An ongoing spying operation has been discovered, specifically targeting journalists and opposition politicians across the Middle East. Researchers from the digital rights group Access Now and the security firm Lookout collaborated in August 2025 to track these attacks. Their work shows that hackers have been active from at least 2022 until today.
How the scam works
According to Lookout, the scam relies on spearphishing, in which an attacker sends a believable message to a specific target to get them to click a link. Researchers found that some targets received messages on LinkedIn or through iMessage, and some of the messages pretended to be from Apple Support.
If the target clicks the link, they are sent to a “simple, single page” fake website. It imitates the real login pages of commonly used apps, including Zoom, Microsoft Teams, Google Drive, Yahoo, and iCloud. Scammers also trick their targets into linking their Signal accounts to their computers via malicious QR codes. If the victim follows the steps, the hackers can read all their private chats.
“By linking their Signal account via the QR code, the victim gives the threat actor access to their Signal content,” the researchers explained in their blog post.
A Closer Look at ProSpy
This joint research, and an October 2025 report from ESET, reveals that Android users are tricked into downloading one of two pieces of malware: ProSpy or ToSpy. Both are spyware, a type of program that secretly monitors the user's every online activity. These viruses can even be distributed via a safe chat app like Signal, ToTok, or Botim. After compromising a device, they can steal:
- Photos, audio clips, and videos.
- Text messages (SMS) and contact lists.
- Private files like Word, Excel, and PDFs.
- Backup files from other apps like ToTok.
Researchers explain that ProSpy is a feature-rich spyware developed in Kotlin, and out of the 11 ProSpy samples obtained, the earliest was from August 2024.
“ProSpy is developed in a relatively professional way, and it has worker classes to handle the data collection and exfiltration tasks. It uses object-oriented programming principles and introduced new capabilities over the years, indicating it is actively being developed,” Lookout threat intelligence analysts noted.
Links to Bitter
Lookout has linked this campaign to a South Asian group known as BITTER (also called T-APT-17, APT-Q-37) because the code in ProSpy is similar to an older virus called Dracarys from 2022. Both, reportedly, use the same numbered commands to control the phone.
As Hackread.com previously reported, BITTER’s attacks usually support the interests of the Indian government and prefer to target military, energy, and government groups in places like:
- China
- Pakistan
- Saudi Arabia
However, this new campaign is different because it is the first time BITTER has been caught targeting activists and journalists in Egypt, Lebanon, Bahrain, and the UAE. Researchers think that it might be a hack-for-hire job where the group was paid by someone else to do the spying.
Still, the troubling part is that they are using mobile malware as “a primary means of spying,” the researchers noted, concluding that we must be very careful when clicking any links to stay safe.

