Hack-for-Hire Group Targeting Android Devices and iCloud Backups Caught


Security researchers have uncovered a hack-for-hire group targeting journalists, activists, and government officials in the Middle East and North Africa. This group utilized phishing attacks to gain access to iCloud backups and Signal messaging accounts, and deployed Android spyware to control victims’ devices.

This campaign points to a rise in government agencies contracting private companies for hacking operations. Many governments already engage commercial firms to develop spyware and exploits for police and intelligence use.

Access Now recorded three attacks from 2023 to 2025 against two Egyptian journalists and a journalist in Lebanon, with SMEX also documenting the Lebanese incident. Mobile cybersecurity firm Lookout also investigated these attacks. The organizations collaborated and published individual reports.

According to Lookout, the campaign targets extend beyond Egyptian and Lebanese civil society, including the Bahraini and Egyptian governments, and entities in the UAE, Saudi Arabia, the UK, and potentially the US or American university alumni.

Lookout states that the espionage is linked to a hack-for-hire vendor connected to BITTER APT, suspected of Indian government ties. Justin Albrecht of Lookout suggested the group might be linked to the Indian startup Appin, and mentioned RebSec as a possible suspect. Reuters previously investigated Appin and similar companies, revealing their alleged roles in hacking prominent individuals.

Appin seems to have shut down, but Albrecht indicated the new campaign shows continued activity via smaller entities. These groups offer plausible deniability for their clients and are cheaper than commercial spyware.

RebSec is unreachable, having removed its online presence.

Contact Lorenzo Franceschi-Bicchierai securely for more information about Rebsec Solutions or similar companies.

Mohammed Al-Maskati from Access Now’s Digital Security Helpline said such operations are cost-effective and obscure client identities.

Though BITTER may lack advanced tools, its methods are effective. The group tricked iPhone users into handing over their Apple ID credentials, which gave it access to their iCloud backups. This is far cheaper than buying costly iOS spyware.

For Android users, the hackers deployed ProSpy, camouflaged as popular apps like Signal, WhatsApp, Zoom, ToTok, and Botim. Some victims were deceived into adding a hacker-controlled device to their Signal account, a tactic used by various cyber groups, including Russian operatives.

The Indian embassy in Washington, D.C. did not comment.
