- A hire-for-hack campaign orchestrated by a threat actor who allegedly has ties to the Indian government is going after journalists in the MENA region.
- The attack already targeted two Egyptian journalists and a Lebanese journalist, aiming to hijack their Apple and Google accounts using fake login pages and authentication tricks.
- The operation, traced back to a threat actor called Bitter, uses infrastructure that overlaps with ProSpy spyware and the older Dracarys malware.
Hackers tried to break into the phones and accounts of journalists and critics, using fake job offers, phony support alerts, and even bogus Zoom links to do it.
Access Now, SMEX, and Lookout reported on this hacking campaign. The operation ran for about 3 years, and its targets were mostly MENA journalists, activists, and government officials.
Hackers Target MENA Journalists
Mostafa Al-A’sar, an Egyptian critic, received a LinkedIn message from a fake persona named “Haifa Kareem.” The bait promised a job opportunity. After Al-A’sar shared his email address and phone number, he received an email on January 24, 2024, instructing him to join a Zoom call via a link that was shortened using Rebrandly.
That link hid a consent-based phishing attack. It abused Google’s OAuth 2.0 system. The attacker used a malicious web application called “en-account.info” to request account access.
If a victim was already logged into Google, they only saw a permission prompt and were never asked for a password. If they were logged out, the page asked them to log in first: username, password, and even their 2FA codes.
In 2023, the attackers tried the same trick on Egyptian journalist Ahmed Eltantawy, directing him to fake Apple login pages. Both men had previously gone to prison for political reasons, and one had faced a spyware attack before. This time, neither man lost control of his accounts, but the attempts showed clear and persistent targeting.
However, one anonymous Lebanese journalist wasn’t as lucky as the Egyptian journalists. He received two phishing text messages that appeared to be from Apple Support last May 19; one came via Apple Messages and the other on WhatsApp.
Clicking the link in either message led to a verification page. The attacker fully compromised the Apple account and then added a virtual device to it, which gave them persistent access to the victim’s data. A second wave of attacks followed but failed.
Spyware Connections and Broader Targets
Some phishing domains looked familiar. Here are the ones researchers listed:
- signin-apple.com-en-uk[.]co
- id-apple.com-en[.]io
- facetime.com-en[.]io
- secure-signal.com-en[.]io
- telegram.com-en[.]io
- verify-apple.com-ae[.]net
- join-facetime.com-ae[.]net
- android.com-ae[.]net
- encryption-plug-in-signal.com-ae[.]net
That last domain appeared in an October 2025 Android spyware campaign documented by ESET. The campaign used fake websites impersonating Signal, ToTok, and Botim.
It deployed spyware called ProSpy and ToSpy to targets in the UAE. ProSpy can steal contacts, SMS messages, device metadata, and local files. The fake “encryption plugin for Signal” was just a lure.
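As an added defender-side example (not from the article or from the researchers it cites), a small Python check that flags the naming pattern the listed domains share: a brand name placed in a subdomain label in front of a registrable domain such as com-en.io that imitates the brand’s real .com. The BRANDS mapping and the two legitimate control hosts are assumptions constructed for this example.

```python
import re

# Constructed sample: the defanged domains listed above, plus two legitimate
# hosts (constructed controls) so the check has true negatives to distinguish.
SAMPLE_HOSTS = [
    "signin-apple.com-en-uk[.]co", "id-apple.com-en[.]io",
    "facetime.com-en[.]io", "secure-signal.com-en[.]io",
    "telegram.com-en[.]io", "verify-apple.com-ae[.]net",
    "join-facetime.com-ae[.]net", "android.com-ae[.]net",
    "encryption-plug-in-signal.com-ae[.]net",
    "appleid.apple.com", "signal.org",
]

# Brands abused in this campaign mapped to the registrable domains they really
# own. Assumed mapping for the example; extend it with your own brand list.
BRANDS = {
    "apple": {"apple.com"},
    "facetime": {"apple.com"},
    "signal": {"signal.org"},
    "telegram": {"telegram.org"},
    "android": {"android.com", "google.com"},
}

def refang(host: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return host.replace("[.]", ".").strip().lower().strip(".")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the TLDs in this sample."""
    return ".".join(host.split(".")[-2:])

def check_lookalike(host: str) -> list:
    """Return the reasons a hostname looks like brand impersonation ([] = clean)."""
    host = refang(host)
    reg = registrable_domain(host)
    reasons = []
    # 1) A registrable domain starting with 'com-' makes 'brand.com-xx.tld'
    #    read like 'brand.com' to someone glancing at the URL.
    if reg.startswith("com-"):
        reasons.append(f"registrable domain mimics .com: {reg}")
    # 2) A brand name sits in its own label or hyphenated segment while the
    #    registrable domain is not one the brand actually owns.
    for brand, owned in BRANDS.items():
        if re.search(rf"(^|[.-]){brand}([.-]|$)", host) and reg not in owned:
            reasons.append(f"'{brand}' used outside its real domains: {reg}")
    return reasons

def scan(hosts: list) -> dict:
    """Map each refanged host that triggers at least one reason to its reasons."""
    return {refang(h): check_lookalike(h) for h in hosts if check_lookalike(h)}
```

Running scan(SAMPLE_HOSTS) flags all nine campaign domains and leaves the two control hosts clean; the same check can be run over proxy or DNS logs once hostnames are extracted.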
Lookout connected these attacks to Bitter. That threat actor reportedly works for Indian government intelligence. The same infrastructure previously hosted “youtubepremiumapp[.]com.”
Cyble and Meta flagged that domain in August 2022 as linked to Bitter. Those fake sites mimicked YouTube, Signal, Telegram, and WhatsApp to spread Android malware named Dracarys.
ProSpy and Dracarys share similar structures. Both use worker logic to handle tasks. Both name their worker classes similarly. Both use numbered command-and-control commands. ProSpy exfiltrates data to endpoints starting with “v3.” Dracarys uses “r3.” The difference? ProSpy is newer and written in Kotlin instead of Java.
The campaign likely hit people in Bahrain, UAE, Saudi Arabia, UK, Egypt, and possibly the US. Researchers also saw lures targeting US university alumni. That suggests the operation goes beyond Egyptian and Lebanese activists.
Bitter has never targeted civil society members before. So researchers see two possibilities. Either a hack-for-hire group borrowed Bitter’s tools. Or Bitter itself expanded its mission. Either way, mobile malware remains a go-to method for spying on journalists and critics.
The Italian spyware scandal serves as a reminder that this is not just a Middle East problem: journalists and activists everywhere face the threat of having their devices compromised by sophisticated surveillance tools.