An apparent hack-for-hire campaign, most likely orchestrated by a threat actor with suspected ties to the Indian government, targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX.
Two of the targets were prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, who were on the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA) codes.
“The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware,” Access Now’s Digital Security Helpline said.
Also singled out as part of these efforts was an anonymous Lebanese journalist, who received phishing messages in May 2025 through the Apple Messages app and WhatsApp containing malicious links that, when clicked, tricked users into entering their account credentials as part of a supposed verification step from Apple.
“The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp app, […] impersonating Apple Support,” SMEX, a digital rights non-profit in the West Asia and North Africa (WANA) region, said. “While the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted.”
The URL is assessed to be a consent-based phishing attack that leverages Google’s OAuth 2.0 to grant the attacker unauthorized access to the victim’s account via a malicious web application named “en-account.info.”
“Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials,” Access Now said.
“If the targeted user is not logged in to Google, they are prompted to enter their credentials (username and password). More commonly, if the user is already logged in, they are prompted to grant permission to an application that the attacker controls, using a third-party sign-in feature that is familiar to most Google users.”
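The consent-phishing flow described above leaves no stolen password to detect: the attacker ends up holding an OAuth grant to an app it controls. The defensive counterpart is to review which third-party apps users have authorised and what scopes they hold. The script below is an added example, not code from Access Now or from the article; the export field names, the approved-app list and the starter set of high-risk scopes are assumptions, and the sample grants (including one to the “en-account.info” app named in the article) are constructed.

```python
import json
from dataclasses import dataclass

# Google OAuth scopes that hand over mailbox, file or contact contents.
# Assumption: a starter list, not an official Google catalogue; extend it for your tenant.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Scopes a plain "Sign in with Google" button needs; on their own they expose little.
SIGN_IN_SCOPES = {"openid", "email", "profile"}


@dataclass
class Finding:
    user: str
    app_name: str
    severity: str        # "high", "medium" or "low"
    reasons: tuple


def assess_grant(grant: dict, allowlist: set):
    """Rate one third-party consent grant; returns None for approved apps."""
    app = grant["app_name"]
    if app in allowlist:
        return None
    scopes = set(grant["scopes"])
    high = sorted(scopes & HIGH_RISK_SCOPES)
    other = sorted(scopes - HIGH_RISK_SCOPES - SIGN_IN_SCOPES)
    verified = grant.get("verified_publisher", False)
    reasons = [f"app {app!r} is not on the approved-app list"]
    if high:
        reasons.append(f"grants data-access scopes: {high}")
    if other:
        reasons.append(f"grants unclassified scopes: {other}")
    if not verified:
        reasons.append("publisher is not verified")
    # An unverified app holding mailbox/contact scopes is the consent-phishing pattern.
    if high and not verified:
        severity = "high"
    elif high or other:
        severity = "medium"
    else:
        severity = "low"
    return Finding(grant["user"], app, severity, tuple(reasons))


ORDER = {"high": 0, "medium": 1, "low": 2}


def audit(grants_json: str, allowlist: set) -> list:
    """Parse a JSON export of consent grants and return findings, most severe first."""
    grants = json.loads(grants_json)
    findings = [f for f in (assess_grant(g, allowlist) for g in grants) if f]
    return sorted(findings, key=lambda f: ORDER[f.severity])


# Constructed sample export: three grants, one of them to the attacker-controlled
# app named in the article. Field names are assumptions, not a real Google export format.
SAMPLE_GRANTS = json.dumps([
    {"user": "reporter@example.org", "app_name": "Corp Calendar Sync",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.readonly"],
     "verified_publisher": True},
    {"user": "reporter@example.org", "app_name": "en-account.info",
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"],
     "verified_publisher": False},
    {"user": "editor@example.org", "app_name": "Weekly Newsletter",
     "scopes": ["openid", "email", "profile"], "verified_publisher": True},
])
ALLOWLIST = {"Corp Calendar Sync"}

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, ALLOWLIST):
        print(f.severity.upper(), f.user, f.app_name, *f.reasons, sep=" | ")
```

The severity logic deliberately keys on the combination the quote describes: an app nobody in the organisation approved, with an unverified publisher, holding scopes that read mail or contacts. Revoking such a grant, rather than resetting the password, is what actually cuts the attacker’s access.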
Some of the domains used in these phishing attacks are listed below –
signin-apple.com-en-uk[.]co
id-apple.com-en[.]io
facetime.com-en[.]io
secure-signal.com-en[.]io
telegram.com-en[.]io
verify-apple.com-ae[.]net
join-facetime.com-ae[.]net
android.com-ae[.]net
encryption-plug-in-signal.com-ae[.]net
Interestingly, the use of the domain “com-ae[.]net” overlaps with an Android spyware campaign that Slovak cybersecurity company ESET documented in October 2025, which highlighted the use of deceptive websites impersonating Signal, ToTok, and Botim to deploy ProSpy and ToSpy against unspecified targets in the U.A.E.

Specifically, the domain “encryption-plug-in-signal.com-ae[.]net” was used as an initial access vector for ProSpy by claiming to be a non-existent encryption plugin for Signal. The spyware comes equipped with capabilities to exfiltrate sensitive data such as contacts, SMS messages, device metadata, and local files.
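All of the domains listed above share one trick: the brand name (apple, signal, facetime, android) sits in a subdomain, while the registrable domain is something like “com-en.io” or “com-ae.net”, so the host reads as “brand.com” followed by what looks like a country suffix. The following is an added example (not from the article, ESET, or Lookout) of a small triage routine that refangs such indicators and explains why each one looks like an impersonation; the brand watchlist and the two-label approximation of the registrable domain are assumptions, and the hosts it is tested against are the ones in the list above plus constructed legitimate hosts for comparison.

```python
import re
from urllib.parse import urlsplit

# Brand names borrowed by the hosts listed in the article (assumption: extend for your own watchlist).
BRANDS = ("apple", "facetime", "signal", "telegram", "android", "google", "whatsapp")

# Words that signal a credential or verification lure in a host label.
LURE_WORDS = {"signin", "login", "verify", "secure", "id", "account", "join"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'id-apple.com-en[.]io' back into a bare hostname."""
    text = indicator.strip().lower().replace("[.]", ".")
    if "://" in text:
        text = urlsplit(text).hostname or text
    return text.rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'com-ae.net' for 'android.com-ae.net'.
    Assumption: single-label public suffixes only; use a public-suffix library for real data."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_reasons(indicator: str) -> list:
    """Explain why a host looks like a brand impersonation; an empty list means no finding."""
    host = refang(indicator)
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]                          # 'com-ae' in 'com-ae.net'
    subdomain = host[: len(host) - len(reg)].rstrip(".")   # 'android' in 'android.com-ae.net'
    sub_tokens = set(re.split(r"[.-]", subdomain)) - {""}
    reasons = []
    # 1. The registrable label itself imitates ".com" plus one or more locale suffixes.
    if re.fullmatch(r"com(-[a-z]{2,3})+", reg_label):
        reasons.append(f"registrable domain {reg!r} imitates '.com' plus a locale suffix")
    # 2. A watched brand appears only in the subdomain, not in the domain actually registered.
    for brand in BRANDS:
        if brand in sub_tokens and brand not in reg_label:
            reasons.append(f"brand {brand!r} appears only in the subdomain {subdomain!r}")
    # 3. Lure words sharpen an existing finding but never create one on their own
    #    (otherwise a legitimate 'id.apple.com' would be flagged).
    lures = sorted(sub_tokens & LURE_WORDS)
    if reasons and lures:
        reasons.append(f"credential-lure words in subdomain: {lures}")
    return reasons


def triage(indicators) -> dict:
    """Map each indicator to its list of reasons; indicators with an empty list are clean."""
    return {i: lookalike_reasons(i) for i in indicators}


if __name__ == "__main__":
    sample = [  # hosts from the article plus constructed legitimate ones for contrast
        "signin-apple.com-en-uk[.]co", "encryption-plug-in-signal.com-ae[.]net",
        "android.com-ae[.]net", "id.apple.com", "accounts.google.com", "signal.org",
    ]
    for host, reasons in triage(sample).items():
        print(host, "->", reasons or "no finding")
```

The check is deliberately explainable rather than a similarity score: each reason names the exact label that triggered it, which is what an analyst needs when deciding whether to block a domain or add it to a watchlist.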
Neither of the Egyptian journalists’ accounts was ultimately compromised. However, SMEX revealed that the initial attack targeting the Lebanese journalist on May 19, 2025, fully compromised their Apple Account and resulted in the addition of a virtual device to the account to gain persistent access to the victim’s data. The second wave of attacks was unsuccessful.
While there is no evidence that the three journalists were targeted with spyware, the evidence shows that threat actors can use the techniques and infrastructure associated with the attacks to deliver malicious payloads and exfiltrate sensitive data.
“This suggests that the operation we identified may be part of a broader regional surveillance effort aimed at monitoring communications and harvesting personal data,” Access Now said.
Lookout, in its own analysis of these campaigns, attributed the disparate efforts to a hack-for-hire operation with ties to Bitter, a threat cluster that is assessed to be tasked with intelligence-gathering efforts in the interests of the Indian government. The espionage campaign has been operational since at least 2022.
Based on the phishing domains observed and the ProSpy malware lures, the campaign has most likely targeted victims in Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt, and potentially the U.S., or alumni of U.S. universities, indicating the attacks go beyond members of Egyptian and Lebanese civil society.
“The operation features a combination of targeted spear-phishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device,” the cybersecurity company said.
The campaign’s links to Bitter stem from infrastructure connections between “com-ae[.]net” and “youtubepremiumapp[.]com,” a domain flagged by Cyble and Meta in August 2022 as associated with Bitter in connection with an espionage effort that used fake websites mimicking trusted services such as YouTube, Signal, Telegram, and WhatsApp to distribute an Android malware dubbed Dracarys.
Lookout’s analysis has also uncovered similarities between Dracarys and ProSpy, despite the latter being developed years later using Kotlin instead of Java. “Both families use worker logic to handle tasks, and they name the worker classes similarly. They also both use numbered C2 commands,” the company added. “While ProSpy exfiltrates data to server endpoints starting with ‘v3,’ Dracarys exfiltrates data to server endpoints starting with ‘r3.’”
These connections notwithstanding, what makes the campaign unusual is that Bitter has never before been attributed to espionage campaigns targeting members of civil society. This raises two possibilities: either it is the work of a hack-for-hire operation with ties to Bitter, or the threat actor itself is behind it, in which case it would indicate an expansion of its targeting scope.
“We do not know whether this represents an expansion of Bitter’s role, or if it is an indication of overlap between Bitter and an unknown hack-for-hire group,” Lookout added. “What we do know is that mobile malware continues to be a primary means of spying on civil society, whether it is purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by a nation state.”