Hack-for-hire group caught targeting Android devices and iCloud backups

Cybersecurity researchers say they have uncovered a hack-for-hire operation targeting journalists, activists, and government officials in the Middle East and North Africa. The attackers used phishing to break into targets’ iCloud backups and Signal messaging accounts, and deployed Android spyware capable of taking control of the targets’ devices.

This hacking campaign underscores a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire firms. Some governments already depend on commercial companies that develop the spyware and exploits used by law enforcement and intelligence agencies to obtain data from individuals’ mobile devices.

Researchers from the digital rights group Access Now noted three instances of attacks from 2023 to 2025 involving two Egyptian journalists, along with a journalist in Lebanon whose situation was also reported by the digital rights organization SMEX. 

The mobile cybersecurity firm Lookout also examined these attacks. The three organizations collaborated and released separate reports on Wednesday.

Lookout indicated that the attacks extend beyond Egyptian and Lebanese civil society members and include individuals within the Bahraini and Egyptian administrations, along with targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States or graduates of American institutions. 

Lookout concluded that the perpetrators behind this spying venture are affiliated with a hack-for-hire firm linked to BITTER APT, a hacking collective that cybersecurity firms believe has connections to the Indian government.

Justin Albrecht, principal researcher at Lookout, informed TechCrunch that the firm behind the operation may be an offshoot of the Indian hack-for-hire company Appin, mentioning a specific company named RebSec as a likely candidate. In 2022 and 2023, Reuters conducted thorough investigations into Appin and other similar Indian firms, revealing how these companies are allegedly contracted to hack corporate leaders, politicians, military personnel, and more. 

Appin has apparently since ceased operations, but Albrecht said that the emergence of this new hacking campaign indicates that its activities “didn’t vanish; they merely transitioned to smaller firms.”

These organizations and their clients receive “plausible deniability since they manage all the operations and infrastructure.” Furthermore, for their clients, these hack-for-hire entities are often less expensive than acquiring commercial spyware, Albrecht stated. 

RebSec could not be reached for comment, as the firm has deleted its social media profiles and website.


Mohammed Al-Maskati, an investigator and director at Access Now’s Digital Security Helpline who handled these situations, mentioned that “these operations have become less costly and evading accountability is feasible, particularly since the end customer remains unknown, and the infrastructure will not disclose the entity behind it.”

While groups like BITTER may lack the most sophisticated hacking and espionage tools, their strategies can still prove to be quite effective. 

In the attacks associated with this campaign, the hackers employed various techniques. When focusing on iPhone users, the attackers attempted to deceive targets into revealing their Apple ID information to subsequently infiltrate their iCloud backups, effectively granting them access to the complete contents of the targets’ iPhones. 

This presents “potentially a more affordable alternative to the employment of more advanced and costly iOS spyware,” according to Access Now.

When targeting Android users, the attackers utilized spyware known as ProSpy, disguising it as popular messaging and communication applications such as Signal, WhatsApp, and Zoom, along with ToTok and Botim, two applications favored in the Middle East. 

In some instances, the hackers attempted to deceive victims into registering and attaching a new device — under their control — to their Signal account, a method that has gained popularity among various hacking collectives, including Russian spies.

A representative for the Indian embassy in Washington, D.C. did not immediately respond to a request for comment.