Middle East Civil Society Figures Targeted in Sophisticated Spear-Phishing Campaign
In August 2025, digital rights organization Access Now uncovered a spear-phishing campaign targeting high-profile civil society figures in the Middle East, including three prominent journalists in Egypt and Lebanon. The campaign, active from 2023 to 2024, was linked to the Bitter APT group, a suspected South Asian cyber espionage threat actor active since at least 2013.
The targets included Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy, both vocal critics of the government with histories of political imprisonment. A third, unnamed Lebanese journalist was also identified by Beirut-based digital rights group SMEX as a victim in 2025.
The attackers employed Android malware, delivered through fake accounts and impersonation tactics across platforms, including Signal. Security firm Lookout analyzed the infrastructure and attributed the campaign to a hack-for-hire operation with ties to Bitter, which has previously targeted governments and energy sectors in Pakistan, China, Bangladesh, and Saudi Arabia.
Further investigation revealed that the malware strains ProSpy and ToSpy, disguised as messaging apps, were also used in a separate campaign against users in the United Arab Emirates (UAE), as documented by ESET in October 2025. The attackers invested significant effort in social engineering, mimicking legitimate services to gain trust before deploying the spyware.
The campaign highlights the persistent threat posed by state-aligned cyber espionage groups to journalists, activists, and civil society in the region.
Source: https://www.infosecurity-magazine.com/news/middle-east-hack-operation-bitter/
Access Now cybersecurity rating report: https://www.rankiteo.com/company/access-now
SMEX cybersecurity rating report: https://www.rankiteo.com/company/smexorg
{
  "id": "ACCSME1775737932",
  "linkid": "access-now, smexorg",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Media/Journalism',
                        'location': 'Egypt',
                        'name': 'Mostafa Al-A’sar',
                        'type': 'Individual (Journalist)'},
                       {'industry': 'Media/Journalism',
                        'location': 'Egypt',
                        'name': 'Ahmed Eltantawy',
                        'type': 'Individual (Journalist)'},
                       {'industry': 'Media/Journalism',
                        'location': 'Lebanon',
                        'name': 'Unnamed Lebanese journalist',
                        'type': 'Individual (Journalist)'},
                       {'location': 'United Arab Emirates',
                        'type': 'Individuals'}],
 'attack_vector': ['Fake accounts',
                   'Impersonation',
                   'Malicious messaging apps'],
 'data_breach': {'data_exfiltration': 'Likely',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Communications data']},
 'date_detected': '2025-08',
 'date_publicly_disclosed': '2025-08',
 'description': 'In August 2025, digital rights organization Access Now '
                'uncovered a spear-phishing campaign targeting high-profile '
                'civil society figures in the Middle East, including three '
                'prominent journalists in Egypt and Lebanon. The campaign, '
                'active from 2023 to 2024, was linked to the Bitter APT group, '
                'a suspected South Asian cyber espionage threat actor. The '
                'attackers employed Android malware, delivered through fake '
                'accounts and impersonation tactics across platforms, '
                'including Signal. The malware strains ProSpy and ToSpy were '
                'used, disguised as messaging apps, and the campaign also '
                'targeted users in the United Arab Emirates (UAE).',
 'impact': {'brand_reputation_impact': 'Reputational damage to affected '
                                       'journalists and civil society figures',
            'data_compromised': 'Personally identifiable information, '
                                'communications data',
            'identity_theft_risk': 'High',
            'operational_impact': 'Compromised privacy and security of '
                                  'targeted individuals',
            'systems_affected': 'Mobile devices (Android)'},
 'initial_access_broker': {'entry_point': 'Fake accounts and impersonation on '
                                          'messaging platforms (e.g., Signal)',
                           'high_value_targets': ['Journalists',
                                                  'Civil society figures'],
                           'reconnaissance_period': '2023-2024'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The campaign highlights the persistent threat posed by '
                    'state-aligned cyber espionage groups to journalists, '
                    'activists, and civil society in the region. Social '
                    'engineering and impersonation tactics remain highly '
                    'effective for targeted attacks.',
 'motivation': 'Cyber espionage',
 'post_incident_analysis': {'root_causes': 'Sophisticated social engineering, '
                                           'use of Android malware (ProSpy, '
                                           'ToSpy), and impersonation of '
                                           'legitimate services.'},
 'recommendations': 'Enhanced security awareness training for high-risk '
                    'individuals, multi-factor authentication, and regular '
                    'security audits of communication platforms. Collaboration '
                    'with digital rights organizations and security firms for '
                    'threat intelligence sharing.',
 'references': [{'source': 'Access Now'},
                {'source': 'SMEX'},
                {'source': 'Lookout'},
                {'date_accessed': '2025-10', 'source': 'ESET'}],
 'response': {'third_party_assistance': ['Access Now',
                                         'SMEX',
                                         'Lookout',
                                         'ESET']},
 'threat_actor': 'Bitter APT group',
 'title': 'Middle East Civil Society Figures Targeted in Sophisticated '
          'Spear-Phishing Campaign',
 'type': 'Spear-Phishing',
 'vulnerability_exploited': 'Social engineering'}