Hack-for-Hire Group Uses Android Spyware and Phishing to Steal iCloud Credentials
- Security researchers have uncovered a sophisticated cyberespionage campaign conducted by a hack-for-hire group that targeted journalists, government officials, and activists.
- The campaign was exposed through a collaboration between the mobile cybersecurity firm Lookout, the digital rights organization Access Now, and the organization SMEX.
- The attackers primarily targeted individuals in the Middle East and North Africa.
Security researchers have uncovered a sophisticated cyberespionage campaign conducted by a hack-for-hire group that targeted journalists, government officials, and activists. The operation used a combination of Android spyware and phishing attacks designed to compromise iCloud backups and encrypted messaging accounts.
The campaign was exposed through a collaboration between the mobile cybersecurity firm Lookout, the digital rights organization Access Now, and the organization SMEX. These entities published their findings on April 8, 2026, detailing an operation that has been active since at least 2022.
Targeting and Methodology
The attackers primarily targeted individuals in the Middle East and North Africa. Documented cases include attacks occurring between 2023 and 2025 against two Egyptian journalists and one journalist in Lebanon.
The group employed diverse tactics depending on the victim’s device. For those using iOS devices, the hackers used phishing links that impersonated iCloud to gain access to mobile device backups. The researchers also noted specific targeting of end-to-end encrypted (E2EE) applications, including Signal and Botim.
For Android users, the group deployed spyware capable of taking full control of the target’s device. This approach demonstrates a trend where attackers mix high-end malware with simpler social engineering and spearphishing techniques to breach security-conscious targets.
Attribution and the BITTER APT
Lookout has attributed the hacking campaign to a hack-for-hire vendor codenamed BITTER, also identified as BITTER APT (T-APT-17). The cybersecurity firm suspects that this entity has ties to the Indian government.
Justin Albrecht, a principal researcher at Lookout, indicated that the company operating under the BITTER codename may be called RebSec Solutions. He further noted that this entity could be an offshoot of Appin, an Indian hack-for-hire startup.
The scope of the campaign extends beyond civil society in Egypt and Lebanon. Lookout’s investigation found that targets included individuals within the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, and the United Kingdom. There is also evidence of potential targets in the United States or alumni of American universities.
The Rise of Commercialized Espionage
This operation highlights a growing global trend where government agencies outsource espionage and hacking operations to private, commercial hack-for-hire companies. These vendors develop the spyware and exploits necessary for intelligence agencies and police to access private data on mobile phones.

The BITTER operation exists alongside other high-tier threats. Lookout has previously observed the deployment of advanced malware kits such as DarkSword, Coruna, and Predator, which are often associated with different threat actors, such as the Russian-linked group UNC6353.
Unlike some of these multi-million dollar exploit kits, the BITTER campaign’s reliance on phishing and credential theft demonstrates that relatively simple social engineering remains an effective tool for state-sponsored or state-affiliated espionage.
Broader Context of iCloud Targeting
The targeting of iCloud credentials seen in the BITTER campaign mirrors other historical attempts to exploit Apple’s cloud ecosystem. In a separate 2021 case, a California man known as iCloudRipper4You admitted to impersonating Apple support staff to steal hundreds of thousands of private images from iCloud accounts by tricking victims into providing login credentials via fake support emails.
While the BITTER campaign is focused on political espionage rather than individual theft, both highlight the vulnerability of cloud backups when users are deceived by phishing attempts.
