Security researchers say they have identified a hack-for-hire group targeting journalists, activists, and government officials across the Middle East and North Africa. The hackers used phishing attacks to access targets’ iCloud backups and messaging accounts on Signal, and deployed Android spyware capable of taking over the targets’ devices.
Key Takeaways
- A sophisticated hack-for-hire operation, codenamed BITTER (potentially RebSec Solutions), is actively targeting journalists, activists, and government officials across the Middle East, North Africa, and extending globally.
- This campaign underscores a growing, global trend where governments outsource cyber espionage to private entities, leveraging these groups for plausible deniability and cost-effective, yet potent, hacking capabilities.
- Attack vectors include highly effective phishing for iCloud credentials, deployment of Android spyware (ProSpy) disguised as popular apps, and tricking victims into registering hacker-controlled devices on Signal.
Shadowy Hack-for-Hire Group Targets Journalists and Officials Globally, Researchers Warn
A new and concerning chapter in the world of private cyber espionage is unfolding, as leading security researchers reveal details of a persistent hack-for-hire group actively targeting a diverse array of high-value individuals. This shadowy entity, identified by the mobile cybersecurity firm Lookout as operating under the codename BITTER, is suspected of having significant ties to the Indian government and is allegedly an offshoot of the previously exposed hack-for-hire startup, Appin.
The group’s pervasive operations span across the Middle East and North Africa, with verified victims including prominent journalists, human rights activists, and government officials. Alarmingly, the scope of these attacks extends even further, reaching targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially even individuals residing in the United States or alumni of American universities. This broad and escalating reach highlights the increasing globalization of outsourced cyber attacks and the complex web of digital threats faced by civil society, independent media, and government agencies alike.
The Rise of Outsourced Cyber Espionage
This hacking campaign is not an isolated incident but rather a stark illustration of a disturbing global trend: the quiet but rapid proliferation and outsourcing of state-sponsored hacking operations to private, commercial entities. Governments are increasingly turning to specialized hack-for-hire companies, not only for the development of sophisticated spyware and exploits but also for the end-to-end execution of entire espionage campaigns. This strategy offers significant advantages to state actors, primarily providing a crucial layer of plausible deniability, allowing them to distance themselves from potentially controversial, politically sensitive, or outright illegal cyber activities.
Moreover, as Justin Albrecht, principal researcher at Lookout, articulated in an interview with TechCrunch, these hack-for-hire groups often represent a far more cost-effective alternative to acquiring high-end, bespoke commercial spyware solutions. “These groups and their customers get plausible deniability since they run all the operations and infrastructure,” Albrecht explained, adding that for their clients, such comprehensive services are “likely cheaper than purchasing commercial spyware,” presenting an irresistible proposition for those seeking to expand their surveillance capabilities discreetly.
Unmasking BITTER: A Legacy of Cyber Mercenaries
Lookout’s in-depth investigation led them to codename the group BITTER, with strong suspicions that it is intimately linked to RebSec Solutions. Albrecht further elaborated that RebSec Solutions could be a direct successor or a significant offshoot of Appin, a notorious Indian hack-for-hire startup that gained international infamy through extensive investigative reports published by Reuters in 2022 and 2023. These meticulously detailed reports exposed how Appin and other similar India-based firms were allegedly hired to compromise the digital security of a wide range of targets, including corporate executives, high-ranking politicians, and military officials.
Although Appin reportedly ceased operations following these damning exposés, Albrecht warns that the underlying illicit activity did not simply vanish. “The discovery of this new hacking campaign shows that the activity didn’t disappear and they just moved on to smaller companies,” he noted, suggesting a resilient, adaptive, and decentralized ecosystem of cyber mercenaries. Efforts by researchers to contact RebSec Solutions proved futile: the company has apparently scrubbed its entire online presence, deleting its social media accounts and official website – a common tactic among groups seeking to evade scrutiny and attribution.
The Victims: Journalists, Activists, and State Officials Across Continents
The collaborative efforts of prominent digital rights organizations Access Now and SMEX, working in conjunction with Lookout, have meticulously documented several specific instances of these sophisticated attacks. Access Now, leveraging its specialized Digital Security Helpline, verified three distinct attacks that occurred between 2023 and 2025, targeting two Egyptian journalists and one Lebanese journalist. The Lebanese case, notably, was also independently documented by SMEX, underscoring the severity and authenticity of these threats and the coordinated nature of the research efforts.
However, Lookout’s comprehensive findings indicate a far broader and more alarming scope than initially understood. Beyond civil society members in Egypt and Lebanon, the campaign extended to include high-profile targets within the Bahraini and Egyptian governments, as well as individuals in the United Arab Emirates, Saudi Arabia, and the United Kingdom. The potential targeting of individuals in the United States or alumni of American universities signals an even wider international reach and a deeply worrying expansion of this private espionage network, suggesting that virtually no geography or sector is immune.
Mohammed Al-Maskati, an investigator with Access Now’s Digital Security Helpline who worked directly on these cases, highlighted the insidious nature of these operations. “These operations have become cheaper and it’s possible to evade responsibility, especially since we won’t know who the end customer is, and the infrastructure won’t reveal the entity behind it.” This deliberate opacity makes robust attribution incredibly difficult and accountability almost impossible, creating a fertile ground for unchecked digital aggression and a significant challenge for international law enforcement and human rights advocates.
BITTER’s Arsenal: Exploiting Vulnerabilities Across Diverse Platforms
While groups like BITTER may not always possess the bleeding-edge, zero-day exploits typically associated with elite nation-state actors or premium commercial spyware vendors, their tactics are demonstrably highly effective, leveraging a potent combination of social engineering and well-known vulnerabilities. The multi-platform approach used in this campaign demonstrates a pragmatic, adaptive, and dangerously effective methodology.
Targeting iOS Users: iCloud Phishing Exploits
For iPhone users, the hackers employed a carefully crafted and deceptive phishing strategy. They developed convincing lures, often masquerading as legitimate service notifications or urgent alerts, designed to trick targets into divulging their Apple ID credentials; the goal was unauthorized access to the targets’ iCloud backups. This method, as Access Now points out, is “potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware.” By compromising iCloud backups, the attackers could gain comprehensive access to a vast trove of personal data, including private messages, intimate photos, contacts, call logs, and other highly sensitive information backed up from the victims’ iPhones, all without deploying on-device spyware that might be detected.
Targeting Android Users: ProSpy Spyware Deployment
Android users, a significant demographic, faced a different but equally potent threat. The hackers deployed a powerful and intrusive spyware known as ProSpy. To ensure successful installation, ProSpy was cleverly disguised as legitimate and widely used messaging and communications applications. These included global giants like Signal, WhatsApp, and Zoom, as well as apps particularly popular in the Middle East, such as ToTok and Botim. Once successfully installed and granted permissions, ProSpy is capable of a comprehensive takeover of the target’s device, granting attackers extensive control and access to nearly all device data and functions, turning the victim’s smartphone into a powerful surveillance tool.
Insidious Signal Account Hijacking
In a particularly insidious maneuver, the hackers also attempted to exploit the trust users place in secure messaging platforms like Signal. They tried to trick victims into linking a new, hacker-controlled device to their existing Signal account. This technique, also reportedly used by other sophisticated groups including Russian intelligence, allows attackers to receive and send messages from the victim’s Signal account. It does not break Signal’s end-to-end encryption; it sidesteps it, because the attacker’s device becomes another legitimate endpoint on the account that the victim’s contacts encrypt to. This method poses a severe and direct threat to individuals relying on Signal for secure and confidential communications, undermining a core pillar of digital security for journalists and activists.
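The two Android-side techniques described above, spyware disguised as well-known messengers and the abuse of Signal’s device linking, lend themselves to a simple triage check that a digital security helpline or incident responder can run over a device’s app inventory. The script below is an added example written for this article; it is not code from the original report, from Lookout, or from Access Now. It assumes the responder has already assembled an inventory of installed apps (label, package name, signing-certificate SHA-256), for instance from `adb shell pm list packages` and `adb shell dumpsys package <pkg>`, and it flags two impersonation patterns: an app whose visible name matches a known messenger but whose package name is not the vendor’s, and an app with the right package name but an unexpected signer (a repackaged copy). The package names for Signal, WhatsApp, and Zoom are the vendors’ real identifiers; the signer fingerprints are placeholders to be replaced with the vendors’ published values, and the sample inventory is constructed. ToTok and Botim are deliberately left out of the table rather than guessed at.

```python
"""Triage check for Android apps impersonating well-known messengers.

Added example, not from the article or Lookout. Flags (1) apps whose label
matches a known messenger but whose package name is not the vendor's, and
(2) apps with the vendor's package name but an unexpected signing certificate.
"""
from dataclasses import dataclass

# Known-good package names are the vendors' real identifiers. The signer
# fingerprints are PLACEHOLDERS: fill them in from the vendor's published
# APK signing-certificate SHA-256 before relying on this check.
KNOWN_GOOD = {
    "Signal": {
        "package": "org.thoughtcrime.securesms",
        "signer_sha256": "PLACEHOLDER_SIGNAL_SIGNER_SHA256",
    },
    "WhatsApp": {
        "package": "com.whatsapp",
        "signer_sha256": "PLACEHOLDER_WHATSAPP_SIGNER_SHA256",
    },
    "Zoom": {
        "package": "us.zoom.videomeetings",
        "signer_sha256": "PLACEHOLDER_ZOOM_SIGNER_SHA256",
    },
}


@dataclass(frozen=True)
class InstalledApp:
    label: str           # user-visible app name as shown on the device
    package: str         # Android package name
    signer_sha256: str   # SHA-256 of the APK signing certificate


def normalize_label(label: str) -> str:
    """Collapse case and surrounding whitespace so 'signal ' matches 'Signal'."""
    return label.strip().casefold()


def find_impersonators(apps):
    """Return a list of (package, reason) findings; an empty list means nothing flagged."""
    by_label = {normalize_label(name): (name, good) for name, good in KNOWN_GOOD.items()}
    by_package = {good["package"]: (name, good) for name, good in KNOWN_GOOD.items()}
    findings = []
    for app in apps:
        key = normalize_label(app.label)
        if key in by_label:
            name, good = by_label[key]
            if app.package != good["package"]:
                # Pattern 1: borrowed name, foreign package (the disguise the article describes).
                findings.append((app.package, f"label '{app.label}' but package is not {good['package']}"))
                continue
        if app.package in by_package:
            name, good = by_package[app.package]
            if app.signer_sha256.upper() != good["signer_sha256"].upper():
                # Pattern 2: right package name, wrong signer (repackaged or tampered APK).
                findings.append((app.package, f"{name} package signed by an unexpected certificate"))
    return findings


# Constructed sample inventory (not real data): a genuine Signal, a lookalike
# "Signal" under a foreign package name, a WhatsApp with a wrong signer, and
# one unrelated app that should not be flagged.
SAMPLE_APPS = [
    InstalledApp("Signal", "org.thoughtcrime.securesms", "PLACEHOLDER_SIGNAL_SIGNER_SHA256"),
    InstalledApp("Signal", "com.example.secure.chat", "AA11AA11AA11AA11AA11AA11AA11AA11"),
    InstalledApp("WhatsApp", "com.whatsapp", "BB22BB22BB22BB22BB22BB22BB22BB22"),
    InstalledApp("Calculator", "com.android.calculator2", "CC33CC33CC33CC33CC33CC33CC33CC33"),
]


def triage_sample():
    """Run the check over the constructed inventory."""
    return find_impersonators(SAMPLE_APPS)


if __name__ == "__main__":
    for pkg, reason in triage_sample():
        print(f"FLAG {pkg}: {reason}")
```

Two caveats on scope. Label matching is exact after normalization, so a lookalike named “Signal Messenger” or one that relies only on a copied icon will not be caught; the signer check is the more robust of the two and is worth running on every installed messenger, not only those with a matching name. The script also does nothing for the Signal account-hijacking vector described above, which involves no malicious app on the victim’s phone: that one is checked inside Signal itself, under Settings → Linked devices, where any device the user does not recognize can be unlinked.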
A spokesperson for the Indian embassy in Washington D.C. did not immediately respond to a request for comment regarding the suspected ties of BITTER/RebSec Solutions to the Indian government, leaving crucial questions of state involvement unanswered.
The Bottom Line
The revelations surrounding the BITTER hack-for-hire group serve as a stark and urgent reminder of the escalating and relentlessly evolving threats in the global digital landscape. As private cyber mercenary groups proliferate, become more decentralized, and grow increasingly adept at leveraging cost-effective, yet highly impactful, tactics, the lines between clandestine state-sponsored espionage and commercial hacking blur almost entirely. For journalists, human rights activists, government officials, and indeed, any individual handling sensitive information, the risk of digital compromise is ever-present and demands continuous vigilance, robust security practices, and sustained, collaborative efforts from digital rights organizations, cybersecurity firms, and policymakers to expose and counter these pervasive threats. The ongoing fight for digital privacy, press freedom, and human rights is far from over, and the resilience and adaptability of these hack-for-hire operations ensure it will remain a critical battleground for years to come.