A sophisticated hack-for-hire cyber espionage campaign has been uncovered targeting journalists, activists, and government critics across the Middle East and North Africa (MENA). The operation, believed to be linked to a threat group associated with Indian interests, relied heavily on spear-phishing and social engineering to compromise victims’ digital accounts.
The campaign, active between 2023 and 2025, focused on high-profile individuals, including Egyptian journalists known for criticizing the government. Attackers used carefully crafted phishing tactics to trick targets into revealing login credentials and two-factor authentication codes. In many cases, victims were directed to fake login pages impersonating trusted platforms such as Apple and Google.
One of the key techniques involved impersonating official support services through messaging platforms like iMessage and WhatsApp. Victims received convincing messages urging them to verify their accounts, leading them to malicious links designed to harvest sensitive information. Other platforms, including Telegram and Signal, were also mimicked to expand the reach of the attacks.
In a more advanced variation, attackers leveraged legitimate authentication systems by abusing OAuth permissions. Instead of stealing credentials directly, victims were prompted to grant access to a malicious application, unknowingly giving attackers control over their accounts. This method increased the success rate by exploiting user trust in familiar login processes.
The campaign also made use of fake professional identities on platforms like LinkedIn to build trust with targets. In one instance, a journalist was approached with a job opportunity and later sent a malicious link disguised as a video call invitation. This link ultimately led to an account compromise attempt through a phishing workflow.
While some attacks were unsuccessful, at least one case resulted in a full account takeover. The attackers gained persistent access by linking a virtual device to the victim’s account, allowing ongoing surveillance and data collection.
Researchers also identified overlaps between the phishing infrastructure used in this campaign and earlier spyware operations. Certain domains were previously linked to Android spyware strains capable of stealing contacts, messages, device data, and local files. This suggests the campaign could extend beyond phishing to include malware deployment when needed.
The activity has been attributed to a hack-for-hire operation with connections to a known threat cluster associated with intelligence gathering. The campaign appears to have targeted individuals across multiple countries, including those in the Gulf region, North Africa, Europe, and potentially the United States.
What makes this operation particularly notable is its apparent focus on civil society targets, which differs from the group’s previously observed activities. This raises the possibility that either the threat actor has expanded its scope or that a separate contractor group is operating with shared infrastructure and techniques.
Overall, the campaign highlights the growing use of commercial or semi-commercial cyber-espionage services to monitor journalists and activists. It also underscores the increasing role of mobile devices and social engineering in modern surveillance operations, where attackers blend technical exploits with human manipulation to achieve their goals.
This campaign is a clear example of how targeted phishing and social engineering are being used to monitor journalists and civil society at scale. The use of trusted platforms and OAuth-based access makes these attacks especially dangerous and harder to detect. It highlights the need for stronger account security practices, including verifying links, limiting third-party app permissions, and staying alert to highly personalized attack attempts.
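As an added example (not code from the original report), a defender-side review of the two footholds described above: third-party OAuth grants that carry high-risk scopes or come from an unverified publisher, and devices linked to the account within a recent window. The scope names, the publisher-verified flag and the sample records are assumptions constructed for the illustration, not data from the campaign.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes giving an app standing mailbox/contacts/file access plus a refresh
# token: the consent-phishing variant above works by getting the victim to
# approve a grant like this, with no password ever stolen. (Assumed names.)
HIGH_RISK_SCOPES = {"mail.read", "contacts.read", "files.read", "offline_access"}

@dataclass
class OAuthGrant:
    app_name: str
    publisher_verified: bool
    scopes: frozenset
    granted_at: datetime

@dataclass
class LinkedDevice:
    name: str
    first_seen: datetime

def risky_grants(grants, now, window_days=30):
    """Return (app_name, [reasons]) for grants worth review; recency is noted."""
    flagged = []
    for g in grants:
        reasons = []
        risky = g.scopes & HIGH_RISK_SCOPES
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if not g.publisher_verified:
            reasons.append("unverified publisher")
        if reasons and now - g.granted_at <= timedelta(days=window_days):
            reasons.append(f"granted within last {window_days} days")
        if reasons:
            flagged.append((g.app_name, reasons))
    return flagged

def new_devices(devices, now, window_days=30):
    """Names of devices first linked inside the window (the persistence step above)."""
    return [d.name for d in devices if now - d.first_seen <= timedelta(days=window_days)]

# Constructed sample data (not from the campaign): a benign grant, a
# consent-phishing style grant, a long-standing device and a newly linked one.
NOW = datetime(2025, 6, 1)
SAMPLE_GRANTS = [
    OAuthGrant("Calendar Sync", True, frozenset({"calendar.read"}), datetime(2024, 1, 10)),
    OAuthGrant("Account Verifier", False,
               frozenset({"mail.read", "contacts.read", "offline_access"}), datetime(2025, 5, 28)),
]
SAMPLE_DEVICES = [LinkedDevice("Personal phone", datetime(2023, 3, 2)),
                  LinkedDevice("Desktop (unrecognised)", datetime(2025, 5, 29))]
```

Run against the sample data, only the "Account Verifier" grant and the unrecognised desktop are flagged; a real review would feed the same functions from the identity provider's consent and device listings.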