Apple issues spyware warnings to high-risk users in ongoing zero-day attacks
Farah Amod
Oct 4, 2025 7:32:25 AM

A new wave of threat notifications indicates targeted spyware campaigns affecting Apple users across multiple countries.
What happened
Apple has sent out a new round of threat notifications to users targeted in advanced spyware attacks, according to an alert from France’s national Computer Emergency Response Team (CERT-FR). The agency, which monitors cybersecurity threats to key sectors, reported that four separate Apple alerts have gone out this year, on March 5, April 29, June 25, and most recently, September 3.
These notifications indicate that users’ devices may have been compromised using sophisticated techniques that require no user interaction. Apple delivers the alerts by email and text message, and through a warning banner shown when users log in to their Apple account.
Going deeper
The attacks rely on zero-day vulnerabilities, flaws not yet known to the vendor, and often involve zero-click exploits, meaning users can be infected without opening a link or downloading a file. These methods are typically used in mercenary spyware operations targeting individuals based on their profession or public role.
CERT-FR says the attacks are aimed at high-profile individuals such as journalists, lawyers, human rights defenders, politicians, and senior executives in strategic sectors. Once targeted, at least one device associated with the victim's iCloud account may be compromised.
Last month, Apple released urgent patches for a zero-day flaw (CVE-2025-43300) used in combination with a WhatsApp vulnerability (CVE-2025-55177). That exploit chain allowed attackers to infect devices silently. WhatsApp, in its own advisory, urged affected users to perform a factory reset and keep systems fully updated.
What was said
Apple has reiterated that while it sends out notifications of these threats, it does not attribute the attacks to specific threat actors or nations. Since 2021, Apple has issued spyware alerts to users in over 150 countries.
In addition to updates, Apple recommends enabling Lockdown Mode for added protection and contacting Access Now’s Digital Security Helpline for emergency support.
CERT-FR stressed the severity of these attacks, noting their potential to compromise sensitive data and communications without the user’s knowledge. Apple did not respond to media inquiries for additional comment.
FAQs
What is Lockdown Mode, and who should use it?
Lockdown Mode is an optional iOS/macOS feature that restricts device functions to reduce attack surfaces. It’s recommended for users at high risk of targeted spyware attacks, such as journalists, activists, or executives.
What should I do if I receive a threat notification from Apple?
Immediately update your device software, enable Lockdown Mode, and consider performing a factory reset. You can also contact Access Now’s Digital Security Helpline for confidential support.
How are zero-click attacks different from regular malware?
Zero-click attacks exploit device vulnerabilities without requiring the victim to take any action, such as clicking a link or opening a file, making them much harder to detect or prevent.
Can average users be affected by these spyware campaigns?
While most attacks target individuals in high-risk roles, any user with valuable or sensitive data could be at risk. Staying updated and practicing good digital hygiene are necessary.
Does Apple know who is behind these spyware attacks?
Apple does not publicly attribute these attacks to specific actors or regions. The company’s focus is on detection, notification, and mitigation rather than attribution.