# Full Report
Access Now, Lookout and SMEX joined research forces to find a campaign involving suspected Indian government-connected group Bitter, ProSpy spyware and more. The post "Hack-for-hire spyware campaign targets journalists in Middle East, North Africa" appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: Bitter (suspected)
## Attribution & Identity
* **Identification:** Bitter (also known as Bitter APT).
* **Suspected Origin:** India.
* **Associations:** Linked to the Indian government by researchers from Access Now, Lookout, and SMEX.
* **Nature of Operation:** In this instance the group's activity is described as a "hack-for-hire" campaign, suggesting that it may operate as a mercenary service or provide capabilities to specific government clients outside its usual targeting scope.
## Activity Summary
* **Timeline:** Activity documented from at least 2022 through 2024, with parts of the research extending into early 2026.
* **Key Campaigns:**
  * A 2023–2024 spearphishing campaign targeting activists and journalists in the MENA (Middle East and North Africa) region.
  * A specific 2025–2026 operation targeting a prominent Lebanese journalist and an Egyptian journalist in exile.
  * Previously identified activity involving the distribution of ProSpy to residents in the UAE.
## Tactics, Techniques & Procedures
* **Social Engineering:** Persistent social engineering efforts involving the creation of fake social media accounts and the use of messaging applications to build rapport with targets.
* **Spearphishing:** Delivery of malicious links via messaging apps, often disguised as legitimate job offers or professional opportunities.
* **Mobile Exploitation:** Delivery of Android-based spyware depending on the victim's device type.
* **Infrastructure Reuse:** Use of shared Command and Control (C2) infrastructure across several regional campaigns, which is what allowed researchers to link otherwise separate attacks to Bitter.
## Targeting
* **Sectors:** Civil society, journalists, activists, and potentially government officials.
* **Geography:** Primarily Middle East and North Africa (MENA), including Egypt, Lebanon, and the United Arab Emirates (UAE). Historically focused on South Asia.
* **Victims:**
  * Mostafa Al-A’sar (Egyptian journalist).
  * Unnamed prominent Lebanese journalist.
  * General civil society members in the MENA region.
## Tools & Infrastructure
* **Malware Families:**
  * **ProSpy:** An Android spyware family used for espionage and data exfiltration.
* **Infrastructure:**
  * Shared infrastructure pointing to Bitter APT. (Specific indicator values were not provided in the source text, but researchers cited the "shared infrastructure" as the primary link.)
  * Defanged reference: [hxxps]://www[.]accessnow[.]org/mena-phishing-2026/ (research report site).
## Implications
* **Strategic Shift:** While Bitter is historically known for targeting South Asian government and military sectors, this campaign demonstrates an expansion into "hack-for-hire" services or expanded geographic mandates targeting the Middle East.
* **Civil Society Risk:** The use of sophisticated APT-level infrastructure against journalists highlights a growing trend of weaponized technology being used for transnational repression, even against individuals living in exile.
## Mitigations
* **Identity Verification:** Journalists and activists should verify the identity of recruiters or professional contacts reaching out via social media or messaging apps, especially when unsolicited links are provided.
* **Mobile Security:** Use mobile security solutions (such as those provided by Lookout) that offer both signature-based and behavioral detection of Android spyware like ProSpy.
* **Link Sanitization:** Treat shortened or otherwise suspicious URLs with extreme caution; where professional duties require interacting with unknown sources, open links only in a sandboxed environment rather than on the primary device.
* **Multi-Factor Authentication (MFA):** While ProSpy focuses on exfiltration, robust MFA can prevent secondary account takeovers often associated with spearphishing.