Operation Masquerade: How US Authorities Neutralized a Massive Russian DNS Hijacking Campaign

In a decisive counter-cyber operation, United States law enforcement has successfully dismantled a significant portion of a sophisticated DNS hijacking network controlled by Russian military intelligence hackers. This campaign, attributed to the notorious group APT28, had compromised thousands of internet routers across more than 23 states, turning them into tools for credential theft and espionage.

The Anatomy of a Router Hijack

For months, the threat actors, linked to Russia’s GRU Military Unit 26165, exploited vulnerabilities in common small office and home office (SOHO) routers. In particular, they targeted devices from manufacturers such as TP-Link. Their method was insidious: by gaining control of a router, they could redirect a user’s internet traffic through malicious servers. This process, known as DNS hijacking, allowed them to intercept login credentials and sensitive data from targeted organizations without the victims’ knowledge.

A Coordinated Transatlantic Response

The discovery of this campaign triggered a coordinated response. On April 7, the US Department of Justice and the FBI announced their operation, dubbed “Operation Masquerade,” simultaneously with detailed advisories from the UK’s National Cyber Security Centre and Microsoft Threat Intelligence. This rare public alignment underscored the scale and seriousness of the threat posed by the DNS hijacking network.

Operation Masquerade: A Surgical Takedown

Authorized by a federal court, the FBI’s operation was both technical and precise. Agents developed and deployed a series of commands to the compromised routers located within the United States. These commands served a triple purpose: to gather forensic evidence on APT28’s activities, to reset the malicious DNS settings, and to close the original vulnerability that had given the hackers access.

The operation was tested extensively to ensure it neither damaged the routers nor collected data from legitimate users, and the fix was designed to be non-destructive. “The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets,” the Justice Department clarified. This approach balanced national security needs with protecting citizens’ property.

Why SOHO Routers Are a Prime Target

This incident highlights a critical vulnerability in global cyber defenses: the often-overlooked SOHO router. These devices are attractive targets for several reasons. First, they are numerous and frequently lack robust security updates from manufacturers. Second, many users and small businesses set them up and forget them, rarely applying firmware patches. Third, compromising a router provides a powerful vantage point to monitor all traffic flowing through a network, making it an ideal tool for espionage.

Brett Leatherman, Assistant Director of the FBI’s Cyber Division, framed the threat starkly: “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough.” This statement explains why an active, technical counter-operation was deemed necessary.

Essential Steps to Secure Your Router

In the wake of this takedown, cybersecurity agencies are urging all router owners to take proactive steps. The goal is to prevent your device from becoming part of the next DNS hijacking network. Here is a critical checklist for remediation and protection:

1. Replace Outdated Hardware: Check if your router model is on the manufacturer’s end-of-support list. Older devices no longer receive security updates, leaving them perpetually vulnerable.

2. Update Firmware Immediately: Always download and install the latest firmware directly from the official manufacturer’s website. Do not ignore update notifications.

3. Verify and Secure DNS Settings: Log into your router’s admin panel and ensure the DNS server settings point to legitimate providers like your ISP or a trusted service like Cloudflare or Google DNS. This is a key defense against hijacking.

4. Disable Remote Management: Unless you have a specific, essential need, turn off features that allow you to manage your router from outside your home network. This closes a common attack vector.

5. Follow Official Hardening Guides: Consult the security documentation from your router’s brand (e.g., TP-Link) for specific instructions on changing default passwords and enabling firewalls.
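As an added illustration of the checklist above (example code, not part of the original article or any vendor's tooling), the following Python script audits an exported router configuration against items 1 to 5. The configuration layout, the allowlist of resolvers, the end-of-support list, the model names and the firmware versions are assumptions constructed for the example; a real audit would read the vendor's export format and its published support page.

```python
"""Audit a SOHO router's exported settings against the five-point hardening checklist.

The config layout, allowlists, model names and version numbers are constructed for
this example; substitute the vendor's real export format and support data."""
import ipaddress

# Constructed allowlist: the public resolvers named in the checklist. ISP resolvers
# are normally assigned automatically, so 'auto' DNS mode needs no allowlist entry.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
# Hypothetical vendor data: models past end of support, and newest firmware per model.
END_OF_SUPPORT_MODELS = {"EXAMPLE-ROUTER-V1"}
LATEST_FIRMWARE = {"EXAMPLE-ROUTER-V2": "2.3.1"}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_router(cfg):
    """Return a list of (check_id, message) findings; an empty list means every check passed."""
    findings = []
    model = cfg["model"]

    # 1. Replace outdated hardware
    if model in END_OF_SUPPORT_MODELS:
        findings.append(("end_of_support", f"{model} no longer receives security updates"))

    # 2. Update firmware
    latest = LATEST_FIRMWARE.get(model)
    if latest and parse_version(cfg["firmware"]) < parse_version(latest):
        findings.append(("outdated_firmware", f"firmware {cfg['firmware']} is older than {latest}"))

    # 3. Verify DNS settings: every manually configured resolver must be on the allowlist,
    #    because a single injected entry is enough to redirect lookups.
    if cfg["dns_mode"] == "manual":
        for server in cfg["dns_servers"]:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append(("dns_malformed", f"DNS entry {server!r} is not an IP address"))
                continue
            if server not in TRUSTED_RESOLVERS:
                findings.append(("dns_untrusted", f"resolver {server} is not on the allowlist"))

    # 4. Disable remote management
    if cfg["remote_management"]:
        findings.append(("remote_mgmt_enabled", "WAN-side admin access is enabled"))

    # 5. Vendor hardening basics: default credentials still in place
    if cfg["admin_password_is_default"]:
        findings.append(("default_password", "admin password has not been changed"))

    return findings


# Constructed samples: a router with an injected resolver (203.0.113.7 is a
# documentation-range address used here as a stand-in), and the same device after cleanup.
HIJACKED = {
    "model": "EXAMPLE-ROUTER-V2", "firmware": "2.1.0",
    "dns_mode": "manual", "dns_servers": ["203.0.113.7", "1.1.1.1"],
    "remote_management": True, "admin_password_is_default": True,
}
HARDENED = {
    "model": "EXAMPLE-ROUTER-V2", "firmware": "2.3.1",
    "dns_mode": "manual", "dns_servers": ["1.1.1.1", "1.0.0.1"],
    "remote_management": False, "admin_password_is_default": False,
}

if __name__ == "__main__":
    for name, cfg in (("hijacked", HIJACKED), ("hardened", HARDENED)):
        print(name, audit_router(cfg) or "no findings")
```

The DNS check reports any non-allowlisted manual resolver rather than requiring all of them to be bad: clients typically try resolvers in order, so one malicious entry alongside a legitimate one is still a hijack.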

If you suspect your router was compromised, the DOJ advises contacting your local FBI field office or filing a report with the Internet Crime Complaint Center (IC3). For more general guidance on securing your home network, you can read our internal guide on home cybersecurity basics.

A Persistent Threat and a Firm Response

This operation sends a clear message about the evolving nature of state-sponsored cyber threats. Adversaries are increasingly targeting the soft underbelly of network infrastructure—consumer-grade devices—to launch sophisticated attacks. John A. Eisenberg, Assistant Attorney General for National Security, labeled the Russian campaign “a serious and persistent threat,” vowing to “use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation’s networks.”

Ultimately, the dismantling of this DNS hijacking network is a significant victory for defensive cyber operations. However, it also serves as a powerful reminder. Cybersecurity is a shared responsibility. While government agencies can disrupt large-scale campaigns, individual users and businesses must secure their own digital gateways. As the FBI emphasized, defending our collective networks truly requires all of us. For a deeper look at how nation-state actors operate, explore our analysis on advanced persistent threat tactics.

New Hack-for-Hire Campaign Hits Android Devices and iCloud Backups Across the Middle East

Security researchers have uncovered a sophisticated hack-for-hire group that has been targeting journalists, activists, and government officials across the Middle East and North Africa. This campaign, active between 2023 and 2025, uses phishing attacks to access iCloud backups and deploy Android spyware, raising fresh concerns about the growing private espionage industry.

According to reports from Access Now, SMEX, and Lookout, the hackers employed a range of tactics to infiltrate devices. For iPhone users, they tricked victims into surrendering Apple ID credentials, gaining access to iCloud backups that contained the full contents of their phones. For Android users, they distributed spyware called ProSpy, disguised as popular apps like Signal, WhatsApp, and Zoom, as well as regional messaging apps ToTok and Botim.

This hack-for-hire group appears to be an offshoot of the infamous Indian startup Appin, which was exposed by Reuters in 2022 and 2023 for allegedly hacking corporate executives and government officials. Justin Albrecht, principal researcher at Lookout, noted that while Appin has since shut down, its operations have simply migrated to smaller companies like RebSec, which has since deleted its online presence.

How the Hack-for-Hire Group Operates

The campaign targeted at least three journalists—two in Egypt and one in Lebanon—but Lookout’s investigation suggests the scope is much wider. Victims include government officials in Bahrain, Egypt, the United Arab Emirates, Saudi Arabia, and even individuals in the United Kingdom and possibly the United States. The researchers linked the group to BITTER APT, a hacking collective suspected of ties to the Indian government.

One of the most alarming aspects of this hack-for-hire group is its use of “plausible deniability.” By outsourcing operations to private vendors, governments can avoid direct responsibility. “These operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end customer is,” said Mohammed Al-Maskati, an investigator at Access Now.

Android Spyware and Phishing Attacks: The Technical Details

For Android users, the hackers deployed ProSpy, a spyware that masquerades as legitimate apps. Victims were lured into downloading fake versions of Signal, WhatsApp, or other messaging tools, which then granted attackers full control over the device. This Android spyware could capture messages, photos, and even microphone and camera access.

For iPhone users, the approach was different but equally dangerous. Hackers used phishing emails and messages to trick targets into revealing their Apple ID credentials. Once obtained, they accessed iCloud backups, effectively bypassing iOS security without needing expensive zero-day exploits. As Access Now noted, this is “potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware.”

Signal Account Hijacking

In some cases, the hackers attempted to register a new device—controlled by them—to the victim’s Signal account. This technique, popular among various hacking groups including Russian spies, allows attackers to intercept encrypted messages without breaking Signal’s encryption itself.

The Growing Threat of Commercial Spyware

This campaign highlights a troubling trend: the rise of commercial spyware and hack-for-hire services that are more accessible than ever. Unlike state-sponsored operations, these private groups offer lower costs and greater anonymity. “For their customers, these hack-for-hire groups are likely cheaper than purchasing commercial spyware,” Albrecht explained.

The researchers also emphasize that even less sophisticated tools can be highly effective. The hackers behind this campaign may not have the most advanced exploits, but their social engineering and phishing tactics proved sufficient to compromise high-value targets.

What This Means for Digital Security

For journalists and activists in the Middle East, this campaign serves as a stark reminder of the risks they face. Experts recommend enabling two-factor authentication on all accounts, avoiding suspicious links, and regularly reviewing the devices linked to each account. For organizations, investing in security awareness training and monitoring for unusual account activity is crucial.

This discovery also underscores the need for stronger regulation of the spyware industry. While some governments have begun to address the issue, the shadowy nature of these companies makes enforcement difficult. The Indian embassy in Washington, D.C. did not respond to requests for comment.

For more insights on protecting your devices, check out our guide on securing your phone from spyware and learn about common phishing tactics.

Fortinet Issues Emergency Fix for Actively Exploited FortiClient EMS Vulnerability

Organizations using Fortinet’s endpoint management platform are under immediate pressure to apply a critical security update. This follows the discovery of a severe vulnerability in FortiClient Enterprise Management Server (EMS) that attackers are already using in real-world attacks. The flaw allows a complete bypass of security controls, putting entire device fleets at risk.

Understanding the FortiClient EMS Security Threat

The vulnerability, tracked as CVE-2026-35616, carries a critical CVSS score of 9.1. It stems from an improper access control mechanism within the EMS API. Consequently, an attacker without any login credentials can send specially crafted network requests to the server. This action bypasses all authentication and authorization checks, granting the attacker the ability to execute arbitrary code or commands on the compromised system.

Fortinet’s advisory was unequivocal: the company has observed active exploitation. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix,” the statement read. The emergency patch covers versions 7.4.5 and 7.4.6, with a permanent fix also slated for the upcoming 7.4.7 release.

A Pattern of Critical Endpoint Vulnerabilities

This incident is not isolated. In fact, it represents the second critical flaw discovered in the FortiClient EMS platform within a single week. The previous vulnerability, CVE-2026-21643, was an SQL injection flaw with a staggering CVSS score of 9.8. Similarly, it allowed unauthenticated attackers to execute code via crafted HTTP requests.

The implications are severe. By compromising an organization’s endpoint management server, threat actors gain a powerful foothold. They can potentially push malicious software updates to every managed computer, laptop, and server. This access becomes a launchpad for deeper network penetration, data theft for espionage, or the deployment of ransomware payloads. For more context on the critical nature of such flaws, see our analysis on endpoint management security risks.

Why Endpoint Management Servers Are Prime Targets

Endpoint management solutions like FortiClient EMS are coveted targets for cybercriminals. The reason is straightforward: they offer centralized, privileged control over a company’s entire device ecosystem. Therefore, breaching this single point of control is far more efficient than attacking individual endpoints. A successful compromise effectively hands over the keys to the digital kingdom.

Immediate Actions and Mitigation Steps

For the specific CVE-2026-35616 flaw, the required action is clear. Affected organizations running FortiClient EMS 7.4.5 or 7.4.6 must apply the provided hotfix immediately. This patch is sufficient to close the security gap entirely until version 7.4.7 is formally released.

Regarding the earlier SQL injection vulnerability (CVE-2026-21643), the guidance differs. Fortinet advised customers to upgrade to version 7.4.5 or later. As a temporary workaround, if an immediate upgrade isn’t possible, administrators should disconnect the EMS administrative web interface from the internet to block external attack vectors.

Recognizing Signs of a Compromise

Vigilance is crucial. Security teams should monitor their systems for specific Indicators of Compromise (IoCs) associated with these attacks. Key warning signs include HTTP 500 error messages on the `/api/v1/init_consts` endpoint, unusual database error entries within PostgreSQL logs, and the unexpected presence of unauthorized remote management tools on the server.
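To turn those warning signs into something a security team can actually run, here is an added Python example (not Fortinet’s code and not part of the original advisory) that scans log samples for each of the three indicators. The log layouts are generic assumptions (a combined-style web access log, a default-style PostgreSQL log, and a plain list of installed software) rather than EMS’s real file formats, the sample lines are constructed, and the remote-tool watchlist is a starting assumption to be tailored to what the organisation actually deploys.

```python
"""Scan constructed log samples for the three FortiClient EMS warning signs:
HTTP 500s on /api/v1/init_consts, PostgreSQL error entries, and unexpected
remote-management tools. Log formats here are generic assumptions, not EMS's own."""
import re
from collections import Counter

# Endpoint named in the public reporting as returning HTTP 500 during exploitation attempts
WATCHED_ENDPOINT = "/api/v1/init_consts"
# Starting watchlist (assumption): remote-management tools an EMS server should not carry
# unless the organisation deployed them deliberately.
REMOTE_TOOL_WATCHLIST = {"anydesk", "teamviewer", "screenconnect", "rustdesk", "atera"}

# Combined-style access log: ip ident user [timestamp] "METHOD path proto" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Default-style PostgreSQL log line containing a severity tag
PG_ERROR_LINE = re.compile(r"\b(?P<level>ERROR|FATAL|PANIC):\s+(?P<msg>.*)$")


def find_init_consts_500s(access_log_lines):
    """Count HTTP 500 responses on the watched endpoint, keyed by client IP."""
    hits = Counter()
    for line in access_log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path == WATCHED_ENDPOINT and m.group("status") == "500":
            hits[m.group("ip")] += 1
    return dict(hits)


def find_db_errors(pg_log_lines):
    """Return PostgreSQL ERROR/FATAL/PANIC entries; routine LOG lines are ignored."""
    errors = []
    for line in pg_log_lines:
        m = PG_ERROR_LINE.search(line)
        if m:
            errors.append(f"{m.group('level')}: {m.group('msg')}")
    return errors


def find_unexpected_remote_tools(installed_software):
    """Flag installed programs whose name matches the remote-management watchlist."""
    return [name for name in installed_software
            if any(tool in name.lower() for tool in REMOTE_TOOL_WATCHLIST)]


def triage(access_log_lines, pg_log_lines, installed_software):
    """Run all three checks and return the findings in one dict."""
    return {
        "init_consts_500": find_init_consts_500s(access_log_lines),
        "db_errors": find_db_errors(pg_log_lines),
        "unexpected_remote_tools": find_unexpected_remote_tools(installed_software),
    }


# Constructed samples (documentation-range IPs; not captured from a real EMS host)
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [12/May/2026:10:15:01 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 0',
    '192.0.2.10 - - [12/May/2026:10:15:03 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 0',
    '198.51.100.4 - - [12/May/2026:10:16:10 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 812',
    '198.51.100.4 - - [12/May/2026:10:16:12 +0000] "GET /api/v1/status HTTP/1.1" 500 0',
]
SAMPLE_PG_LOG = [
    "2026-05-12 10:15:01.204 UTC [4321] LOG:  checkpoint starting: time",
    "2026-05-12 10:15:01.330 UTC [4378] ERROR:  syntax error at end of input at character 58",
    '2026-05-12 10:15:03.118 UTC [4378] ERROR:  invalid input syntax for type integer: "x"',
    "2026-05-12 10:15:09.002 UTC [4321] LOG:  checkpoint complete",
]
SAMPLE_INSTALLED = ["FortiClient EMS", "PostgreSQL 14", "AnyDesk", "Microsoft Edge"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESS_LOG, SAMPLE_PG_LOG, SAMPLE_INSTALLED).items():
        print(f"{key}: {value}")
```

A 500 on another endpoint (the fourth access line) is deliberately not counted, and the two 500s from one source are reported together so an analyst sees the repetition, not just the first hit.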

This recent activity echoes a concerning trend. In 2024, Fortinet was forced to patch another critical SQL injection flaw in FortiClientEMS that threatened remote code execution. The repeated appearance of such severe vulnerabilities underscores the intense scrutiny these management platforms face. For a deeper dive into vulnerability management strategies, consider reading our guide on effective patch management.

The Imperative of Proactive Security Posture

The discovery of these flaws, notably by cybersecurity firm Defused, highlights the value of external security research. Defused reported witnessing zero-day exploitation of CVE-2026-35616 and responsibly disclosed their findings to Fortinet, triggering the rapid patch development.

Ultimately, this event serves as a stark reminder. In today’s threat landscape, critical infrastructure software is in the crosshairs. Organizations cannot afford to delay applying security patches, especially those labeled as “emergency” and “exploited in the wild.” Proactive monitoring, rapid patch deployment, and a defense-in-depth strategy are no longer optional; they are fundamental requirements for operational resilience.

How a Business Email Compromise Attack Cost Zephyr Energy Nearly $1 Million

A sophisticated cyberattack has resulted in a significant financial blow for Zephyr Energy, a British oil and gas firm. The company confirmed that a malicious actor successfully diverted a payment of £700,000—approximately one million dollars—from one of its U.S. subsidiaries. This incident serves as a stark reminder of the persistent and costly threat posed by business email compromise schemes.

According to a filing with the London Stock Exchange, the funds were intended for a contractor but were rerouted to an account controlled by the hacker. Consequently, Zephyr is now collaborating with its banks and external consultants in an effort to recover the stolen money. The company has stated that the incident is contained and its day-to-day operations continue unaffected.

Understanding the Mechanics of a Business Email Compromise

While Zephyr did not disclose the exact method of intrusion, the attack bears all the hallmarks of a classic business email compromise. Typically, hackers first gain access to corporate email accounts or accounting systems. This access is then used to monitor communications and identify upcoming payments. At the critical moment, the attacker intervenes, subtly altering the bank account and routing numbers on an invoice or payment instruction. The result? Funds flow directly into the criminal’s account instead of the legitimate recipient’s.

This form of cybercrime is notoriously effective and lucrative. In fact, the FBI’s latest annual report on internet crime, published in April, highlighted business email compromise as a leading source of financial loss. The scale is staggering, with victim losses exceeding $3 billion in 2025 alone. For more on protecting your financial operations, see our guide on secure payment processes.

The Aftermath and Corporate Response

Following the discovery of the fraud, Zephyr Energy moved quickly to assess the damage. The company emphasized that its existing technology and payment platforms adhered to “industry standard practices.” However, in response to the breach, it has already implemented “additional layers of security.” This reactive step is common but underscores a critical point: standard practices are often insufficient against determined attackers.

The incident also raises important questions about the security protocols surrounding high-value transactions. A spokesperson for Zephyr did not respond to requests for further comment, leaving specifics about the new security measures undisclosed. This lack of transparency, while understandable, makes it harder for other organizations to learn from the event.

Why Business Email Compromise Attacks Are So Pervasive

Several factors contribute to the enduring success of BEC attacks. First, they often rely on social engineering rather than complex technical exploits, making them harder for traditional security software to catch. Second, they target the fundamental human element of business: trust in communication. An email that appears to come from a known colleague or partner requesting an urgent payment change is often acted upon without sufficient verification.

Therefore, combating this threat requires a multi-faceted approach. Technological solutions like email authentication (DMARC, SPF, DKIM) are vital, but they must be paired with rigorous procedural controls. For instance, any request to change payment details should require verification through a separate, pre-established communication channel, such as a phone call to a known number. Discover more strategies in our article on email security best practices.

Protecting Your Organization from Financial Cybercrime

So, what can businesses learn from Zephyr Energy’s experience? Proactive defense is non-negotiable. Regular security awareness training for all employees, especially those in finance and procurement, is essential. Staff must be trained to recognize the subtle signs of phishing and fraudulent requests.

In addition, companies should conduct periodic audits of their accounts payable processes. This means reviewing and tightening controls around payment authorization and vendor information management. Implementing a system where dual approvals are needed for any payment over a certain threshold or any change to vendor banking details can create a crucial barrier.
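As an added example illustrating both the out-of-band verification rule described earlier and the dual-approval control just above, here is a small Python model of accounts-payable checks. It is constructed for this article and is not Zephyr Energy’s process; the vendor name, account numbers, phone number, staff names and the approval threshold are all placeholders.

```python
"""Procedural BEC controls: bank-detail changes need an out-of-band callback plus a
second approver, and payments above a threshold need two distinct approvers.
All data below is constructed; the threshold is a placeholder policy value."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DUAL_APPROVAL_THRESHOLD = 50_000  # placeholder, in the payment currency


@dataclass
class Vendor:
    name: str
    account_number: str
    sort_code: str
    verified_phone: str  # pre-established number on file; never taken from an incoming email


@dataclass
class BankDetailChange:
    vendor: Vendor
    new_account_number: str
    new_sort_code: str
    requested_via: str                          # channel the request arrived on, e.g. "email"
    requester: str                              # staff member who logged the request
    callback_verified_by: Optional[str] = None  # who phoned the number on file to confirm
    approver: Optional[str] = None              # second person who approved the change


@dataclass
class Payment:
    vendor: Vendor
    amount: float
    approvers: List[str] = field(default_factory=list)


def evaluate_bank_detail_change(change: BankDetailChange) -> Tuple[bool, List[str]]:
    """A change is approved only with a recorded callback to the pre-established number
    and a second approver different from the requester. The channel the request came
    in on (email, portal, phone) never counts as verification by itself."""
    reasons = []
    if change.callback_verified_by is None:
        reasons.append("no callback to the vendor's pre-established phone number recorded")
    if change.approver is None:
        reasons.append("no second approver")
    elif change.approver == change.requester:
        reasons.append("approver must differ from requester")
    return not reasons, reasons


def apply_bank_detail_change(change: BankDetailChange) -> Tuple[bool, List[str]]:
    """Update the vendor record only when every control is satisfied."""
    approved, reasons = evaluate_bank_detail_change(change)
    if approved:
        change.vendor.account_number = change.new_account_number
        change.vendor.sort_code = change.new_sort_code
    return approved, reasons


def evaluate_payment(payment: Payment) -> Tuple[bool, List[str]]:
    """Release a payment only with at least one approver, and two distinct approvers
    once the amount exceeds the threshold."""
    reasons = []
    distinct = set(payment.approvers)
    if not distinct:
        reasons.append("no approver")
    elif payment.amount > DUAL_APPROVAL_THRESHOLD and len(distinct) < 2:
        reasons.append(f"amount {payment.amount:,.0f} exceeds {DUAL_APPROVAL_THRESHOLD:,} "
                       f"and has {len(distinct)} approver(s); 2 required")
    return not reasons, reasons


# Constructed scenario modelled on the case above: an emailed request to reroute a
# 700,000 contractor payment. Phone number is from a reserved drama range (placeholder).
CONTRACTOR = Vendor("Example Drilling Ltd", "12345678", "00-00-00", "+44 20 7946 0000")


def run_scenario():
    results = {}
    emailed = BankDetailChange(CONTRACTOR, "87654321", "11-11-11", "email", "ap.clerk")
    results["unverified_change"] = apply_bank_detail_change(emailed)   # blocked
    verified = BankDetailChange(CONTRACTOR, "87654321", "11-11-11", "email", "ap.clerk",
                                callback_verified_by="ap.clerk", approver="ap.manager")
    results["verified_change"] = apply_bank_detail_change(verified)    # applied
    results["single_approver"] = evaluate_payment(Payment(CONTRACTOR, 700_000, ["ap.clerk"]))
    results["dual_approval"] = evaluate_payment(Payment(CONTRACTOR, 700_000, ["ap.clerk", "cfo"]))
    return results


if __name__ == "__main__":
    for name, (ok, reasons) in run_scenario().items():
        print(f"{name}: {'OK' if ok else 'BLOCKED'} {reasons}")
```

The point of `evaluate_bank_detail_change` is that the email itself carries no weight: the first request in the scenario is refused regardless of how convincing the message looked, because nobody phoned the number already on file and nobody other than the requester signed off.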

Ultimately, the Zephyr Energy case is not an isolated event but part of a global trend. As the FBI data confirms, business email compromise remains a top-tier cyber threat. By understanding the tactics, reinforcing human vigilance, and strengthening financial controls, organizations can better shield themselves from suffering a similar seven-figure loss.
