Spyware trap shadows MENA dissent

Hackers posing as trusted messaging and communications services have mounted a sustained surveillance campaign across the Middle East and North Africa, using fake app pages, phishing domains and a custom Android spyware known as ProSpy to target journalists, activists and political figures, according to a joint body of research published this week by Lookout, Access Now and SMEX. The operation, active since at least 2022 and documented through attacks in 2023, 2024 and 2025, is assessed with moderate confidence to be tied to a hack-for-hire network linked to the BITTER threat group rather than a simple criminal phishing ring.

Evidence assembled by the researchers points to a broad and carefully managed campaign rather than isolated incidents. Access Now said two Egyptian public figures, journalist Mostafa Al-A’sar and journalist-turned-opposition politician Ahmed Eltantawy, were targeted in October 2023 and January 2024 through spear-phishing aimed at compromising Apple, Microsoft and Google accounts. SMEX separately documented a 2025 attack against a Lebanese journalist that resulted in an Apple account compromise and the attachment of a virtual device, allowing persistent access. CyberScoop and TechCrunch reported that the three investigations were coordinated and that the attackers’ infrastructure stretched beyond those named cases.

Lookout’s analysis suggests the campaign’s geographic reach is wider than the confirmed victims. Based on phishing domains, malicious app lures and infrastructure patterns, the company said the activity likely extended to Bahrain, the UAE, Saudi Arabia, Egyptian government entities, the United Kingdom and potentially the United States or alumni of American universities. The lures were varied and tailored, impersonating Zoom, Microsoft Teams, Office 365, Apple, Google, Signal, Telegram, WhatsApp, ToTok, Botim, Reuters, The Guardian and even Bahraini and Egyptian government services. That breadth indicates an operation designed to match the daily habits of high-risk targets rather than relying on bulk spam.

At the centre of the Android side of the campaign is ProSpy, which researchers describe as a professionally built surveillance tool under active development. Lookout said it reviewed 11 samples, with the earliest dating back to August 2024, while Access Now said its own investigation first uncovered the malicious APK during work on the Egyptian cases before Lookout expanded the technical analysis. The spyware masqueraded as apps such as Signal Encryption Plugin, ToTok Pro and Botim Pro, and was delivered through simple staging sites in English and Arabic. One observed lure invited a target to a secure video call and then redirected the victim to a malicious ToTok download page.

Once installed, the malware could exfiltrate contacts, SMS messages, device information and a wide range of files, including documents, images, audio, video, archives and backup files. Researchers said it also looked specifically for backup-related filenames, including ToTok backup extensions, and could be instructed by command-and-control servers to search for newly modified files. That capability makes the tool especially relevant for journalists, campaigners and political organisers whose work often depends on documents, media files and sensitive contact networks stored on mobile devices.

The attribution question remains important and unresolved in one respect. Lookout stopped short of claiming absolute certainty, saying it had found enough links to BITTER to argue for attribution with moderate confidence but could not determine whether this marked an expansion of BITTER’s mandate or overlap with an unidentified hack-for-hire organisation. The connection rests on infrastructure overlaps, code similarities and tradecraft parallels with BITTER’s earlier Android malware, Dracarys, which Meta attributed to the group in 2022. Both operations used fake secure-messaging lures, numbered command structures and phishing-heavy delivery methods.

That distinction matters because it points to a larger shift in cyber-espionage. Researchers and outside reporting say the campaign fits a model in which private or semi-private operators conduct intrusive surveillance on behalf of unknown clients, giving governments or political actors distance from the operation itself. TechCrunch noted that Lookout researchers see possible links to the wider South Asian hack-for-hire ecosystem, while Reuters’ investigations in 2022 and 2023 documented how firms in that ecosystem were allegedly used to target executives, politicians, military personnel and other high-value individuals.
