Bitter APT’s Hack-for-Hire Campaign Targets MENA Journalists
A sophisticated hack-for-hire operation, attributed to the Bitter Advanced Persistent Threat (APT) group, has been actively targeting journalists, activists, and government officials across the Middle East and North Africa (MENA) region. This campaign, believed to have ties to the Indian government, has been meticulously documented by cybersecurity organizations including Access Now, Lookout, and SMEX.
Targeted Individuals and Attack Methods
Among the primary targets were Egyptian journalists and government critics Mostafa Al-A’sar and Ahmed Eltantawy. Between October 2023 and January 2024, they were subjected to spear-phishing attacks designed to compromise their Apple and Google accounts. These attacks involved directing the journalists to counterfeit login pages, deceiving them into entering their credentials and two-factor authentication (2FA) codes.
Access Now’s Digital Security Helpline highlighted the significance of these attacks, noting that both journalists are prominent critics of the Egyptian government and have previously faced political imprisonment. One of them had also been targeted with spyware in the past.
In May 2025, an anonymous Lebanese journalist became another victim of this campaign. They received phishing messages via Apple Messages and WhatsApp, containing malicious links that impersonated Apple Support. These links led to fake verification steps, tricking the journalist into divulging their Apple account credentials.
SMEX, a digital rights non-profit in the West Asia and North Africa region, reported that while the primary focus appeared to be on Apple services, evidence suggested that other messaging platforms, including Telegram and Signal, were also targeted.
Detailed Attack Techniques
The attack on Mostafa Al-A’sar began with a LinkedIn message from a fabricated persona named Haifa Kareem, who presented a job opportunity. After Al-A’sar shared his contact information, he received an email on January 24, 2024, instructing him to join a Zoom call via a link shortened using Rebrandly.
This link was part of a consent-based phishing attack leveraging Google’s OAuth 2.0. The attacker used a malicious web application named en-account.info to gain unauthorized access to the victim’s Google account. Access Now explained that this method deceives targets into granting permissions to an attacker-controlled application, exploiting the familiarity of Google’s third-party sign-in feature.
The campaign utilized several deceptive domains to execute these phishing attacks, including:
– signin-apple.com-en-uk[.]co
– id-apple.com-en[.]io
– facetime.com-en[.]io
– secure-signal.com-en[.]io
– telegram.com-en[.]io
– verify-apple.com-ae[.]net
– join-facetime.com-ae[.]net
– android.com-ae[.]net
– encryption-plug-in-signal.com-ae[.]net
Notably, the domain encryption-plug-in-signal.com-ae[.]net was previously associated with an Android spyware campaign documented by ESET in October 2025. This campaign involved deceptive websites impersonating Signal, ToTok, and Botim to deploy spyware like ProSpy and ToSpy to targets in the U.A.E.
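The domains above share one construction: a generic registrable domain such as com-en[.]io or com-ae[.]net, with the trusted brand pushed into the subdomain so the hostname reads like "signin-apple.com". The following triage script, added here as a defender-side example and not code from Access Now, Lookout or SMEX, flags that pattern; the brand list, the allowlist of real brand domains and the toy suffix list are constructed assumptions.

```python
"""Flag look-alike hostnames built the way this campaign's were: a generic
registrable domain (com-en.io, com-ae.net) with the brand in the subdomain.
Added defender-side example; lists below are constructed, not authoritative."""
import re

# Brands the report says were impersonated (constructed set, extend as needed).
BRANDS = {"apple", "icloud", "signal", "telegram", "facetime", "android", "whatsapp"}
# Registrable domains those brands really use: a constructed allowlist.
LEGIT_APEX = {"apple.com", "icloud.com", "signal.org", "telegram.org",
              "android.com", "whatsapp.com"}
# Toy public-suffix list; production code should use a Public Suffix List library.
KNOWN_SUFFIXES = {"co.uk", "com", "net", "org", "io", "co"}

def defang(host: str) -> str:
    """Turn a defanged indicator like 'com-ae[.]net' back into 'com-ae.net'."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".")

def split_host(host: str) -> tuple[list[str], str]:
    """Return (subdomain labels, registrable domain) using the toy suffix list."""
    labels = defang(host).split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return labels[:-n - 1], ".".join(labels[-n - 1:])
    return labels[:-1], labels[-1]

def assess(host: str) -> list[str]:
    """Return the reasons a hostname looks like a brand-impersonating phishing host."""
    subs, apex = split_host(host)
    reasons = []
    tokens = {t for label in subs for t in label.split("-") if t}
    brand_hits = sorted(b for b in BRANDS if any(b in t for t in tokens))
    if brand_hits and apex not in LEGIT_APEX:
        reasons.append(f"brand {brand_hits} appears outside its real registrable domain ({apex})")
    apex_label = apex.split(".")[0]
    # "com-en", "com-ae": a registrable label imitating a TLD so "<brand>.com-en.io" reads as "<brand>.com"
    if re.fullmatch(r"(com|net|org)(-[a-z0-9]+)+", apex_label):
        reasons.append(f"registrable label '{apex_label}' imitates a TLD")
    return reasons

def flag_hosts(hosts: list[str]) -> dict[str, list[str]]:
    """Map each host to its reasons, keeping only hosts that triggered at least one."""
    return {h: r for h in hosts if (r := assess(h))}

if __name__ == "__main__":
    # Indicators from the report plus constructed legitimate controls.
    sample = ["signin-apple.com-en-uk[.]co", "encryption-plug-in-signal.com-ae[.]net",
              "com-ae[.]net", "appleid.apple.com", "www.signal.org"]
    for host, reasons in flag_hosts(sample).items():
        print(host, "->", "; ".join(reasons))
```

The bare apex com-ae[.]net is flagged on structure alone, which is why the TLD-imitation check is kept separate from the brand check.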
Impact and Implications
While the accounts of the Egyptian journalists were not ultimately compromised, the initial attack on the Lebanese journalist on May 19, 2025, resulted in the complete compromise of their Apple account. The attackers added a virtual device to the account, gaining persistent access to the victim’s data. A subsequent wave of attacks was unsuccessful.
Although there is no direct evidence that the three journalists were targeted with spyware, the methods and infrastructure used in these attacks indicate the potential for delivering malicious payloads and exfiltrating sensitive data. Access Now suggested that this operation might be part of a broader regional surveillance effort aimed at monitoring communications and harvesting personal data.
Attribution to Bitter APT
Lookout’s analysis attributed these campaigns to a hack-for-hire operation with ties to Bitter, a threat cluster believed to conduct intelligence-gathering efforts on behalf of the Indian government. Bitter has been operational since at least 2022 and has previously targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh.
The campaign’s links to Bitter are supported by infrastructure connections between the domain com-ae[.]net and youtubepremiumapp[.]com, a domain previously linked to Bitter in relation to an espionage effort that used fake sites mimicking trusted services like YouTube, Signal, Telegram, and WhatsApp to distribute Android malware dubbed Dracarys.
Lookout’s analysis also uncovered similarities between Dracarys and ProSpy, despite the latter being developed years later using Kotlin instead of Java. Both malware families use worker logic to handle tasks and have similarly named worker classes. They also both use numbered command-and-control (C2) commands, with ProSpy exfiltrating data to server endpoints starting with v3, while Dracarys uses r3.
Unusual Targeting and Broader Implications
Historically, Bitter has not been associated with espionage campaigns targeting civil society members. This raises two possibilities: either it’s the work of a hack-for-hire operation with ties to Bitter, or the threat actor itself is behind it, indicating a potential expansion of its targeting scope.
Lookout noted that mobile malware continues to be a primary means of spying on civil society, whether purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by a nation-state.
Conclusion
The Bitter APT’s hack-for-hire campaign underscores the evolving landscape of cyber threats targeting journalists and activists in the MENA region. The use of sophisticated phishing techniques, coupled with the potential deployment of spyware, highlights the need for heightened vigilance and robust cybersecurity measures among at-risk individuals and organizations.