Spyware Surge: Apple Sends Fourth Security Alert to French Users

CERT-FR and Apple warn of sophisticated spyware targeting iCloud-linked devices via zero-click exploits; high-profile individuals at risk.

Apple and France’s CERT-FR have issued a fourth spyware notification in 2025, alerting users to potential compromise of iCloud-linked devices through highly sophisticated zero-click attacks. Targets include journalists, activists, politicians, and officials. Authorities urge urgent updates, lockdown measures, and enhanced defenses amid rising mercenary spyware risks.

PARIS — Apple has issued its fourth notification of the year to French users, warning that at least one device linked to their iCloud account could have been compromised in a sophisticated spyware campaign, authorities confirmed Friday.

• On September 3, 2025, Apple alerted users in France via iMessage, email, and iCloud notifications that their devices may have been targeted by spyware. The Hacker News+1
• This marks the fourth such advisory this year, with prior alerts issued on March 5, April 29, and June 25. The Hacker News+1
• According to France’s Computer Emergency Response Team (CERT-FR), the threats are highly targeted, aimed at individuals based on status or function, including journalists, lawyers, activists, politicians, senior officials, and those connected to strategic sectors. The Hacker News+1
• CERT-FR clarified: “Receiving a notification means that at least one of the devices linked to the iCloud account has been targeted and is potentially compromised.” Dark Reading
• The alerts often arrive several months after compromise attempts, and the time lag is variable. Dark Reading
• Known spyware implicated in similar campaigns includes Pegasus, Predator, Graphite, and Triangulation—tools described by CERT-FR as “particularly sophisticated and difficult to detect.” Dark Reading+1

Historical or Geopolitical Context:

• CERT-FR has been issuing these notifications since November 2021 but has intensified alerts in 2025 with four documented campaigns in France alone. The Hacker News+1
• Globally, mercenary spyware campaigns against civil society figures and officials have drawn scrutiny for their use of zero-click and zero-day vulnerabilities. TechRadar+1

1. CERT-FR (France’s national cybersecurity agency): “Receiving a notification means that at least one of the devices linked to the iCloud account has been targeted and is potentially compromised.” Dark Reading
2. Security researcher interviewed by Dark Reading (paraphrased): “Spyware programs like Pegasus, Predator, Graphite, and Triangulation are particularly sophisticated and difficult to detect.” Dark Reading
3. El Mostafa Ouchen, international cybersecurity adviser and author, added: “This pattern of repeated, stealthy attacks underscores the importance of proactive device defenses. When high-profile individuals are targeted, detection must coincide with rapid response protocols—regular updates, lockdown modes, and separation of sensitive from general-use environments aren’t optional; they’re essential.”

Technical Analysis

How the Incident Occurred & Possible Attack Vectors:

• The attacks largely exploit zero-click vulnerabilities, which allow spyware to be delivered and activated on a device without any interaction from the user. Dark Reading
• Zero-day flaws—previously unknown and unpatched security vulnerabilities—are used as entry points, including flaws in the ImageIO framework (e.g., CVE-2025-43300) and WebKit. Dark Reading+1
• iCloud-linked devices, including iPhones, iPads, and Macs, are susceptible due to their integration with account syncing and messaging services (iMessage, iCloud). TechRadar+1

Affected Systems:

• Devices tied to impacted Apple IDs—even those not actively in use—may be exposed if they remain connected via iCloud.
• Alerts are triggered when Apple identifies indicators of compromise tied to known spyware chains.

Mitigations and Remediations:

• Users are urged to update their devices immediately, enabling automatic updates to ensure timely patching of zero-day vulnerabilities. Dark Reading
• CERT-FR recommends enabling Lockdown Mode, a feature that restricts many device functionalities to mitigate spyware risk. Dark Reading
• Regular device restarts also aid detection and disrupt latent malware activity. Dark Reading

Impact & Respons

Who Is Affected:

• Individuals in France (and possibly elsewhere) whose devices are linked to compromised Apple IDs, spanning prominent roles in journalism, politics, law, and activism. The Hacker News+1

Actions Taken:

• Apple is dispatching notifications and sending alerts via email, iMessage, and iCloud logins.
• CERT-FR has issued official advisories and security guidance.
• Apple patched at least seven zero-day vulnerabilities this year, including those in ImageIO and WebKit. TechRadar

Possible Long-Term Implications:

• Continued exploitation of zero-click spyware may accelerate regulatory pressure on mercenary spyware firms and drive policy changes.
• Public trust in mobile device security may erode unless transparency and mitigation improve.
• Surveillance of high-profile individuals raises concerns about privacy, democratic integrity, and misuse of advanced spyware.
• France is among several countries where Apple has stepped up threat notifications tied to sophisticated spyware campaigns.
• The use of mercenary spyware—commercially sold surveillance tools used by governments, including NSO Group’s Pegasus—has been a global concern over the past several years.
• Zero-click attacks have been notably difficult to detect, and have been implicated in espionage of journalists, dissidents, and government officials in multiple regions.

The revelation that Apple users in France are now facing a fourth spyware alert in 2025 signals an escalation in stealthy, targeted cyber intrusions. As attackers rely on elusive zero-click and zero-day exploits, rapid technological and policy responses are essential. Continued vigilance, device hygiene, and legislative action may be needed to shield democracy’s key voices from such pervasive threats.