AnĀ apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findingsĀ from AccessĀ Now, Lookout,Ā and SMEX.
TwoĀ of the targets included prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, who were at the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA)Ā codes.
“The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targetedĀ with spyware,” Access Now’s Digital Security HelplineĀ said.
AlsoĀ singled out as part of these efforts was an anonymous Lebanese journalist, who received phishing messages in May 2025 through the Apple Messages app and WhatsApp containing malicious links that, when clicked, tricked users into entering their account credentials as part of a supposed verification step fromĀ Apple.
“The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp app, […] impersonating Apple Support,” SMEX, a digital rights non-profit in the West Asia and North Africa (WANA) region, said. “While the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted.”
InĀ the case of Al-A’sar, the spear-phishing attack aimed at compromising his Google account began with a LinkedIn message from a sock puppet persona named “Haifa Kareem,” who approached him with a job opportunity. AfterĀ the journalist shared their mobile number and email address with the LinkedIn user, he received an email from the latter on January 24, 2024, instructing him to join a Zoom call by clicking on a link shortened using Rebrandly.
TheĀ URL is assessed to be a consent-based phishing attack that leverages Google’s OAuth 2.0Ā to grant the attacker unauthorized access to the victim’s account through a malicious web application named “en-account.info.”
“Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials,” Access NowĀ said.
“If the targetedĀ user is not loggedĀ in to Google, they are prompted to enter their credentials (username and password). MoreĀ commonly, if theĀ user is already loggedĀ in, they are prompted to grant permission to an application that the attacker controls, using a third-party sign-in feature that is familiar to most GoogleĀ users.”
Some of the domains used in these phishing attacks are listed belowĀ –
- signin-apple.com-en-uk[.]co
- id-apple.com-en[.]io
- facetime.com-en[.]io
- secure-signal.com-en[.]io
- telegram.com-en[.]io
- verify-apple.com-ae[.]net
- join-facetime.com-ae[.]net
- android.com-ae[.]net
- encryption-plug-in-signal.com-ae[.]net
Interestingly, the use of theĀ domainĀ “com-ae[.]net” overlaps with an Android spyware campaignĀ that Slovakian cybersecurity company ESET documented in OctoberĀ 2025, highlighting the useĀ of deceptive websites impersonating Signal, ToTok, and Botim toĀ deploy ProSpy andĀ ToSpy to unspecified targets in theĀ U.A.E.
Specifically, theĀ domainĀ “encryption-plug-in-signal.com-ae[.]net” was used as an initial access vector for ProSpy by claiming to be a non-existent encryptionĀ plugin forĀ Signal.TheĀ spyware comesĀ fitted with capabilities to exfiltrate sensitiveĀ data like contacts, SMS messages, device metadata, and localĀ files.
Neither of the Egyptian journalists’ accounts was ultimately infiltrated. However, SMEX revealed that the initial attack that targeted the Lebanese journalist on May 19, 2025, completely compromised their Apple Account and resulted in the addition of a virtual device to the account to gain persistent access toĀ the victim’s data. TheĀ second wave of attacks was unsuccessful.
WhileĀ there is no evidence that the three journalists wereĀ targeted with spyware, the evidence shows that threat actors can use the methods and infrastructure associated with the attacks to deliver malicious payloads and exfiltrate sensitiveĀ data.
“This suggests that the operation we identified may be part of a broader regional surveillance effort aimed at monitoring communications and harvesting personalĀ data,” Access NowĀ said.
Lookout, in its own analysis of these campaigns, attributed the disparate efforts to a hack-for-hire operation with tiesĀ to Bitter, a threatĀ cluster that’sĀ assessed toĀ be taskedĀ with intelligenceĀ gathering efforts in the interests of the Indian government. TheĀ espionage campaign has been operational since at leastĀ 2022.
BasedĀ on the phishing domains observed and ProSpy malware lures, the campaign has likely targeted victims in Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt, and potentially the U.S.,Ā or alumni of U.S. universities, indicating the attacks go beyond members of Egyptian and Lebanese civilĀ society.
“The operation features a combination of targeted spear-phishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending onĀ the targetāsĀ device,” the cybersecurity companyĀ said.
TheĀ campaign’s links to Bitter stemĀ from infrastructure connectionsĀ betweenĀ “com-ae[.]net” andĀ “youtubepremiumapp[.]com,” a domain flaggedĀ by CybleĀ and Meta in August 2022 as linked to Bitter in relation to an espionage effort that used fake sites mimicking trusted services like YouTube, Signal, Telegram, and WhatsApp to distribute an Android malware dubbedĀ Dracarys.
Lookout’s analysis has also uncovered similarities between Dracarys and ProSpy, despite theĀ latter beingĀ developed years later usingĀ Kotlin insteadĀ ofĀ Java.Ā “Both families use worker logic to handle tasks, and they name the worker classes similarly. TheyĀ also both use numbered C2Ā commands,” the companyĀ added.Ā “While ProSpy exfiltrates data to server endpoints startingĀ withĀ ‘v3,’ Dracarys exfiltrates data to server endpoints startingĀ withĀ ‘r3.'”
TheseĀ connections notwithstanding, what makes the campaign unusual is that Bitter hasĀ never been attributed to espionage campaigns targeting civil societyĀ members. ThisĀ has raised two possibilities:Ā either it’s the work of a hack-for-hire operation with ties to Bitter or the threat actor itself is behind it, in which case it could indicate an expansion of its targetingĀ scope.
“We do not know whether this represents an expansionĀ of Bitter’s role, or if it is an indication of overlap between Bitter and an unknown hack-for-hireĀ group,” LookoutĀ added.Ā “What we do know is that mobile malware continues to be a primary means of spying on civil society, whether it is purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by a nationĀ state.”
About The Author
Original post here
