The investigation began with spear-phishing cases against two Egyptian public figures, independent journalist Mostafa Al-A’sar and journalist-turned-opposition politician Ahmed Eltantawy. Access Now’s Digital Security Helpline said the attacks used messages crafted to look as though they came from trusted people and services and were designed to harvest credentials and other personal data from Apple, Microsoft and Google accounts. The organisation said the activity stretched across 2023 and 2024 and formed part of a broader malicious infrastructure aimed at civil society in MENA.
Researchers say the campaign mattered not only because of who was targeted, but because of how the operators blended low-cost phishing with mobile surveillance tactics. Access Now found fake Android applications disguised as services such as Signal, while Lookout said the campaign also relied on phishing pages imitating iCloud and other platforms to gain access to cloud backups and linked messaging accounts. That combination allowed the attackers to adapt their methods according to the victim’s device, using credential theft against iPhone users and spyware delivery against Android users.
Lookout’s analysis identified the Android toolset as ProSpy, spyware that masqueraded as secure messaging applications including Signal, ToTok and Botim. According to the company, the malware could collect contacts, SMS messages, hardware and software information, and local files, while its command-and-control infrastructure showed signs of continued development over time. The firm said it acquired 11 ProSpy samples, with the earliest dating back to August 2024 and newer samples continuing into March 2026, suggesting that parts of the operational ecosystem remained active after the first wave of documented phishing.
The victim pool appears wider than the initial Egyptian cases. Access Now said it also assisted SMEX in examining a similar attack against a Lebanese journalist, and Lookout said phishing domains and malware lures indicated likely targeting in Bahrain, the UAE, Saudi Arabia, the United Kingdom and possibly the United States, alongside Egyptian and Bahraini government-related bodies. Among the observed lures were pages themed around ministries, national communications offices, universities, media brands and messaging services, a sign that the operators tailored pretexts to the professional and political interests of intended victims.
The BITTER connection rests on infrastructure overlaps, malware similarities and established tradecraft rather than a single decisive indicator. Lookout said it found enough viable links to make a moderate-confidence attribution to BITTER or a hack-for-hire organisation tied to it, while cautioning that it could not yet determine whether the case reflected an expansion of BITTER’s mission or an overlap between the espionage group and a separate contractor. That distinction matters. A direct BITTER role would suggest a widening target set for a known cyber-espionage actor, while a contractor relationship would point to the growing commercialisation of digital repression in which tools, staff or infrastructure move between state-linked espionage and paid intrusion services.
Earlier research helps explain why investigators are taking the attribution seriously. Proofpoint and Threatray said in 2025 that TA397, also known as BITTER, was highly likely to be a state-backed espionage actor working in the interests of the government in New Delhi. Proofpoint also described spear-phishing as the group’s preferred initial access technique and said it had observed BITTER targeting beyond South Asia, including Turkey and entities in Europe connected to China. That record does not prove responsibility for the MENA civil society campaign on its own, but it does place the latest findings within a longer pattern of politically relevant phishing operations and regional intelligence collection.