite contract acknowledgment (January 2025)
  • AI Incident Database (Incident 1069): Graphite Spyware Deployed Against Journalists and Civil Society Workers
  • Malpedia Actor Profile: Paragon Solutions

Operational

State sponsor

Israeli private offensive cyber operations contractor / commercial spyware vendor founded in Israel in 2019 by: (a) Ehud Barak, former Prime Minister of Israel (1999-2001), former Israeli Defense Minister and former Chief of General Staff of the Israel Defense Forces, providing high-profile political founding leadership; (b) a former Israeli intelligence official (per industry reporting); and (c) other Unit 8200 alumni founders. The Ehud Barak founding involvement operationally distinguishes Paragon from sibling Israeli cyber-mercenary vendors (NSO Group, Candiru) by providing direct former-head-of-state-level political credibility to the company's commercial offering. Workforce drawn from Unit 8200, Israel's signals intelligence military unit, per Citizen Lab + Hacker Wire industry analysis: "Public reporting and research describe the company as being founded by former members of Unit 8200, Israel's military intelligence unit."

Per Citizen Lab Research Report No. 183 (March 19, 2025) canonical disclosure: "Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for." This signature "responsible cyber-mercenary" market positioning operationally distinguishes Paragon from sibling vendors in marketing, though Citizen Lab, WhatsApp and multiple forensic investigations have documented Graphite targeting of journalists and civil society, operationally undermining the company's stated safeguards claims.

Operational capability + commercial business model attribution at high confidence per multiple convergent sources:

(a) Citizen Lab Research Report No. 183 (March 19, 2025), canonical Paragon Solutions infrastructure analysis + first comprehensive disclosure. Citizen Lab mapped server infrastructure attributed to Paragon's Graphite tool, identified the BIGPRETZEL Android forensic artifact uniquely identifying Graphite infections, identified a subset of suspected Paragon deployments including in Australia + Canada + Cyprus + Denmark + Israel + Singapore, and found potential links to the Canadian Ontario Provincial Police as a suspected Paragon customer.

(b) WhatsApp zero-click notification campaign, January 31, 2025: WhatsApp sent notifications to approximately 90 WhatsApp accounts believed to be targeted with Paragon's Graphite spyware, including journalists and members of civil society. The notifications followed Citizen Lab cooperation with Meta on Paragon infrastructure mapping that enabled WhatsApp to identify, mitigate, and attribute a Paragon zero-click exploit. WhatsApp confirmed the BIGPRETZEL forensic artifact attribution to Paragon.

(c) Italian Government confirmed Paragon customer (February 12, 2025): the Italian Minister for Relations with Parliament publicly confirmed that the Italian government was a Paragon customer. The Italian Department of Security Intelligence (DIS) director and external intelligence service (AISE) director confirmed deployment. February 14, 2025: the Italian government and Paragon jointly suspended deployment pending investigation. The Italian parliamentary committee COPASIR published a report on June 5, 2025 confirming Italian government use of Graphite against Luca Casarini and Giuseppe "Beppe" Caccia (migration sea-rescue NGO activists).

(d) Citizen Lab Report No. 186 (June 12, 2025), canonical iOS forensic confirmation by Bill Marczak + John Scott-Railton, first forensic confirmation of Paragon's iOS mercenary spyware. Forensic analysis confirmed with high confidence that two journalists were targeted with the Graphite iOS zero-click attack: (1) an unnamed prominent European journalist; (2) Italian journalist Ciro Pellegrino (Fanpage.it Naples newsroom head). Both were targeted via the single ATTACKER1 iMessage account, operationally indicating a shared Paragon customer operator. The CVE-2025-43200 iOS zero-click vulnerability was exploited via a maliciously crafted photo or video shared via iCloud Link; Apple mitigated it in iOS 18.3.1.

(e) US Government client documented (January 2025): per Citizen Lab + Hacker Wire + Türkiye Today + Al Mayadeen, the Trump administration publicly acknowledged US government purchases of Graphite to support Immigration and Customs Enforcement (ICE) operations. US public procurement records show US immigration enforcement agencies have engaged with Paragon technology, including contracts with the Department of Homeland Security and ICE.

(f) Italian government client signature operational events: Italian DIS rejected Paragon's offer to investigate the Cancellato case per Haaretz, June 9, 2025 (Italian DIS cited national security concerns about exposing activities to Paragon). Paragon claimed unilateral termination of its Italy contracts; the Italian government denied the unilateral termination characterization.

(g) Paragon LinkedIn OPSEC fail (February 11, 2026): cybersecurity researcher Jurre van Bergen spotted a LinkedIn post by Paragon's general counsel revealing a Graphite surveillance dashboard image including a Czech phone number labeled "Valentina" + active interception logs dated February 10, 2026 + interfaces for monitoring encrypted applications like WhatsApp through zero-click exploits. Citizen Lab senior researcher John Scott-Railton described the disclosure as an "epic OPSEC fail."

Documented government clients via Citizen Lab + WhatsApp + Italian official confirmation + ongoing infrastructure analysis: Australia + Canada (Ontario Provincial Police + Canadian provincial police adjacent) + Cyprus (Greek Cyprus) + Denmark + Israel (signature: Israel operates Paragon spyware on Israeli citizens per Citizen Lab infrastructure mapping, operationally distinct from NSO Group + Candiru which restrict Israeli targeting) + Singapore + Italy (confirmed government client targeting Italian Fanpage.it journalists + sea-rescue NGO activists) + United States (ICE contract January 2025) + others. December 2025 ICIJ-linked reporting on Paragon infrastructure indicated potential additional EU member-state customers. The cluster fills the 4th cyber-mercenary / private-offensive-actor cell in this curated corpus following nso_group_pegasus (1st) + candiru_sourgum (2nd) + intellexa_predator (3rd), all curated separately.

Motivations
commercial_spyware_sales_to_government_clients, private_offensive_cyber_operations_for_government_clients, mobile_messaging_app_focused_compromise_capability, responsible_cyber_mercenary_market_positioning_differentiation, signal_whatsapp_telegram_encrypted_messaging_compromise_capability, government_intelligence_collection_via_commercial_capability, high_value_individual_targeting_journalists_activists_politicians_dissidents, civil_society_surveillance_per_documented_abuse_patterns, us_immigration_enforcement_ice_targeting_capability

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 · 93%
  • Analytics (MITRE CAR): 25/60 · 41%
  • Runtime / container (Falco): 9/60 · 15%
  • File / malware (YARA): 1/60 · 1%
  • Network (Suricata/Snort): 14/60 · 23%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques: validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped

Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MESSAGING-APP FOCUSED NOT FULL DEVICE TAKEOVER
  • SMALLPRETZEL NETWORK ARTIFACT

CVEs Exploited

1 (CVE-2025-43200)
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin