At least one member of the Ukrainian armed forces
March 16, 2026
•[ espionage, spyware, phishing ]
The Record reported researchers attributed a new espionage campaign targeting Ukrainian organizations to the Russia-linked group Laundry Bear (Void Blizzard), active since at least 2024. The campaign used spyware embedded in documents themed around Starlink satellite terminals and a well-known Ukrainian charity. The article is campaign reporting (multiple targets) and does not provide a single named victim incident with bounded impact metrics.
Undisclosed Israeli individual smartphone
March 1, 2026
•[ malware, phishing, spyware ]
A trojanized fake Red Alert app delivered through spoofed SMS messages targeted Israeli users and, when installed, enabled theft of messages, contacts, location data, and other device information from affected smartphones.
At least one use of GhostChat
February 2, 2026
•[ spyware, phishing, mobile malware ]
A fake Android dating app (GhostChat) identified by researchers as spyware. The app lures victims with locked profiles and fake access codes, then redirects them to WhatsApp and abuses permissions to extract data from victims phones.
Undisclosed Ukrainian Regional News outlet
November 1, 2025
•[ iPhone hacking, DarkSword, UNC6353 ]
The Record reported Lookout researchers attributed an advanced iPhone hacking tool dubbed DarkSword to a likely Russia-linked actor tracked as UNC6353. The campaign has been active since at least late 2025 and continued through March 2026, primarily targeting Ukrainians via watering-hole attacks on compromised Ukrainian websites. Lookout said DarkSword can break into iPhones with little to no user interaction, extract sensitive data within minutes, and then erase traces of intrusion. The article is campaign-level reporting rather than a single named-victim incident, but it describes successful device compromise and data theft capability against targeted Ukrainian users.
Francesco Gaetano Caltagirone
October 9, 2025
•[ spyware, espionage, government ]
Report that Graphite spyware was used to spy on the businessman; tool sold to governments.
Colombian Justice Minister Andres Idarraga
August 1, 2025
•[ spyware, Pegasus, surveillance ]
Colombias justice minister stated that forensic evidence indicates his phone was hacked using Israeli Pegasus spyware during the second half of 2025 while he was investigating alleged corruption in the military. He alleged the operation was ordered through the Defense Ministry using state counterintelligence structures and confidential funds. According to his statement, investigators found his phone was taken over more than 8,700 times and that 2.3 GB of data were downloaded, including sensitive corruption complaints, and that the camera/microphone were illicitly activated on numerous occasions. The incident is characterized as a targeted spyware intrusion against a senior government official with alleged state involvement.
Boniface Mwangi (Kenyan activist)
July 1, 2025
•[ spyware, surveillance, data extraction ]
An AFP/Digital Journal report said Kenyan activist Boniface Mwangi feared for his life after learning spyware was installed on his phone while it was in police custody following his July 2025 arrest. The article cited Citizen Lab findings that a surveillance tool linked to Cellebrite technology enabled Kenyan police to access extensive content on the device, including messages, private files, financial information, passwords, and other sensitive data. The report describes state-enabled device compromise/data extraction rather than an enterprise network breach.
Beppe Caccia
March 11, 2025
•[ spyware, targeted attack ]
Italian report described alleged surveillance using commercial spyware against a public figure.
Balkan Investigative Reporting Network Journalists
February 26, 2025
•[ spyware, phishing, targeted attack ]
Amnesty reported two Serbian journalists targeted with Pegasus spyware via one-click links.
Fanpage.it / Francesco Cancellato
January 31, 2025
•[ spyware, espionage, zero-click ]
Francesco Cancellato, editor-in-chief of Fanpage.it, was targeted with the Israeli-made Graphite spyware developed by Paragon Solutions, delivered via WhatsApp zero-click exploit. Citizen Lab and CPJ linked the campaign to a likely state client of Paragon, with political-espionage motives tied to Fanpages undercover investigation exposing neo-fascist youth elements within Italys ruling party. No confirmed infection or data exfiltration publicly reported.
At least one Russian industrial company
January 1, 2025
•[ phishing, spyware, data leak ]
Kaspersky-reported campaign uses phishing and a new spyware ('Batavia') to exfiltrate sensitive documents and system info from Russian industrial firms.
Italian Political Consultant, Francesco Nicodemo
January 1, 2025
•[ spyware, government surveillance, targeted attack ]
Italian political consultant Francesco Nicodemo, who has worked with centre-left politicians, revealed in November 2025 that he was notified by WhatsApp in January that his phone had been targeted with Paragon spyware. His case broadens an existing spyware scandal in Italy that has already affected journalists, activists and business leaders. Parliamentary committee COPASIR has acknowledged that Italian intelligence agencies used Paragon in some cases, but it is unclear who ordered surveillance on Nicodemo or whether his device was successfully infected, prompting calls from experts for greater transparency from both the government and the spyware vendor.
Teixeira Cândido (Angolan journalist) / Syndicate of Angolan Journalists context
May 3, 2024
•[ spyware, Predator, mobile infection ]
Amnesty Internationals Security Lab reported forensic confirmation that Intellexas Predator spyware successfully infected the iPhone of Angolan journalist and press freedom activist Teixeira Cndido on May 4, 2024 after he opened a malicious link sent via WhatsApp. Amnesty said the attacker could have gained wide access to device data (including messages and files) and that the infection appears to have been removed after the phone was restarted later that day. The investigation described multiple additional infection links sent afterward that did not appear to succeed. Attribution to a specific government customer was not made in the public report.
Loïc Lawson and Anani Sossou
January 16, 2024
•[ spyware, surveillance, Pegasus ]
Reporters Without Borders (RSF) announces to have found traces of spyware resembling NSO groups Pegasus surveillance tool on the phones of two journalists in Togo (Loc Lawson and Anani Sossou).
