An apparent hack-for-hire campaign, seemingly orchestrated by a threat actor with suspected ties to the Indian government, targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX.
Two of the targets were prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, who were on the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA) codes.
“The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware,” Access Now’s Digital Security Helpline said.
Also singled out as part of these efforts was an anonymous Lebanese journalist, who received phishing messages in May 2025 via the Apple Messages app and WhatsApp containing malicious links that, when clicked, tricked users into entering their account credentials as part of a supposed verification step from Apple.
“The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp app, […] impersonating Apple Support,” SMEX, a digital rights non-profit in the West Asia and North Africa (WANA) region, said. “While the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted.”
In the case of Al-A’sar, the spear-phishing attack aimed at compromising his Google account began with a LinkedIn message from a sock puppet persona named “Haifa Kareem,” who approached him with a job opportunity. After the journalist shared his mobile number and email address with the LinkedIn user, he received an email from the latter on January 24, 2024, instructing him to join a Zoom call by clicking on a link shortened using Rebrandly.
The URL is assessed to be a consent-based phishing attack that leverages Google’s OAuth 2.0 to grant the attacker unauthorized access to the victim’s account via a malicious web application named “en-account.info.”
“Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials,” Access Now said.
“If the targeted user is not logged in to Google, they are prompted to enter their credentials (username and password). More commonly, if the user is already logged in, they are prompted to grant permission to an application that the attacker controls, using a third-party sign-in feature that is familiar to most Google users.”
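The consent-phishing flow described above can be caught before the user ever reaches the consent screen, because the authorization URL itself names the application that will receive the access. The following Python check is an added example, not code from the original report or from Access Now's tooling: it parses an OAuth 2.0 authorization request as a proxy or mail gateway would see it and flags a redirect to an application host outside an allowlist, sensitive API scopes, and a request for a refresh token. The sample URLs, the placeholder client_id and the scopes are constructed; the page only states that the malicious application was named "en-account.info", not which permissions it asked for.

```python
"""Flag consent-phishing indicators in OAuth 2.0 authorization requests.

Added example: inspects the authorization URL a user is sent to, as a proxy or
mail gateway would see it, before any consent is granted.
"""
from urllib.parse import parse_qs, urlparse

# The only host that legitimately serves Google's OAuth 2.0 consent screen.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Google API scopes that expose mail, contacts or files. These are real scope
# strings; which scopes the campaign on this page requested is not known.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}


def inspect_oauth_request(url, approved_redirect_hosts):
    """Return a list of findings for one authorization URL; empty means nothing flagged."""
    parsed = urlparse(url)
    findings = []

    if parsed.hostname not in GOOGLE_AUTH_HOSTS:
        # Not an OAuth flow at all: a look-alike login page collecting the password directly.
        findings.append("auth host is not Google: %s" % parsed.hostname)
        return findings

    params = parse_qs(parsed.query)

    # redirect_uri names the application that receives the authorization code.
    # An unknown host here is the attacker-controlled app the user is asked to authorize.
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    if redirect_host not in approved_redirect_hosts:
        findings.append("unapproved redirect_uri host: %s" % redirect_host)

    requested = set(params.get("scope", [""])[0].split())
    risky = sorted(requested & SENSITIVE_SCOPES)
    if risky:
        findings.append("sensitive scopes requested: " + ", ".join(risky))

    # access_type=offline asks for a refresh token, i.e. access that outlives the session.
    if "offline" in params.get("access_type", []):
        findings.append("access_type=offline requests a refresh token (persistent access)")

    return findings


# Constructed sample: a consent request redirecting to the malicious app host named on the page.
# The client_id is a placeholder, not a real Google client.
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fen-account.info%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "&access_type=offline&prompt=consent"
)

# Constructed sample: a credential-harvesting page on one of the domains listed on the page.
SAMPLE_FAKE_LOGIN_URL = "https://signin-apple.com-en-uk.co/account/verify"

# Constructed sample: a benign sign-in request from an approved application.
SAMPLE_BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.org%2Foauth%2Fcallback"
    "&response_type=code&scope=openid%20email"
)

APPROVED_REDIRECT_HOSTS = {"app.example.org"}

if __name__ == "__main__":
    for name, url in [("consent", SAMPLE_CONSENT_URL),
                      ("fake-login", SAMPLE_FAKE_LOGIN_URL),
                      ("benign", SAMPLE_BENIGN_URL)]:
        print(name, inspect_oauth_request(url, APPROVED_REDIRECT_HOSTS) or ["ok"])
```

The allowlist of redirect hosts is the decisive check: a consent request to a legitimate Google host with a redirect to an unknown application is exactly the case the report describes, and it looks clean to any filter that only inspects the link's domain.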
Some of the domains used in these phishing attacks are listed below –
- signin-apple.com-en-uk[.]co
- id-apple.com-en[.]io
- facetime.com-en[.]io
- secure-signal.com-en[.]io
- telegram.com-en[.]io
- verify-apple.com-ae[.]net
- join-facetime.com-ae[.]net
- android.com-ae[.]net
- encryption-plug-in-signal.com-ae[.]net
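The list shows the pattern the report later pivots on: the impersonated brand sits in the attacker-chosen subdomain, while the registered domain is a label such as "com-en" or "com-ae" that reads like a ".com" address to a hurried eye. The following Python is an added example, not part of the report or of the researchers' tooling: it applies that observation as a triage check over the published indicators and groups them by registered domain, which is the pivot that ties "com-ae[.]net" to the other activity discussed below. The brand list and owner domains are an illustrative assumption, and the legitimate control domain is constructed.

```python
"""Classify look-alike domains of the kind listed above and cluster them by registered domain.

Added example, not from the report: the brand names and look-alike labels are
the pattern visible in the published list; the control domain is constructed.
"""
import re
from collections import Counter

# Brands impersonated in the listed domains, and the registrable domains their owners use.
BRANDS = ("apple", "facetime", "signal", "telegram", "android", "whatsapp")
LEGIT_REGISTRABLE = {"apple.com", "signal.org", "telegram.org", "android.com", "whatsapp.com"}

# A registered label built to read like ".com" plus a language or country code: com-en, com-ae, com-en-uk.
FAKE_COM_LABEL = re.compile(r"com-[a-z]{2}(-[a-z]{2})?")


def refang(domain):
    """Turn a defanged indicator like 'id-apple.com-en[.]io' back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def registrable(hostname):
    """Registered domain, taken as the last two labels (enough for the gTLDs here; no public-suffix list)."""
    return ".".join(hostname.split(".")[-2:])


def classify(defanged):
    """Return the reasons a hostname looks like brand impersonation; empty means none found."""
    host = refang(defanged)
    labels = host.split(".")
    reg = registrable(host)
    reasons = []

    hit = [b for b in BRANDS if b in host]
    if hit and reg not in LEGIT_REGISTRABLE:
        # The brand appears only in the attacker-chosen subdomain, not in the registered domain.
        reasons.append("brand '%s' outside its owner's domain (registered: %s)" % ("/".join(hit), reg))

    if len(labels) >= 2 and FAKE_COM_LABEL.fullmatch(labels[-2]):
        reasons.append("registered label '%s' imitates a .com suffix" % labels[-2])
    return reasons


def cluster_by_registrable(defanged_domains):
    """Count indicators per registered domain; a shared registration is a pivot point for tracking infrastructure."""
    return Counter(registrable(refang(d)) for d in defanged_domains)


# The domains published in the report, kept defanged as they appear there.
REPORTED_DOMAINS = [
    "signin-apple.com-en-uk[.]co",
    "id-apple.com-en[.]io",
    "facetime.com-en[.]io",
    "secure-signal.com-en[.]io",
    "telegram.com-en[.]io",
    "verify-apple.com-ae[.]net",
    "join-facetime.com-ae[.]net",
    "android.com-ae[.]net",
    "encryption-plug-in-signal.com-ae[.]net",
]

if __name__ == "__main__":
    for d in REPORTED_DOMAINS + ["appleid.apple.com"]:  # last one is a constructed legitimate control
        print(d, "->", classify(d) or ["no indicators"])
    print(cluster_by_registrable(REPORTED_DOMAINS))
```

Run against the list, every published indicator is flagged on both counts and the control passes; the clustering step collapses the nine hostnames to three registered domains, two of which (com-en[.]io and com-ae[.]net) each carry four indicators.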
Interestingly, the use of the domain “com-ae[.]net” overlaps with an Android spyware campaign that Slovakian cybersecurity company ESET documented in October 2025, highlighting the use of deceptive websites impersonating Signal, ToTok, and Botim to deploy ProSpy and ToSpy to unspecified targets in the U.A.E.

Specifically, the domain “encryption-plug-in-signal.com-ae[.]net” was used as an initial access vector for ProSpy by claiming to be a non-existent encryption plugin for Signal. The spyware comes fitted with capabilities to exfiltrate sensitive data like contacts, SMS messages, device metadata, and local files.
Neither of the Egyptian journalists’ accounts was ultimately compromised. However, SMEX revealed that the initial attack that targeted the Lebanese journalist on May 19, 2025, fully compromised their Apple Account and resulted in the addition of a virtual device to the account to gain persistent access to the victim’s data. The second wave of attacks was unsuccessful.
While there is no evidence that the three journalists were targeted with spyware, the evidence shows that threat actors can use the techniques and infrastructure associated with the attacks to deliver malicious payloads and exfiltrate sensitive data.
“This suggests that the operation we identified may be part of a broader regional surveillance effort aimed at monitoring communications and harvesting personal data,” Access Now said.
Lookout, in its own analysis of these campaigns, attributed the disparate efforts to a hack-for-hire operation with ties to Bitter, a threat cluster that is assessed to be tasked with intelligence gathering efforts in the interests of the Indian government. The espionage campaign has been operational since at least 2022.
Based on the phishing domains observed and ProSpy malware lures, the campaign has likely targeted victims in Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt, and possibly the U.S., or alumni of U.S. universities, indicating the attacks go beyond members of Egyptian and Lebanese civil society.
“The operation features a combination of targeted spear-phishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device,” the cybersecurity company said.
The campaign’s links to Bitter stem from infrastructure connections between “com-ae[.]net” and “youtubepremiumapp[.]com,” a domain flagged by Cyble and Meta in August 2022 as linked to Bitter in relation to an espionage effort that used fake websites mimicking trusted services like YouTube, Signal, Telegram, and WhatsApp to distribute an Android malware dubbed Dracarys.
Lookout’s analysis has also uncovered similarities between Dracarys and ProSpy, despite the latter being developed years later using Kotlin instead of Java. “Both families use worker logic to handle tasks, and they name the worker classes similarly. They also both use numbered C2 commands,” the company added. “While ProSpy exfiltrates data to server endpoints starting with ‘v3,’ Dracarys exfiltrates data to server endpoints starting with ‘r3.’”
These connections notwithstanding, what makes the campaign unusual is that Bitter has never been attributed to espionage campaigns targeting civil society members. This raises two possibilities: either it is the work of a hack-for-hire operation with ties to Bitter, or the threat actor itself is behind it, in which case it would indicate an expansion of its targeting scope.
“We do not know whether this represents an expansion of Bitter’s role, or if it is an indication of overlap between Bitter and an unknown hack-for-hire group,” Lookout added. “What we do know is that mobile malware continues to be a primary means of spying on civil society, whether it is purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by a nation state.”