Bill Marczak
@billmarczak.org
š¤ 11946
š„ 174
š 42
senior researcher at
@citizenlab.ca
Now this is (perhaps) interesting, it seems like China's MSS believes that some CN Gov folks were targeted w/ a (presumably) zero-click exploit through a "foreign" messaging app. They attribute to US NSA (though no mention of why they attribute this way)
loading . . .
China accuses US of cyber breaches at national time centre
The ministry said it found evidence tracing stolen data and credentials as far back as 2022.
https://www.reuters.com/world/china/china-accuses-us-cyber-breaches-national-time-centre-2025-10-19/
3 months ago
2
6
3
The video of
@droethlisberger.bsky.social
and my
@reconmtl.bsky.social
2025 talk, "A Trip to Ancient BABYLON", is now online! It's a fun story about a 2017-era iOS persistence exploit that we found in a Pegasus sample -- on VT (!!)
loading . . .
Recon 2025 - A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit
YouTube video by Recon Conference
https://www.youtube.com/watch?v=ZlopMtjsVRw
3 months ago
1
6
3
reposted by
Bill Marczak
Daniel Roethlisberger
3 months ago
Recording of our REcon talk about a 2017 iOS persistence exploit used by NSO's Pegasusāand other threat actors tooāis out.
@billmarczak.org
and me of
@citizenlab.ca
at
@reconmtl.bsky.social
.
youtu.be/ZlopMtjsVRw
loading . . .
Recon 2025 - A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit
YouTube video by Recon Conference
https://youtu.be/ZlopMtjsVRw
0
3
3
reposted by
Bill Marczak
eileen chengyin chow
4 months ago
The South Korean Ministry of Defense has awarded medals of merit to 11 officers for disobeying direct orders of superiors during the martial law fiasco, orders that they deemed to be contrary to the constitution and endangerment to democracy.
www.chosun.com/english/nati...
loading . . .
National Defense Ministry Honors 11 Soldiers for Refusing Illegal Orders
National Defense Ministry Honors 11 Soldiers for Refusing Illegal Orders Honored for rejecting illegal orders during martial law, Marine death probe
https://www.chosun.com/english/national-en/2025/09/23/B3ZEYVBMNBDMRHJL5SP7SJOLAI/?fbclid=IwY2xjawNFD0pleHRuA2FlbQIxMQBicmlkETEwTXFDWlNHMW53b1JYeWtRAR6V8x5LAZN5dVoEgFMldFSwOPLYQINc6MHEyd8gXuMn6rzGrGz5N173OUUIvg_aem_w2CmH92vGXbEx2Q9Pac4-g
398
19972
7027
WhatsApp just announced they patched a very fun zero-click bug (CVE-2025-55177)! WhatsApp assesses that it was used partially in conjunction with the iOS RawCamera DNG vulnerability (CVE-2025-43300).
www.whatsapp.com/security/adv...
5 months ago
1
10
3
Excited to talk today at
@reconmtl.bsky.social
with
@droethlisberger.bsky.social
about a 2017 iOS persistence exploit used by NSO's Pegasus (and, interestingly, other threat actors too)! 10:00AM in the Grand Salon
cfp.recon.cx/recon-2025/t...
7 months ago
0
11
5
Remember when Meta published about an ITW FreeType OOB write vuln (CVE-2025-27363) in March? Turns out, Meta links this vuln to an exploit from spyware vendor Paragon
www.securityweek.com/freetype-zer...
loading . . .
FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks
WhatsApp told SecurityWeek that it linked the exploited FreeType vulnerability CVE-2025-27363 to a Paragon exploit.
https://www.securityweek.com/freetype-zero-day-found-by-meta-exploited-in-paragon-spyware-attacks/
7 months ago
0
9
11
reposted by
Bill Marczak
Julian-Ferdinand Vƶgele
8 months ago
Today weāre publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Hereās what we found š§µ
www.recordedfuture.com/research/pre...
loading . . .
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...
https://www.recordedfuture.com/research/predator-still-active-new-links-identified
1
20
16
ICYMI, yesterday we released a report providing a first look at how we found traces of spyware on two journalists' iPhones, traces which we can attribute with high confidence to Paragon's Graphite spyware:
loading . . .
Graphite Caught: First Forensic Confirmation of Paragonās iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of the...
https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/
7 months ago
2
47
27
reposted by
Bill Marczak
Raph Levien
10 months ago
New blog post up on the Rust font loader now shipping in Chrome. I only had a small part in this personally but am proud of the team's work.
developer.chrome.com/blog/memory-...
loading . . .
Memory safety for web fonts Ā |Ā Blog Ā |Ā Chrome for Developers
Learn how and why the Chrome team has replaced FreeType with Skrifa.
https://developer.chrome.com/blog/memory-safety-fonts
3
108
28
Check out our new
@citizenlab.ca
report today on Paragon! We got a tip from a collaborator, used it to map out Paragon's infrastructure, and shared with Meta. WhatsApp was able to capture & burn a zero-click, and sent out notifications to targets
citizenlab.ca/2025/03/a-fi...
loading . . .
Virtue or Vice? A First Look at Paragonās Proliferating Spyware Operations - The Citizen Lab
In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across t...
https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/
10 months ago
0
12
5
Nice work by Amnesty Security Lab & Google TAG patching three vulnerabilities in Android/Linux kernel USB device drivers that Cellebrite was using to unlock Android devices. Also, it's *scandalous* that Android doesn't have a USB restricted mode like iPhone...
securitylab.amnesty.org/latest/2025/...
loading . . .
Cellebrite zero-day exploit used to target phone of Serbian student activist - Amnesty International Security Lab
Amnesty Internationalās Security Lab uncovers sophisticated Cellebrite zero-day exploit, impacting billions of Android devices.
https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/
11 months ago
0
20
6
Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility)
support.apple.com/en-us/122174
12 months ago
3
57
39
President Yoon arrested for masterminding martial law plot
loading . . .
President Yoon arrested for masterminding martial law plot
The Corruption Investigation Office for High-ranking Officials (CIO) on Wednesday arrested impeached President Yoon Suk Yeol, marking the first time a sitting president has been arrested in Korean his...
https://koreajoongangdaily.joins.com/news/2025-01-15/national/politics/President-Yoon-arrested-for-masterminding-martial-law-plot/2222596
about 1 year ago
2
22
4
Excellent
@eff.org
piece on how data brokers get ads-related data to sell (to spyware vendors, etc.) This is something that always mystified me, but after reading this I finally get it!
loading . . .
Online Behavioral Ads Fuel the Surveillance IndustryāHereās How
Each time you see a targeted ad, your personal information is exposed to thousands of advertisers and data brokers through a process called āreal-time biddingā (RTB). This process does more than deliv...
https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how
about 1 year ago
0
41
24
reposted by
Bill Marczak
Vas Panagiotopoulos
about 1 year ago
NSO Group co-founder & owner Omri Lavie speaks about the recent US judge's WhatsApp ruling, the acquisition of competitor Paragon Solutions by AE Industrial Partners & the US-blacklisting of Pegasus spyware maker, amidst shifting šŗšøpolicy under Trump. š
vaspanagiotopoulos.substack.com/p/nso-group-...
loading . . .
NSO Group owner: āWe will appeal, justice was not served.ā
NSO Group co-founder and majority owner Omri Lavie breaks silence amid legal battles and anticipated US policy shift under Trump.
https://vaspanagiotopoulos.substack.com/p/nso-group-owner-we-will-appeal-justice
1
8
4
Rinson Jose's uncle says Jose emailed his family, claiming to be back in Norway, and with a new job.
loading . . .
'Am fine': Kerala-born Norwegian contacts kin after pager blasts probe | India News - Times of India
India News: A Norwegian citizen from Kerala, Rinson Jose, has been cleared by Norwegian police of any involvement in the September 2024 pager blasts in Lebanon. J
https://timesofindia.indiatimes.com/india/am-fine-kerala-born-norwegian-contacts-kin-after-pager-blasts-probe/articleshow/116864886.cms
about 1 year ago
0
1
0
One interesting detail about our guy Rinson Jose in the new NYTimes article on the pager operation: Israel pressured the US to let Jose flee (though unclear anyone would have stopped him). Still no word on to what extent Jose was aware of the operation.
about 1 year ago
1
3
1
reposted by
Bill Marczak
The Washington Post
about 1 year ago
Tesla is deeply reliant on China, both for manufacturing and sales. But now that its CEO has an official role in the Trump administration, things could get tricky.
loading . . .
China loves Elon Musk and his hustle ā but Trump could complicate that
Tesla is deeply reliant on China, both for manufacturing and sales. But now that its CEO has an official role in the Trump administration, things could get tricky.
https://www.washingtonpost.com/world/2024/12/21/elon-musk-tesla-china-trump/?utm_campaign=wp_main&utm_medium=social&utm_source=bluesky
43
290
100
reposted by
Bill Marczak
Kirsten Han é©äæé¢
about 1 year ago
Happy holidays to me, I guess
5
45
18
Not many new tangible facts in this CBS News report about the exploding pagers operation. But it was interesting to see that Mossad gave Lesley Stahl an AR-924 pager (or at least the outer casing) -- presumably minus the explosive battery.
loading . . .
How Israel's Mossad tricked Hezbollah into buying explosive pagers | 60 Minutes
Pagers exploded across Lebanon in September. Retired Mossad agents, key to the operation, tell 60 Minutes Israel's plot started years ago with getting Hezbollah terrorists to buy walkie-talkies.
https://www.cbsnews.com/video/israel-mossad-hezbollah-pager-plot-60-minutes-video-2024-12-22/
about 1 year ago
1
9
1
Summary judgement for WhatsApp in the NSO "missed call hack" case! The judge found NSO did not meet discovery obligations (in part b/c they did not suitably produce code for their custom WhatsApp client used in the hacks). Thus, a number of key evidentiary questions were resolved in WhatsApp's favor
loading . . .
Order on Administrative Motion to Consider Whether Another Partys Material Should Be Sealed AND Order on Discovery Letter Brief AND Order on Discovery Letter Brief AND Order on Discovery Letter Brief ...
ORDER by Judge Hamilton re 397 Motion for Summary Judgment; 401 Motion for Summary Judgment; 406 Motion for Sanctions. (pjhlc3, COURT STAFF) (Filed on 12/20/2024) (Entered: 12/20/2024)
https://www.courtlistener.com/docket/16395340/494/whatsapp-inc-v-nso-group-technologies-limited/
about 1 year ago
0
20
12
Everything old is new again š
add a skeleton here at some point
about 1 year ago
0
4
0
Pretty clever tactic by Serbian police - apparently they rolled their own very simple Android spyware (NoviSpy), then confiscated and unlocked phones (sometimes using Cellebrite's forensics product) and manually sideloaded the spyware APK onto the devices!
loading . . .
Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists
Serbian authorities are using spyware and Cellebrite forensic extraction tools to hack journalists and activists in a surveillance campaign.
https://www.amnesty.org/en/latest/news/2024/12/serbia-authorities-using-spyware-and-cellebrite-forensic-extraction-tools-to-hack-journalists-and-activists/
about 1 year ago
2
18
9
Interesting! Though this is going to drive up BigQuery costs for Certificate Transparency queries š
letsencrypt.org/2024/12/11/e...
loading . . .
A Note from our Executive Director
This letter was originally published in our 2024 Annual Report. The past year at ISRG has been a great one and I couldnāt be more proud of our staff, community, funders, and other partners that made i...
https://letsencrypt.org/2024/12/11/eoy-letter-2024/
about 1 year ago
0
2
1
Another interesting case of leveraging petty crime for OPSEC (perhaps unintentional this time tho?) Reminds me of how the Hacking Team hacker used a drug addict to buy Bitcoin gift cards to rent servers
about 1 year ago
0
4
0
reposted by
Bill Marczak
The Citizen Lab
about 1 year ago
NEW REPORT: In a joint investigation with The First Department, we uncovered spyware covertly implanted on the phone of a Russian programmer following his release from Russian custody.
citizenlab.ca/2024/12/devi...
loading . . .
Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed - The Citizen Lab
In a joint investigation with The First Department, The Citizen Lab uncovered spyware covertly implanted on the phone of a Russian programmer following his release from Russian custody. The Monokle-li...
https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/
3
47
27
reposted by
Bill Marczak
The Citizen Lab
about 1 year ago
NEW REPORT: We investigate the rising trend of gender-based digital transnational repression by drawing on the lived experiences of 85 women human rights defenders living in exile across the globe. Read the full report:
citizenlab.ca/2024/12/the-...
loading . . .
No Escape: The Weaponization of Gender for the Purposes of Digital Transnational Repression - The Citizen Lab
Building upon our prior research and the contributions of other scholars to this field, the aim of this novel study is to understand the security risks and harms caused by digital transnational repres...
https://citizenlab.ca/2024/12/the-weaponization-of-gender-for-the-purposes-of-digital-transnational-repression/
4
172
112
Very cool! This will save threat hunters a lot of time.
add a skeleton here at some point
about 1 year ago
0
7
2
reposted by
Bill Marczak
Zakir Durumeric
about 1 year ago
Last week at CSCW, Catherine Han presented our work on journalists' unmet needs for protecting against harassment online. While the work targeted Twitter/X, it surfaces several nuances in users' needs that span future platforms as well (e.g., not wanting to filter out threats or visibly block users)
loading . . .
https://zakird.com/papers/pressprotect.pdf
2
30
11
Even though I knew most of what was coming next, I still felt like I was on the edge of my seat. Would recommend this documentary for those with an HBO/Max subscription
add a skeleton here at some point
about 1 year ago
0
23
1
Make Pegasus Great Again?
www.intelligenceonline.com/surveillance...
loading . . .
Israel/United States : NSO Group's gamble on a Republican win comes up trumps
The Israeli spyware firm tasked Chartwell Strategy Group with lobbying Republican lawmakers in recent weeks. It is banking on a Donald Trump victory to help get it off the Bureau of Industry and
https://www.intelligenceonline.com/surveillance--interception/2024/11/14/nso-group-s-gamble-on-a-republican-win-comes-up-trumps,110339447-eve
about 1 year ago
1
11
6
reposted by
Bill Marczak
John Scott-Railton
over 2 years ago
Heard of Kaspersky "becoming aware" of an iOS hack? Or the FSB being paranoid Apple deliberately left bugs? Well, colleague
@billmarczak.org
has a spicy take on the Triangulation Group saga.
https://medium.com/@billmarczak/triangulation-did-the-nsa-fail-to-learn-the-lessons-of-nso-5f36d251d02e
loading . . .
Triangulation: Did āthe NSAā fail to learn the lessons of NSO?
The 1st of June 2023 saw perhaps the most exciting development in the targeted spyware research space in recent memory.
https://medium.com/@billmarczak/triangulation-did-the-nsa-fail-to-learn-the-lessons-of-nso-5f36d251d02e
0
9
9
you reached the end!!
feeds!
log in
