A recent hack-for-hire campaign suspected to have links to the Indian government has targeted journalists, activists, and officials across the Middle East and North Africa (MENA). The findings were reported by cybersecurity organizations Access Now, Lookout, and SMEX, highlighting the complex nature of these cyber threats.
Targeted Journalists and Phishing Tactics
Among the targets were Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy, both known for their critical stance against the Egyptian government. They faced a series of spear-phishing attacks from late 2023 to early 2024 aimed at compromising their Apple and Google accounts by luring them into entering credentials on fake login pages.
Another case involved an anonymous Lebanese journalist who, in May 2025, received phishing messages through Apple Messages and WhatsApp. These messages impersonated Apple Support, tricking users into sharing account credentials. The campaign primarily focused on Apple services but also extended to other platforms such as Telegram and Signal.
Sophisticated Attack Methods
In Al-A’sar’s case, the attack began with a LinkedIn message from a fake persona offering a job opportunity. This led to an email instructing him to join a Zoom call via a malicious link. The attackers used Google’s OAuth 2.0 to gain unauthorized access, demonstrating a sophisticated phishing technique that exploited legitimate services.
The attackers utilized several deceptive domains, such as ‘signin-apple.com-en-uk[.]co’ and ‘secure-signal.com-en[.]io’. Interestingly, the domain ‘com-ae[.]net’ was previously associated with an Android spyware campaign documented by ESET, indicating a broader regional espionage effort.
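The domains above share a recognisable shape: a brand name placed in a subdomain, and a registrable domain such as 'com-en-uk.co' that reads like ".com" at a glance. The following added example (not code from the article or from the Access Now, Lookout or SMEX reports) is a small Python triage check a defender might run over such indicators; the brand list and the simplified registrable-domain logic (last two labels, no Public Suffix List) are assumptions made for this illustration.

```python
# Brands the article says were impersonated; a real deployment would load this from config.
IMPERSONATED_BRANDS = {"apple", "signal", "google", "telegram", "youtube"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'com-ae[.]net' back into a hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified: no Public Suffix List lookup)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_findings(indicator: str) -> list[str]:
    """Return human-readable reasons a hostname looks like a brand impersonation."""
    host = refang(indicator)
    labels = host.split(".")
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    findings: list[str] = []

    # 1. A brand word sits in a subdomain while the registrable domain is unrelated,
    #    e.g. 'signin-apple' in front of 'com-en-uk.co'.
    for label in labels[:-2]:
        for brand in IMPERSONATED_BRANDS:
            if brand in label and brand not in reg:
                findings.append(f"brand '{brand}' in subdomain, registrable domain is '{reg}'")

    # 2. The registrable label starts with 'com-', 'net-' or 'org-', so the full hostname
    #    mimics a TLD boundary ('brand.com-en.io' reads like 'brand.com').
    if reg_label.startswith(("com-", "net-", "org-")):
        findings.append(f"registrable label '{reg_label}' mimics a TLD boundary")

    # 3. A brand embedded in the registrable label itself (e.g. 'youtubepremiumapp'),
    #    a combosquat candidate; the exact brand label ('apple' in apple.com) is left alone.
    for brand in IMPERSONATED_BRANDS:
        if brand in reg_label and reg_label != brand:
            findings.append(f"brand '{brand}' embedded in registrable label '{reg_label}'")

    return findings


if __name__ == "__main__":
    # Indicators quoted in the article plus two legitimate hosts as a control.
    for ioc in ["signin-apple.com-en-uk[.]co", "secure-signal.com-en[.]io",
                "com-ae[.]net", "youtubepremiumapp[.]com", "appleid.apple.com", "signal.org"]:
        print(ioc, "->", lookalike_findings(ioc) or ["no findings"])
```

Findings are triage hints for a blocklist or alert review, not proof of malice; legitimate hosts that happen to contain a brand word will surface under check 3 and need a human look.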
Impact and Broader Implications
While the attacks on the Egyptian journalists were thwarted, the Lebanese journalist’s Apple account was compromised, allowing attackers persistent access to the victim’s data. This highlights the potential for these methods to be used in broader surveillance efforts across the region.
Lookout’s analysis attributes these efforts to a threat cluster named Bitter, believed to be involved in intelligence gathering for the Indian government since 2022. The campaign’s reach potentially extends beyond the MENA region to include targets in countries like Bahrain, the U.K., and possibly the U.S.
Conclusion and Future Outlook
The campaign’s ties to the Bitter group, confirmed through shared infrastructure with domains like ‘youtubepremiumapp[.]com’, suggest a well-coordinated espionage operation. While Bitter is not traditionally linked to targeting civil society, this development raises concerns about its evolving scope.
The continuous use of mobile malware in espionage underscores the need for enhanced cybersecurity measures to protect vulnerable groups. Whether this campaign signifies an expansion of Bitter’s activities or involvement of a new hack-for-hire entity remains uncertain. However, the persistent threat of cyber espionage in the MENA region is undeniable.
