
ZATAZ » Apple alerts its users targeted by spyware

Service Com'


Since 2021, Apple has been notifying its users when spyware attempts to compromise a device linked to their iCloud account, a threat affecting journalists, lawyers, and strategic decision-makers.

The notifications Apple has sent since 2021 relate to attacks carried out through sophisticated spyware such as Pegasus, Predator, Graphite, or Triangulation. These tools, designed to target sensitive profiles such as journalists, activists, politicians, or executives in key sectors, are difficult to detect and endanger the security of private communications. When a user receives an Apple alert, it means that at least one device linked to their iCloud account has been the subject of a compromise attempt. The information often arrives several months after the initial attack. Since March 2025, CERT-FR has recorded several waves of notifications, confirming the growing scale of cyberthreats aimed at strategic individuals.

A new type of notification mechanism

Apple has implemented a specific process to inform potential victims. The alert comes in the form of an iMessage and an official email sent from “[email protected]” or “[email protected].” A notification also appears when logging into the iCloud account. The company does not disclose the precise origin of the attacks but stresses that they are carried out by actors with significant technical and financial resources, generally linked to state surveillance operations. The delay between the intrusion attempt and the notification varies greatly, limiting immediate response, but the alert remains a critical signal.

The spyware used in these attacks belongs to the “zero-click” category, meaning it can install without any user interaction. Pegasus (developed by NSO Group), Predator, Graphite, and Triangulation are used to remotely monitor communications, access files, and activate microphones or cameras. They are used against individuals whose activities are of political, economic, or security interest. The most frequently targeted profiles are investigative journalists, lawyers engaged in sensitive cases, civil society activists, senior officials, as well as executives of companies operating in strategic sectors such as energy or telecommunications. For intelligence services, these infections provide an invisible window into the digital life of their targets.

Campaigns identified in 2025

Since March 5, 2025, CERT-FR has identified several waves of notifications sent by Apple. These alerts were transmitted on March 5, April 29, June 25, and September 3, 2025. The agency notes that this list is not exhaustive, as it only includes officially reported campaigns. Each of these waves illustrates the persistence of actors able to deploy extremely costly spyware, reserved for targeted operations. The continuation of these campaigns confirms the resilience and adaptability of attackers despite media coverage and increased vigilance among potential victims.

The attacks mentioned often rely on so-called “zero-day” vulnerabilities, sometimes exploitable without any user action. To face this threat, Apple recommends several measures to limit exposure.

Promptly updating devices with the latest iOS or macOS versions is a first defense, as these updates frequently include patches for vulnerabilities exploited by spyware. Enabling automatic security updates further strengthens this protection. Separating personal and professional use, or even using different devices, reduces the risk of cross-compromise. Activating “Lockdown Mode” on iPhones and iPads blocks certain functions that advanced attacks can exploit. Finally, a simple daily restart of the device can temporarily neutralize some stealth infections.

On a broader level, adopting good digital hygiene practices remains essential. Not opening suspicious links or attachments, choosing a unique and strong passcode, enabling two-factor authentication, and avoiding apps from unofficial sources are all key precautions.

In a professional setting, vigilance must be heightened. Providing dedicated devices for professional use, checking the origin of received messages—especially those sent from Apple’s threat notification addresses—and banning electronic devices during sensitive meetings are crucial measures. When systematically applied, these rules reduce exposure to well-equipped attackers.

Apple threat notifications should not be ignored. They signal some of the most sophisticated attacks, carried out by actors with state-level or state-affiliated resources. While the vast majority of users will never be targeted, exposed profiles must apply the recommended security measures without delay. The question remains: can today’s protection tools truly contain digital offensives that cost several million dollars and focus on a small but strategic set of victims? [ZATAZ News English version]


