Apr 09, 2026 · 6 min read
A Hack-for-Hire Group Is Targeting Journalists Across the Middle East
Access Now and Lookout exposed a cross-border campaign that deployed Android malware and iCloud credential theft against Egyptian journalists, Lebanese reporters, and civil society members in six countries.
What the Investigation Found
On April 8, 2026, Access Now published the results of a forensic investigation into a sustained hack-for-hire operation targeting civil society across the Middle East and North Africa. The campaign ran from 2023 through 2024, using spear phishing attacks to compromise the devices of journalists and government critics.
Two primary targets were identified: Mostafa Al-A'sar and Ahmed Eltantawy, both prominent Egyptian journalists and critics of the Egyptian government. Both had previously faced political imprisonment. One had already been targeted with spyware in an earlier campaign.
How the Attacks Worked
The operation used a two-pronged approach to gain persistent access to targets' digital lives:
- Android malware: Malicious applications were deployed to compromise Android devices directly, giving attackers access to messages, call logs, contacts, and location data.
- iCloud credential phishing: Social engineering attacks targeted Apple account credentials, enabling access to iCloud backups, which contain a complete copy of a victim's phone data, including encrypted messaging app histories.
By targeting both Android and Apple ecosystems simultaneously, the attackers ensured they could monitor targets regardless of which platform they used.
Who Is Behind It
Lookout's independent analysis linked the operation to BITTER APT, also known as T-APT-17, a hack-for-hire group with ties to South Asia. BITTER has been active since at least 2013, primarily targeting government and energy sector organizations. This campaign marked an expansion into civil society targets in the MENA region.
The hack-for-hire model means the group likely operates on behalf of paying clients, though the identity of those clients remains unknown. This is the surveillance industry in its most distilled form: unknown entities purchasing espionage capabilities against specific individuals.
The Campaign's Reach
The investigation revealed targets well beyond Egypt. According to the research, the operation also reached individuals in:
- Lebanon, where a prominent journalist was targeted in a 2025 attack investigated by SMEX, a digital rights nonprofit
- Bahrain and the United Arab Emirates
- Saudi Arabia and the United Kingdom
- Potentially the United States or alumni of American universities
Targets included not only journalists but also members of the Bahraini and Egyptian governments, suggesting the campaign served multiple clients with different objectives.
Part of a Growing Pattern
This campaign adds to an accelerating pattern of surveillance targeting journalists and civil society. In the past year alone, Predator spyware was used to hack an Angolan journalist on World Press Freedom Day, Hungary charged a journalist with espionage for exposing Russian ties, and an Italian spy firm built a fake WhatsApp that took over entire phones.
What makes the BITTER campaign distinct is the hack-for-hire business model. While Predator and Pegasus are sold as software products, BITTER operates as a service. Clients do not need to acquire or operate surveillance tools themselves. They simply designate targets and pay for results.
How Journalists and Activists Can Protect Themselves
If you work in journalism, activism, or civil society, especially in the MENA region, these steps reduce your exposure:
- Enable Apple Lockdown Mode on iPhones. Apple reports no device in Lockdown Mode has been hacked by spyware.
- Use hardware security keys for iCloud and Google accounts. Phishing attacks that steal passwords cannot bypass a physical key.
- Audit app installations on Android devices. Avoid sideloading APKs and check for apps you did not install.
- Disable iCloud backups for sensitive messaging apps. End-to-end encryption protects messages in transit but not when they are backed up unencrypted to the cloud.
- Contact Access Now's Digital Security Helpline if you suspect your device has been compromised. The helpline provides free forensic analysis for civil society members.
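One concrete way to do the Android app audit above is to pull the third-party package list with its installer source over ADB (`adb shell pm list packages -3 -i`) and flag anything that did not come from an app store. The script below is an added example, not code from Access Now, Lookout, or the original article; it parses that command's output and runs on a constructed sample so it works offline. The trusted-installer set is an assumption (add your vendor's store if you use one).

```python
import re
from typing import List, NamedTuple, Optional, Set

# Assumption: on a typical consumer device only Google Play should be
# installing apps. "null" means the package arrived via ADB or a downloaded
# APK (sideloaded); com.android.packageinstaller means a manually opened APK.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


class PackageEntry(NamedTuple):
    name: str
    installer: Optional[str]   # None when pm reports installer=null


# Line format printed by `pm list packages -3 -i` on Android:
#   package:<name>  installer=<installer package or null>
_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> List[PackageEntry]:
    """Turn raw `pm list packages -3 -i` output into PackageEntry records."""
    entries: List[PackageEntry] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and any non-package chatter
        inst = m.group("inst")
        entries.append(PackageEntry(m.group("pkg"), None if inst == "null" else inst))
    return entries


def flag_unexpected(entries: List[PackageEntry],
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[PackageEntry]:
    """Return packages whose installer is missing or not in the trusted set."""
    return [e for e in entries if e.installer not in trusted]


# Constructed sample output; the package names are illustrative, not real findings.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.example.weather  installer=null
package:com.example.secure.chat  installer=com.android.packageinstaller
package:org.thoughtcrime.securesms  installer=com.android.vending
"""


def audit(text: str = SAMPLE_PM_OUTPUT) -> List[str]:
    """Names of third-party packages that deserve a manual look."""
    return [e.name for e in flag_unexpected(parse_pm_output(text))]


if __name__ == "__main__":
    for name in audit():
        print("review:", name)   # prints org.example.weather and com.example.secure.chat
```

Replace the sample with the real output (`adb shell pm list packages -3 -i > pkgs.txt`) and inspect each flagged package's permissions before deciding whether to remove it.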
Why Email Security Matters in This Context
Spear phishing, the initial attack vector in this campaign, starts in the inbox. The phishing emails that delivered malware and credential theft pages were crafted to look like legitimate messages from trusted contacts or organizations. For anyone in a high-risk role, basic email hygiene is the first line of defense: verify sender addresses, avoid clicking links in unexpected messages, and treat any email requesting login credentials as suspicious until proven otherwise.