DMR News

Hack-For-Hire Group Targets Journalists And Officials Across Middle East And North Africa

By Jolyen

Apr 9, 2026

Security researchers have identified a hack-for-hire group conducting coordinated cyberattacks against journalists, activists, and government officials across the Middle East and North Africa, using phishing, spyware, and account takeover techniques to access sensitive data.

Investigations by Access Now, Lookout, and SMEX found that the campaign targeted individuals between 2023 and 2025, including Egyptian and Lebanese journalists, with broader activity spanning multiple countries.

Targets And Geographic Scope

According to Lookout, victims included members of civil society as well as individuals linked to governments in Bahrain and Egypt, with additional targets identified in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States.

Researchers documented at least three confirmed attacks, including two against Egyptian journalists and one against a journalist in Lebanon.

Links To Hack-For-Hire Networks

Lookout concluded that the campaign is tied to a hack-for-hire vendor with connections to BITTER APT, a group suspected by cybersecurity firms to have ties to the Indian government.

Justin Albrecht, a principal researcher at Lookout, said the operation may be linked to an offshoot of the Indian startup Appin, which had previously been the subject of investigations into cyber-mercenary activities.

Albrecht suggested another entity, RebSec, as a possible participant, though the company could not be reached for comment and has removed its online presence.

Researchers said such groups provide clients with operational cover. “These operations have become cheaper and it’s possible to evade responsibility,” said Mohammed Al-Maskati of Access Now.

Attack Methods And Techniques

The attackers used a mix of phishing and spyware deployment depending on the target’s device.

For iPhone users, the group attempted to obtain Apple ID credentials through phishing, allowing access to iCloud backups containing personal data, messages, and files. Researchers described this as a lower-cost alternative to deploying advanced iOS spyware.

For Android users, attackers deployed spyware known as ProSpy, disguising it as widely used apps including Signal, WhatsApp, and Zoom, as well as regional apps ToTok and Botim.

In some cases, attackers attempted to add a device under their control to a victim’s Signal account, a technique previously used by multiple hacking groups, including state-linked actors.

Trend Toward Outsourced Cyber Operations

Researchers said the campaign reflects a broader trend of governments outsourcing cyber operations to private contractors. These arrangements can reduce costs compared to purchasing commercial spyware while providing plausible deniability for clients.

Although the tools used in this campaign were not considered the most advanced, researchers noted that the methods remained effective in compromising targets and accessing sensitive communications.

