Security experts have uncovered a new hack-for-hire group that is reportedly targeting journalists, activists, and government officials in the Middle East and North Africa. This group employs phishing techniques to gain access to victims' iCloud backups and messaging accounts, along with deploying spyware capable of compromising Android devices.
This trend underscores a rising phenomenon where government entities are increasingly outsourcing their hacking capabilities to private companies. Many governments have begun utilizing commercial entities that create spyware and exploits for police and intelligence work, enabling them to gather data from personal devices.
Researchers from Access Now, a digital rights organization, have documented several attacks occurring between 2023 and 2025, specifically targeting two Egyptian journalists and one journalist in Lebanon, whose case was also highlighted by SMEX, another digital rights group.
Mobile cybersecurity firm Lookout has also investigated these incidents. The collaborative reports from these organizations reveal that the targets extend beyond civil society members in Egypt and Lebanon, implicating individuals in the Bahraini and Egyptian governments, as well as in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States.
Lookout identified the hackers involved in this campaign as affiliated with a vendor dubbed BITTER, which is suspected to have connections to the Indian government. Justin Albrecht, a principal researcher at Lookout, suggested that BITTER may be linked to RebSec Solutions, potentially an offshoot of the Indian startup Appin, which has faced scrutiny for its alleged involvement in similar activities.
Although Appin has reportedly ceased operations, Albrecht emphasized that the emergence of this new hacking group indicates that such activities have not vanished but have instead shifted to smaller firms. These hack-for-hire groups provide a layer of plausible deniability for their clients, as they manage all operational aspects and infrastructure, often at a lower cost than acquiring commercial spyware.
Despite the lack of advanced tools, groups like BITTER can still execute effective attacks. For instance, they have employed various methods to target iPhone users, attempting to deceive them into divulging their Apple ID credentials to access iCloud backups. This strategy presents a cost-effective alternative to using sophisticated iOS spyware.
When targeting Android users, the hackers utilized a spyware known as ProSpy, disguising it as popular messaging applications such as Signal, WhatsApp, and Zoom, as well as ToTok and Botim, which are widely used in the region. In certain cases, they tricked victims into adding a new device, controlled by the hackers, to their Signal account, a tactic that has gained popularity among various hacking factions.
The ongoing evolution of these hacking strategies illustrates the necessity for enhanced digital security measures, as the implications of such activities could reshape the landscape of privacy and security in the digital age.
