Apple issues spyware warnings as CERT-FR confirms attacks

Apple warned users of a spyware campaign; France’s cyber agency confirmed targeted iCloud-linked devices may be compromised.

Apple warned customers last week about new spyware attacks, the French national Computer Emergency Response Team (CERT-FR) said. The agency confirmed at least four such alerts since early 2025.

Apple sent spyware alerts on March 5, April 29, June 25, and September 3 via email, phone, and account.apple.com, where the warnings also appear after login.

“Receiving a notification means that at least one of the devices linked to the iCloud account has been targeted and is potentially compromised. The notification results in the receipt of an iMessage and an alert email sent by Apple (from threat-notifications[at]email.apple.com or threat-notifications[at]apple.com). When logging into the iCloud account, an alert is displayed. The time between the compromise attempt and the receipt of the notification is several months, but remains variable,” reads the report published by CERT-FR. “The notifications sent report highly sophisticated attacks, most of which employ zero-day vulnerabilities or require no user interaction at all.”

Since 2021, Apple has notified people targeted by spyware such as Pegasus, Predator, Graphite, or Triangulation. These attacks hit high-risk groups such as journalists, lawyers, activists, politicians, and executives in strategic sectors. A notification signals that at least one iCloud-linked device was targeted and may be compromised. Apple delivers alerts via iMessage, email, and iCloud login, often months after the attempt. CERT-FR tracks known campaigns, but the list is not exhaustive.

If you get an Apple alert, contact CERT-FR, keep the email, and, to preserve evidence, don’t alter the device. To reduce spyware risks, update devices, enable automatic updates, separate personal and work use, use Isolation Mode, and restart daily. Practice good IT hygiene: avoid suspicious links, use strong codes, enable 2FA, and avoid untrusted apps.

CERT-FR didn’t share technical details about the attacks that targeted Apple users.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)