{"id":551,"date":"2026-04-09T15:14:29","date_gmt":"2026-04-09T15:14:29","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=551"},"modified":"2026-04-09T15:14:29","modified_gmt":"2026-04-09T15:14:29","slug":"bitter-linked-hack-for-hire-campaign-targets-journalists-across-mena-region","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=551","title":{"rendered":"Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region"},"content":{"rendered":"
\n
<\/a><\/div>\n

An\u00a0apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings\u00a0from Access\u00a0Now<\/a>, Lookout<\/a>,\u00a0and SMEX<\/a>.<\/p>\n

Two\u00a0of the targets included prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, who were at the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA)\u00a0codes.<\/p>\n

\u00abThe attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted\u00a0with spyware,\u00bb Access Now’s Digital Security Helpline\u00a0said.<\/p>\n

Also\u00a0singled out as part of these efforts was an anonymous Lebanese journalist, who received phishing messages in May 2025 through the Apple Messages app and WhatsApp containing malicious links that, when clicked, tricked users into entering their account credentials as part of a supposed verification step from\u00a0Apple.<\/p>\n

\u00abThe phishing campaign included persistent attacks via iMessage\/Apple Messenger and WhatsApp app, […] impersonating Apple Support,\u00bb SMEX, a digital rights non-profit in the West Asia and North Africa (WANA) region, said. \u00abWhile the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted.\u00bb<\/p>\n

In\u00a0the case of Al-A’sar, the spear-phishing attack aimed at compromising his Google account began with a LinkedIn message from a sock puppet persona named \u00abHaifa Kareem,\u00bb who approached him with a job opportunity. After\u00a0the journalist shared their mobile number and email address with the LinkedIn user, he received an email from the latter on January 24, 2024, instructing him to join a Zoom call by clicking on a link shortened using Rebrandly.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The\u00a0URL is assessed to be a consent-based phishing attack that leverages Google’s OAuth 2.0\u00a0to grant the attacker unauthorized access to the victim’s account through a malicious web application named \u00aben-account.info.\u00bb<\/p>\n

\u00abUnlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials,\u00bb Access Now\u00a0said.<\/p>\n

\u00abIf the targeted\u00a0user is not logged\u00a0in to Google, they are prompted to enter their credentials (username and password). More\u00a0commonly, if the\u00a0user is already logged\u00a0in, they are prompted to grant permission to an application that the attacker controls, using a third-party sign-in feature that is familiar to most Google\u00a0users.\u00bb<\/p>\n

Some of the domains used in these phishing attacks are listed below\u00a0–<\/p>\n