Hack-for-Hire Campaign Targets Journalists in MENA Using Phishing and Spyware
Severity: High (Score: 75.5)
Sources: Newsbytesapp, Ground.News, Therecord.Media, Cpj, Scoop.Co.Nz
Summary
A hack-for-hire operation has been uncovered targeting journalists and activists across the Middle East and North Africa, particularly focusing on Egyptian and Lebanese individuals. The campaign, attributed to a group known as BITTER, employed sophisticated spear-phishing attacks to compromise iCloud and Signal accounts, as well as deploying Android spyware disguised as legitimate applications. The attacks were documented by Access Now, Lookout, and SMEX, revealing a timeline of incidents from 2023 to 2025. Notable victims include Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy, both of whom have faced political repression. The malware used, identified as ProSpy, allows attackers to extract sensitive data from compromised devices. The operation is suspected to be linked to the Indian government, highlighting a trend of governments outsourcing cyber operations to private firms. Current status indicates ongoing risks for targeted individuals, with calls for improved digital security practices among at-risk communities.
Key Points:
- Hack-for-hire group BITTER targeted journalists in MENA using phishing and spyware.
- Victims included prominent Egyptian journalists with histories of political repression.
- The operation is suspected to be linked to the Indian government, indicating state involvement.
Key Entities
- Bitter (apt_group)
- Bitter APT (apt_group)
- Malware (attack_type)
- Phishing (attack_type)
- Bahrain (country)
- Egypt (country)
- India (country)
- Iran (country)
- Israel (country)
- oilprice.com (domain)
- Government (industry)
- ProSpy (campaign)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- Android (platform)
- Botim (platform)
- iCloud (platform)
- iPhone (platform)
- ToTok (platform)
- Signal (company)