\n<\/p>\n
Security researchers say they have identified a hack-for-hire group targeting journalists, activists, and government officials across the Middle East and North Africa. The hackers used phishing attacks to access targets\u2019 iCloud backups and messaging accounts on Signal, and deployed Android spyware capable of taking over the targets\u2019 devices.<\/p>\n
This hacking campaign highlights a growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies. Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data on people\u2019s phones.<\/p>\n
Researchers from the digital rights organization Access Now documented three instances of attacks<\/a> over 2023 through 2025 against two Egyptian journalists, and a journalist in Lebanon whose case was also documented<\/a> by digital rights organization SMEX.\u00a0<\/p>\n Mobile cybersecurity company Lookout also investigated these attacks<\/a>. The three organizations collaborated with each other and published separate reports on Wednesday.\u00a0<\/p>\n According to Lookout, the attacks go beyond members of Egyptian and Lebanese civil society, and include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States or alumni of American universities.\u00a0<\/p>\n Lookout concluded that the hackers behind this espionage campaign work for a hack-for-hire vendor with connections to BITTER APT, a hacking group that cybersecurity<\/a> companies<\/a> suspect has ties to the Indian government.<\/p>\n Justin Albrecht, principal researcher at Lookout, told TechCrunch that the company behind the campaign may be an offshoot of the Indian hack-for-hire startup Appin, and noted one such company named RebSec<\/a> as a possible suspect. In 2022 and 2023, Reuters published extensive<\/a> investigations<\/a> into Appin and other similar India-based companies, which exposed how these companies are allegedly hired to hack company executives, politicians, military officials, and others.\u00a0<\/p>\n Techcrunch event<\/p>\n \n\t\t\t\t\t\t\t\t\tSan Francisco, CA<\/span> Appin apparently later shut down, but Albrecht noted that the discovery of this new hacking campaign shows that the activity \u201cdidn\u2019t disappear and they just moved onto smaller companies.\u201d\u00a0<\/p>\n These groups and their customers get \u201cplausible deniability since they run all the operations and infrastructure.\u201d And for their customers, these hack-for-hire groups are likely cheaper than purchasing commercial spyware<\/a>, said Albrecht.\u00a0<\/p>\n Rebsec could not be reached for comment, as the company has deleted its social media accounts and website.\u00a0<\/p>\n \t\t\tDo you have more information about Rebsec Solutions? Or other hack-for-hire companies? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email<\/a>.<\/a>\t\t<\/div>\n \u2068Mohammed Al-Maskati\u2069, an investigator and director at Access Now\u2019s Digital Security Helpline<\/a> who worked on these cases, said that \u201cthese operations have become cheaper and it\u2019s possible to evade responsibility, especially since we won\u2019t know who the end customer is, and the infrastructure won\u2019t reveal the entity behind it.\u201d<\/p>\n While groups like BITTER may not have the most advanced hacking and spy tools, their tactics can still be highly effective.\u00a0<\/p>\n In the attacks part of this campaign, the hackers used several different techniques. When targeting iPhone users, the hackers tried to trick targets into giving up their Apple ID credentials in order to then hack into their iCloud backups, which effectively would have given them access to the full content of the targets\u2019 iPhones.\u00a0<\/p>\n This is \u201cpotentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware,\u201d according to Access Now.<\/p>\n When targeting Android users, the hackers used a spyware called ProSpy, masquerading as popular messaging and communications apps like Signal, WhatsApp, and Zoom, as well as ToTok and Botim, two apps that are popular in the Middle East.\u00a0<\/p>\n In some cases, the hackers tried to trick victims into registering and adding a new device \u2014 controlled by the hackers \u2014 to their Signal account, a technique that has been popular among various hacking groups, including Russian spies<\/a>.<\/p>\n A spokesperson for the Indian embassy in Washington, D.C. did not immediately respond to a request for comment.<\/p>\n<\/div>\n
\n\t\t\t\t\t\t\t\t\t\t\t\t\t|<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\tOctober 13-15, 2026<\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\nContact Us<\/h4>\n