Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

Paragon

Paragon is spyware produced by an Israel-based company and described in the content as a commercial or mercenary surveillance tool intended for use on criminals. In January 2025, WhatsApp notified approximately 90 users in about two dozen countries that they had been targeted with Paragon spyware, including journalists and members of civil society; seven of the notified victims were in Italy. The content links Paragon to a broader pattern of targeted surveillance against activists and journalists in Italy, including Luca Casarini and Francesco Cancellato, whom WhatsApp told the spyware used against them had been made by Paragon. The company reportedly suspended or canceled its relationship with Italy in 2025 after allegations involving spyware use against a journalist and after the Italian government declined to assist an investigation. The content further states that Paragon spyware attacks exposed in 2025 targeted dozens of users through exploitation of WhatsApp and third-party component vulnerabilities. Mentioned indicators in the content are limited to victim notifications and contextual reporting; no specific technical IOCs such as domains, hashes, or filenames are provided.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence1

As commercial spyware relies on zero-day exploits for deployment, Insikt Group previously assessed that, in addition to posing serious human rights concerns, its misuse threatens the broader cyber ecosystem by enabling the proliferation of critical vulnerabilities.

Command and Control

2 techniques
T1219Remote Access ToolsEvidence1

immigration officials have a 'growing surveillance arsenal' of tools at their disposal, including those from Paragon that allow 'ICE or any government customer to remotely break into most likely fully up-to-date mobile phones.'

T1573Encrypted ChannelEvidence1

acting ICE Director Todd Lyons wrote that he had authorized the use of “cutting-edge technological tools” to help the Homeland Security Investigations division fight fentanyl, particularly against organizations using encrypted communications.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
recorded future blogNews
Jun 17, 2026
State Digital Surveillance Risk Landscape

Commercial spyware implicated in targeting journalists and civil society members across multiple countries.

Read more
citizenlabNews
Nov 11, 2025
Why a Lot of People are Getting Hacked by Government Spyware - The Citizen Lab

Commercial spyware referenced in the context of targeted surveillance and reported infections (e.g., in Italy).

Read more
theguardianNews
Apr 29, 2025
Italian priest close to pope told he was target of surveillance tool used by a government | Surveillance | The Guardian

Government-grade spyware described as military-grade and intended for use on criminals; it was reportedly used to target activists and a journalist in Italy.

Read more
security weekNews
Jan 5, 2026
Researcher Spotlights WhatsApp Metadata Leak as Meta Begins Rolling Out Fixes

Commercial spyware used to target users by exploiting zero-day vulnerabilities, particularly for surveillance and data exfiltration.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.

Paragon | Mallory