New Hack-for-Hire Campaign Hits Android Devices and iCloud Backups Across the Middle East

Security researchers have uncovered a sophisticated hack-for-hire group that has been targeting journalists, activists, and government officials across the Middle East and North Africa. This campaign, active between 2023 and 2025, uses phishing attacks to access iCloud backups and deploy Android spyware, raising fresh concerns about the growing private espionage industry.

According to reports from Access Now, SMEX, and Lookout, the hackers employed a range of tactics to infiltrate devices. For iPhone users, they tricked victims into surrendering Apple ID credentials, gaining access to iCloud backups that contained the full contents of their phones. For Android users, they distributed spyware called ProSpy, disguised as popular apps like Signal, WhatsApp, and Zoom, as well as regional messaging apps ToTok and Botim.

This hack-for-hire group appears to be an offshoot of the infamous Indian startup Appin, which was exposed by Reuters in 2022 and 2023 for allegedly hacking corporate executives and government officials. Justin Albrecht, principal researcher at Lookout, noted that while Appin has since shut down, its operations have simply migrated to smaller companies like RebSec, which has since deleted its online presence.

How the Hack-for-Hire Group Operates

The campaign targeted at least three journalists—two in Egypt and one in Lebanon—but Lookout’s investigation suggests the scope is much wider. Victims include government officials in Bahrain, Egypt, the United Arab Emirates, Saudi Arabia, and even individuals in the United Kingdom and possibly the United States. The researchers linked the group to BITTER APT, a hacking collective suspected of ties to the Indian government.

One of the most alarming aspects of this hack-for-hire group is its use of “plausible deniability.” By outsourcing operations to private vendors, governments can avoid direct responsibility. “These operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end customer is,” said Mohammed Al-Maskati, an investigator at Access Now.

Android Spyware and Phishing Attacks: The Technical Details

For Android users, the hackers deployed ProSpy, a spyware that masquerades as legitimate apps. Victims were lured into downloading fake versions of Signal, WhatsApp, or other messaging tools, which then granted attackers full control over the device. This Android spyware could capture messages, photos, and even microphone and camera access.

For iPhone users, the approach was different but equally dangerous. Hackers used phishing emails and messages to trick targets into revealing their Apple ID credentials. Once obtained, they accessed iCloud backups, effectively bypassing iOS security without needing expensive zero-day exploits. As Access Now noted, this is “potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware.”

Signal Account Hijacking

In some cases, the hackers attempted to register a new device—controlled by them—to the victim’s Signal account. This technique, popular among various hacking groups including Russian spies, allows attackers to intercept encrypted messages without breaking Signal’s encryption itself.

The Growing Threat of Commercial Spyware

This campaign highlights a troubling trend: the rise of commercial spyware and hack-for-hire services that are more accessible than ever. Unlike state-sponsored operations, these private groups offer lower costs and greater anonymity. “For their customers, these hack-for-hire groups are likely cheaper than purchasing commercial spyware,” Albrecht explained.

Building on this, the researchers emphasize that even less sophisticated tools can be highly effective. The hackers behind this campaign may not have the most advanced exploits, but their social engineering and phishing tactics proved sufficient to compromise high-value targets.

What This Means for Digital Security

For journalists and activists in the Middle East, this campaign serves as a stark reminder of the risks they face. As a result, experts recommend enabling two-factor authentication on all accounts, avoiding suspicious links, and regularly reviewing connected devices. For organizations, investing in security awareness training and monitoring for unusual account activity is crucial.

This discovery also underscores the need for stronger regulation of the spyware industry. While some governments have begun to address the issue, the shadowy nature of these companies makes enforcement difficult. The Indian embassy in Washington, D.C. did not respond to requests for comment.

For more insights on protecting your devices, check out our guide on securing your phone from spyware and learn about common phishing tactics.

Operation Masquerade: How US Authorities Neutralized a Massive Russian DNS Hijacking Campaign

In a decisive counter-cyber operation, United States law enforcement has successfully dismantled a significant portion of a sophisticated DNS hijacking network controlled by Russian military intelligence hackers. This campaign, attributed to the notorious group APT28, had compromised thousands of internet routers across more than 23 states, turning them into tools for credential theft and espionage.

The Anatomy of a Router Hijack

For months, the threat actors, linked to Russia’s GRU Military Unit 26165, exploited vulnerabilities in common small office and home office (SOHO) routers. Building on this, they specifically targeted devices from manufacturers like TP-Link. Their method was insidious: by gaining control, they could redirect a user’s internet traffic through malicious servers. This process, known as DNS hijacking, allowed them to intercept login credentials and sensitive data from targeted organizations without the victims’ knowledge.

A Coordinated Transatlantic Response

Therefore, the discovery of this campaign triggered a coordinated response. On April 7, the US Department of Justice and the FBI announced their operation, dubbed “Operation Masquerade,” simultaneously with detailed advisories from the UK’s National Cyber Security Centre and Microsoft Threat Intelligence. This rare public alignment underscored the scale and seriousness of the threat posed by the DNS hijacking network.

Operation Masquerade: A Surgical Takedown

Authorized by a federal court, the FBI’s operation was both technical and precise. Consequently, agents developed and deployed a series of commands to the compromised routers located within the United States. These commands served a triple purpose: to gather forensic evidence on APT28’s activities, to reset the malicious DNS settings, and to close the original vulnerability that allowed the hackers access.

In addition, the operation was tested extensively to ensure it did not damage the routers or collect data from legitimate users. As a result, the fix was designed to be non-destructive. “The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets,” the Justice Department clarified. This approach balanced national security needs with protecting citizens’ property.

Why SOHO Routers Are a Prime Target

This incident highlights a critical vulnerability in global cyber defenses: the often-overlooked SOHO router. These devices are attractive targets for several reasons. First, they are numerous and frequently lack robust security updates from manufacturers. Second, many users and small businesses set them up and forget them, rarely applying firmware patches. Third, compromising a router provides a powerful vantage point to monitor all traffic flowing through a network, making it an ideal tool for espionage.

Brett Leatherman, Assistant Director of the FBI’s Cyber Division, framed the threat starkly: “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough.” This statement explains why an active, technical counter-operation was deemed necessary.

Essential Steps to Secure Your Router

In the wake of this takedown, cybersecurity agencies are urging all router owners to take proactive steps. The goal is to prevent your device from becoming part of the next DNS hijacking network. Here is a critical checklist for remediation and protection:

1. Replace Outdated Hardware: Check if your router model is on the manufacturer’s end-of-support list. Older devices no longer receive security updates, leaving them perpetually vulnerable.

2. Update Firmware Immediately: Always download and install the latest firmware directly from the official manufacturer’s website. Do not ignore update notifications.

3. Verify and Secure DNS Settings: Log into your router’s admin panel and ensure the DNS server settings point to legitimate providers like your ISP or a trusted service like Cloudflare or Google DNS. This is a key defense against hijacking.

4. Disable Remote Management: Unless you have a specific, essential need, turn off features that allow you to manage your router from outside your home network. This closes a common attack vector.

5. Follow Official Hardening Guides: Consult the security documentation from your router’s brand (e.g., TP-Link) for specific instructions on changing default passwords and enabling firewalls.

If you suspect your router was compromised, the DOJ advises contacting your local FBI field office or filing a report with the Internet Crime Complaint Center (IC3). For more general guidance on securing your home network, you can read our internal guide on home cybersecurity basics.

A Persistent Threat and a Firm Response

This operation sends a clear message about the evolving nature of state-sponsored cyber threats. Adversaries are increasingly targeting the soft underbelly of network infrastructure—consumer-grade devices—to launch sophisticated attacks. John A. Eisenberg, Assistant Attorney General for National Security, labeled the Russian campaign “a serious and persistent threat,” vowing to “use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation’s networks.”

Ultimately, the dismantling of this DNS hijacking network is a significant victory for defensive cyber operations. However, it also serves as a powerful reminder. Cybersecurity is a shared responsibility. While government agencies can disrupt large-scale campaigns, individual users and businesses must secure their own digital gateways. As the FBI emphasized, defending our collective networks truly requires all of us. For a deeper look at how nation-state actors operate, explore our analysis on advanced persistent threat tactics.

Fortinet Issues Emergency Fix for Actively Exploited FortiClient EMS Vulnerability

Organizations using Fortinet‘s endpoint management platform are under immediate pressure to apply a critical security update. This follows the discovery of a severe vulnerability in FortiClient Enterprise Management Server (EMS) that attackers are already using in real-world attacks. The flaw allows complete bypass of security controls, putting entire device fleets at risk.

Understanding the FortiClient EMS Security Threat

The vulnerability, tracked as CVE-2026-35616, carries a critical CVSS score of 9.1. It stems from an improper access control mechanism within the EMS API. Consequently, an attacker without any login credentials can send specially crafted network requests to the server. This action bypasses all authentication and authorization checks, granting the attacker the ability to execute arbitrary code or commands on the compromised system.

Fortinet’s advisory was unequivocal: the company has observed active exploitation. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix,” the statement read. The emergency patch covers versions 7.4.5 and 7.4.6, with a permanent fix also slated for the upcoming 7.4.7 release.

A Pattern of Critical Endpoint Vulnerabilities

This incident is not isolated. In fact, it represents the second critical flaw discovered in the FortiClient EMS platform within a single week. The previous vulnerability, CVE-2026-21643, was an SQL injection flaw with a staggering CVSS score of 9.8. Similarly, it allowed unauthenticated attackers to execute code via crafted HTTP requests.

Building on this, the implications are severe. By compromising an organization’s endpoint management server, threat actors gain a powerful foothold. They can potentially push malicious software updates to every managed computer, laptop, and server. This access becomes a launchpad for deeper network penetration, data theft for espionage, or the deployment of ransomware payloads. For more context on the critical nature of such flaws, see our analysis on endpoint management security risks.

Why Endpoint Management Servers Are Prime Targets

Endpoint management solutions like FortiClient EMS are coveted targets for cybercriminals. The reason is straightforward: they offer centralized, privileged control over a company’s entire device ecosystem. Therefore, breaching this single point of control is far more efficient than attacking individual endpoints. A successful compromise effectively hands over the keys to the digital kingdom.

Immediate Actions and Mitigation Steps

For the specific CVE-2026-35616 flaw, the required action is clear. Affected organizations running FortiClient EMS 7.4.5 or 7.4.6 must apply the provided hotfix immediately. This patch is sufficient to close the security gap entirely until version 7.4.7 is formally released.

Regarding the earlier SQL injection vulnerability (CVE-2026-21643), the guidance differs. Fortinet advised customers to upgrade to version 7.4.5 or later. As a temporary workaround, if an immediate upgrade isn’t possible, administrators should disconnect the EMS administrative web interface from the internet to block external attack vectors.

Recognizing Signs of a Compromise

Vigilance is crucial. Security teams should monitor their systems for specific Indicators of Compromise (IoCs) associated with these attacks. Key warning signs include HTTP 500 error messages on the `/api/v1/init_consts` endpoint, unusual database error entries within PostgreSQL logs, and the unexpected presence of unauthorized remote management tools on the server.

This recent activity echoes a concerning trend. In 2024, Fortinet was forced to patch another critical SQL injection flaw in FortiClientEMS that threatened remote code execution. The repeated appearance of such severe vulnerabilities underscores the intense scrutiny these management platforms face. For a deeper dive into vulnerability management strategies, consider reading our guide on effective patch management.

The Imperative of Proactive Security Posture

The discovery of these flaws, notably by cybersecurity firm Defused, highlights the value of external security research. Defused reported witnessing zero-day exploitation of CVE-2026-35616 and responsibly disclosed their findings to Fortinet, triggering the rapid patch development.

Ultimately, this event serves as a stark reminder. In today’s threat landscape, critical infrastructure software is in the crosshairs. Organizations cannot afford to delay applying security patches, especially those labeled as “emergency” and “exploited in the wild.” Proactive monitoring, rapid patch deployment, and a defense-in-depth strategy are no longer optional; they are fundamental requirements for operational resilience.