A suspected hack-for-hire group linked to the Indian threat actor Bitter is targeting journalists and activists across the Middle East using sophisticated spear-phishing and mobile spyware campaigns.
Key Points
- Researchers from Access Now, Lookout, and SMEX identified phishing attacks targeting prominent Egyptian and Lebanese journalists between 2023 and 2025.
- Attackers used fake domains and OAuth consent prompts to compromise Apple, Google, Telegram, and Signal accounts.
- Infrastructure overlaps link these efforts to the deployment of ProSpy, an Android spyware tool capable of exfiltrating contacts, SMS messages, and local device files.
- The campaign shows technical similarities to previous espionage operations involving the Dracarys malware, suggesting a potential expansion of the Bitter threat cluster's activities.
- Targeted regions include Bahrain, the U.A.E., Saudi Arabia, Egypt, and the U.K., indicating a broad, multi-national surveillance effort.