A sophisticated digital espionage campaign is sweeping across the Middle East and North Africa, driven not by elite state agencies, but by private “hack-for-hire” firms. Recent investigations reveal that these mercenaries are targeting journalists, activists, and high-ranking government officials. This trend highlights a growing shift toward outsourcing surveillance to commercial entities, providing government clients with both lower costs and plausible deniability.
Strategic Exploits: iOS and Android Under Fire
The attackers utilized a two-pronged strategy to compromise their targets, focusing on the most vulnerable points of mobile ecosystems.
iCloud and Phishing
For iPhone users, the group employed deceptive phishing tactics to steal Apple ID credentials. With access to iCloud backups, the hackers could effectively bypass the physical security of the device and read the victim’s messages, photos, and personal data without needing to deploy expensive, high-end spyware.
The ProSpy Malware
Android users were targeted with a specialized spyware known as ProSpy. The malware was disguised as legitimate communication tools, including WhatsApp, Zoom, and Signal, as well as regional apps like ToTok and Botim. Beyond simple data theft, the hackers attempted to link their own hardware to victims’ Signal accounts—a technique previously associated with state-sponsored Russian intelligence operations.
Identifying the Architects
Collaborative research from Lookout, Access Now, and SMEX suggests the group is linked to BITTER APT, a hacking collective suspected of having ties to the Indian government.
Industry experts believe the operation may be an offshoot of the defunct Indian startup Appin. A specific firm, RebSec, has emerged as a primary suspect, though the company has recently scrubbed its online presence.
A Global Footprint
While the campaign heavily targeted Egyptian and Lebanese journalists, its reach was surprisingly broad. Evidence shows the group also pursued officials within the governments of Bahrain, the UAE, Saudi Arabia, and the United Kingdom. There are further indications that the campaign may have extended to targets within the United States or alumni of American universities, proving that the hack-for-hire industry is a borderless threat.







