Security researchers say they have uncovered a hack-for-hire group that has been targeting journalists, activists, and government officials across the Middle East and North Africa, using a mix of phishing, account takeovers, and mobile spyware.

The attackers relied on phishing tactics to gain access to victims’ Apple ID credentials, allowing them to break into iCloud backups and potentially access large amounts of personal data. They also targeted messaging platforms like Signal and used Android spyware capable of taking control of infected devices.

This campaign reflects a broader shift where governments are increasingly outsourcing cyber operations to private companies. Instead of building their own capabilities, some agencies now depend on commercial vendors that provide hacking tools and spyware to monitor individuals through their phones.

Researchers from Access Now documented three separate attacks between 2023 and 2025 involving two Egyptian journalists and one journalist in Lebanon. The Lebanese case was also examined by SMEX, another digital rights group. Mobile security firm Lookout investigated the same incidents, and all three organizations worked together before publishing their findings in separate reports.

Lookout said the scope of the campaign appears wider than initially thought, with targets not only in civil society but also within government circles in countries like Bahrain and Egypt. Additional targets were identified in the United Arab Emirates, Saudi Arabia, the United Kingdom, and possibly even the United States or individuals linked to American universities.

The researchers believe the group behind these attacks is part of a hack-for-hire operation connected to BITTER APT, a known hacking group that cybersecurity firms have linked to India. According to Lookout’s principal researcher Justin Albrecht, the operation could be tied to a smaller offshoot of the now-defunct Indian startup Appin, with a company called RebSec emerging as a possible player.

Previous investigations by Reuters in 2022 and 2023 revealed how Appin and similar firms were allegedly hired to hack a wide range of targets, including executives, politicians, and military officials. Although Appin has since shut down, Albrecht said this latest campaign suggests that such activities have not disappeared but have instead shifted to smaller, less visible companies.

These groups offer a level of deniability to their clients, since they handle the infrastructure and execution of attacks, making it harder to trace who is ultimately behind them. They may also provide a more affordable option compared to high-end commercial spyware tools.

RebSec could not be reached for comment, as its website and social media accounts are no longer active.

Mohammed Al-Maskati from Access Now said these kinds of operations are becoming easier to carry out and harder to attribute, especially since the real customer behind an attack often remains hidden and technical evidence does not clearly point to a specific entity.

Even though groups like BITTER may not use the most advanced tools, their methods remain effective. In some cases, attackers tricked iPhone users into revealing their Apple ID details, giving them access to iCloud backups and the contents of their devices. Researchers noted this approach can serve as a lower-cost alternative to more sophisticated iOS spyware.

For Android users, the attackers deployed spyware known as ProSpy, disguising it as well-known apps such as Signal, WhatsApp, Zoom, and regionally popular platforms like ToTok and Botim. Victims were also targeted with attempts to link a hacker-controlled device to their Signal accounts, a tactic that has been used by multiple hacking groups, including those linked to Russian intelligence.


A spokesperson for the Indian embassy in Washington, D.C. did not respond to requests for comment.
