iVerify reveals evidence of zero-click mobile exploitation targeting high-value individuals in UK, US and Europe

Mobile security firm iVerify has detected a sophisticated zero-click attack campaign targeting iPhones of individuals in political campaigns, media, AI companies, and governments across the UK, US and EU. This marks the first systematic observation of such advanced exploitation in these regions.

During late 2024 and early 2025, iVerify found unusual crashes on iPhones, a sign of advanced ‘zero-click’ attacks via iMessage. These attacks require no user interaction. Forensic analysis revealed a new vulnerability in Apple’s ‘imagent’ process, which has since been patched in iOS 18.3. This vulnerability, dubbed ‘NICKNAME,’ could give attackers a critical entry point.

Though the effort to fully prove exploitation in every case is ongoing, strong evidence points to successful attacks as recently as March. Apple sent threat notifications to an EU official’s device on which these rare crashes were seen. Another device showed ‘cleaning’ behaviour – iMessage attachments rapidly created and deleted after a crash – a sign of successful exploitation.

These extremely rare crashes were only found on iPhones of very high-value targets, representing a tiny fraction (0.0001%) of all crash logs.

iVerify warns that if a device is compromised, even ‘secure’ apps like Signal or Gmail can be breached. This means organisations must urgently upgrade their mobile security. Independent experts, including Patrick Wardle, confirm these mobile compromises are real and happening now.

Six devices are believed to have been targeted, with four showing clear NICKNAME signatures and two showing signs of successful exploitation. Interestingly, all victims had either been targeted by the Chinese Communist Party (CCP) before, were involved in business against the CCP, or were anti-CCP activists. While not definitive, this circumstantial evidence could suggest CCP involvement.

The vulnerability likely works by sending rapid nickname updates to iMessage, causing memory corruption. This makes NICKNAME a strong candidate for use in a larger exploit chain.

While the vulnerability in ‘imagent’ is patched in iOS 18.3.1, iVerify stresses that it could be just one part of an ongoing attack. Other elements of the exploit chain might still be active. iVerify will provide a full technical analysis and more findings as the investigation continues.

A statement released by iVerify said: “In the course of our investigation, we discovered evidence suggesting – but not definitively proving – this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent Threat Notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes.”

The statement concluded: “Differential analysis reveals the vulnerability was patched in the iOS 18.3.1 release; however, NICKNAME could be one link in a larger exploit chain. It is possible that there are other elements of the exploit chain that are still active, which is why we’re only speaking about the link in the chain that has definitively been patched.”
