Bitter-Linked Hack-for-Hire Campaign Compromises Journalists Across MENA Region
A sophisticated hack-for-hire operation, believed to be linked to a threat actor with connections to the Indian government, has targeted journalists, activists, and government officials throughout the Middle East and North Africa (MENA). This alarming development has been detailed in findings from cybersecurity organizations including Access Now, Lookout, and SMEX.
Targeted Attacks on Journalists
Among the notable targets were prominent Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy. They faced a series of spear-phishing attacks aimed at compromising their Apple and Google accounts between October 2023 and January 2024. These attacks directed them to fraudulent pages designed to capture their login credentials and two-factor authentication (2FA) codes.
Access Now’s Digital Security Helpline noted that both individuals are vocal critics of the Egyptian government and have previously experienced political imprisonment. One of them had also been targeted with spyware in the past.
In addition, an anonymous Lebanese journalist was targeted in May 2025 through phishing messages sent via the Apple Messages app and WhatsApp. These messages contained malicious links that misled users into entering their account credentials under the guise of an Apple verification process.
Phishing Techniques and Methods
The phishing campaign employed persistent tactics through iMessage and WhatsApp, impersonating Apple Support. SMEX highlighted that while the primary focus was on Apple services, evidence indicated that other messaging platforms, such as Telegram and Signal, were also potential targets.
In Al-A’sar’s case, the spear-phishing attack began with a LinkedIn message from a fictitious persona named “Haifa Kareem,” who presented a job opportunity. After sharing his mobile number and email address, Al-A’sar received an email on January 24, 2024, prompting him to join a Zoom call via a shortened link.
The link used in this attack led to a consent-based phishing flow built on Google’s OAuth 2.0 framework. Rather than harvesting a password, the flow asked the victim to grant account access to a malicious web application named “en-account.info,” which would give the attacker unauthorized access to the account.
Access Now explained that unlike previous attacks that impersonated Apple account logins, this approach utilized OAuth consent to exploit legitimate Google assets, tricking targets into providing their credentials.
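The consent-phishing pattern described above turns on what the link asks the user to approve, not on a spoofed login page. The following added example (my own code, not from Access Now or the article) parses a Google OAuth 2.0 authorization URL with the standard library and reports the signals a helpline analyst would check: the requesting client_id, the scopes requested, where the authorization code or token is sent (redirect_uri), and whether offline (refresh-token) access is requested. The sample URL, the client_id and the redirect host “en-account.example” are constructed placeholders, and the list of high-risk scopes is my own selection of documented Google API scopes.

```python
"""Triage of an OAuth 2.0 authorization link as used in consent phishing.

Added example, not part of the original reporting. The URL below is
constructed: the client_id is a placeholder and "en-account.example" is
a placeholder redirect host chosen to echo the app name in the article.
"""
from urllib.parse import urlparse, parse_qs

# Documented Google API scopes that grant broad mailbox, file or contact
# access; a consent prompt asking for these from an unknown app is the core
# of a consent-phishing attack. Selection is my own assumption.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}

GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Constructed sample link of the kind a target might receive.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fen-account.example%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "&access_type=offline"
)


def triage_oauth_url(url: str, allowed_redirect_hosts: set[str]) -> dict:
    """Parse an authorization URL and return the request plus risk findings."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    # 'scope' is a space-separated list; parse_qs already decodes %20 and '+'.
    scopes = set(" ".join(params.get("scope", [])).split())
    redirect = params.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect).hostname or ""
    findings = []

    if parsed.hostname in GOOGLE_AUTH_HOSTS and parsed.path.startswith("/o/oauth2"):
        # The page really is Google's: nothing about the URL is spoofed, the
        # risk lies entirely in what the user is asked to consent to.
        findings.append("genuine Google consent endpoint (consent-phishing pattern)")
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append("requests high-risk scopes: " + ", ".join(sorted(risky)))
    if redirect_host and redirect_host not in allowed_redirect_hosts:
        findings.append(f"authorization code is sent to an unexpected host: {redirect_host}")
    if params.get("access_type", [""])[0] == "offline":
        findings.append("offline access: refresh token outlives a password change")

    return {
        "client_id": params.get("client_id", [""])[0],
        "scopes": sorted(scopes),
        "redirect_host": redirect_host,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_oauth_url(SAMPLE_URL, allowed_redirect_hosts={"app.corp.example"})
    print("client_id:", report["client_id"])
    for finding in report["findings"]:
        print(" -", finding)
```

The important remediation point the findings make visible is that a password reset does not revoke an OAuth grant: the victim has to remove the third-party app from the account’s connected-applications settings, which is why the last finding calls out offline access separately.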
Phishing Domains and Malware Connections
A variety of domains were employed in these phishing attacks, including:
- signin-apple.com-en-uk[.]co
- id-apple.com-en[.]io
- facetime.com-en[.]io
- secure-signal.com-en[.]io
- telegram.com-en[.]io
- verify-apple.com-ae[.]net
- join-facetime.com-ae[.]net
- android.com-ae[.]net
- encryption-plug-in-signal.com-ae[.]net
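The domains above share one construction: a brand name in the left-most labels and a registrable domain such as “com-ae.net” or “com-en.io” that mimics a country-code suffix like “com.ae”. The following added example (my own code, not from the reporting organisations) refangs the article’s indicators, derives each host’s registrable domain, flags hosts that carry a brand keyword while being registered under a domain the brand does not own, and clusters them by registrable domain so related infrastructure stands out. The brand keyword list, the allow-list of genuine brand domains and the tiny suffix table are my own assumptions; a production tool should use the full Public Suffix List.

```python
"""Flag brand-impersonating phishing domains and cluster shared infrastructure.

Added example, not part of the original reporting. Only the domains in
PAGE_DOMAINS come from the article; BRANDS, LEGIT_REGISTRABLE and
MULTI_LABEL_SUFFIXES are assumptions standing in for real reference data.
"""
import re
from collections import defaultdict

# Indicators listed in the article, in the defanged "[.]" notation it uses.
PAGE_DOMAINS = [
    "signin-apple.com-en-uk[.]co",
    "id-apple.com-en[.]io",
    "facetime.com-en[.]io",
    "secure-signal.com-en[.]io",
    "telegram.com-en[.]io",
    "verify-apple.com-ae[.]net",
    "join-facetime.com-ae[.]net",
    "android.com-ae[.]net",
    "encryption-plug-in-signal.com-ae[.]net",
]

# Brand keywords worth flagging when they appear in a host name (assumed).
BRANDS = {"apple", "facetime", "signal", "telegram", "android", "whatsapp"}
# Registrable domains those brands genuinely control (assumed allow-list).
LEGIT_REGISTRABLE = {"apple.com", "signal.org", "telegram.org", "android.com", "whatsapp.com"}
# Stand-in for the Public Suffix List: suffixes that take two labels.
# Note the lure: "com-ae.net" is a plain .net domain that merely looks like ".com.ae".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.ae", "org.uk"}


def refang(domain: str) -> str:
    """Turn defanged notation back into a resolvable host name."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def registrable_domain(host: str) -> str:
    """Return the part of the host the registrant actually controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brands(host: str) -> set[str]:
    """Brand keywords present as whole tokens between dots or hyphens."""
    return BRANDS & set(re.split(r"[.-]", host))


def assess(defanged: str) -> dict:
    """Lookalike = a brand keyword in the host, but registered outside the brand's domain."""
    host = refang(defanged)
    reg = registrable_domain(host)
    brands = impersonated_brands(host)
    return {
        "host": host,
        "registrable": reg,
        "brands": sorted(brands),
        "lookalike": bool(brands) and reg not in LEGIT_REGISTRABLE,
    }


def cluster_by_registrable(defanged_domains: list[str]) -> dict[str, list[str]]:
    """Group hosts by registrable domain; shared registrables hint at one operator."""
    clusters = defaultdict(list)
    for d in defanged_domains:
        result = assess(d)
        clusters[result["registrable"]].append(result["host"])
    return dict(clusters)


if __name__ == "__main__":
    for d in PAGE_DOMAINS:
        r = assess(d)
        print(f"{r['host']:45} registrable={r['registrable']:15} brands={r['brands']} lookalike={r['lookalike']}")
    for reg, hosts in cluster_by_registrable(PAGE_DOMAINS).items():
        print(f"{reg}: {len(hosts)} host(s)")
```

Run against the article’s list, the clustering puts four hosts under “com-ae.net” and four under “com-en.io”, which is the same grouping the reporting relies on when it links “com-ae.net” to the ESET-documented spyware campaign; a genuine host such as “id.apple.com” is not flagged because its registrable domain is on the brand allow-list.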
Notably, the domain “com-ae[.]net” has been associated with an Android spyware campaign documented by Slovak cybersecurity firm ESET in October 2025. This campaign involved deceptive websites impersonating Signal, ToTok, and Botim to deploy malware such as ProSpy and ToSpy against unspecified targets in the U.A.E.
The domain “encryption-plug-in-signal.com-ae[.]net” was specifically used as an initial access vector for ProSpy, masquerading as a non-existent encryption plugin for Signal. This spyware is capable of exfiltrating sensitive data, including contacts, SMS messages, device metadata, and local files.
While neither of the Egyptian journalists’ accounts was ultimately compromised, SMEX reported that the Lebanese journalist’s Apple account was fully breached on May 19, 2025, leading to the addition of a virtual device for persistent access to their data. Subsequent attacks against this journalist were unsuccessful.
Broader Implications of the Campaign
The lack of evidence indicating that the three journalists were specifically targeted with spyware does not diminish the seriousness of the situation. The methods and infrastructure used in these attacks suggest a broader regional surveillance effort aimed at monitoring communications and harvesting personal data.
Lookout attributed these activities to a hack-for-hire operation linked to Bitter, a threat cluster believed to be involved in intelligence-gathering efforts on behalf of the Indian government. This espionage campaign has reportedly been active since at least 2022.
The phishing domains and ProSpy malware lures indicate that the campaign has likely targeted victims in Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt, and potentially the U.S., including alumni of U.S. universities. The attacks therefore extend well beyond Egyptian and Lebanese civil society.
The operation combines targeted spear-phishing delivered through fake social media accounts and messaging applications, utilizing persistent social engineering techniques. Depending on the target’s device, this may result in the delivery of Android spyware.
Technical Connections and Malware Similarities
The campaign’s ties to Bitter are supported by infrastructure connections between domains such as “com-ae[.]net” and “youtubepremiumapp[.]com.” The latter was flagged by Cyble and Meta in August 2022 as being associated with Bitter in relation to an espionage effort that distributed Android malware dubbed Dracarys.
Lookout’s analysis revealed similarities between Dracarys and ProSpy, despite the latter being developed later using Kotlin instead of Java. Both malware families utilize worker logic for task management and share similar naming conventions for worker classes. They also employ numbered command-and-control (C2) commands.
The unusual aspect of this campaign is that Bitter has not previously been linked to espionage efforts targeting civil society members. This raises questions about whether this represents an expansion of Bitter’s operational scope or if it indicates an overlap with an unknown hack-for-hire group.
Mobile malware remains a primary tool for surveillance on civil society, whether acquired through commercial surveillance vendors, outsourced to hack-for-hire organizations, or deployed directly by nation-states.
For further details on this ongoing situation, visit thehackernews.com.