Hack-for-Hire Spyware Campaign Targets Journalists Across MENA Region
- Apr 9
Key Findings
- A coordinated hack-for-hire campaign targeting journalists and activists across the Middle East and North Africa has been active since at least 2022, with operations continuing into 2025
- The campaign is attributed to Bitter, a threat actor with suspected ties to the Indian government, operating as a likely contracted espionage service
- Two Egyptian journalists and critics of their government, Mostafa Al-A'sar and Ahmed Eltantawy, were targeted with sophisticated spear-phishing attacks in 2023 and 2024
- A Lebanese journalist's Apple Account was completely compromised in May 2025 through phishing, allowing attackers to install a persistent virtual device
- Attack infrastructure overlaps with Android spyware campaigns deploying ProSpy and ToSpy malware, suggesting broader regional surveillance efforts
- The campaign employed OAuth consent attacks, fake social media job offers, and persistent messaging app phishing across iMessage, WhatsApp, Telegram, and Signal
Background
Access Now, Lookout, and SMEX collaborated on this investigation after receiving reports through Access Now's Digital Security Helpline about suspicious activity targeting journalists. The three organizations combined their expertise to map a wider campaign than initially apparent, discovering shared infrastructure and attack patterns across multiple victims in the MENA region. The targets were primarily civil society members and government critics with histories of political imprisonment and previous spyware targeting.
Initial Attack Vectors and Methods
The attackers employed multiple social engineering tactics tailored to their victims. In Al-A'sar's case, someone using the LinkedIn persona "Haifa Kareem" approached him with a job opportunity. After he shared his contact information, he received an email on January 24, 2024, with a Rebrandly-shortened link to a fake Zoom call. Clicking the link led to a malicious Google OAuth consent screen designed to trick him into granting a third-party application unauthorized access to his account.
The Lebanese journalist faced a different approach through Apple Messages and WhatsApp in May 2025, receiving phishing links that mimicked Apple Support verification requests. The attacker successfully compromised this journalist's Apple Account and added a virtual device for persistent access, though a second wave of attacks failed.
The campaign also targeted messaging platforms beyond Apple services, with evidence suggesting Telegram and Signal were leveraged in similar phishing attempts. The attackers registered numerous deceptive domains mimicking legitimate services like FaceTime, Signal, Telegram, and Android services.
Infrastructure and Technical Overlap
The phishing domains shared particular patterns, including the use of "com-ae[.]net" as a suffix that imitates the legitimate .com.ae country-code pattern. This specific infrastructure overlaps with Android spyware campaigns documented by ESET in October 2025, which deployed ProSpy and ToSpy malware to targets in the United Arab Emirates. The domain "encryption-plug-in-signal.com-ae[.]net" was used as an entry point for ProSpy by impersonating a non-existent Signal encryption plugin.
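As an added example (not code from the original report or from any of the organizations involved), the following Python helper applies the infrastructure pattern described above from a defender's side: it re-fangs defanged indicators, flags hostnames whose suffix imitates a country-code second-level domain such as com.ae by swapping the dot for a hyphen under a generic TLD, and then checks whether the remaining labels name one of the impersonated services. The sample list is constructed; only the Signal domain comes from the page.

```python
import re

# Constructed sample of defanged indicators. The first entry is the domain the
# report names; the others are made-up lookalikes and benign controls.
SAMPLE_DOMAINS = [
    "encryption-plug-in-signal.com-ae[.]net",
    "facetime-verify.com-ae[.]net",
    "telegram-update.com-ae[.]net",
    "support.apple.com",
    "signal.org",
    "example-news.com-ae[.]net",
]

# Services the report says were impersonated by the campaign's domains.
IMPERSONATED_BRANDS = ("signal", "telegram", "facetime", "whatsapp", "apple", "android")

# Suffix that mimics a country-code second-level domain (e.g. "com.ae") by
# replacing its dot with a hyphen and hanging it under a generic TLD.
FAKE_CCSLD_SUFFIX = re.compile(r"\.(com|net|org|gov)-([a-z]{2})\.(net|com|org|info)$")


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'a.com-ae[.]net' back into a hostname."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".")


def classify(domain: str) -> dict:
    """Return the host, the mimicked ccSLD, any brand keyword found, and a verdict."""
    host = refang(domain)
    match = FAKE_CCSLD_SUFFIX.search(host)
    if not match:
        return {"host": host, "fake_ccsld": None, "brand": None, "verdict": "clean"}
    mimicked = f"{match.group(1)}.{match.group(2)}"   # e.g. "com.ae"
    prefix = host[: -len(match.group(0))]             # labels before the fake suffix
    brand = next((b for b in IMPERSONATED_BRANDS if b in prefix), None)
    verdict = "lookalike+brand" if brand else "lookalike"
    return {"host": host, "fake_ccsld": mimicked, "brand": brand, "verdict": verdict}


def triage(domains):
    """Classify every indicator in a list; suitable for feeding a blocklist review."""
    return [classify(d) for d in domains]


if __name__ == "__main__":
    for result in triage(SAMPLE_DOMAINS):
        print(result)
```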
The sophisticated OAuth-based attacks differed from simpler credential harvesting approaches. Rather than just creating fake login pages, attackers leveraged legitimate Google infrastructure to make their phishing appear more credible, exploiting the familiarity users have with third-party sign-in features.
Broader Implications and Attribution
While neither Egyptian journalist's account was ultimately compromised, the successful breach of the Lebanese journalist's Apple Account demonstrated the real danger these tactics pose. Researchers found no evidence that the journalists were infected with spyware, but the attack infrastructure suggests the capability to deliver malicious payloads and exfiltrate sensitive data at any point.
Lookout's analysis attributed the disparate campaigns to Bitter, a threat cluster assessed to operate on behalf of the Indian government. Bitter primarily targets government, military, diplomatic, and critical infrastructure sectors across South Asia, but this campaign represents an expansion into MENA region civil society targeting.
Access Now noted it lacked sufficient information for independent attribution but acknowledged the evidence pointed toward a coordinated operation designed to monitor communications and harvest personal data across the region.
Victim Impact and Ongoing Threats
Al-A'sar described feeling continuously threatened despite living in exile, noting that targeted individuals worry not only about their own safety but also about their family members, friends, and journalistic sources. He had previously experienced targeting during his 2018 arrest in Egypt, making the renewed attacks particularly concerning.
The Committee to Protect Journalists condemned the campaign, emphasizing that surveillance of journalists often precedes broader patterns of intimidation and attacks. The organization called on regional authorities to stop weaponizing technology and financial resources for journalist surveillance.
Sources
https://thehackernews.com/2026/04/bitter-linked-hack-for-hire-campaign.html
https://cyberscoop.com/hack-for-hire-spyware-campaign-targets-journalists-in-middle-east-north-africa/
https://www.gblock.app/articles/mena-hack-for-hire-bitter-journalists-egypt