Mercenary Spyware Campaigns Targeting Security Researchers and Developers
Multiple reports indicate that mercenary spyware operations have begun targeting not only traditional victims such as journalists and activists, but also the developers and security researchers who build and analyze surveillance tools. Apple issued high-confidence threat notifications to iOS exploit developers, warning them of government spyware targeting their devices. This marks a notable escalation in the mercenary spyware ecosystem, as attackers are now focusing on individuals with deep technical knowledge and access to sensitive information about exploit development.
The commercial spyware market continues to thrive, with unpatched vulnerabilities fueling rapid innovation and deployment of new attack techniques. Security researchers have documented a record number of zero-day vulnerabilities exploited in the wild, many linked to commercial surveillance vendors. The targeting of exploit developers suggests a coordinated campaign within the cybersecurity community, highlighting the growing risks faced by those at the forefront of digital defense and offensive tool creation.
Timeline
Oct 21, 2025
Apple warns iOS exploit developer of government spyware targeting
Apple notified an iOS exploit developer that they had been targeted by government-grade spyware, indicating a mercenary spyware operator had attempted or carried out an attack against the researcher. Multiple reports describe this as an unusual case of spyware being used against someone who develops iOS exploits.
Related Stories

Surge in Zero-Click and Zero-Day Exploits Targeting Mobile Devices
A significant escalation in zero-click and zero-day exploitation techniques was observed throughout 2025, with attackers increasingly targeting mobile platforms such as iOS. Zero-click exploits, which require no user interaction, have become a preferred method for advanced persistent threats, nation-state actors, and commercial surveillance vendors. At least 14 major zero-click vulnerabilities were identified, affecting billions of devices and highlighting the growing attack surface beyond traditional user-driven threats. The average time from vulnerability disclosure to exploitation has dropped dramatically, putting pressure on organizations to accelerate patching cycles and improve detection capabilities. Recent reports confirm that multiple zero-day vulnerabilities in iOS were actively exploited in targeted spyware campaigns before patches became available. Attackers leveraged flaws in core mobile components, such as browser engines, to execute malicious code and compromise devices with minimal or no user involvement. These incidents underscore the persistent risks posed by mobile spyware and the critical need for rapid patching, enhanced mobile OS visibility, and continuous monitoring for anomalous device behavior as mobile endpoints remain high-value targets for cyber adversaries.
1 month ago
Commercial Spyware Policy Debate Amid Shifting US Enforcement
US policy toward the **commercial spyware** industry is facing renewed scrutiny as sanctions, contract decisions, and legal actions send mixed signals about how aggressively Washington intends to constrain vendors linked to surveillance abuse. Dark Reading reports that opponents of the spyware market fear recent moves — including rescinded sanctions and reactivated government contracts — could weaken pressure on firms whose tools have been used against journalists, activists, political figures, and officials, even after a Greek court convicted figures tied to the **Predator** spyware scandal. The broader policy discussion also reflects concern that governments are emphasizing disruption of cybercrime while easing pressure on software and security accountability elsewhere. A CyberScoop opinion piece argues that recent US action has focused on raising costs for cyber-enabled fraud operators, but that rollback of prior federal software supply-chain assurance measures risks leaving systemic weaknesses unaddressed. A weekly roundup mentioning multiple unrelated incidents, including an alleged **Handala** attack on Stryker and an Aadhaar bug bounty, does not describe the same spyware-policy story and should be excluded.
1 week ago
Hack-for-Hire Spyware Campaign Targeted Journalists in the Middle East and North Africa
Access Now, Lookout, and SMEX reported a suspected **hack-for-hire espionage campaign** targeting journalists and activists across the Middle East and North Africa through spearphishing, fake social media personas, messaging apps, and sustained social engineering. Researchers said the operation used infrastructure linked to the APT group **Bitter** and likely deployed **ProSpy** Android spyware, which can steal files, contacts, messages, and geolocation data, activate microphones and cameras, and install malicious apps. The activity has reportedly been ongoing since at least 2022, with broader targeting that may have included civil society figures and possibly government officials. Two Egyptian journalists, **Mostafa Al-A’sar** and **Ahmed Eltantawy**, were among the identified targets in an elaborate campaign that ran between October 2023 and January 2024 and spoofed trusted services including Apple and Signal. A prominent Lebanese journalist was also reportedly targeted, and researchers said the attackers relied on overlapping infrastructure with possible ties to Asia, though Access Now said it lacked enough evidence to definitively name a sponsor. Neither Egyptian journalist’s accounts were ultimately compromised, but press freedom groups warned that surveillance of reporters endangers their safety, sources, and ability to work.
3 weeks ago