In a chilling reminder of the growing threats facing journalists and civil society figures in the Middle East, a sophisticated spear-phishing campaign has been uncovered, targeting prominent individuals in Egypt, Lebanon, and potentially beyond. Detected by digital rights organization Access Now, this campaign highlights how state-level cyber espionage tools are increasingly being used against independent voices, rather than traditional government or corporate targets. The attackers’ methods demonstrate both technical sophistication and careful planning, showing that digital activists and journalists remain high-risk targets in a region fraught with political tensions.
Spear-Phishing Campaign Uncovered
The campaign first came to light in August 2025 when prominent Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy reported suspicious activity. Access Now’s Digital Security Helpline investigated and found that both journalists had been targeted through spear-phishing attacks dating back to 2023–2024. Android malware, tied to the phishing infrastructure, was discovered during the investigation. Collaboration with mobile security firm Lookout revealed that the operation bore hallmarks of a hack-for-hire campaign linked to the Bitter APT (advanced persistent threat) group, also known as T-APT-17 or APT-C-08. Bitter has been active since at least 2013, typically targeting government, energy, and engineering organizations in South Asia.
Researchers from ESET had earlier reported similar Android spyware strains in the UAE, disguised as messaging apps. Lookout confirmed that these malware strains—dubbed ProSpy and ToSpy—were used to target civil society figures in this campaign. In parallel, SMEX, a Beirut-based digital rights NGO, documented that a high-profile Lebanese journalist had been successfully compromised in 2025 using similar tactics.
The Mechanics of the Attack
According to Access Now, the attackers meticulously planned their operations, launching phishing campaigns against Al-A’sar and Eltantawy in October 2023 and January 2024. They impersonated legitimate services and individuals across multiple platforms, including Signal, Apple, and Google services, to deliver the ProSpy/ToSpy malware.
Al-A’sar narrowly avoided compromise by noticing a suspicious two-factor authentication login alert, while Eltantawy did not engage at all. Had the attackers succeeded, they could have accessed personal and professional data, including files, contacts, geolocation, and even activated microphones and cameras.
The Lebanese journalist, however, fell victim to the same phishing infrastructure in May 2025. The first wave of attacks via Apple Messages succeeded in compromising the account, while a second wave via WhatsApp failed but yielded full credential exfiltration, demonstrating the attackers’ ability to perform account takeovers in as little as 30 seconds.
ProSpy Malware Analysis
ProSpy, while not as sophisticated as top-tier spyware like DarkSword or Coruna, is professionally developed using Kotlin and includes common spyware functions for collecting sensitive data. Researchers noted active development, including new capabilities over time, and the use of live staging servers to distribute malicious APK files disguised as legitimate app updates. Targets are initially contacted via social media impersonation or fake support messages, before being tricked into downloading the malware.
Lookout linked the ProSpy campaign to Bitter APT through shared infrastructure, code similarities, and command conventions. However, this campaign marks a deviation from Bitter’s traditional targets, suggesting either an expansion of their operations or collaboration with hack-for-hire actors. Evidence indicates this may be the first documented case of Bitter targeting civil society in the Middle East and North Africa.
What Undercode Say:
This campaign represents a worrying evolution in cyber threats against civil society. By adopting tactics historically reserved for government and corporate espionage, actors like Bitter are signaling that journalists and activists are now prime targets. The multi-platform approach—leveraging Android malware, fake social media accounts, and phishing emails—demonstrates a high level of operational sophistication and planning.
The successful compromise of the Lebanese journalist underscores the speed and efficiency of these attacks. A mere 30-second window between credential submission and account takeover highlights that even cautious users are at significant risk. Organizations like Access Now and SMEX play a critical role in bridging the gap between victims and technical support, yet the delay in detection can limit forensic insights, leaving defenders with incomplete evidence.
The use of ProSpy and ToSpy indicates a trend where state-level tools or mercenary hacking groups are now accessible for hire, blurring the line between geopolitical espionage and targeted harassment. The targeting of multiple countries—including Bahrain, the UAE, Saudi Arabia, the UK, Egypt, and possibly the US—demonstrates the global reach of such campaigns.
Furthermore, this campaign raises questions about the responsibility of app and platform providers. Despite warnings from Signal and Apple, users remain vulnerable to impersonation attacks, particularly when attackers employ localized messaging and language to increase credibility. Active monitoring, user education, and rapid reporting are crucial defenses against such high-stakes cyber operations.
The deviation from Bitter’s historical focus on military and energy sectors to civil society targets signals a broader strategic shift. Hack-for-hire operations may now serve political actors, potentially altering the threat landscape in the Middle East, North Africa, and beyond. Continuous threat intelligence sharing among NGOs, tech companies, and cybersecurity firms is imperative to protect at-risk individuals and to anticipate the next wave of attacks.
Fact Checker Results:
✅ Access Now confirmed spear-phishing targeting Egyptian journalists in 2023–2024.
✅ SMEX verified compromise of a Lebanese journalist’s Apple account in 2025.
❌ No direct mercenary group linkage established; attribution is likely Bitter or affiliated entity.
Prediction:
🔮 As espionage malware becomes more accessible for hire, civil society figures will face increasing threats from sophisticated spear-phishing campaigns. Future attacks may integrate AI-driven social engineering, making rapid detection and multi-factor authentication critical for digital safety.
References:
Reported By: www.infosecurity-magazine.com