A sophisticated cyber espionage campaign linked to the Bitter APT has been targeting journalists, activists, and government critics across the Middle East and North Africa (MENA), raising serious concerns about digital surveillance and press freedom. The operation, uncovered by Access Now, Lookout, and SMEX, appears to be part of a broader hack-for-hire effort with potential geopolitical implications.
The campaign relied heavily on targeted spear-phishing attacks designed to compromise accounts from major platforms like Apple and Google. Victims were tricked into entering credentials and even two-factor authentication codes through convincing fake login pages. Among those targeted were Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy, both known critics of the Egyptian government.
The attackers used a range of social engineering techniques to gain trust and access. In one case, a fake LinkedIn persona approached a target with a job opportunity, eventually leading them to a malicious link disguised as a meeting invitation. Rather than a fake login page, the link opened a genuine Google OAuth consent screen that asked the user to grant permissions to an attacker-controlled application. This consent-phishing approach abuses a legitimate authorization mechanism: no password or two-factor code is stolen, yet the attacker ends up with an access token to the victim's account data, and that token survives a password change unless the app's access is explicitly revoked.
The campaign also extended to messaging platforms, with phishing links distributed via apps like iMessage and WhatsApp, often impersonating Apple Support. In at least one instance, an anonymous Lebanese journalist's account was fully compromised, allowing the attackers to enroll a virtual device of their own and so maintain persistent access to sensitive data.
Researchers identified a network of deceptive domains impersonating trusted services such as Signal, Telegram, and FaceTime. These domains were used not only for phishing but also as potential delivery points for spyware like ProSpy, which is capable of extracting contacts, messages, device information, and local files from infected devices.
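The two kinds of link described above (a Google OAuth consent prompt for an unknown application, as in the LinkedIn lure, and domains impersonating services such as Signal, Telegram and FaceTime) are what an analyst receiving a suspicious message would want to triage first. The script below is an added example of that triage; it is not tooling from the researchers or from the page. The Google endpoint and scope strings are real, but the choice of which scopes count as sensitive, the brand list, the naive registrable-domain logic and every sample URL are constructed assumptions for illustration.

```python
"""Triage of phishing links: OAuth consent requests for rogue apps and
brand-impersonating hostnames. Added example, not the researchers' tooling."""
from urllib.parse import urlparse, parse_qs

# Google OAuth authorization endpoint (real hostname and paths).
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}
GOOGLE_AUTH_PATHS = {"/o/oauth2/v2/auth", "/o/oauth2/auth"}

# Real Google scope strings; treating these as "sensitive" is our own choice,
# because each hands a third-party app mail, files or contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Brands the campaign impersonated, mapped to their legitimate registrable
# domains (assumed list; extend to taste).
BRANDS = {
    "signal": {"signal.org"},
    "telegram": {"telegram.org", "t.me"},
    "facetime": {"apple.com"},
    "apple": {"apple.com", "icloud.com"},
    "google": {"google.com"},
}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Good enough for .com/.org/.net;
    a production tool should use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(host):
    """Return the brand a hostname trades on, or None if it is the real domain.
    Substring matching is deliberately broad: false positives are acceptable
    in triage, missed lookalikes are not."""
    rd = registrable_domain(host)
    for brand, legit in BRANDS.items():
        if rd in legit:
            return None
        if brand in host.lower():
            return brand
    return None


def parse_google_consent(url):
    """If url is a Google OAuth authorization request, pull out the fields a
    consent-phishing triage needs; otherwise return None."""
    u = urlparse(url)
    if u.hostname not in GOOGLE_AUTH_HOSTS or u.path not in GOOGLE_AUTH_PATHS:
        return None
    q = parse_qs(u.query)                      # decodes %20 / %2F for us
    scopes = set(q.get("scope", [""])[0].split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "sensitive_scopes": sorted(scopes & SENSITIVE_SCOPES),
    }


def triage_url(url, trusted_client_ids=frozenset()):
    """Return a list of human-readable findings; an empty list means nothing
    suspicious was spotted by these checks (not that the link is safe)."""
    findings = []
    host = urlparse(url).hostname or ""
    brand = impersonated_brand(host)
    if brand:
        findings.append(f"host {host} impersonates {brand}")
    consent = parse_google_consent(url)
    if consent:
        if consent["client_id"] not in trusted_client_ids:
            cid = consent["client_id"] or "<missing>"
            findings.append(f"consent request from unknown client_id {cid}")
        if consent["sensitive_scopes"]:
            findings.append("requests sensitive scopes: "
                            + ", ".join(consent["sensitive_scopes"]))
        rhost = urlparse(consent["redirect_uri"]).hostname or ""
        rbrand = impersonated_brand(rhost)
        if rbrand:
            findings.append(f"redirect_uri host {rhost} impersonates {rbrand}")
    return findings


# Constructed sample links (not real indicators from the campaign).
SAMPLE_LINKS = [
    # "meeting invite" that is really a consent prompt for an unknown app
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=123456789-abc.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fmeet-invite.calendar-sync.net%2Fcb"
    "&response_type=code&access_type=offline&prompt=consent"
    "&scope=openid%20https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly",
    "https://signal-update-app.com/download",      # lookalike of signal.org
    "https://support.apple.com/",                  # legitimate Apple domain
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=trusted-app.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.org%2Fcb&response_type=code&scope=openid%20email",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link[:70], "->", triage_url(link) or ["no findings"])
```

In an incident, the `client_id` of a flagged consent request is the pivot: it identifies the rogue app in the victim's Google account permissions page and in Workspace audit logs, and revoking that app's access (not just rotating the password) is what actually terminates the attacker's token.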
Interestingly, infrastructure used in this campaign overlaps with earlier spyware operations documented by ESET, suggesting a shared ecosystem of tools and tactics. Analysts also found technical similarities between ProSpy and an earlier malware strain known as Dracarys, further linking the campaign to past espionage activities associated with Bitter.
What sets this operation apart is its apparent focus on civil society targets—something not typically associated with Bitter’s previous campaigns. This has led researchers to consider whether the activity represents an expansion of the group’s objectives or the involvement of a hack-for-hire entity operating alongside it.
The campaign has likely impacted individuals across multiple countries, including Bahrain, the United Arab Emirates, Saudi Arabia, Egypt, and even regions beyond the MENA area. Its persistence, sophistication, and use of trusted platforms highlight how modern cyber espionage increasingly relies on deception and legitimacy rather than overtly malicious techniques.
Ultimately, this operation underscores a growing trend: attackers are leveraging familiar tools, platforms, and human behavior to infiltrate high-value targets. As mobile devices and cloud-based accounts become central to personal and professional communication, they are also becoming prime targets for surveillance and data exfiltration.