Lightnews — Scholar-powered news

LightNews

Bill Marczak

@billmarczak.org

12K followers 170 following 35 posts

senior researcher at @citizenlab.ca

Posts Media Videos Starter Packs

Reposted by Bill Marczak

eileen chengyin chow @chowleen.bsky.social · 14d

The South Korean Ministry of Defense has awarded medals of merit to 11 officers for disobeying direct orders of superiors during the martial law fiasco, orders that they deemed to be contrary to the constitution and endangerment to democracy.
www.chosun.com/english/nati...

National Defense Ministry Honors 11 Soldiers for Refusing Illegal Orders

National Defense Ministry Honors 11 Soldiers for Refusing Illegal Orders Honored for rejecting illegal orders during martial law, Marine death probe

Bill Marczak @billmarczak.org · Aug 29

Was a big mystery as to how/why CVE-2025-43300 came to be the only part of the chain that was patched on iOS. Now we know: it was actually a WhatsApp attack!

Bill Marczak @billmarczak.org · Aug 29

WhatsApp just announced they patched a very fun zero-click bug (CVE-2025-55177)! WhatsApp assesses that it was used partially in conjunction with the iOS RawCamera DNG vulnerability (CVE-2025-43300). www.whatsapp.com/security/adv...

Bill Marczak @billmarczak.org · Jun 29

Excited to talk today at @reconmtl.bsky.social with @droethlisberger.bsky.social about a 2017 iOS persistence exploit used by NSO's Pegasus (and, interestingly, other threat actors too)! 10:00AM in the Grand Salon cfp.recon.cx/recon-2025/t...

Bill Marczak @billmarczak.org · Jun 20

Remember when Meta published about an ITW FreeType OOB write vuln (CVE-2025-27363) in March? Turns out, Meta links this vuln to an exploit from spyware vendor Paragon www.securityweek.com/freetype-zer...

FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks

WhatsApp told SecurityWeek that it linked the exploited FreeType vulnerability CVE-2025-27363 to a Paragon exploit.

www.securityweek.com

Reposted by Bill Marczak

Julian-Ferdinand Vögele @julianferdinand.bsky.social · Jun 12

Today we’re publishing new findings on Predator spyware, still active despite global sanctions, now with a new client and ties to a Czech entity. Here’s what we found 🧵

www.recordedfuture.com/research/pre...

Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure

Despite sanctions and global scrutiny, Predator spyware operations persist. Insikt Group reveals new infrastructure links in Mozambique, Africa, and Europe, highlighting ongoing threats to civil socie...

www.recordedfuture.com

Bill Marczak @billmarczak.org · Jun 13

This means if we see two devices targeted by the same Paragon attacker account (e.g., ATTACKER1), we can surmise that both targets were targeted by the _same_ Paragon customer/operator, as in this case.

Bill Marczak @billmarczak.org · Jun 13

Based on our understanding of typical mercenary spyware operations, a spyware company (e.g., Paragon) will register the attack accounts (e.g., ATTACKER1) and distribute credentials for a given account only to infrastructure exclusive to a single customer/operator.

Bill Marczak @billmarczak.org · Jun 13

We found the ATTACKER1 account present on the second journalist’s phone, i.e., the phone of Fanpage.it journalist Ciro Pellegrino. The steps of our attribution argument are outlined in our diagram:

Bill Marczak @billmarczak.org · Jun 13

Anyhoo, around the same time this same phone was making these requests, it was silently communicating with an iMessage account (which we redact as "ATTACKER1"). We conclude that ATTACKER1 deployed a sophisticated zero-click attack against the device. Apple (silently) mitigated it in iOS 18.3.1:

Bill Marczak @billmarczak.org · Jun 13

And there’s a clear chain of shared behavior leading from Fingerprint P1 back to other IPs that previously returned pages entitled "Paragon" and a TLS certificate with the terms "Graphite" and "installerserver".

Bill Marczak @billmarczak.org · Jun 13

Basically, one of the phones sent multiple requests to IP 46.183.184[.]91, an IP that we linked with high confidence to Paragon’s Graphite spyware infrastructure. We were able to make this link because 46.183.184[.]91 matched our Fingerprint P1 (seen here in Censys search syntax)

Bill Marczak @billmarczak.org · Jun 13

ICYMI, yesterday we released a report providing a first look at how we found traces of spyware on two journalists' iPhones, traces which we can attribute with high confidence to Paragon's Graphite spyware:

Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab

On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of the...

Reposted by Bill Marczak

Raph Levien @raphlinus.bsky.social · Mar 19

New blog post up on the Rust font loader now shipping in Chrome. I only had a small part in this personally but am proud of the team's work. developer.chrome.com/blog/memory-...

Memory safety for web fonts | Blog | Chrome for Developers

Learn how and why the Chrome team has replaced FreeType with Skrifa.

developer.chrome.com

Bill Marczak @billmarczak.org · Mar 19

Check out our new @citizenlab.ca report today on Paragon! We got a tip from a collaborator, used it to map out Paragon's infrastructure, and shared with Meta. WhatsApp was able to capture & burn a zero-click, and sent out notifications to targets citizenlab.ca/2025/03/a-fi...

Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - The Citizen Lab

In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across t...

Bill Marczak @billmarczak.org · Feb 28

Nice work by Amnesty Security Lab & Google TAG patching three vulnerabilities in Android/Linux kernel USB device drivers that Cellebrite was using to unlock Android devices. Also, it's *scandalous* that Android doesn't have a USB restricted mode like iPhone... securitylab.amnesty.org/latest/2025/...

Cellebrite zero-day exploit used to target phone of Serbian student activist - Amnesty International Security Lab

Amnesty International’s Security Lab uncovers sophisticated Cellebrite zero-day exploit, impacting billions of Android devices.

securitylab.amnesty.org

Bill Marczak @billmarczak.org · Feb 10

Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility) support.apple.com/en-us/122174

Bill Marczak @billmarczak.org · Jan 15

President Yoon arrested for masterminding martial law plot

President Yoon arrested for masterminding martial law plot

The Corruption Investigation Office for High-ranking Officials (CIO) on Wednesday arrested impeached President Yoon Suk Yeol, marking the first time a sitting president has been arrested in Korean his...

koreajoongangdaily.joins.com

Bill Marczak @billmarczak.org · Jan 10

Excellent @eff.org piece on how data brokers get ads-related data to sell (to spyware vendors, etc.) This is something that always mystified me, but after reading this I finally get it!

Online Behavioral Ads Fuel the Surveillance Industry—Here’s How

Each time you see a targeted ad, your personal information is exposed to thousands of advertisers and data brokers through a process called “real-time bidding” (RTB). This process does more than deliv...

Reposted by Bill Marczak

Vas Panagiotopoulos @vaspanagiotopoulos.com · Jan 8

NSO Group co-founder & owner Omri Lavie speaks about the recent US judge's WhatsApp ruling, the acquisition of competitor Paragon Solutions by AE Industrial Partners & the US-blacklisting of Pegasus spyware maker, amidst shifting 🇺🇸policy under Trump.
👇
vaspanagiotopoulos.substack.com/p/nso-group-...

NSO Group owner: “We will appeal, justice was not served.”

NSO Group co-founder and majority owner Omri Lavie breaks silence amid legal battles and anticipated US policy shift under Trump.

vaspanagiotopoulos.substack.com

Bill Marczak @billmarczak.org · Jan 4

Rinson Jose's uncle says Jose emailed his family, claiming to be back in Norway, and with a new job.

'Am fine': Kerala-born Norwegian contacts kin after pager blasts probe | India News - Times of India

India News: A Norwegian citizen from Kerala, Rinson Jose, has been cleared by Norwegian police of any involvement in the September 2024 pager blasts in Lebanon. J

timesofindia.indiatimes.com

Bill Marczak @billmarczak.org · Dec 29

The article:

Behind the Dismantling of Hezbollah: Decades of Israeli Intelligence

A Times investigation shows how extensively Israel penetrated the Lebanese militia, closely tracking the group’s commanders and culminating in the assassination of its leader, Hassan Nasrallah.

www.nytimes.com

Bill Marczak @billmarczak.org · Dec 29

One interesting detail about our guy Rinson Jose in the new NYTimes article on the pager operation: Israel pressured the US to let Jose flee (though unclear anyone would have stopped him). Still no word on to what extent Jose was aware of the operation.

Reposted by Bill Marczak

The Washington Post @washingtonpost.com · Dec 22

Tesla is deeply reliant on China, both for manufacturing and sales. But now that its CEO has an official role in the Trump administration, things could get tricky.

China loves Elon Musk and his hustle — but Trump could complicate that

Tesla is deeply reliant on China, both for manufacturing and sales. But now that its CEO has an official role in the Trump administration, things could get tricky.

www.washingtonpost.com

Reposted by Bill Marczak

Kirsten Han 韩俐颖 @kirstenhan.com · Dec 23

Happy holidays to me, I guess