Bitter Hack-for-Hire Targets MENA Journalists

Forget the usual regional squabbles. A hack-for-hire crew tied to India's Bitter APT just went after MENA journalists with slick phishing that nearly cracked Apple and Google accounts. This isn't local drama—it's a sign of Delhi's digital tentacles stretching far.

Malicious phishing domains used in Bitter-linked campaign targeting MENA journalists

Key Takeaways

  • Bitter-linked phishing targeted Egyptian and Lebanese journalists with OAuth and fake Apple lures, compromising one Apple account.
  • Tactics overlap UAE spyware ops, suggesting shared infrastructure for regional surveillance.
  • Hack-for-hire model gives India deniability but risks exposure, mirroring past spyware scandals.

Everyone figured state-sponsored hacks in the Middle East stayed close to home—Egyptians targeting Egyptians, Saudis eyeing dissidents within borders. But this Bitter-linked hack-for-hire campaign flips the script. Lookout, Access Now, and SMEX just dropped evidence of Indian-linked operators hitting journalists across MENA, from Cairo to Beirut. It’s a wake-up call: New Delhi’s intel machine isn’t just watching neighbors; it’s subcontracting the dirty work.

Targets? High-profile. Mostafa Al-A’sar and Ahmed Eltantawy, Egyptian firebrands who’ve done time for criticizing Sisi’s regime. Then a Lebanese journalist kept anonymous. Attacks rolled from 2023 into 2025—persistent, polished phishing via LinkedIn, iMessage, WhatsApp.

The Phishing Playbook: Fake Jobs to OAuth Tricks

Al-A’sar got the hook first. A LinkedIn sockpuppet, ‘Haifa Kareem,’ dangled a job. He bit, shared his number. Boom—email with a Rebrandly-shortened Zoom link on January 24, 2024. Clicks led to ‘en-account.info,’ a nasty OAuth consent phishing page exploiting Google’s own login flow.

Already logged in to Google? Then there’s no password prompt to make you suspicious: the page just asks you to approve an app’s permissions. It feels legit, and that one approval hands the attacker your account.

“Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to use legitimate Google assets to deceive targets into providing their credentials.”

Apple hits were clumsier but relentless. Fake signin-apple.com-en-uk[.]co domains, iMessage blasts pretending to be support. One Lebanese target fell hard—full Apple account compromise, virtual device added for backdoor access. Lucky breaks saved the Egyptians.

But here’s the overlap that screams coordination. Domains like encryption-plug-in-signal.com-ae[.]net? Straight from an ESET-tracked Android spyware op in the UAE, dropping ProSpy and ToSpy via fake Signal plugins. Contacts, SMS, files—gone.

Patterns match Bitter’s MO.

Lookout pins it on Bitter, a threat cluster grinding since 2022 for Indian intel interests. Hack-for-hire style—mercs doing the bidding, keeping fingerprints light. Domains geotagged to UAE (com-ae[.]net), but tactics scream cross-border ambition.

Why MENA? Regional tensions. Egypt’s critics bash India’s alliances; Lebanese outlets probe shared foes. But India’s play? Bold overreach. Reminds me of the 2019 Pegasus leaks—NSO selling to autocrats, backfiring into scandals. This feels like India’s homebrew version: cheaper, deniable, but sloppy enough to get called out.

Does This Signal a Broader Indian Spy Surge in MENA?

Data says yes. Bitter’s been quiet on India ops, loud abroad. Lookout tracks them hitting Southeast Asia, now MENA. Market dynamic? Hack-for-hire’s booming—$1M+ gigs for elite phishing, per Recorded Future stats. States love it: No messy diplomats, just results.

Access Now warns:

“This suggests that the operation we identified may be part of a broader regional surveillance effort aimed at monitoring communications and harvesting personal data.”

SMEX chimes in on WhatsApp, Telegram, Signal lures. Persistent — iMessage waves, job bait. No spyware confirmed here, but infrastructure’s primed for it.

My take? India’s strategy’s sharp but shortsighted. Ties to UAE domains hint at Gulf partnerships—oil deals, anti-Iran axis. Yet exposure risks blowback. Remember Candiru? Israeli spyware firm outed, sales tanked. Bitter’s crew just painted a target on India’s cyber ops.

Bold prediction: Expect UAE reciprocity. Their own hacks (ToTok days) get mirrored back. MENA journalists? Arm up—2FA’s not enough; OAuth vigilance is key.

Why Should Tech Pros Care About These Domains?

List ‘em: signin-apple.com-en-uk[.]co, id-apple.com-en[.]io, facetime.com-en[.]io, secure-signal.com-en[.]io, telegram.com-en[.]io, verify-apple.com-ae[.]net, join-facetime.com-ae[.]net, android.com-ae[.]net. Block ‘em enterprise-wide.

Google’s OAuth consent abuse? Not new—abused since 2020. But Bitter refined it: legit-looking apps, regional tweaks (en-uk, com-ae). Apple? Simpler fakes, but iMessage bypasses some filters.
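The domains above share one shape: a brand word glued to a fake `com-<region>` label in front of a cheap real TLD. As an added example (not from the article or the researchers it cites), here is a small triage script that flags that shape in a constructed list of observed hostnames, mixing the article’s domains with legitimate ones; `en-account.info` shows the pattern’s limit, since it has no brand word and still needs a plain blocklist entry.

```python
import re

# Brands impersonated in the campaign described in the article.
BRANDS = {"apple", "signal", "telegram", "facetime", "android", "google"}

# A label that starts with "com-" (com-en, com-ae, com-en-uk) followed by the
# real TLD. Genuine brand domains never carry a "com-" label.
FAKE_COM_LABEL = re.compile(r"(^|\.)com-[a-z0-9-]+\.[a-z]{2,}$")

def refang(indicator):
    """Turn a defanged indicator like 'id-apple.com-en[.]io' into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def defang(hostname):
    """Defang for reports by bracketing the last dot, as the article does."""
    head, _, tld = hostname.rpartition(".")
    return f"{head}[.]{tld}"

def mentions_brand(hostname):
    """Return the first brand word found among the dot/hyphen separated labels."""
    for label in re.split(r"[.-]", hostname):
        if label in BRANDS:
            return label
    return None

def is_brand_lookalike(hostname):
    """True when a brand word is combined with a fake 'com-<region>' label."""
    return bool(FAKE_COM_LABEL.search(hostname)) and mentions_brand(hostname) is not None

def triage(hostnames):
    """Map each flagged hostname to the brand it impersonates."""
    hits = {}
    for raw in hostnames:
        host = refang(raw)
        if is_brand_lookalike(host):
            hits[host] = mentions_brand(host)
    return hits

# Constructed sample: the article's domains plus legitimate hosts as negatives.
OBSERVED = [
    "signin-apple.com-en-uk[.]co", "id-apple.com-en[.]io", "facetime.com-en[.]io",
    "secure-signal.com-en[.]io", "telegram.com-en[.]io", "verify-apple.com-ae[.]net",
    "join-facetime.com-ae[.]net", "android.com-ae[.]net", "en-account.info",
    "accounts.google.com", "signin.apple.com", "signal.org", "telecom-en.io",
]

if __name__ == "__main__":
    for host, brand in triage(OBSERVED).items():
        print(f"{defang(host)} impersonates {brand}")
```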

Journalists dodged bullets, but scale? Unknown. SMEX hints at officials too. If it’s hack-for-hire, clients multiply—governments, corps, rivals.

Deniability’s the game.

India won’t confirm—classic playbook. But Lookout’s TTP overlap (phishing lures, infra) seals it. Historical parallel: QuaDream’s 2023 leaks showed iPhone zero-clicks on journos. This? Lower tech, wider net. Cost-effective espionage for mid-tier powers.

Critique the spin: None here—pure research, no PR fluff. Access Now’s helpline saved asses; credit where due.

Implications ripple. MENA press freedom? Already fragile (RSF ranks Egypt 170th). This chills speech, forces exodus to encrypted tools. Signal, Telegram—ironically targeted.

Tech fix? Platform liability. Apple/Google: Mandate OAuth reviews, flag suspicious consents. Enterprises: Train on sockpuppets—LinkedIn’s a vector.

Frequently Asked Questions

What is the Bitter-Linked Hack-for-Hire Campaign?

A phishing operation tied to Bitter APT (Indian gov links) targeting MENA journalists via fake Apple/Google logins and OAuth tricks from 2023-2025.

How can I protect against these MENA journalist phishing attacks?

Ditch link clicks; use hardware keys for 2FA; scan OAuth apps; block those domains.

Is India spying on MENA through hack-for-hire groups?

Evidence points yes—Lookout attributes Bitter’s tactics to Indian intel interests expanding regionally.

Written by James Kowalski

Investigative tech reporter focused on AI ethics, regulation, and societal impact.

Originally reported by The Hacker News