International digital rights and security groups Access Now, Lookout and SMEX have uncovered a long‑running hack‑for‑hire phishing campaign against journalists, activists and government employees across the Middle East and North Africa (MENA). The operation appears to be linked to a mercenary actor with suspected ties to Indian state interests and to the previously documented Bitter threat cluster.
Targeted phishing against journalists via Apple ID and Google accounts
The investigation details repeated spear‑phishing attacks against Egyptian journalists and government critics Mostafa Al‑A’sar and Ahmed Eltantawy between October 2023 and January 2024. The objective was to seize control of their Apple and Google accounts, which often act as a master key to emails, cloud backups, messaging apps and multi‑factor authentication (MFA) codes.
Attackers lured victims to spoofed login pages closely resembling legitimate Apple and Google sign‑in flows. These pages requested usernames, passwords and 2FA codes, enabling immediate account takeover even where strong authentication was in place.
In a separate incident, an anonymous Lebanese journalist was targeted in May 2025 via iMessage and WhatsApp messages impersonating Apple Support. The messages linked to fake “account verification” portals harvesting Apple ID credentials. According to SMEX, the broader campaign often masqueraded as Apple support and heavily focused on Apple’s ecosystem, while artefacts indicate parallel interest in compromising Telegram and Signal users.
How OAuth 2.0 consent phishing bypasses passwords and 2FA
One of the more sophisticated techniques was used against the Google account of Mostafa Al‑A’sar. The attack chain began on LinkedIn, where a fake profile named “Haifa Kareem” approached him with a job opportunity and requested contact information. On 24 January 2024 he received an email invitation to a supposed Zoom call, using a URL shortened via Rebrandly.
The link did not open Zoom. Instead, it redirected to a legitimate Google OAuth authorization screen requesting access for a suspicious web application hosted at en-account.info. This tactic, known as consent‑based OAuth phishing, does not try to steal passwords directly. Instead, it persuades the victim to grant an application access to their Google account via the standard Google interface.
If the target is not logged in, they are first asked to enter their Google username and password; if already logged in, they only see a familiar permissions dialog listing requested scopes such as access to Gmail, Contacts or Google Drive. Once the victim clicks “Allow”, the attacker receives a long‑lived OAuth access token, which can be used to read data and act on the account without ever knowing the password and often bypassing 2FA. This makes such attacks harder for users, security tools and even providers to detect and revoke promptly.
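The consent link described above is detectable before anyone clicks "Allow": a Google OAuth authorization URL carries the requesting app's client_id, its redirect_uri and the scopes it wants in plain query parameters. The following is an added example, not code from the Access Now, Lookout or SMEX report; it parses such a link and rates its risk. The sample URLs are constructed, en-account.info (which the report names only as the app's host) is assumed here to be the redirect_uri host, and the approved-integration allowlist is invented.

```python
"""Added example (not the report's code): inspect a Google OAuth 2.0 authorization
link and rate its risk before the user decides whether to grant access.

Assumptions: sample URLs are constructed; en-account.info is assumed to be the
redirect_uri host; APPROVED_REDIRECT_HOSTS is an invented allowlist.
"""
from urllib.parse import urlparse, parse_qs

# Real Google scope URLs that grant broad access to mail, files or contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Constructed allowlist: redirect hosts of integrations the organisation has vetted.
APPROVED_REDIRECT_HOSTS = {"approved-integration.example"}


def analyze_consent_url(url, approved_hosts=APPROVED_REDIRECT_HOSTS):
    """Classify a URL as a Google OAuth consent request and rate its risk."""
    parsed = urlparse(url)
    if parsed.hostname != "accounts.google.com" or not parsed.path.startswith("/o/oauth2"):
        return {"is_oauth_consent": False, "risk": "n/a", "findings": []}

    params = parse_qs(parsed.query)

    def first(key):
        # parse_qs returns a list per parameter; the first value is the one used.
        return params.get(key, [""])[0]

    redirect_host = urlparse(first("redirect_uri")).hostname or ""
    requested = set(first("scope").split())          # scopes are space-separated
    sensitive = sorted(requested & SENSITIVE_SCOPES)
    # access_type=offline asks Google for a refresh token: access that outlives
    # the browser session and persists until the grant is revoked.
    offline = first("access_type") == "offline"
    unapproved = redirect_host not in approved_hosts

    findings = []
    if unapproved:
        findings.append(f"redirect_uri host '{redirect_host}' is not an approved integration")
    if sensitive:
        findings.append("requests sensitive scopes: " + ", ".join(sensitive))
    if offline:
        findings.append("requests offline access (persistent refresh token)")

    if sensitive and unapproved:
        risk = "high"
    elif sensitive or unapproved:
        risk = "medium"
    else:
        risk = "low"
    return {
        "is_oauth_consent": True,
        "client_id": first("client_id"),
        "redirect_host": redirect_host,
        "sensitive_scopes": sensitive,
        "offline_access": offline,
        "risk": risk,
        "findings": findings,
    }


# Constructed sample links. The first mirrors the lure in the report: a Google
# consent screen for an app whose callback lives on en-account.info.
SUSPICIOUS_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=CONSTRUCTED-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fen-account.info%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts%20openid"
    "&access_type=offline&prompt=consent"
)
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=CONSTRUCTED-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapproved-integration.example%2Fcallback"
    "&response_type=code&scope=openid%20email%20profile"
)

if __name__ == "__main__":
    for link in (SUSPICIOUS_URL, BENIGN_URL):
        result = analyze_consent_url(link)
        print(result["risk"], result["findings"])
```

Because the check runs on the URL alone, it fits where a newsroom can actually hook it in: a mail-gateway rule, a browser extension, or a one-off lookup by the person who received the invitation. Note that a shortener such as Rebrandly hides these parameters until the redirect is followed, so the link must be expanded (in a sandbox, not the target's browser) before the analysis applies.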
Shared infrastructure with ProSpy Android spyware operations
Researchers mapped a set of domains used throughout the campaign. Of particular interest is com-ae[.]net, previously linked to Android spyware distribution. Security vendor ESET reported that in October 2025 this infrastructure, via sites spoofing official pages for Signal, ToTok and Botim, delivered Android trojans dubbed ProSpy and ToSpy targeting users in the United Arab Emirates.
One such domain, encryption-plug-in-signal.com-ae[.]net, impersonated a non‑existent “encryption plug‑in” for Signal. Once installed, the spyware could exfiltrate contacts, SMS messages, device metadata and local files, effectively turning the phone into a covert surveillance sensor.
In the three journalist cases documented by Access Now and partners, investigators did not find direct evidence of spyware installation. However, the reuse of domain infrastructure and identical social‑engineering patterns strongly suggests the same channels could be, and likely are, used to deliver malicious Android packages and siphon data at scale.
Hack‑for‑hire links to Bitter and evolution from Dracarys to ProSpy
Lookout’s analysis concludes that the activity fits the pattern of a hack‑for‑hire operation associated with the Bitter threat cluster. Bitter is widely assessed by industry researchers as a cyber‑espionage group aligned with Indian state interests and active at least since 2022.
The domain com-ae[.]net is connected to youtubepremiumapp[.]com, previously cited by Cyble and Meta in August 2022 as infrastructure used by Bitter to spread the Android malware family Dracarys. That campaign relied on fake websites for YouTube, Signal, Telegram and WhatsApp to infect targets.
Lookout notes architectural similarities between Dracarys and the more recent ProSpy malware: both employ a comparable worker‑based task engine and numbered C2 (command‑and‑control) instructions. ProSpy is written in Kotlin while Dracarys used Java, and their server endpoints use different prefixes (“v3” versus “r3”), yet the overall command protocol and operational philosophy appear continuous.
Historically, Bitter has been linked primarily to regional geopolitical espionage rather than systematic targeting of civil society. The present campaign therefore points to two plausible scenarios: either an independent mercenary operator reusing Bitter‑associated tools and infrastructure, or a strategic expansion by Bitter itself into broader surveillance of journalists, activists and political opponents.
Why mobile phishing and spyware are especially dangerous for journalists
Public reporting from organizations such as Citizen Lab, Amnesty Tech, Google’s Threat Analysis Group and multiple commercial vendors has shown that mobile devices are now a primary entry point for state‑aligned surveillance against NGOs, journalists and human rights defenders. Smartphones consolidate personal and work communications, messaging apps, authentication tokens and document archives, making them an attractive single target.
The uncovered campaign highlights several worrying trends in contemporary mobile phishing and spyware:
1. Advanced social engineering. The use of LinkedIn for fake job offers and iMessage/WhatsApp for bogus Apple support interactions dramatically increases credibility. Even technically savvy users can be deceived by convincing pretexts that align with their professional context.
2. Abuse of legitimate cloud and identity technologies. OAuth‑based Google phishing and sign‑in flows mimicking Apple undermine traditional user advice to “check the URL” or “look for HTTPS”. The attacker is exploiting real identity infrastructure to obtain dangerous levels of access.
3. Professionalization of surveillance as a service. Hack‑for‑hire vendors allow government and private customers to outsource cyber‑operations, adding deniability while reusing infrastructure, malware families and tradecraft across multiple contracts and regions.
To reduce exposure to such threats, security practitioners recommend:
• Strengthen account protection. Enable hardware security keys or passkeys for critical Google and Apple accounts where possible, and avoid approving OAuth access for unknown apps, even when the Google screen looks legitimate.
• Audit access regularly. Periodically review signed‑in devices and third‑party application access in account settings, revoking anything unnecessary or unfamiliar.
• Treat support messages with suspicion. Be wary of unsolicited “account verification” or “security alert” messages in messaging apps and social networks. Navigate to official Apple or Google portals manually instead of clicking embedded links.
• Lock down mobile platforms. Disable installation from unknown sources on Android, scrutinize app permissions on both Android and iOS, and rely on trusted app stores only.
• Train newsrooms and NGOs. Regular, practical training on targeted phishing, including simulations that mirror LinkedIn job lures and support‑themed scams, should become standard practice for media and civil society organizations in the MENA region and beyond.
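The "audit access regularly" recommendation above can be turned into a repeatable check rather than an occasional manual pass through account settings. The following is an added example, not code from the report or from Google: it triages a list of third-party application grants and says which to revoke. The grant records, the approved-client list and the audit date are constructed; their field names are a simplified shape chosen for the example, not the exact output of any Google audit API.

```python
"""Added example (not the report's code): triage third-party OAuth grants on an
account and decide which to revoke, review or keep.

Assumptions: GRANTS, APPROVED_CLIENT_IDS and AUDIT_DATE are constructed; the record
fields (app_name, client_id, scopes, authorized) are a simplified shape.
"""
from datetime import datetime, timezone

# Date at which the audit is run (constructed).
AUDIT_DATE = datetime(2024, 2, 1, tzinfo=timezone.utc)

# Constructed allowlist of client IDs the organisation has approved.
APPROVED_CLIENT_IDS = {
    "calendar-sync.apps.googleusercontent.com",
    "drive-backup.apps.googleusercontent.com",
}

# Constructed grant records for one account. The second mirrors the lure in the
# report: a display name borrowing the Zoom brand, mailbox and contact scopes,
# and a client ID nobody approved.
GRANTS = [
    {"app_name": "Calendar Sync", "client_id": "calendar-sync.apps.googleusercontent.com",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/calendar.readonly"],
     "authorized": "2023-06-01T09:12:00Z"},
    {"app_name": "Zoom Meeting", "client_id": "CONSTRUCTED-unknown.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts", "openid"],
     "authorized": "2024-01-24T14:03:00Z"},
    {"app_name": "Drive Backup", "client_id": "drive-backup.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive"],
     "authorized": "2022-11-10T08:00:00Z"},
]

# Brand names that phishing apps commonly borrow for their display name.
BRAND_WORDS = ("zoom", "apple", "google", "microsoft")


def is_sensitive_scope(scope):
    """Broad mailbox, file or contact access; the prefixes are real Google scope URLs."""
    return scope.startswith("https://mail.google.com/") or any(
        marker in scope for marker in ("/auth/gmail", "/auth/drive", "/auth/contacts")
    )


def triage_grants(grants, approved_client_ids, now):
    """Return one finding per grant, most urgent first."""
    findings = []
    for grant in grants:
        sensitive = [s for s in grant["scopes"] if is_sensitive_scope(s)]
        unapproved = grant["client_id"] not in approved_client_ids
        granted_at = datetime.fromisoformat(grant["authorized"].replace("Z", "+00:00"))
        age_days = (now - granted_at).days
        brand_lookalike = unapproved and any(w in grant["app_name"].lower() for w in BRAND_WORDS)

        # Unknown client with sensitive scopes: revoke. One of the two: human review.
        if unapproved and sensitive:
            action = "revoke"
        elif unapproved or sensitive:
            action = "review"
        else:
            action = "keep"

        reasons = []
        if unapproved:
            reasons.append("client not on approved list")
        if sensitive:
            reasons.append("sensitive scopes: " + ", ".join(sensitive))
        if brand_lookalike:
            reasons.append("display name borrows a well-known brand")
        if age_days <= 30:
            reasons.append(f"granted {age_days} days ago")

        findings.append({"app_name": grant["app_name"], "client_id": grant["client_id"],
                         "action": action, "age_days": age_days, "reasons": reasons})
    order = {"revoke": 0, "review": 1, "keep": 2}
    return sorted(findings, key=lambda f: order[f["action"]])


if __name__ == "__main__":
    for f in triage_grants(GRANTS, APPROVED_CLIENT_IDS, AUDIT_DATE):
        print(f"{f['action']:6} {f['app_name']:14} {'; '.join(f['reasons'])}")
```

The revocation itself is still a deliberate step in the account's security settings (or, for Workspace, by an administrator); the script's job is to make the list short and the reasons explicit, so that an approved backup tool with Drive access is reviewed rather than silently trusted, and an unapproved "Zoom" app holding mailbox scopes is removed the same day the grant appears.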
The campaign exposed by Access Now, Lookout and SMEX shows that mobile cyber‑espionage against civil society is becoming routine rather than exceptional. Sustained investment in digital security—from robust authentication and careful consent management to incident‑response playbooks for newsrooms and NGOs—is now essential to safeguard sources, protect communications and preserve space for independent journalism and activism in high‑risk environments.