Middle East Hack-for-Hire Operation Linked to South Asian APT Group Targets Journalists

A sophisticated hack-for-hire operation has been uncovered in the Middle East, targeting prominent journalists and civil society figures in Egypt and Lebanon. This campaign, detected by digital rights organizations, has been traced to the Bitter advanced persistent threat (APT) group, known for its South Asian origins. The operation used spear-phishing tactics and Android malware to compromise high-profile individuals, raising alarms about the growing reach of state-sponsored cyber espionage.

How the Hack-for-Hire Operation Unfolded

In August 2025, Access Now, a global non-profit focused on digital civil rights, identified the campaign through its Digital Security Helpline. The targets included Egyptian journalists Mostafa Al‑A’sar and Ahmed Eltantawy, both vocal critics of the Egyptian government who had previously faced imprisonment. According to Access Now, the attackers launched spear-phishing attempts in October 2023 and January 2024, aiming to compromise their Apple and Google accounts.

Building on this, the attackers impersonated legitimate services and individuals, using fake profiles and messages on platforms like Signal to deliver malicious links. Al‑A’sar entered his credentials after receiving a fake Apple notification, but stopped engaging when he noticed a suspicious two-factor authentication alert from a distant location in Egypt. Eltantawy ignored the lures entirely, preventing any account compromise.

However, a separate attack on a Lebanese journalist, documented by the Beirut-based organization SMEX, succeeded in breaching an Apple account in 2025. The campaign began via Apple Messages and escalated through WhatsApp, using the same malicious infrastructure. Researchers noted that the attackers executed account takeovers within 30 seconds of credential submission, highlighting the speed and efficiency of this hack-for-hire operation.

ProSpy Spyware: The Tool Behind the Attacks

Mobile security firm Lookout analyzed the Android malware used in the campaign, dubbed ProSpy (also known as ToSpy by ESET). Lookout acquired 11 samples, the earliest from August 2024, revealing that ProSpy is developed in Kotlin and integrates common spyware functions like file exfiltration, contact harvesting, and microphone activation. While less sophisticated than top-tier spyware like Predator, ProSpy is actively maintained with new capabilities added over time.

The malware is distributed through two-stage attacks. First, targets are contacted via fake social media profiles or impersonated Apple Support. Then, they are tricked into clicking spear-phishing links: Apple users face fake iCloud pages, while Android users are directed to download ProSpy from deceptive domains, such as a fake ToTok app update at totok-pro[.]ai-ae[.]io. The malicious sites serve APK files in English and Arabic, using randomized URLs to evade detection.

Technical Links to the Bitter APT Group

Lookout researchers linked ProSpy to the Bitter APT group (also known as T-APT-17 and APT-C-08) through shared infrastructure and code similarities. For instance, the domain com-ae[.]net was previously tied to Bitter’s Dracarys malware. Code parallels include worker-class naming conventions and numbered command-and-control (C2) commands. Despite these links, Bitter historically targets military, energy, and government entities, not civil society. This discrepancy suggests the hack-for-hire operation may represent an expansion of Bitter’s scope or collaboration with a South Asian mercenary group, marking the first documented case of the group targeting journalists.
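As an added example, not code from the article, Lookout or Access Now: a small Python check that refangs the two domains quoted in the preceding sections (totok-pro[.]ai-ae[.]io and com-ae[.]net) and scans DNS log lines for exact or subdomain matches. The log format and the sample lines are constructed assumptions for the demonstration.

```python
"""Scan DNS/proxy log lines for the defanged domains quoted in the article."""
from typing import Iterable, List, Tuple

# Indicators exactly as the article gives them (defanged with [.]).
DEFANGED_IOCS = ["totok-pro[.]ai-ae[.]io", "com-ae[.]net"]


def refang(indicator: str) -> str:
    """Turn a defanged domain such as a[.]b back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, ioc: str) -> bool:
    """True when host equals the IoC or is a subdomain of it (suffix on a label boundary)."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def find_ioc_hits(log_lines: Iterable[str],
                  defanged: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_no, host, ioc) for every line whose queried host matches an IoC.

    Assumed (constructed) log format: "<timestamp> <client_ip> <query_host>".
    """
    iocs = [refang(i) for i in defanged]
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        host = parts[2]
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((n, host, ioc))
    return hits


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z 10.0.0.5 www.apple.com",
    "2025-08-01T10:00:02Z 10.0.0.7 totok-pro.ai-ae.io",
    "2025-08-01T10:00:03Z 10.0.0.7 update.totok-pro.ai-ae.io",
    "2025-08-01T10:00:04Z 10.0.0.9 com-ae.net.example.org",  # no match: IoC is not the suffix
    "2025-08-01T10:00:05Z 10.0.0.9 cdn.com-ae.net",
]

if __name__ == "__main__":
    for n, host, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: {host} matches {ioc}")
```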

Broader Implications for Middle East Cyber Espionage

This campaign underscores the evolving threat landscape in the Middle East, where hack-for-hire groups increasingly target civil society. Lookout believes the operation also targeted victims in Bahrain, the UAE, Saudi Arabia, and potentially the US. For organizations and individuals, this highlights the need for robust cybersecurity measures, such as enabling two-factor authentication and verifying communication channels before acting on unexpected messages.

As digital rights groups like Access Now and SMEX continue to monitor these threats, the case serves as a stark reminder of the risks faced by journalists and activists in the region. The involvement of a state-linked APT group in a hack-for-hire operation blurs the lines between state-sponsored espionage and mercenary cybercrime, demanding heightened vigilance from the international community.
