Bitter APT's Hack-for-Hire Spyware Operation Targets MENA Journalists and Activists

April 10, 2026 19:40 · 5 min read
Three Organizations Uncover a Coordinated Espionage Campaign

A suspected hack-for-hire operation with alleged ties to the Indian government has been targeting journalists and activists across the Middle East and North Africa, according to findings published Wednesday by three collaborating organizations: Access Now, Lookout, and SMEX. The campaign's shared infrastructure pointed investigators toward the advanced persistent threat group known as Bitter, which most commonly focuses its efforts on government, military, diplomatic, and critical infrastructure targets throughout South Asia.

Each organization contributed a distinct layer of analysis to build a comprehensive picture of the operation. Access Now first became aware of the threat through calls to its digital security helpline, which led it to investigate a spearphishing campaign active during 2023 and 2024. It subsequently reached out to Lookout for technical assistance in analyzing the malware samples it had collected. Lookout's researchers attributed the malware to Bitter and characterized the broader effort as a likely hack-for-hire campaign, identifying the payload as the Android ProSpy spyware. SMEX, meanwhile, independently examined a spearphishing campaign directed at a prominent Lebanese journalist the previous year, and later collaborated with Access Now to establish that both campaigns shared overlapping infrastructure.

A Campaign Operational Since at Least 2022

The joint investigation revealed that the operation extended well beyond the initial victims who had sought help. As Lookout summarized in its findings: "Our joint findings expose an espionage campaign that has been operational since at least 2022 until present day primarily targeting civil society members and potentially government officials in the Middle East."

Lookout further described the methodology employed by the threat actors: "The operation features a combination of targeted spearphishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target's device."

It is worth noting that ESET had previously published research on the ProSpy malware, having identified it targeting residents of the United Arab Emirates.

Victims Speak Out: Fear, Exile, and Surveillance

One of the identified victims, Mostafa Al-A'sar, an independent Egyptian journalist, came forward to describe his experience. He said he reached out to Access Now after receiving a suspicious link from someone he had been communicating with about a potential job opportunity. His caution was shaped by prior experience: he had been arrested in Egypt in 2018, and his phone had been targeted before.

Al-A'sar, who is currently living in exile, expressed a sense of persistent threat despite his distance from Egypt. "I feel like I'm threatened," he said, adding that even from abroad, "they are still following me. I also felt worried about my family, about my friends, about my sources."

His broader takeaway for journalists and civil society organizations was direct: cybersecurity "is not a luxury."

Spearphishing Through Fake Personas

The attack methodology relied heavily on social engineering. Threat actors created fraudulent social media accounts and impersonated contacts through messaging applications to establish trust with targets over time. Once a relationship was cultivated, victims were directed toward malicious links designed to deliver the ProSpy Android spyware if the target was using an Android device.

This type of sustained, persona-based manipulation is a hallmark of sophisticated threat actors and makes it particularly difficult for targets — even security-aware individuals — to recognize the threat before it is too late.

Attribution Challenges and Organizational Responses

While Lookout attributed the malware to the Bitter APT group and assessed the campaign as a likely hack-for-hire operation, Access Now stated that it did not have sufficient information to independently attribute who had commissioned or was behind the attacks it identified. The distinction between the technical malware attribution and the broader operational attribution underscores the complexity of investigating such campaigns.

The Committee to Protect Journalists condemned the operation in strong terms. Sara Qudah, the organization's regional director, stated: "Spying on journalists is often the first step in a broader pattern of intimidation, threats, and attacks. These actions endanger not only journalists' personal safety, but also their sources and their ability to do their work. Authorities in the region must stop weaponizing technology and financial resources to surveil journalists."

Implications for Press Freedom and Digital Security

The revelations add to a growing body of evidence that commercial and state-adjacent spyware tools are being deployed against journalists, activists, and members of civil society across the Middle East and North Africa. The campaign's longevity — running from at least 2022 through the present — and its combination of technical sophistication with persistent human-level manipulation make it a significant threat to press freedom in the region.

For journalists and activists operating in high-risk environments, the findings serve as a stark reminder that digital threats are not abstract — they carry real consequences for personal safety, professional networks, and the protection of confidential sources.


Source: CyberScoop