Hack-for-Hire Group Discovered Targeting Android Devices and iCloud Backups

by admin

Security experts have uncovered a hack-for-hire group targeting journalists, activists, and government officials in the Middle East and North Africa. This group employs phishing techniques to infiltrate victims’ iCloud accounts and messaging services, such as Signal, while also deploying Android spyware capable of seizing control of devices.

The emergence of this hacking group underscores a troubling trend where governments outsource cyber-operations to private firms. There is a growing dependency on commercial entities that craft spyware, which law enforcement and intelligence agencies then use to extract data from individuals’ mobile devices.

According to the digital rights organisation Access Now, three documented attacks between 2023 and 2025 affected two Egyptian journalists and one in Lebanon, with further documentation provided by SMEX, another digital rights advocate. Lookout, a mobile cybersecurity firm, also investigated these incidents and collaborated with Access Now and SMEX to release their reports.

The investigation revealed that the targets extend beyond civil society members in Egypt and Lebanon to include individuals from governments in Bahrain, Egypt, the UAE, and Saudi Arabia, and even individuals affiliated with American universities.

Lookout has linked the cyberattacks to a vendor identified as BITTER, suspected to have connections to the Indian government. It’s believed that BITTER may originate from RebSec Solutions, which could be associated with the Indian hack-for-hire startup Appin. Reports from 2022 and 2023 by Reuters have detailed how such companies are allegedly contracted to compromise executives, politicians, and military officials.

Although Appin has reportedly ceased operations, Justin Albrecht from Lookout noted that evidence of new hacking activities indicates the practice has merely transitioned to smaller firms. These hack-for-hire groups offer a level of plausible deniability to their clients, who prefer these covert services over the high costs of commercial spyware. RebSec, however, could not be contacted for comment as its online presence has vanished.

Mohammed Al-Maskati from Access Now highlighted that the affordability and anonymity of such operations complicate accountability, obscuring the identity of clients and operators. While groups like BITTER may lack the most advanced hacking tools, their methodologies remain effective.

During the reported attacks, the hackers used various strategies. When targeting Apple users, they manipulated victims into providing their Apple ID details to access iCloud backups, a less expensive alternative to complex iOS spyware. Android users, meanwhile, were targeted with ProSpy spyware disguised as legitimate messaging apps, including Signal and WhatsApp, and even popular local alternatives like ToTok and Botim.

The hackers sometimes exploited Signal accounts by tricking victims into registering a new device—controlled by the criminals—an approach also used by other hacking entities, including Russian operatives. Communication attempts with the Indian embassy in Washington, D.C., for comments on these allegations went unanswered.
