Hack-for-Hire Spyware Campaign Targeted Journalists in the Middle East and North Africa
Access Now, Lookout, and SMEX reported a suspected hack-for-hire espionage campaign targeting journalists and activists across the Middle East and North Africa through spearphishing, fake social media personas, messaging apps, and sustained social engineering. Researchers said the operation used infrastructure linked to the APT group Bitter and likely deployed ProSpy Android spyware, which can steal files, contacts, messages, and geolocation data, activate microphones and cameras, and install malicious apps. The activity has reportedly been ongoing since at least 2022, with broader targeting that may have included civil society figures and possibly government officials.
Two Egyptian journalists, Mostafa Al-A’sar and Ahmed Eltantawy, were among the identified targets in an elaborate campaign that ran between October 2023 and January 2024 and spoofed trusted services including Apple and Signal. A prominent Lebanese journalist was also reportedly targeted, and researchers said the attackers relied on overlapping infrastructure with possible ties to Asia, though Access Now said it lacked enough evidence to definitively name a sponsor. Neither Egyptian journalist’s accounts were ultimately compromised, but press freedom groups warned that surveillance of reporters endangers their safety, sources, and ability to work.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Lookout attributes ProSpy campaign to BITTER APT
By April 13, 2026, reporting on Access Now and Lookout’s findings said Lookout attributed the espionage campaign targeting journalists and opposition figures in the Middle East to the South Asian threat group BITTER, also known as T-APT-17 and APT-Q-37. The attribution was based on code similarities between the ProSpy Android spyware used in the campaign and BITTER’s earlier Dracarys malware.
Committee to Protect Journalists condemns surveillance
Following publication of the findings on April 8, 2026, the Committee to Protect Journalists condemned the spying campaign, warning that surveillance of journalists endangers their safety, sources, and ability to work. The statement marked a public response from a press freedom organization to the reported activity.
Researchers reveal broader 2023–2025 targeting across multiple countries
On April 8, 2026, reporting on the hack-for-hire campaign said it targeted not only Egyptian and Lebanese civil society members but also government officials and other targets connected to Bahrain, Egypt, the UAE, Saudi Arabia, the UK, and potentially the United States between 2023 and 2025. The disclosure marked a broader understanding of the campaign’s scope and victimology than previously captured.
Researchers publish findings on MENA spyware campaign
On April 8, 2026, Access Now, Lookout, and SMEX publicly reported the suspected hack-for-hire espionage campaign targeting journalists and activists in the Middle East and North Africa. The report described social-engineering tactics, named victims including Mostafa Al-A’sar and a prominent Lebanese journalist, and said attribution to a specific sponsor remained unconfirmed.
Egyptian journalists targeted in spearphishing campaign
Between October 2023 and January 2024, attackers targeted Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy with an elaborate spearphishing operation using fake personas and spoofed Apple and Signal services. The campaign sought access to their Apple and Google accounts and used infrastructure capable of delivering Android spyware, though neither victim’s accounts were ultimately compromised.
Ahmed Eltantawy targeted again with Predator spyware in 2023
Citizen Lab previously found that Ahmed Eltantawy’s phone was targeted again with Intellexa’s Predator spyware in 2023. This was separate from the later spearphishing campaign documented by Access Now and Lookout.
Hack-for-hire spyware campaign active in MENA by at least 2022
Access Now, Lookout, and SMEX said the broader espionage campaign targeting journalists and activists in the Middle East and North Africa had been active since at least 2022. Researchers linked shared infrastructure in the attacks to Bitter and assessed the operation likely used ProSpy Android spyware.
Predator spyware targeted Ahmed Eltantawy's phone in 2021
Citizen Lab previously found that Egyptian journalist Ahmed Eltantawy’s phone was targeted with Intellexa’s Predator spyware in 2021. This establishes earlier surveillance activity against one of the later campaign’s victims.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
BITTER APT Uses Signal, Google, and Zoom Lures to Spread ProSpy Spyware
hackread.com
Open sourceHack-for-hire group targets MENA journalists and officials | brief | SC Media
scworld.com
Open sourceBitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region
thehackernews.com
Open sourceHack-for-hire spyware campaign targets journalists in Middle East, North Africa | CyberScoop
cyberscoop.com
Open sourceTwo prominent Egyptian journalists targeted with elaborate spearphishing campaign | The Record from Recorded Future News
therecord.media
Open sourceHack-for-hire group caught targeting Android devices and iCloud backups | TechCrunch
techcrunch.com
Open sourceEspionage for repression: hack-for-hire phishing campaign targets civil society in MENA - Access Now - Infosec.Pub
infosec.pub
Open sourceBeyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation Linked to BITTER APT - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
State-Backed Hackers Posed as Journalists to Steal Political and Strategic Intelligence
Iranian and North Korean state-linked hacking groups were reported using **journalist and think tank impersonation** to trick targets into surrendering credentials and sensitive information. Recorded Future said Iran’s `APT42`, tied to the Islamic Revolutionary Guard Corps, continued masquerading as media outlets and research organizations in espionage campaigns, while U.S. agencies and regional reporting described North Korea’s `Kimsuky`/`APT43` using fake reporters and policy experts to approach foreign policy specialists, officials, and other high-value targets. Google said `APT42` also targeted both the Trump and Biden/Harris presidential campaigns, along with Israeli military, government, and diplomatic organizations, in phishing operations that included current and former officials and campaign personnel. Microsoft and Google reported successful compromises linked to the activity, including access to a political consultant’s personal Gmail account and a campaign-related official through a hacked adviser’s email, while the FBI opened an investigation and providers said they blocked login attempts, warned victims, and coordinated with law enforcement.
May 25, 2026
NSO Pegasus spyware targeted Amnesty staff and Moroccan human rights defenders
Amnesty International reported that an employee and a Saudi activist living abroad were targeted with malicious WhatsApp and SMS messages carrying Saudi-themed lures and links tied to infrastructure believed to deliver **NSO Group's Pegasus** spyware. Its investigation identified more than 600 suspicious domains associated with Pegasus's anonymizing transmission network, describing how the platform used social engineering, relay nodes, and exploitation servers to silently compromise mobile devices for full surveillance. NSO said its tools were intended only for government customers investigating crime and terrorism, while Amnesty said the targeting showed abusive use of highly invasive surveillance technology against civil society. Amnesty later documented similar Pegasus activity against Moroccan human rights defenders **Maati Monjib** and **Abdessadak El Bouchattaoui**, who were targeted from at least 2017 through malicious SMS links and suspected mobile network injection attacks. The organization said Monjib's iPhone showed signs consistent with compromise, including Safari redirections to suspicious domains, wiped crash logs, a suspicious process, and a forced reboot, and linked parts of the infrastructure to previously identified NSO systems and a domain associated by Citizen Lab with the Moroccan-linked actor **ATLAS**. The findings, reinforced by broader Citizen Lab reporting on Pegasus operations across dozens of countries, pointed to sustained surveillance of dissidents and rights advocates beyond traditional criminal or counterterrorism use.
May 27, 2026
Surveillance Malware and Phishing Campaigns Targeted Syrian and Vietnamese Activists
Syrian activists were hit by a sustained surveillance campaign that combined Facebook phishing with malware-laced files masquerading as revolutionary documents and other trusted content. Electronic Frontier Foundation reporting described attackers stealing account credentials through fake login pages and deploying remote-access trojans to monitor victims, with one later campaign using the commercially available **BlackShades** malware to capture data and maintain access to compromised systems. A separate EFF report said Vietnamese activists also faced highly personalized malware operations, indicating that threat actors tailored lures and surveillance tools to specific individuals and their relationships. Taken together, the incidents showed politically motivated targeting of dissidents through social engineering, credential theft, and commodity as well as custom malware designed to spy on activists and their networks.
May 25, 2026