A hack-for-hire group has been discovered targeting Android devices and iCloud backups

Security researchers say they have identified a hacking group for hire targeting journalists, activists and government officials across the Middle East and North Africa. The hackers used phishing attacks to access targets’ iCloud backups and Signal messaging accounts, and deployed Android spyware capable of taking over targets’ devices.

This hacking campaign highlights the growing trend of government agencies outsourcing their hacking operations to privately hired hacking companies. Some governments already rely on commercial companies that develop spyware and exploitation software that police and intelligence agencies use to access data on people’s phones.

Researchers from the digital rights organization Access Now have documented this Three cases of attacks During the period from 2023 to 2025, against two Egyptian journalists, and a journalist in Lebanon, whose case was also Notarized By digital rights organization SMEX.

Mobile cybersecurity company Lookout These attacks were also investigated. The three organizations cooperated with each other and published separate reports on Wednesday.

According to Lookout, the attacks extend beyond members of Egyptian and Lebanese civil society, and include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and possibly the United States or graduates of American universities.

Lookout concluded that the hackers behind this espionage campaign worked for a hack-for-hire vendor with connections to BITTER APT, a hacking group working on… Cyber ​​security Companies The suspect has ties to the Indian government.

Justin Albrecht, lead researcher at Lookout, told TechCrunch that the company behind the campaign may be an offshoot of Indian hack-for-hire startup Appin, and pointed to one such company called Repsec As a possible suspect. Reuters published in 2022 and 2023 vast Investigations In Appin and other similar companies based in India, which revealed how these companies are employed to hack company executives, politicians, military officials and others.

Appin was later apparently shut down, but Albrecht noted that the discovery of this new hacking campaign shows that the activity “has not disappeared, it has just moved to smaller companies.”

These groups and their agents get “plausible deniability because they manage all operations and infrastructure.” For its customers, these hack kits will likely be cheaper than purchasing Commercial spyware“Albrecht said.

Rebsec could not be reached for comment, as the company has deleted its social media accounts and website.

Mohammed Al Maskati, Access Now’s Investigator and Director Digital Security Helpline Those who worked on these cases said, “These operations have become cheaper, and it is possible to evade responsibility, especially since we will not know who the final customer is, and the infrastructure will not reveal the party behind them.”

While groups like BITTER may not have the most advanced hacking and espionage tools, their tactics are still very effective.

In the attack portion of this campaign, hackers used several different techniques. When targeting iPhone users, hackers attempted to trick targets into giving up their Apple ID credentials in order to compromise their iCloud backups, which would have effectively given them access to the entire contents of the targets’ iPhones.

This is “potentially a cheaper alternative to using more complex and expensive iOS spyware,” according to Access Now.

When targeting Android users, the hackers used spyware called ProSpy, disguised as popular messaging and communication apps like Signal, WhatsApp, and Zoom, as well as ToTok and Botim, two apps popular in the Middle East.

In some cases, hackers attempted to trick victims into registering and adding a new device — controlled by the hackers — to their Signal account, a technique that has become very popular among various hacking groups. Including Russian spies.

A spokesman for the Indian Embassy in Washington, D.C., did not immediately respond to a request for comment.