VYPR
Breach · Published Apr 9, 2026 · Updated May 18, 2026 · 1 source

South Asian APT Group Bitter Targeted Journalists in Egypt and Lebanon With Android Spyware

A spear-phishing campaign linked to the South Asian APT group Bitter targeted journalists in Egypt and Lebanon from 2023 to 2025, using fake login pages to deliver ProSpy/ToSpy Android spyware.

A spear-phishing campaign linked to the South Asian advanced persistent threat group Bitter (T-APT-17) targeted high-profile journalists in Egypt and Lebanon from 2023 to 2025, according to a report published April 8 by digital rights organization Access Now and mobile security firm Lookout. The attackers used fake Signal and Apple login pages to deliver Android spyware known as ProSpy and ToSpy, which can exfiltrate contacts, messages, and geolocation data and activate device microphones and cameras.

The campaign was detected by Access Now through its Digital Security Helpline in August 2025, after outreach from prominent Egyptian journalists Mostafa Al‑A'sar and Ahmed Eltantawy, both critics of the Egyptian government who have faced political imprisonment. Access Now found that both individuals had been targeted by spear-phishing campaigns from 2023 to 2024. The NGO contacted Lookout, which assessed the campaigns were "most likely" a hack-for-hire operation with ties to Bitter, a group active since at least 2013 that has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.

Lookout determined that the Android implants used in the campaign — dubbed ProSpy and ToSpy by ESET in an October 2025 report — were the same ones used against users in the UAE. In parallel, SMEX, a Beirut-based digital rights nonprofit, identified an unnamed high-profile Lebanese journalist targeted by the same spear-phishing campaign in 2025. The attack on the Lebanese journalist succeeded in compromising the target's Apple account, while the attempts against the Egyptian journalists failed.

The attackers invested time to establish connections with targets, impersonating legitimate people and services using fake accounts and profiles. They delivered the malware via phishing messages mimicking Signal and Apple login pages. In one instance, Al‑A'sar entered his credentials but stopped when he received a suspicious two-factor authentication notification. The Lebanese journalist's account was compromised within 30 seconds of the credentials being submitted, with the attackers adding a virtual device to the account.

Lookout researchers acquired 11 samples of ProSpy, the earliest from August 2024. ProSpy is not as sophisticated as top-tier spyware like DarkSword or Predator; it is developed in Kotlin and integrates common spyware functions. The maintainers have added new capabilities over time, indicating active development. The spyware can access and extract files, contacts, messages, and geolocation data, enable device microphones and cameras, and install further malicious apps.

Lookout believes the same campaign likely targeted victims in Bahrain, including government entities, as well as the UAE, Saudi Arabia, the UK, Egyptian government entities, and potentially the US or alumni of US universities. The campaign highlights the ongoing threat of hack-for-hire operations targeting civil society, particularly journalists, in the Middle East.

Synthesized by Vypr AI