Apple has issued another round of threat notifications warning users about attempts to compromise devices with mercenary-grade spyware. According to France’s national incident response team CERT-FR, at least four notification waves were observed in 2025—on 5 March, 29 April, 25 June, and 3 September. Alerts were sent to phone numbers and email addresses linked to Apple IDs and appeared at the top of the account dashboard after sign-in at account.apple.com.
Targeted surveillance of high-risk users
CERT-FR attributes these alerts to highly targeted operations that rely on zero-day exploits (for vulnerabilities not yet patched) and zero-click exploits (which require no user interaction). Typical targets include journalists, human rights defenders, lawyers, policymakers, public officials, and executives in strategic sectors. Receiving an Apple notification signals that at least one device tied to the iCloud account was selected as a target and may have been compromised.
Technical background: zero-day and zero-click chains
In August and September, Apple shipped out-of-band security updates addressing the zero-day CVE-2025-43300. Researchers report that this vulnerability was paired with a WhatsApp zero-click vector, CVE-2025-55177, enabling stealthy device compromise without clicking links or opening attachments. Such exploit chains are consistent with techniques seen in prior mercenary spyware campaigns—historically exemplified by tools like Pegasus—documented by independent labs and referenced by Apple’s support guidance on “mercenary spyware.”
Apple’s notification process and limits on technical details
Apple delivers notifications via SMS, email, and within the Apple ID portal. The company intentionally withholds specific indicators of compromise to avoid aiding spyware operators in evasion. Based on previous cycles, false positives are rare, and Apple’s guidance is tailored to individuals at elevated risk.
Immediate steps for affected Apple users
Users who receive a threat notification should act quickly. Apple advises a full factory reset, then updating iOS/iPadOS/macOS and all critical apps—specifically including WhatsApp—to the latest versions. Enabling Lockdown Mode is strongly recommended; this hardened profile restricts message parsing, web attack surface, and certain system services to reduce exposure to zero-days and zero-click exploits.
For rapid assistance, Apple directs victims to the Access Now Digital Security Helpline, a 24/7 resource for civil society. Additional support should include national CERTs and trusted NGOs, as well as independent device verification by specialists experienced in mobile forensics and incident response.
Organizational defenses against mobile spyware
Organizations with elevated risk profiles should formalize a defense-in-depth program: enforce centralized and timely patching, provision separate devices for highly sensitive communications, minimize installed apps, restrict configuration profiles, and use mobile device management (MDM) for rapid response. Routine mobile incident response exercises, least-privilege access, and adoption of secure, verification-capable communication channels (with identity and encryption key validation) materially reduce exposure.
Why speed and isolation matter
Zero-click operations leave few artifacts, and adversaries swiftly rotate infrastructure and techniques after disclosure. Speed of response is critical: patch immediately, rotate keys and tokens, consider eSIM reissuance, and audit installed applications. In parallel, risk separation—isolating work and personal accounts/devices—limits blast radius if a single endpoint is compromised.
The 2025 notification series tracked by CERT-FR underscores sustained activity by mercenary spyware operators focused on high-risk users. Those alerted by Apple should move without delay: reset and update devices, enable Lockdown Mode, seek expert assistance, and revisit their threat model. Even when technical details are scarce, prompt, layered mitigation significantly lowers the chance of successful compromise and helps preserve the confidentiality and integrity of sensitive communications. For broader context and best practices, consult Apple’s published guidance on threat notifications and Lockdown Mode, CERT advisories, and independent research from organizations such as Citizen Lab and Access Now.