Suspected Indian Government-Linked Hackers Target Journalists and Activists in MENA
A sophisticated hack-for-hire campaign, potentially linked to the Indian government, has been targeting journalists, activists, and government officials across the Middle East and North Africa (MENA). The attacks involve spear-phishing and the deployment of Android spyware, raising concerns about broader regional surveillance efforts.

Findings from **Access Now**, **Lookout**, and **SMEX** reveal a concerning trend of targeted attacks against individuals critical of their governments.
### Spear-Phishing Attacks Target Apple and Google Accounts
Two prominent Egyptian journalists and government critics, Mostafa Al-A'sar and Ahmed Eltantawy, were subjected to spear-phishing attacks in October 2023 and January 2024. These attacks aimed to compromise their **Apple** and **Google** accounts by redirecting them to fake login pages designed to steal credentials and two-factor authentication (2FA) codes.
"The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware," Access Now's Digital Security Helpline said.
An anonymous Lebanese journalist was also targeted in May 2025 via **Apple Messages** and **WhatsApp** with malicious links impersonating **Apple Support**. Clicking these links led to credential-harvesting pages.
### OAuth Abuse and Deceptive Tactics
In Al-A'sar's case, the attack began with a **LinkedIn** message from a fake persona, "Haifa Kareem," offering a job opportunity. This led to a **Zoom** call invitation carrying a link shortened with **Rebrandly**. The shortened URL redirected to a consent-phishing page built on Google's own OAuth 2.0 authorization flow, which asked the target to grant account access to an attacker-registered web application named "en-account.info."
"Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials," Access Now said.
If the target was not signed in to Google, they were first asked to enter their credentials. If they were already signed in, they were shown the same "Sign in with Google" consent screen that legitimate third-party apps use and asked to approve the attacker-controlled application; because the prompt appears on a genuine Google page, the usual advice to check the address bar does not help.
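The consent link in an attack like this sits on accounts.google.com, so URL reputation passes; what gives it away are the query parameters: which application is asking, what scopes it wants, and where the authorization code will be sent. The Python below is an added example, not code from Access Now or the report, that triages an authorization URL on those three points. Both URLs in it are constructed for illustration; the page does not give the client_id, redirect host or scopes of the real "en-account.info" application, and the Zoom callback path is a placeholder.

```python
"""Triage a Google OAuth 2.0 authorization link for consent-phishing red flags.

Added example, not code from Access Now or the report. The two URLs below are
constructed for illustration; the client_id, redirect hosts and scopes of the
real 'en-account.info' application are not given on the page.
"""
from urllib.parse import urlparse, parse_qs, urlencode

# The consent link itself lives on Google's own domain, which is exactly why a
# URL-reputation check passes. The signal is in the parameters, not the host.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Scopes that hand an app a mailbox, address book or file store. A meeting
# invitation has no reason to ask for any of them.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def triage_consent_url(url, trusted_redirect_hosts):
    """Return (verdict, reasons) for an OAuth authorization URL.

    trusted_redirect_hosts: hosts the organisation expects authorization codes
    to be delivered to, e.g. the vendor whose app the invitation claims to be.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    reasons = []

    if parsed.hostname not in GOOGLE_AUTH_HOSTS:
        reasons.append(f"authorization endpoint is not Google's: {parsed.hostname}")

    # 'scope' is a single space-separated parameter.
    scopes = set(" ".join(params.get("scope", [])).split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("asks for high-risk scopes: " + ", ".join(risky))

    if "offline" in params.get("access_type", []):
        reasons.append("asks for offline access (refresh token outlives the session)")

    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    if redirect_host not in trusted_redirect_hosts:
        reasons.append(f"authorization code goes to an untrusted host: {redirect_host!r}")

    return ("suspicious" if reasons else "no obvious red flags"), reasons


def build_auth_url(params):
    """Assemble an authorization URL the way a client library would."""
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


# Constructed: what a consent-phishing link for a fake 'meeting' app might carry.
PHISH_URL = build_auth_url({
    "client_id": "000000000000-phish.apps.googleusercontent.com",  # hypothetical
    "redirect_uri": "https://attacker.example/oauth/callback",       # hypothetical
    "response_type": "code",
    "scope": "openid email "
             "https://www.googleapis.com/auth/gmail.readonly "
             "https://www.googleapis.com/auth/contacts.readonly",
    "access_type": "offline",
    "prompt": "consent",
})

# Constructed: a legitimate sign-in that only asks for identity.
BENIGN_URL = build_auth_url({
    "client_id": "000000000000-meet.apps.googleusercontent.com",   # hypothetical
    "redirect_uri": "https://zoom.us/oauth/callback",               # hypothetical path
    "response_type": "code",
    "scope": "openid email",
})

if __name__ == "__main__":
    for name, url in (("phish", PHISH_URL), ("benign", BENIGN_URL)):
        verdict, reasons = triage_consent_url(url, trusted_redirect_hosts={"zoom.us"})
        print(name, verdict, *reasons, sep="\n  ")
```

Two practical consequences follow from how the grant works. The application name on the consent screen is chosen by whoever registered the client, so it proves nothing; the redirect_uri and the scopes are the checkable parts. And because a signed-in target never types a password, a later password reset or new 2FA method does not cut the attacker off: the grant has to be revoked explicitly in the account's third-party access settings.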
### Domain Overlap with Android Spyware Campaign
Notably, the domain "com-ae[.]net" overlaps with an Android spyware campaign documented by **ESET** in October 2025. This campaign used deceptive websites impersonating **Signal**, **ToTok**, and **Botim** to deploy **ProSpy** and **ToSpy** to targets in the U.A.E.

The domain "encryption-plug-in-signal.com-ae[.]net" was used as an initial access vector for ProSpy, masquerading as a non-existent encryption plugin for Signal. ProSpy can exfiltrate sensitive data, including contacts, SMS messages, device metadata, and local files.
### Extent of Compromise and Surveillance Implications
While the Egyptian journalists' accounts were not breached, the Lebanese journalist's **Apple Account** was fully compromised, with a virtual device added for persistent access. Access Now suggests this operation may be part of a broader regional surveillance effort targeting communications and personal data.
### Attribution to Bitter APT Group
Lookout attributes these campaigns to a hack-for-hire operation, active since at least 2022, that is linked to **Bitter**, a threat cluster believed to be tasked with intelligence gathering for the Indian government.
The campaign has likely targeted victims in Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt, and potentially the U.S., based on phishing domains and ProSpy malware lures.
### Infrastructure Connections and Malware Similarities
Links to Bitter stem from infrastructure connections between "com-ae[.]net" and "youtubepremiumapp[.]com," a domain flagged by **Cyble** and **Meta** in August 2022 in connection with an espionage effort distributing the **Dracarys** Android malware. This involved fake sites mimicking trusted services like **YouTube**, **Signal**, **Telegram**, and **WhatsApp**.
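The infrastructure overlaps described above, the com-ae[.]net parent of the ProSpy lure domain and its connection to youtubepremiumapp[.]com, are exactly what a defender checks DNS or proxy logs against. The Python below is an added example, not code from Lookout, ESET or Access Now: it refangs the article's indicators, matches query-log hostnames both exactly and by shared registrable domain (so new subdomains under a known apex still hit), and flags hostnames that carry an impersonated brand name under the wrong apex, the pattern behind both the Signal "plugin" domain and the YouTube lure. The log lines and client addresses are constructed; the last-two-labels apex rule is an assumption that a real deployment would replace with a Public Suffix List lookup.

```python
"""Match defanged domain indicators against a DNS query log, by exact host and by
registrable domain, and flag brand-lookalike hostnames.

Added example, not code from Lookout, ESET or Access Now. The indicator list is
taken from the article; the query log and client addresses are constructed.
"""
import re

# Indicators named in the article, kept defanged as analysts usually store them.
IOCS = [
    "com-ae[.]net",
    "encryption-plug-in-signal.com-ae[.]net",
    "youtubepremiumapp[.]com",
]

# Brands the lure sites impersonated, mapped to their real registrable domains.
LEGIT_APEX = {
    "signal": {"signal.org"},
    "whatsapp": {"whatsapp.com"},
    "telegram": {"telegram.org"},
    "youtube": {"youtube.com"},
}


def refang(indicator):
    """Turn 'com-ae[.]net' back into 'com-ae.net' (lower-case, no trailing dot)."""
    return re.sub(r"\[\.\]|\(\.\)", ".", indicator).lower().rstrip(".")


def registrable(host):
    """Last two labels of the hostname.

    Assumption: no multi-label public suffixes (co.uk, com.au, ...) occur in the
    data; production code should consult the Public Suffix List instead.
    """
    return ".".join(refang(host).split(".")[-2:])


def classify(host, iocs=IOCS):
    """Return the list of reasons a hostname is interesting (empty if none)."""
    host = refang(host)
    exact = {refang(i) for i in iocs}
    apexes = {registrable(i) for i in iocs}
    reasons = []
    if host in exact:
        reasons.append("ioc:exact")
    elif registrable(host) in apexes:
        reasons.append(f"ioc:apex({registrable(host)})")
    # A brand name anywhere in the hostname, but not under the brand's own apex,
    # is the lure pattern used for the Signal and YouTube look-alikes.
    for brand, legit in LEGIT_APEX.items():
        if brand in host and registrable(host) not in legit:
            reasons.append(f"lookalike:{brand}")
    return reasons


# Constructed query log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2025-10-02T09:12:44Z 10.0.0.5 updates.signal.org A
2025-10-02T09:13:01Z 10.0.0.5 encryption-plug-in-signal.com-ae.net A
2025-10-02T09:13:09Z 10.0.0.7 cdn.com-ae.net A
2025-10-02T09:14:30Z 10.0.0.9 youtubepremiumapp.com A
2025-10-02T09:15:02Z 10.0.0.9 www.whatsapp.com A
"""


def scan_log(log_text, iocs=IOCS):
    """Return (client, host, reasons) for every log line that matched something."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, qname, _qtype = parts[:4]
        reasons = classify(qname, iocs)
        if reasons:
            hits.append((client, refang(qname), reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}\t{host}\t{'; '.join(reasons)}")
```

The apex match is what turns a one-off indicator into a durable rule: a sibling subdomain under com-ae[.]net that no report has named yet still surfaces, which is how the youtubepremiumapp[.]com link was found in the first place. The lookalike heuristic is deliberately loose and will fire on legitimate third parties that mention a brand in their hostname, so treat it as a triage signal rather than a block rule.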
Lookout's analysis also reveals similarities between Dracarys and ProSpy, despite ProSpy being developed later using Kotlin instead of Java. Both families use worker logic and similar naming conventions for worker classes, and both use numbered C2 commands.
### Uncertainties Regarding Bitter's Involvement
Whether Bitter itself ran the operation, or merely shares infrastructure with a separate hack-for-hire group, is unresolved.
"We do not know whether this represents an expansion of Bitter's role, or if it is an indication of overlap between Bitter and an unknown hack-for-hire group," Lookout added. "What we do know is that mobile malware continues to be a primary means of spying on civil society, whether it is purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by the actor."