
The hacking-for-hire campaign, believed to be orchestrated by attackers with suspected ties to the Indian government, targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to an investigation by Access Now, Lookout, and SMEX.
Targets included prominent Egyptian journalists and government commentators Mostafa Al-A'sar and Ahmed Eltantawi, who were victims of a series of spear-phishing attacks in October 2023 and January 2024 that attempted to compromise their Apple and Google accounts by redirecting them to a fake page where they were asked to enter their credentials and two-factor authentication (2FA) codes.
“The attacks took place between 2023 and 2024, and both targets were prominent critics of the Egyptian government who had faced political imprisonment in the past, and one had previously been targeted by spyware,” Access Now’s digital security helpline said in a statement.
An unnamed Lebanese journalist was also targeted as part of these efforts and received a phishing message via the Apple Messages app and WhatsApp in May 2025 that contained a malicious link that, when clicked, tricked the recipient into entering their account credentials as part of a supposed verification step from Apple.
“The phishing campaign included sustained attacks via iMessage/Apple Messenger and WhatsApp apps. […] While the primary focus of this campaign appears to be Apple’s services, there is evidence that other messaging platforms were also targeted, namely Telegram and Signal,” said SMEX, a digital rights nonprofit in the West Asia and North Africa (WANA) region, which described the campaign as “impersonating Apple Support.”
In Al-A’sar’s case, the spear-phishing attack aimed at compromising his Google account began with a LinkedIn message from a sock puppet persona named “Haifa Kareem” who offered him a job opportunity. After the journalist shared his mobile phone number and email address with the LinkedIn user, he received an email from the user on January 24, 2024, instructing him to join a Zoom call by clicking on a link shortened with Rebrandly.
This URL has been assessed as a consent-based phishing attack that leverages Google’s OAuth 2.0 and grants the attacker unauthorized access to the victim’s account through a malicious web application named ‘en-account.info’.
“Unlike previous attacks in which the attackers spoofed Apple account logins and used fake domains, this attack leveraged OAuth consent to leverage legitimate Google assets to trick targets into providing their credentials,” Access Now said.
“If the targeted user is not logged in to Google, they are prompted to enter their credentials (username and password). More commonly, if the user is already logged in, they are prompted to grant permissions to the attacker-controlled application using a third-party sign-in feature that is familiar to most Google users.”
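The consent-phishing flow described above leaves a trace that a defender can review: the third-party app grant itself. The following is an added example (not code from Access Now, Lookout, or SMEX) that triages OAuth consent grants; the event records are a constructed, simplified shape, so field names must be mapped to whatever your identity provider's token audit export actually uses, and the allowlisted client ID is a placeholder.

```python
"""Flag risky third-party OAuth consent grants (added example, not from the
investigation). Input records are a constructed, simplified shape modelled on
OAuth-grant audit events; adapt field names to your identity provider's export."""
from typing import Iterable

# Scopes whose grant hands over mailbox, file or contact data. A small subset of
# real Google OAuth scope URLs, chosen here for illustration.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Apps the organisation has vetted. The client ID here is a placeholder.
ALLOWED_CLIENT_IDS = {"ALLOWED-CLIENT-ID-PLACEHOLDER"}


def risk_of_grant(event: dict) -> list[str]:
    """Return the reasons a consent grant looks like consent phishing, or [] if benign."""
    reasons: list[str] = []
    if event.get("client_id") in ALLOWED_CLIENT_IDS:
        return reasons
    sensitive = set(event.get("scopes", [])) & SENSITIVE_SCOPES
    if sensitive:
        reasons.append("unvetted app granted sensitive scopes: " + ", ".join(sorted(sensitive)))
    name = event.get("app_name", "").lower()
    # Attacker apps are often named to look like account or security tooling.
    if any(word in name for word in ("account", "security", "verify", "support")):
        reasons.append(f"app name mimics account/security tooling: {event.get('app_name')!r}")
    if event.get("first_seen_in_org", False):
        reasons.append("first grant to this app anywhere in the organisation")
    return reasons


def triage(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Pair each user with the risk reasons for their grant; benign grants are dropped."""
    return [(ev["user"], r) for ev in events if (r := risk_of_grant(ev))]


SAMPLE_EVENTS = [  # constructed records; the app name is the one quoted in the text
    {"user": "reporter@example.org", "app_name": "en-account.info",
     "client_id": "0000-constructed.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/", "openid", "email"],
     "first_seen_in_org": True},
    {"user": "editor@example.org", "app_name": "Calendar Sync",
     "client_id": "ALLOWED-CLIENT-ID-PLACEHOLDER",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "first_seen_in_org": False},
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS):
        print(user, "->", "; ".join(reasons))
```

Revoking the grant (and any refresh tokens issued under it) is the remediation for a flagged user, since a password reset alone does not invalidate an OAuth authorization.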
Some of the domains used in these phishing attacks are listed below.
signin-apple.com-en-uk[.]co
id-apple.com-ja[.]io
facetime.com-jp[.]io
secure-signal.com-ja[.]io
telegram.com-ja[.]io
verify-apple.com-ae[.]net
join-facetime.com-ae[.]net
android.com-ae[.]net
encryption-plugin-signal.com-ae[.]net
Interestingly, the use of the domain “com-ae[.]net” overlaps with an Android spyware campaign documented by Slovak cybersecurity firm ESET in October 2025, highlighting the use of deceptive websites masquerading as Signal, ToTok, and Botim to deploy ProSpy and ToSpy to unspecified targets in the United Arab Emirates.

Specifically, the domain “encryption-plugin-signal.com-ae[.]net” claimed to offer a non-existent encryption plugin for Signal and was used as an initial access vector for ProSpy. This spyware has the ability to extract sensitive data such as contacts, SMS messages, device metadata, and local files.
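Every domain in the list above follows the same construction: a brand name sits in a subdomain, while the registrable domain is a lookalike such as “com-ae.net”, so the hostname reads like “apple.com” to a hurried eye. This added example (not from ESET or the other reports) parses such hostnames to expose that structure; it approximates the registrable domain as the last two labels, a simplification that production code should replace with a Public Suffix List lookup.

```python
"""Classify lookalike hostnames of the form brand.com-<cc>.<tld> (added example;
not from the cited reports). Registrable domain is approximated as the last two
labels, a simplification: production code should use the Public Suffix List."""
import re

BRANDS = ("apple", "facetime", "signal", "telegram", "android", "whatsapp", "icloud")
# Genuine registrable domains of the impersonated services (well-known, not from the page).
LEGIT = {"apple.com", "signal.org", "telegram.org", "android.com", "whatsapp.com"}
# "com-ae", "com-ja", "com-en-uk": a label that fakes a ".com" followed by a country code.
FAKE_COM_LABEL = re.compile(r"com-[a-z]{2,3}(-[a-z]{2,3})?")


def refang(domain: str) -> str:
    """Turn defanged 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").strip().lower()


def registrable(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (see module docstring)."""
    return ".".join(host.split(".")[-2:])


def analyze(defanged: str) -> dict:
    """Describe why a hostname does or does not look like a brand lookalike."""
    host = refang(defanged)
    labels = host.split(".")
    reg = registrable(host)
    prefix = labels[:-2]  # everything left of the registrable domain
    brands = [b for b in BRANDS if any(b in label for label in prefix)]
    fake_com = bool(FAKE_COM_LABEL.fullmatch(labels[-2]))
    return {
        "host": host,
        "registrable_domain": reg,
        "brand_in_subdomain": brands,
        "fake_com_label": fake_com,
        # A brand name outside a genuine registrable domain, or a faked ".com" label, is the tell.
        "suspicious": reg not in LEGIT and (bool(brands) or fake_com),
    }


OBSERVED = [  # three defanged domains quoted in the text above, plus a constructed legitimate control
    "signin-apple.com-en-uk[.]co",
    "verify-apple.com-ae[.]net",
    "encryption-plugin-signal.com-ae[.]net",
    "appleid.apple[.]com",
]

if __name__ == "__main__":
    for d in OBSERVED:
        r = analyze(d)
        print(f"{r['host']:45} reg={r['registrable_domain']:15} suspicious={r['suspicious']}")
```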
Neither Egyptian journalist’s account was ultimately compromised. However, SMEX revealed that the first attack, which targeted a Lebanese journalist on May 19, 2025, resulted in a complete compromise of Apple accounts and the addition of virtual devices to the accounts to gain permanent access to the victims’ data. The second wave of attacks ended in failure.
Although there is no evidence that the three journalists were targeted by spyware, evidence indicates that attackers could use the techniques and infrastructure involved in the attack to deliver malicious payloads and exfiltrate sensitive data.
“This suggests that the operations we identified may be part of a broader regional surveillance operation aimed at monitoring communications and collecting personal data,” Access Now said.
In its own analysis of these campaigns, Lookout attributes this disparate activity to hacking efforts associated with Bitter, a threat cluster assessed to be tasked with gathering intelligence for the benefit of the Indian government, whose espionage operations have been active since at least 2022.
Based on observed phishing domains and ProSpy malware decoys, this campaign appears to be targeting victims in Bahrain, the UAE, Saudi Arabia, the United Kingdom, Egypt, and possibly the United States or graduates of universities in the United States, indicating that the targeting extends beyond civil society members in Egypt and Lebanon.
“This operation features a combination of targeted spear phishing conducted through fake social media accounts and a messaging application utilizing sustained social engineering efforts, which may result in the distribution of Android spyware depending on the targeted device,” the cybersecurity firm said.
The link between this campaign and Bitter comes from infrastructure overlap between “com-ae[.]net” and “youtubepremiumapp[.]com”, a domain that Cyble and Meta flagged as linked to Bitter in August 2022 in connection with an espionage campaign that used fake sites imitating trusted services such as YouTube, Signal, Telegram, and WhatsApp to distribute Android malware called Dracarys.
Lookout’s analysis also reveals similarities between Dracarys and ProSpy, even though the latter was developed several years later in Kotlin instead of Java. “Both families use worker logic to process tasks, have similar names for their worker classes, and both use numbered C2 commands,” the company added. “ProSpy extracts data to ‘v3’ or later server endpoints, while Dracarys extracts data to ‘r3’ or later server endpoints.”
Despite these connections, what makes this campaign unusual is that Bitter has never previously been involved in espionage activities targeting members of civil society. This gives rise to two possibilities: either it is the work of a hacking operation associated with Bitter, or the threat actor itself is behind it, in which case it may indicate an expansion of its target range.
“We don’t know if this indicates an expanded role for Bitter or an overlap between Bitter and unknown hacking-for-hire groups,” Lookout added. “What we do know is that mobile malware continues to be the primary means of spying on civil society, whether purchased through commercial surveillance vendors, outsourced to hacking organizations, or deployed directly by nation states.”
