Hack-for-Hire Spyware Campaign Targeted Journalists in the Middle East and North Africa
Access Now, Lookout, and SMEX reported a suspected hack-for-hire espionage campaign targeting journalists and activists across the Middle East and North Africa through spearphishing, fake social media personas, messaging apps, and sustained social engineering. Researchers said the operation used infrastructure linked to the APT group Bitter and likely deployed ProSpy Android spyware, which can steal files, contacts, messages, and geolocation data, activate microphones and cameras, and install malicious apps. The activity has reportedly been ongoing since at least 2022, with broader targeting that may have included civil society figures and possibly government officials.
Two Egyptian journalists, Mostafa Al-A’sar and Ahmed Eltantawy, were among the identified targets in an elaborate campaign that ran between October 2023 and January 2024 and spoofed trusted services including Apple and Signal. A prominent Lebanese journalist was also reportedly targeted, and researchers said the attackers relied on overlapping infrastructure with possible ties to Asia, though Access Now said it lacked enough evidence to definitively name a sponsor. Neither Egyptian journalist’s accounts were ultimately compromised, but press freedom groups warned that surveillance of reporters endangers their safety, sources, and ability to work.
Timeline
Apr 13, 2026
Lookout attributes ProSpy campaign to BITTER APT
By April 13, 2026, reporting on Access Now and Lookout’s findings said Lookout attributed the espionage campaign targeting journalists and opposition figures in the Middle East to the South Asian threat group BITTER, also known as T-APT-17 and APT-Q-37. The attribution was based on code similarities between the ProSpy Android spyware used in the campaign and BITTER’s earlier Dracarys malware.
Apr 8, 2026
Committee to Protect Journalists condemns surveillance
Following publication of the findings on April 8, 2026, the Committee to Protect Journalists condemned the spying campaign, warning that surveillance of journalists endangers their safety, sources, and ability to work. The statement marked a public response from a press freedom organization to the reported activity.
Apr 8, 2026
Researchers reveal broader 2023–2025 targeting across multiple countries
On April 8, 2026, reporting on the hack-for-hire campaign said it targeted not only Egyptian and Lebanese civil society members but also government officials and other targets connected to Bahrain, Egypt, the UAE, Saudi Arabia, the UK, and potentially the United States between 2023 and 2025. The disclosure marked a broader understanding of the campaign’s scope and victimology than previously captured.
Apr 8, 2026
Researchers publish findings on MENA spyware campaign
On April 8, 2026, Access Now, Lookout, and SMEX publicly reported the suspected hack-for-hire espionage campaign targeting journalists and activists in the Middle East and North Africa. The report described social-engineering tactics, named victims including Mostafa Al-A’sar and a prominent Lebanese journalist, and said attribution to a specific sponsor remained unconfirmed.
Oct 1, 2023
Egyptian journalists targeted in spearphishing campaign
Between October 2023 and January 2024, attackers targeted Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy with an elaborate spearphishing operation using fake personas and spoofed Apple and Signal services. The campaign sought access to their Apple and Google accounts and used infrastructure capable of delivering Android spyware, though neither victim’s accounts were ultimately compromised.
Jan 1, 2023
Ahmed Eltantawy targeted again with Predator spyware in 2023
Citizen Lab previously found that Ahmed Eltantawy’s phone was targeted again with Intellexa’s Predator spyware in 2023. This was separate from the later spearphishing campaign documented by Access Now and Lookout.
Jan 1, 2022
Hack-for-hire spyware campaign active in MENA by at least 2022
Access Now, Lookout, and SMEX said the broader espionage campaign targeting journalists and activists in the Middle East and North Africa had been active since at least 2022. Researchers linked shared infrastructure in the attacks to Bitter and assessed the operation likely used ProSpy Android spyware.
Jan 1, 2021
Predator spyware targeted Ahmed Eltantawy's phone in 2021
Citizen Lab previously found that Egyptian journalist Ahmed Eltantawy’s phone was targeted with Intellexa’s Predator spyware in 2021. This establishes earlier surveillance activity against one of the later campaign’s victims.
Sources
5 more from sources like accessnow.org, techcrunch com security, the record media and blueteamsec
Related Stories

Mercenary Spyware Campaigns Targeting Security Researchers and Developers
Multiple reports indicate that mercenary spyware operations have begun targeting not only traditional victims such as journalists and activists, but also the developers and security researchers who build and analyze surveillance tools. Apple issued high-confidence threat notifications to iOS exploit developers, warning them of government spyware targeting their devices. This marks a notable escalation in the mercenary spyware ecosystem, as attackers are now focusing on individuals with deep technical knowledge and access to sensitive information about exploit development. The commercial spyware market continues to thrive, with unpatched vulnerabilities fueling rapid innovation and deployment of new attack techniques. Security researchers have documented a record number of zero-day vulnerabilities exploited in the wild, many linked to commercial surveillance vendors. The targeting of exploit developers suggests a coordinated campaign within the cybersecurity community, highlighting the growing risks faced by those at the forefront of digital defense and offensive tool creation.
1 month ago
Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures
Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses **Hugging Face** as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named **TrustBastion** via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with `trustbastion[.]com` which redirects to a Hugging Face dataset repository hosting the final APK. The actor used **server-side polymorphism** to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“**Premium Club**”) with refreshed branding. ESET separately identified an Android spyware campaign tracked as **GhostChat** that uses **romance-scam** tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a **ClickFix** compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.
1 month ago
Covert surveillance campaigns abused SS7, Diameter, and SIMjacker-style SMS to track phones
Citizen Lab reported two covert surveillance campaigns that exploited weaknesses in global mobile signalling infrastructure to track targets’ locations across borders. The operations, labeled **STA1** and **STA2**, abused legacy `SS7` and newer `Diameter` protocols, with one campaign also using **SIMjacker-style zero-click binary SMS** and malicious SIM Toolkit commands to try to turn a handset into a covert beacon. Researchers said the activity marks the first time real-world attack traffic has been directly linked to mobile operator signalling systems, showing attackers impersonating operators, rotating identities across countries, manipulating routing paths, and evading signalling firewalls while exploiting weak authentication and trusted telecom interconnect relationships. The campaigns were observed using operator identifiers and infrastructure tied to networks in Europe, Africa, the Middle East, and Asia, including telecoms cited as transit or entry points such as **019Mobile**, **Tango Networks U.K.**, and **Airtel Jersey**. Citizen Lab said the activity is consistent with commercial surveillance platforms serving government intelligence customers, and one campaign may have links to an Israeli geo-intelligence provider, though no vendor or operator was conclusively attributed. The researchers warned that abuse of leased or intermediary signalling access, combined with long-standing flaws in roaming trust models, has enabled large volumes of hard-to-detect location tracking that may persist for years across 3G, 4G, and 5G-connected environments.
1 week ago