
From late 2024 through the spring of 2025, the iVerify team documented a series of anomalous incidents affecting iPhones belonging to individuals affiliated with political campaigns, media organizations, technology firms, and government institutions across the United States and the European Union. Device behavior analysis revealed highly uncommon iOS component crashes characteristic of zero-click attacks via iMessage, a class of exploits requiring no user interaction. The emergence of such a technique on U.S. soil, previously unrecorded, marks a deeply concerning precedent.
Forensic investigation of several compromised devices uncovered a previously unknown vulnerability within the system process known as “imagent.” This component governs interactions between iMessage and other parts of the iOS ecosystem and possesses access to numerous sensitive system functions. The vulnerability, provisionally dubbed NICKNAME, opens a vector for further compromise and could serve as a foundational primitive in a full exploitation chain.
The attack mechanism appears to exploit the functionality governing nickname and avatar updates in iOS contact lists. When a rapid succession of nickname changes is sent via iMessage, the system encounters a use-after-free memory error, a classic flaw that permits overwriting critical memory regions, thereby enabling arbitrary code execution. Although a complete exploit chain has yet to be reconstructed, this vulnerability provides a foothold for further malicious actions within the system.
iVerify emphasized that NICKNAME-related crashes were observed exclusively on the devices of high-value targets. Among the 50,000 iPhones examined, such anomalies appeared in only 0.0001% of telemetry logs. On one of the affected devices, researchers observed the rapid creation and deletion of iMessage attachments mere seconds after a suspicious crash — a behavioral hallmark of spyware activity. Coupled with the crash pattern, this serves as a compelling circumstantial indicator of a successful attack.
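The correlation described above (an imagent crash followed within seconds by attachments that are created and then deleted) can be expressed as a simple timeline check. This is an added example, not iVerify's tooling: the event schema, the sample records, and the thresholds (30-second window, 10-second attachment lifetime, at least two short-lived attachments) are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed timeline records (hypothetical schema): (ISO timestamp, event kind, subject).
SAMPLE_EVENTS = [
    ("2025-01-10T09:14:02", "crash", "imagent"),
    ("2025-01-10T09:14:05", "attachment_created", "att-001"),
    ("2025-01-10T09:14:06", "attachment_created", "att-002"),
    ("2025-01-10T09:14:07", "attachment_deleted", "att-001"),
    ("2025-01-10T09:14:08", "attachment_deleted", "att-002"),
    ("2025-01-10T09:14:09", "attachment_created", "att-003"),
    ("2025-01-10T09:14:10", "attachment_deleted", "att-003"),
    ("2025-01-12T18:30:00", "crash", "imagent"),               # crash with no churn after it
    ("2025-01-12T18:45:00", "attachment_created", "att-004"),  # ordinary attachment, kept
    ("2025-01-13T08:00:00", "crash", "SpringBoard"),           # unrelated process
]

def churned_attachments(events, start, end, max_lifetime):
    """Return IDs of attachments both created and deleted inside [start, end]."""
    created, churned = {}, []
    for ts, kind, subject in events:
        if not (start <= ts <= end):
            continue
        if kind == "attachment_created":
            created[subject] = ts
        elif kind == "attachment_deleted" and subject in created:
            if ts - created[subject] <= max_lifetime:
                churned.append(subject)
    return churned

def flag_crashes(raw_events, process="imagent", window_s=30, max_lifetime_s=10, min_churn=2):
    """Flag crashes of `process` followed within window_s by short-lived attachments."""
    events = sorted((datetime.fromisoformat(t), k, s) for t, k, s in raw_events)
    findings = []
    for ts, kind, subject in events:
        if kind != "crash" or subject != process:
            continue
        ids = churned_attachments(events, ts, ts + timedelta(seconds=window_s),
                                  timedelta(seconds=max_lifetime_s))
        if len(ids) >= min_churn:
            findings.append({"crash_at": ts.isoformat(), "churned": ids})
    return findings

if __name__ == "__main__":
    for finding in flag_crashes(SAMPLE_EVENTS):
        print(finding)
```

A hit from a check like this is a triage lead that warrants full forensic review, matching the article's framing of the pattern as circumstantial rather than conclusive.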
Notably, one of the implicated devices received an official Threat Notification from Apple — a move that not only signals the company’s active involvement in the investigation but also tacitly confirms the legitimacy of the threat. The alert was issued to a high-ranking official within the European Union, whose device had previously exhibited the critical anomalies associated with a potential iMessage-driven exploit.
In total, iVerify identified six devices likely targeted by adversaries. Four of these showed symptoms consistent with the NICKNAME vulnerability; two others exhibited unmistakable signs of successful compromise. All the victims shared a common thread: each had either previously been targeted by the Chinese-linked threat group Salt Typhoon, was engaged in business activities of interest to Chinese authorities, or had publicly criticized the Chinese Communist Party.
Researchers caution that while the circumstantial evidence is substantial, technical constraints prevent definitive attribution or full reconstruction of the exploitation chain. Nevertheless, the aggregate of indicators points strongly toward the involvement of entities linked to the Chinese state apparatus.
A comparative analysis of iOS versions indicates that the vulnerability was patched in iOS 18.3.1, suggesting that the exploit leveraging NICKNAME has been neutralized. However, it remains plausible that other components of the attack chain are still active and operational. Accordingly, the iVerify team has chosen to disclose only those findings backed by high confidence, while continuing its broader investigation.
Of particular note is the team’s overarching conclusion: once a device is compromised, no application — whether Signal, Gmail, or any encrypted messenger — can guarantee privacy. The incident serves as a stark reminder that securing communication channels alone is insufficient without comprehensive protection of the underlying device itself. This concern echoes the earlier SignalGate controversy, which similarly highlighted the risks of device-level intrusion over channel compromise.
iVerify’s conclusions have been independently reviewed and validated by leading experts in iOS security. Their consensus affirms that the evidence presented underscores a critical reality: mobile device compromise is no longer a theoretical threat — it is a present danger already impacting users in the U.S. and Europe.