Spear-Phishing Attack Targets Middle Eastern Journalists and Activists
In recent developments, several civil society figures across the Middle East, including three well-known journalists from Egypt and Lebanon, have come under threat from a sophisticated spear-phishing campaign. This attack is believed to be linked to a notorious South Asian cyber espionage group. The alarming trend was brought to light by Access Now, a prominent digital civil rights organization, which detected the malicious activities through its Digital Security Helpline in August 2025, following reports from esteemed Egyptian journalists Mostafa Al‑A’sar and Ahmed Eltantawy.
Access Now, an international non-profit organization dedicated to promoting human rights in the digital realm, revealed that both journalists have been vocal critics of the Egyptian government and have faced severe consequences for their activism, including political imprisonment. Their previous experiences placed them in a vulnerable position, making them prime targets for spear-phishing operations from 2023 to 2024.
During their investigation, Access Now uncovered Android malware associated with the phishing infrastructure used in these attacks. To further analyze this threat, the organization consulted researchers from Lookout, a mobile security firm. These experts assessed the campaigns and determined they were "most likely" part of a hack-for-hire operation connected to the Bitter advanced persistent threat (APT) group.
Bitter, which is also identified as T-APT-17 and APT-C-08, has been active since at least 2013 and primarily targets government, energy, and engineering entities in various countries, including Pakistan, China, Bangladesh, and Saudi Arabia. This revelation is particularly troubling as it highlights the far-reaching implications of cyber espionage on journalistic freedom and civil liberties.
Furthermore, researchers from ESET published a report in October 2025 regarding two mobile spyware strains posing as messaging applications that targeted individuals within the United Arab Emirates (UAE). Their findings indicated that the ProSpy and ToSpy variants, utilized in the aforementioned spear-phishing campaign, were indeed designed to infiltrate civil society organizations.
Additionally, SMEX, a Beirut-based non-profit organization advocating for digital rights, identified another high-profile journalist from Lebanon who fell victim to this spear-phishing campaign. Access Now’s report, released on April 8, detailed how attackers employed elaborate strategies to infiltrate the accounts of Al-A’sar and Eltantawy, specifically targeting their Apple and Google accounts from October 2023 through January 2024.
According to Access Now, the attackers spent considerable effort establishing rapport with their targets via various channels, impersonating legitimate contacts and services using fabricated accounts and profiles. They exploited familiar platforms to deliver the ProSpy and ToSpy malware, with the messaging application Signal being one of the primary targets.
In a proactive response, Signal issued a public warning in March 2026, alerting users to the rising impersonation phishing attacks. In a notable incident, Al-A’sar, believing he was communicating with Apple, unwittingly provided his account details. However, he stopped engaging as soon as he received an unusual two-factor authentication (2FA) alert from an unfamiliar location in Egypt. Conversely, Eltantawy did not take the bait at all, resulting in the attackers’ failure to compromise either individual’s accounts.
Access Now emphasized the potentially devastating consequences had the attackers succeeded; they would have gained unrestricted access to personal and professional information stored in the targets’ Apple or Google accounts, including sensitive data concerning their families, associates, and journalistic sources. The spyware embedded in this attack could have enabled the perpetrators to extract files, contacts, text messages, and geolocation data while activating device cameras and microphones.
The attack against the Lebanese journalist, identified by SMEX in a separate report, also leveraged similar tactics but unfortunately succeeded in breaching the target’s Apple account in 2025. The initial assault occurred through Apple Messages in May 2025, swiftly followed by another wave of attacks via WhatsApp, consisting of separate phishing messages that aimed to compromise the victim’s Apple account.
Upon detection of these attacks, the journalist reached out to SMEX’s Digital Forensics Lab, initiating an urgent investigation due to the considerable risks involved. Although the first attack successfully infiltrated the Apple account and introduced a virtual device, the forensic evidence gathered was limited since the incident was reported days later. The second wave, while unsuccessful, revealed that the same malicious infrastructure was implicated in all attacks.
Lookout researchers indicated that malicious actors were conducting account takeovers in as little as thirty seconds following the submission of victim passwords. They suggested that the campaign may have also targeted victims in Bahrain, as well as government entities in the UAE, Saudi Arabia, and Egypt, with possible links to individuals or alumni of U.S. universities.
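The takeover chain the reports describe (a credential submission from an unfamiliar location, a 2FA alert, then a new or "virtual" device enrolled on the account within seconds) is the kind of sequence an account provider or security team can alert on. The Python below is an added example and is not code from Access Now, SMEX, Lookout or any of the vendors named here; the audit-log schema, the per-account baseline of known countries, the sixty-second window and every sample event are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One entry from a hypothetical account security audit log."""
    ts: datetime
    account: str
    kind: str          # "login", "mfa_challenge" or "device_added"
    country: str       # ISO country code of the source IP (assumed field)
    detail: str = ""   # e.g. the device name for "device_added"


# Constructed sample log. Account "a" is routine use from its usual country;
# account "b" mirrors the pattern in the reports: a credential submission from
# an unfamiliar country, a 2FA challenge, then a device enrolled seconds later;
# account "c" enrols a device from an unfamiliar country, but minutes later.
T = datetime(2025, 5, 10, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T, "a@example.org", "login", "LB"),
    Event(T + timedelta(seconds=20), "a@example.org", "device_added", "LB", "iPhone"),
    Event(T + timedelta(hours=1), "b@example.org", "login", "EG"),
    Event(T + timedelta(hours=1, seconds=5), "b@example.org", "mfa_challenge", "EG"),
    Event(T + timedelta(hours=1, seconds=25), "b@example.org", "device_added", "EG", "Virtual Device"),
    Event(T + timedelta(hours=2), "c@example.org", "login", "EG"),
    Event(T + timedelta(hours=2, minutes=5), "c@example.org", "device_added", "EG", "iPad"),
]

# Countries each account has signed in from before (constructed baseline).
KNOWN_COUNTRIES = {
    "a@example.org": {"LB"},
    "b@example.org": {"LB"},
    "c@example.org": {"LB"},
}


def detect_rapid_enrolment(events, known_countries, window=timedelta(seconds=60)):
    """Flag accounts where a login from an unfamiliar country is followed by a
    device enrolment within `window`. Returns one alert dict per match."""
    alerts = []
    per_account = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        per_account.setdefault(e.account, []).append(e)

    for account, evs in per_account.items():
        known = known_countries.get(account, set())
        for i, login in enumerate(evs):
            if login.kind != "login" or login.country in known:
                continue
            # Unfamiliar-location login: scan forward for a device enrolment
            # before the window closes.
            for later in evs[i + 1:]:
                if later.ts - login.ts > window:
                    break
                if later.kind == "device_added":
                    alerts.append({
                        "account": account,
                        "country": login.country,
                        "device": later.detail,
                        "seconds_after_login": int((later.ts - login.ts).total_seconds()),
                    })
                    break  # one alert per suspicious login
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_enrolment(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

The unfamiliar-location 2FA alert that stopped Al-A’sar is the same signal seen from the user's side; on the provider's side it only becomes a usable detection once there is a baseline of where the account normally signs in from, and the window should be tuned to how quickly legitimate enrolments complete on that platform, since the reports put the attackers' turnaround at roughly thirty seconds.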
In their detailed examination of the ProSpy malware used in these operations, Lookout acquired multiple samples, the earliest dating back to August 2024. While ProSpy does not exhibit the complexity of premier spyware—such as DarkSword and Predator—it has been crafted professionally, integrating various spyware functions aimed at extracting private information and sensitive files.
Furthermore, researchers discovered that the ProSpy campaign was closely related to the Bitter APT group, evidenced by shared infrastructure and code similarities. This raises significant concerns, as Bitter’s historical focus has primarily rested on military and governmental targets, making this escalation to civil society alarming. While no direct links to mercenary groups have been confirmed, indications suggest that Bitter, or an associated entity, may have been commissioned to conduct espionage within the Middle East and North Africa region—marking a notable shift in their operational scope.
Such revelations shed light on the increasingly perilous landscape for civil society figures in the Middle East, navigating not only the challenges of oppressive regimes but also the lurking threats of cyber espionage that aim to undermine their essential work.
