A wide-ranging but highly targeted cyber-attack has been identified in the Middle East and North Africa region, attributed to the “Bitter” attack group and operating under the “hacker-for-hire” business model. The targets included journalists, activists and government officials. The attackers combined sophisticated social engineering with phishing and, in some cases, spyware.
A large-scale cyberattack was observed in the Middle East and North Africa region. It very likely follows the so-called “hacking for hire” pattern. According to Access Now and others, an entity possibly linked to the Indian government is behind it. Journalists, activists and government officials were all attacked.
Some of the most high-profile targets include the Egyptian journalists Mostafa Al-Asar and Ahmed Eltanwi, both critics of Egypt’s government, who were targeted by phishing schemes in October 2023 and January 2024. The schemes were well planned but followed a fairly common approach: users were diverted to fake versions of the Apple and Google login screens, where they entered their username and password together with their two-factor authentication code.
“The attacks occurred between 2023 and 2024. Both victims are well-known critics of Egypt’s government. One victim had previously been targeted with spyware,” stated Access Now, a provider of digital security services.
Access Now also cites the example of a Lebanese journalist who wishes to remain anonymous. Starting in May 2025 he received phishing messages via iMessage and WhatsApp. The messages contained links that looked like an Apple account verification; to complete the “verification”, users had to hand over their account details.
“The phishing campaign included multiple attacks using iMessage and WhatsApp and posed as Apple support,” noted SMEX. “While the majority of attacks focused on Apple services, we also see attempts at hacking Telegram and Signal.”
One of the attacks used LinkedIn. Mostafa Al-Assar was contacted by a fake recruiter named Haifa Karim about a job. Once the journalist had handed over his contact list, he received an invitation to a Zoom meeting. The link to join the meeting was shortened with Rebrandly and led to a phishing site.
This phishing attempt was considerably more sophisticated than the average phishing scam. It did not use a fake login screen. Instead, it abused Google’s OAuth 2.0 consent mechanism. The victim saw no indication that anything was wrong and was free to approve the request; once they did, the attacker was granted access to the account through Google’s own official mechanisms.
“Unlike other attacks that used fake webpages, this one used OAuth consent. That means the attackers got to use Google’s official systems to gain access to the account,” explained Access Now. “The victim actually gives permission for someone else to have access to their account before realizing what is happening.”
Fake websites impersonating well-known services were used in these attacks. Examples of such sites include:
signin-apple.com-en-uk[.]co
id-apple.com-en[.]io
facetime.com-en[.]io
secure-signal.com-en[.]io
telegram.com-en[.]io
verify-apple.com-ae[.]net
join-facetime.com-ae[.]net
android.com-ae[.]net
encryption-plugin-signal.com-ae[.]net
Some of the domains listed above, those in the .com-ae[.]net domain zone, are of particular interest: they have already appeared in another campaign. In October 2025, ESET reported that attackers created fake versions of apps such as Signal, ToTok and Botim in order to distribute the Android spyware ProSpy and ToSpy in the UAE.
Overall, this shows that phishing is merely the initial phase. Subsequent phases will likely involve further surveillance of the victims, such as accessing their private information and communications.
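The lookalike domains above all rely on the same trick: the hostname reads like “apple.com” or “signal.com”, but the registrable domain is actually “com-en.io” or “com-ae.net”. The following added example (not code from the article or from Access Now) shows a simple triage check that refangs such indicators, extracts the registrable domain, and flags hosts carrying a brand word under someone else’s domain. The brand list, legitimate-root list and two benign control hostnames are assumptions for the example; the last-two-labels rule is a simplification that ignores multi-label public suffixes.

```python
import re

# Constructed sample: lookalike domains quoted in the article, plus two
# benign controls (assumed legitimate) to show the check does not over-flag.
SAMPLE_DOMAINS = [
    "signin-apple.com-en-uk[.]co",
    "id-apple.com-en[.]io",
    "verify-apple.com-ae[.]net",
    "encryption-plugin-signal.com-ae[.]net",
    "android.com-ae[.]net",
    "accounts.google.com",   # constructed benign control
    "appleid.apple.com",     # constructed benign control
]

# Assumption for this example: brand words to look for and the registrable
# domains those brands legitimately use. A production check would use a
# curated list and a public-suffix library.
BRANDS = {"apple", "facetime", "signal", "telegram", "android", "google"}
LEGITIMATE_ROOTS = {"apple.com", "google.com", "android.com",
                    "signal.org", "telegram.org"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as id-apple.com-en[.]io back into a hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def lookalike_verdict(defanged: str) -> dict:
    """Flag hostnames that carry a brand word but sit under someone else's registrable domain."""
    host = refang(defanged)
    root = registrable_domain(host)
    labels = host.split(".")
    # Brand words may be glued in with hyphens (signin-apple, encryption-plugin-signal).
    brands = sorted(BRANDS & set(re.split(r"[.-]", host)))
    # The "brand.com-xx.tld" trick: a non-final label starting with "com-"
    # makes the hostname read like brand.com to a hurried eye.
    fake_dotcom = any(label.startswith("com-") for label in labels[:-1])
    suspicious = bool(brands) and root not in LEGITIMATE_ROOTS
    return {"host": host, "registrable": root, "brands": brands,
            "fake_dotcom": fake_dotcom, "suspicious": suspicious}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        v = lookalike_verdict(d)
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} {v['host']:40} registrable={v['registrable']} "
              f"brands={v['brands']} fake_dotcom={v['fake_dotcom']}")
```

Run as a script it prints one verdict per sample; the five article domains are flagged and the two control hostnames are not.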