Android spyware and iCloud-targeting phishing: what the reported hack-for-hire campaign reveals about mobile surveillance

This article was generated by AI and cites original sources.

Security researchers have identified a hack-for-hire espionage campaign targeting journalists, activists, and government officials across the Middle East and North Africa. The campaign combined phishing to access iCloud backups and Signal messaging accounts with Android spyware designed to compromise victims’ devices. Access Now and Lookout documented the campaign, raising questions about how governments may be using commercial vendors to obtain mobile surveillance capabilities.

The campaign’s mobile attack strategy

Researchers identified attacks in which phishing was used to obtain access to targets’ iCloud backups and Signal messaging accounts. The same campaign deployed Android spyware capable of taking over targets’ devices. As reported, this is a two-stage approach: social engineering first yields cloud-stored data and communications (an iCloud backup can contain much of what is on the phone, so it is a rich target that never requires touching the device), and malware on the endpoint then gives persistent control over the phone itself.

Access Now documented three instances of attacks between 2023 and 2025 against two Egyptian journalists and a journalist in Lebanon. The Lebanon case was also documented by SMEX, a digital rights organization. Lookout investigated the attacks as well. The three organizations collaborated and published separate reports on Wednesday.

Geographic scope and infrastructure implications

Lookout’s investigation indicates that the attacks extended beyond civil society figures in Egypt and Lebanon. Targets included members of the Bahraini and Egyptian governments, as well as individuals in the United Arab Emirates, Saudi Arabia, and the United Kingdom. Lookout also identified potential targets in the United States or among alumni of American universities.

Targets in at least six countries indicate an operator that is not confined to a single jurisdiction. The breadth also indicates that one mobile surveillance toolchain, phishing for cloud access plus Android takeover, was reused against many unrelated targets rather than built for a single operation.

The hack-for-hire model and vendor connections

The campaign exemplifies a broader trend: government agencies outsourcing hacking operations to private hack-for-hire companies. Some governments already rely on commercial companies that develop spyware and exploits used by police and intelligence agencies to access data on mobile devices.

Lookout concluded that the hackers behind the espionage campaign work for a hack-for-hire vendor with connections to BITTER APT, a group that cybersecurity companies suspect has ties to the Indian government. Justin Albrecht, principal researcher at Lookout, told TechCrunch that the company behind the campaign may be an offshoot of the India-based hack-for-hire startup Appin. Lookout also named RebSec as a possible suspect.

In 2022 and 2023, Reuters published investigations into Appin and other similar India-based companies, exposing how these companies operate in the hack-for-hire space.

Implications for mobile security and defense

The described sequence, phishing for iCloud backups and Signal accounts followed by Android spyware for device takeover, highlights a mobile surveillance pattern that depends on two things: access to the victim’s identity and cloud-stored data, and control of the endpoint. For defenders, this shows that mobile threats extend beyond malicious apps distributed through app stores; credential capture and cloud compromise are attack paths in their own right. Hardening therefore has to cover the accounts as well as the handset: phishing-resistant second factors on the Apple ID, Apple’s Advanced Data Protection (which end-to-end encrypts iCloud backups), Signal’s Registration Lock, and scrutiny of links that impersonate those services’ sign-in pages.
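One concrete check for the credential-capture path is a link classifier that flags domains impersonating the iCloud and Signal sign-in pages. The following is an added example written for this summary; it is not code from Lookout, Access Now, SMEX or TechCrunch, and none of the sample URLs are lures observed in the campaign. The allow-list of legitimate domains and the tiny public-suffix table are hand-written stand-ins (assumptions) for a maintained allow-list and the Public Suffix List.

```python
"""Flag phishing links that impersonate iCloud or Signal sign-in pages.

Added example, not from the reports this article summarizes. The sample
URLs are constructed; LEGIT_DOMAINS and MULTI_LABEL_SUFFIXES are
illustrative stand-ins (assumptions), not authoritative lists.
"""
import unicodedata
from urllib.parse import urlparse

LEGIT_DOMAINS = {"icloud.com", "apple.com", "signal.org"}   # assumption: illustrative allow-list
BRANDS = ("icloud", "apple", "signal")
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.br"}        # assumption: stand-in for the PSL

# Digits and Cyrillic letters commonly substituted for Latin ones in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0456": "i", "\u0131": "i"})


def registrable_domain(host: str) -> str:
    """Return the registrable part ('icloud.com' for 'www.icloud.com')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Decode punycode, fold Unicode and map homoglyphs so 'icl\u043eud' reads 'icloud'."""
    try:
        host = host.encode("ascii").decode("idna")   # xn--... labels back to Unicode
    except UnicodeError:
        pass                                        # already contains non-ASCII
    return unicodedata.normalize("NFKC", host).lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch 'icluod' or 'signall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, reason) with verdict 'legit', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown", "no host"
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit", reg
    norm_host, norm_reg = normalize(host), normalize(reg)
    if norm_reg in LEGIT_DOMAINS:                  # homoglyph/punycode twin of a real domain
        return "lookalike", f"homoglyph of {norm_reg}"
    sld = norm_reg.split(".")[0]
    for brand in BRANDS:
        if brand in norm_host:                     # brand in any label, e.g. icloud-login.com
            return "lookalike", f"contains brand {brand}"
        if edit_distance(sld, brand) <= 2:         # near-miss typo, e.g. icluod.com
            return "lookalike", f"near miss of {brand}"
    return "unknown", reg


# Constructed sample: Cyrillic 'о' (U+043E) replaces Latin 'o', encoded as it appears in logs.
PUNYCODE_SAMPLE = "https://" + "icl\u043eud.com".encode("idna").decode("ascii") + "/login"

SAMPLES = [                                        # constructed, not observed lures
    "https://www.icloud.com/#settings",
    "https://icloud-account-verify.com/login",
    "https://signal.org.device-link.net/verify",
    "https://icluod.com/restore",
    PUNYCODE_SAMPLE,
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample)
```

The near-miss threshold of 2 catches transposed letters but will also flag short unrelated words close to a brand name; in production the check belongs behind a real allow-list and public-suffix lookup, and the result is a triage signal, not a block decision.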

The involvement of multiple organizations, Access Now, SMEX, and Lookout, underscores how cross-team analysis is often required to connect cloud-based access attempts with on-device malware behavior: the digital rights groups contributed victimology from the journalists they assisted, while Lookout contributed infrastructure observations and technical analysis of the spyware.

The hack-for-hire framing shifts the conversation from isolated criminal malware to commercially supplied surveillance capability. If governments outsource access to spyware and exploits, the lifecycle of these tools may be shaped by vendor relationships rather than by a single attacker’s development roadmap. This could affect how quickly similar techniques appear across regions and targets, based on the reported geographic spread and vendor connections.

Source: TechCrunch