Hack-for-Hire Campaign Targets Journalists Across MENA Region
Essential information
- Published
- 09/04/2026 19:38
- Modified
- 09/04/2026 18:06
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- civil-society-targeting dracarys hack-for-hire journalists mena oauth prospy regional-surveillance spear-phishing tospy
- Tags
- 2026-04-09 civil-society-targeting dracarys hack-for-hire journalists mena oauth prospy regional-surveillance spear-phishing tospy
- Related entities
- 4 vulnerabilities (cve), 12 indicators, 12 observables, 1 intrusion sets (apt), 3 malware, 20 others
Description
A hack-for-hire operation with suspected links to the Bitter threat actor targeted journalists, activists, and government officials across the Middle East and North Africa between 2023 and 2025. The campaign employed sophisticated spear-phishing attacks via LinkedIn, Apple Messages, WhatsApp, and email to compromise Apple and Google accounts. Victims included Egyptian journalists Mostafa Al-A'sar and Ahmed Eltantawy, along with a Lebanese journalist whose Apple Account was fully compromised. Attackers used OAuth consent phishing and fake login pages to harvest credentials and 2FA codes. Infrastructure overlaps with Android spyware campaigns distributing ProSpy, ToSpy, and Dracarys malware. The operation represents an unusual expansion of Bitter's targeting scope into civil society, suggesting either hack-for-hire services or direct nation-state involvement in regional surveillance efforts focused on monitoring communications and harvesting personal data.