Middle East civil society spear-phishing campaign linked to South Asian APT group Bitter using ProSpy Android spyware
Summary
A spear-phishing campaign targeting civil society figures in the Middle East—including high-profile journalists in Egypt and Lebanon—was attributed to a hack-for-hire operation linked to the South Asian advanced persistent threat (APT) group Bitter (T-APT-17, APT-C-08). Between 2023 and 2025, attackers used social engineering via fake accounts and impersonation of legitimate services, including Signal and Apple Support, to deliver ProSpy Android spyware and compromise cloud accounts. The campaign combined two-stage delivery, credential phishing, and Android malware to exfiltrate files, contacts, messages, and geolocation and to activate the microphone and camera. A Lebanese journalist’s Apple account was compromised in 2025, while two Egyptian journalists thwarted attempts in 2023–2024. The operation’s scope extended to Bahraini government entities, the UAE, Saudi Arabia, the UK, and potentially US targets, with infrastructure repurposed across campaigns.
Timeline
- 09.04.2026 13:45 (1 article)
Spear-phishing campaign against Middle Eastern civil society linked to Bitter APT group via ProSpy spyware
In August 2025, Access Now’s Digital Security Helpline identified a spear-phishing campaign targeting Egyptian and Lebanese journalists from 2023 to 2024. Lookout attributed the campaign to a hack-for-hire operation linked to the Bitter APT group and confirmed the use of ProSpy Android spyware, previously documented by ESET in UAE-focused attacks. In May 2025, a separate campaign compromised a Lebanese journalist’s Apple account via phishing links delivered through Apple Messages and WhatsApp, achieving account takeover within 30 seconds of credential submission. Analysis revealed overlapping infrastructure across Bahrain, UAE, Saudi Arabia, UK, Egypt, and potential US targets, indicating a coordinated regional espionage operation.
- Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group — www.infosecurity-magazine.com — 09.04.2026 13:45
Information Snippets
- The campaign was initially detected by Access Now’s Digital Security Helpline in August 2025 after outreach from Egyptian journalists Mostafa Al‑A’sar and Ahmed Eltantawy, who reported spear-phishing attempts from 2023 to 2024.
First reported: 09.04.2026 13:45 (1 source, 1 article)
- Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group — www.infosecurity-magazine.com — 09.04.2026 13:45
- Lookout researchers, in collaboration with Access Now, attributed the campaign to a hack-for-hire operation linked to the Bitter APT group (T-APT-17, APT-C-08), a suspected South Asian cyber espionage actor active since at least 2013.
- ESET identified two Android spyware strains—ProSpy and ToSpy—used in UAE-targeted campaigns; Lookout confirmed these were the same implants used in the Middle East civil society targeting and tracked the strain as ProSpy.
- A Lebanese journalist’s Apple account was successfully compromised in May 2025 via Apple Messages and WhatsApp phishing links, with attackers adding a virtual device within 30 seconds of credential submission.
- ProSpy malware, written in Kotlin and delivered via deceptive domains such as totok-pro[.]ai-ae[.]io, includes capabilities for file exfiltration, contact and message collection, geolocation tracking, microphone and camera activation, and further malicious app installation.
- Lookout identified 11 ProSpy samples, with the earliest dating to August 2024, and discovered live staging servers hosted on single-page websites impersonating messaging apps to deliver malicious APKs.
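The two snippets above describe the delivery side of the campaign: defanged lookalike domains such as totok-pro[.]ai-ae[.]io and single-page staging sites that impersonate messaging apps to hand out APKs. The following triage helper is an added example, not code from the report, Lookout, ESET, or Access Now. It refangs indicator strings as they appear in reports, pulls out the hostname and path, and flags hosts that carry a messaging-app brand name on a registrable domain that is not the brand's own. The only real indicator in it is the totok-pro domain quoted on this page; the allowlist of official domains, the brand token list, and the other sample indicators are constructed assumptions for the example. The registrable-domain step uses a last-two-labels heuristic rather than the Public Suffix List, so multi-label suffixes (for example co.uk) are not handled.

```python
import re

# Brand tokens of messaging apps the staging sites might impersonate.
# ToTok is the brand embedded in the domain quoted on the page; the other
# tokens and the allowlist of official domains are assumptions for this example.
BRAND_TOKENS = ("totok", "signal", "whatsapp", "telegram")
OFFICIAL_DOMAINS = {"signal.org", "whatsapp.com", "telegram.org"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (totok-pro[.]ai-ae[.]io, hxxps://...) back into a real string."""
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def split_url(ioc: str) -> tuple[str, str]:
    """Return (hostname, path) for a bare domain or a URL; userinfo and port are dropped."""
    s = refang(ioc).lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    host, _, path = s.partition("/")
    host = host.split("@")[-1].split(":", 1)[0]
    return host, "/" + path


def registrable(host: str) -> str:
    """Last two labels as the registrable domain (heuristic, no Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(ioc: str) -> dict:
    """Flag a host that uses a messaging-app brand token outside the brand's official domain."""
    host, path = split_url(ioc)
    reg = registrable(host)
    # Match the token only at the start of a label or after a hyphen, so that
    # unrelated words containing the token (e.g. "designalliance") do not match.
    brands = [b for b in BRAND_TOKENS if re.search(r"(^|[.-])" + re.escape(b), host)]
    if not brands:
        verdict = "no-brand"
    elif reg in OFFICIAL_DOMAINS:
        verdict = "official"
    else:
        verdict = "impersonation"
    return {
        "ioc": ioc,
        "host": host,
        "registrable": reg,
        "brands": brands,
        "serves_apk": path.endswith(".apk"),
        "verdict": verdict,
    }


def flagged(iocs: list[str]) -> list[dict]:
    """Return only the indicators classified as brand impersonation."""
    return [r for r in (classify(i) for i in iocs) if r["verdict"] == "impersonation"]


# Constructed sample input: the page's defanged domain plus invented benign and
# suspicious entries (example.net / example.org are reserved documentation names).
SAMPLE_IOCS = [
    "totok-pro[.]ai-ae[.]io",
    "hxxps://signal-support[.]example[.]net/app.apk",
    "https://signal.org/download",
    "updates.example.org",
    "designalliance.org",
]

if __name__ == "__main__":
    for hit in flagged(SAMPLE_IOCS):
        print(f"{hit['verdict']:14} {hit['host']:32} brand={','.join(hit['brands'])} apk={hit['serves_apk']}")
```

Run it over the domains in a report or a DNS/proxy export to get a short list of brand-lookalike hosts worth blocking or hunting; the `serves_apk` field separates plain lookalike landing pages from ones that were observed handing out an Android package, which is the pattern the snippets describe.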
- The operation is assessed to have targeted Bahraini government entities, the UAE, Saudi Arabia, the UK, Egyptian government entities, and potentially US targets or US university alumni, indicating broader regional espionage objectives.