A hack-for-hire group has been discovered targeting Android devices and iCloud backups

Source: TechCrunch

Security researchers say they have identified a hack-for-hire group targeting journalists, activists and government officials across the Middle East and North Africa. The hackers used phishing attacks to access targets’ iCloud backups and Signal messaging accounts, and deployed Android spyware capable of taking over targets’ devices.

This hacking campaign highlights the growing trend of government agencies outsourcing their hacking operations to private hack-for-hire companies. Some governments already rely on commercial companies that develop spyware and exploitation software that police and intelligence agencies use to access data on people’s phones.

Researchers from the digital rights organization Access Now documented three cases of attacks during the period from 2023 to 2025 against Egyptian journalists and a journalist in Lebanon whose case was also documented by the digital rights organization SMEX.

Mobile cybersecurity company Lookout also investigated these attacks. The three organizations cooperated with each other and published separate reports on Wednesday.

According to Lookout, the attacks extend beyond members of Egyptian and Lebanese civil society, and include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and possibly the United States or graduates of American universities.

Lookout concluded that the hackers behind this espionage campaign worked for a hack-for-hire vendor with connections to BITTER APT, a hacking group that cybersecurity companies suspect has ties to the Indian government.

Justin Albrecht, principal researcher at Lookout, told TechCrunch that the company behind the campaign may be a subsidiary of Indian hacking startup Appin, and pointed to one such company called RebSec as a possible suspect. In 2022 and 2023, Reuters published extensive investigations into Appin and other similar companies based in India, which revealed how these companies were allegedly being employed to hack company executives, politicians, military officials and others.

Appin was later apparently shut down, but Albrecht noted that the discovery of this new hacking campaign shows that the activity “has not disappeared, it has just moved to smaller companies.”

These groups and their agents get “plausible deniability because they manage all operations and infrastructure.” For their customers, these paid hacking groups are likely cheaper than purchasing commercial spyware, Albrecht said.

RebSec could not be reached for comment, as the company has deleted its social media accounts and website.

“These operations have become cheaper and it has become possible to evade responsibility, especially since we will not know who the end customer is, and the infrastructure will not reveal who is behind them,” said Mohammed Al-Maskati, an investigator and director of the digital security helpline at Access Now who worked on these cases.

While groups like BITTER may not have the most advanced hacking and espionage tools, their tactics are still very effective.

The hackers used several different techniques in this campaign. When targeting iPhone users, they attempted to trick targets into giving up their Apple ID credentials in order to compromise their iCloud backups, which would have effectively given them access to the entire contents of the targets’ iPhones.

This is “potentially a cheaper alternative to using more complex and expensive iOS spyware,” according to Access Now.

When targeting Android users, the hackers used spyware called ProSpy, disguised as popular messaging and communication apps like Signal, WhatsApp, and Zoom, as well as ToTok and Botim, two apps popular in the Middle East.

In some cases, the hackers attempted to trick victims into registering and adding a new device – controlled by the hackers – to their Signal account, a technique that has been very popular among various hacking groups, including Russian spies.

A spokesman for the Indian Embassy in Washington, D.C., did not immediately respond to a request for comment.

🕒 **Posted on**: 1775710624
