Android spyware and iCloud phishing: What a hack-for-hire campaign reveals about modern mobile espionage

This article was generated by AI and cites original sources.

Security researchers have identified a hack-for-hire espionage campaign targeting journalists, activists, and government officials across the Middle East and North Africa. The campaign uses phishing to access iCloud backups and Signal accounts and deploys Android spyware capable of taking over victims’ devices. The findings, covered by TechCrunch and supported by parallel documentation from Access Now, SMEX, and Lookout, demonstrate how mobile compromise workflows increasingly combine cloud credential theft with on-device surveillance capabilities.

How the campaign worked: cloud access first, device control second

According to researchers cited by TechCrunch, the operation relied on phishing attacks to access targets’ iCloud backups and messaging accounts on Signal. This approach represents a shift from purely “break into a phone” tactics toward a two-stage model: compromise identity or session material to reach cloud-stored data, then use that foothold to enable further device access.

After the phishing component, the campaign deployed Android spyware described by researchers as capable of taking over targets’ devices. Lookout’s investigation indicates that the spyware and phishing workflow were used as part of a coordinated intrusion chain rather than isolated techniques.

Lookout and its collaborators documented the campaign as targeting civil society and government-adjacent users. Access Now documented three instances of attacks over 2023 through 2025 against two Egyptian journalists and a journalist in Lebanon whose case was also documented by SMEX. TechCrunch reports that these organizations collaborated and published separate reports on Wednesday.

Target geography and scope: beyond one country or one segment

Lookout’s findings, as summarized by TechCrunch, extend beyond members of Egyptian and Lebanese civil society. The report indicates targets included members of the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, and the United Kingdom. Lookout also reported that targets may include people in the United States or alumni of American universities.

The campaign’s tooling—phishing for iCloud and Signal access plus Android device takeover—appears adaptable across multiple jurisdictions. The geographic spread suggests that the operators could reuse the same core exploitation pattern against different targets in different regions.

Hack-for-hire dynamics: outsourcing and threat models

TechCrunch frames the campaign as highlighting a broader trend: government agencies outsourcing hacking operations to private hack-for-hire companies. The article notes that some governments rely on commercial providers that develop spyware and exploits used by police and intelligence agencies to access data on people’s phones.

From a security-engineering standpoint, outsourcing can complicate defense. When researchers identify specific malware or infrastructure, the operators may swap vendors, update payloads, or repackage capabilities. The TechCrunch coverage ties the campaign to that ecosystem by pointing to suspected relationships between hack-for-hire vendors and known advanced persistent threat activity.

Lookout reported that the hackers behind the campaign work for a hack-for-hire vendor with connections to BITTER APT, a hacking group that cybersecurity companies suspect has ties to the Indian government. TechCrunch also reports that Justin Albrecht, principal researcher at Lookout, said the company behind the campaign may be an offshoot of Appin, an India-based hack-for-hire startup.

Albrecht also noted RebSec as a possible suspect. The TechCrunch story further connects the dots to prior investigative coverage: in 2022 and 2023, Reuters published extensive investigations into Appin and other similar India-based companies, documenting how these companies are allegedly hired to conduct hacking operations.

What defenders and platform teams can take from the technical chain

The TechCrunch summary emphasizes two technical capabilities: (1) phishing to access iCloud backups and Signal messaging accounts, and (2) deploying Android spyware capable of device takeover. The combination suggests a threat model where attackers aim to capture both cloud-resident information (via iCloud backups) and communication data (via Signal accounts), then use the compromised device context to extend control.

Defenders should note how these campaigns bridge user-facing social engineering and platform-level compromise. If phishing alone is sufficient to reach iCloud backups and Signal messaging accounts, then controls around credential entry points, session integrity, and account recovery flows become central to reducing initial access. Meanwhile, the presence of Android spyware capable of taking over devices raises the importance of runtime detection, app integrity, and protections against unauthorized device administration or persistent execution.

For the wider security industry, the multi-organization documentation—Access Now, SMEX, and Lookout publishing reports in collaboration—demonstrates how research workflows now rely on cross-group evidence-sharing to establish timelines, confirm victim categories, and connect observed behavior to suspected vendors.

The reported hack-for-hire connections to BITTER APT and possible ties to Appin and RebSec suggest that attribution in this space often involves relationships and vendor links rather than a single “origin” payload. This could influence how security teams prioritize mitigation: focusing not only on one malware sample, but on the broader intrusion chain that includes phishing, cloud credential access, and mobile device takeover.

Source: TechCrunch