AN apparent hack-for-hire campaign, seemingly orchestrated by a threat actor with suspected ties to the Indian government, targeted journalists, activists and government officials across the Middle East and North Africa (MENA), according to findings reported by Access Now, Lookout and SMEX. Two Egyptian journalists, Mostafa Al-A'sar and Ahmed Eltantawy, were among those targeted in spear-phishing attacks in which they were directed to fake pages to harvest Google and Apple credentials and 2FA codes.
The attacks, described as lasting from 2023 to 2024, were linked by SMEX to attempts to compromise accounts via OAuth and fake domains, with later messages hitting a Lebanese journalist in May 2025 and impersonating Apple Support on messaging apps. Lookout attributed the disparate efforts to Bitter, a threat cluster believed to operate espionage in the interests of the Indian government, and noted that the operation has been active since at least 2022.
The campaign’s observed phishing domains and ProSpy malware connections suggest broader regional surveillance and data harvesting, with targets including Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt and possibly the U.S. or alumni of U.S. universities.