A new investigation by Access Now’s Digital Security Helpline has exposed a hack-for-hire campaign targeting two prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, through a series of spear-phishing attacks. Spear phishing is a highly personalized type of phishing that targets specific individuals or organizations, rather than casting a wider net. In the cases we document, the attackers used messages that appeared to be from trusted people and services in attempts to compromise the victims’ accounts.
The attacks were carried out from 2023 to 2024 and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware.
To better understand these attacks, we collaborated with the mobile security company Lookout. Based on our forensic analysis and the infrastructure employed in these attacks, Lookout independently assesses that unknown entities used a hack-for-hire organization with ties to Asia to conduct espionage against civil society targets in the MENA region. Notably, there is evidence that attackers may use the methods and infrastructure associated with the attacks to deliver spyware and exfiltrate data.
We also contributed to an investigation by SMEX, a nonprofit that advances digital rights in West Asia and North Africa, detailing a similar attack in 2025 against a prominent Lebanese journalist who prefers to keep their identity undisclosed. Based on our analysis, we believe the same threat actor could be behind this attack.
At a time when civil society is increasingly targeted with sophisticated digital attacks, it is imperative that we pool and share the knowledge necessary to keep our communities safe and strong. Below we share background and highlights from the investigation, as well as digital security tips to help you prevent or mitigate the type of attacks we describe in our report. Please note that these tips are general advice, and we encourage you to consider your particular risk profile and reach out to a trusted practitioner for tailored guidance.
// Who was targeted?
Mostafa Al-A’sar is an award-winning independent Egyptian journalist, human rights defender, and researcher. He spent nearly four years as a political prisoner for his work before fleeing to Lebanon, then going into exile in Canada.
Ahmed Eltantawy was a well-known journalist and member of the Egyptian Syndicate of Journalists before becoming a politician. As editor in chief of Al-Karama, an independent weekly publication, he led coverage of domestic issues and socioeconomic challenges. After joining the Egyptian parliament and serving from 2015 to 2020, he rose to become a prominent challenger to sitting president Abdel Fattah al-Sisi, and in 2023, announced his intention to run for president. However, when dozens of supporters and some of his relatives were subsequently arrested, and he was reportedly blocked from campaigning, he dropped from the race, and was later imprisoned. An investigation by The Citizen Lab at the Munk School of Global Affairs at the University of Toronto (“the Citizen Lab”) found that his phone had been targeted using Intellexa’s Predator spyware, in September 2021 and between May and September 2023.
The anonymous victim in the related SMEX investigation is also a journalist, with decades of work as a reporter and editor and considerable influence in shaping the conversation on political issues.
// How were the attacks carried out?
Attackers launched a spear-phishing campaign seeking to compromise Al-A’sar and Eltantawy’s online accounts (specifically, Apple and Google accounts) in October 2023 and continued in January 2024.
As we note above, the attackers impersonated legitimate people and services, investing time and effort to establish a connection with the targets through various channels. Our investigation showed that there is a persistent infrastructure for attacks; we found overlapping domains, hosting, and similarities in code. There is also evidence that this infrastructure can allow attackers to deliver Android spyware with the potential ability to access and extract victims’ files, personal contacts, text messages, and geolocation, to enable device microphones and cameras, and to install malicious apps on a device. It appears that attackers use fake account profiles, messages, and pages to impersonate people and mimic common services and platforms such as the messaging app Signal to deliver the malware. This kind of activity has forced Signal and other companies to warn users about phishing campaigns.
After receiving a message that appeared to be from Apple, Al-A’sar entered his account credentials, but when he received a suspicious two-factor authentication (2FA) login notification from a distant location in Egypt, he refrained from engaging any further and sought assistance. The attackers failed to lure Eltantawy into taking action, and ultimately did not succeed in compromising his or Al-A’sar’s accounts. If they had been successful, they would have gained unimpeded access to the personal and professional information in the targets’ Apple and/or Google accounts, including information on their families, associates, and journalistic sources. Given the Egyptian government’s years-long crackdown on independent media and opposition movements, as well as the arrests of Eltantawy’s family members and supporters, it is clear this digital attack could have exposed the victims and their entire networks of family, friends, colleagues, and supporters to persecution.
In the additional attack documented by SMEX, the attackers followed the same pattern, but they were successful in compromising the target’s Apple account in 2025.
// Who is behind the attacks?
Lookout’s threat intelligence team, with whom we collaborated in this investigation, independently assesses that the threat actor was a hack-for-hire group with ties to Asia.
Attribution of an attack is always a complex endeavor, and if an attacker outsources to a hack-for-hire group that carries out the activities on their clients’ behalf, it adds further distance and potentially the ability to deny responsibility for the hacking. There is not enough information for us to confidently conclude which government(s) may be behind these attacks. However, there are several important points to consider, such as the nationality and profile of the victims and the technical finding of an authentication attempt appearing to originate from Egypt. Additionally, multiple investigations by civil society organizations reveal that the Egyptian government has a history of purchasing and using surveillance and surveillance-enabling technologies from Canadian and European companies. Research from the Citizen Lab and Amnesty International has also revealed that Egypt purchased Intellexa’s Predator spyware, and as we have highlighted, the Citizen Lab documented previous spyware targeting against Ahmed Eltantawy in 2021 and 2023 using Predator, including attacks that took place only weeks before the attacks we document in our report. The Citizen Lab attributes those earlier attacks to the Egyptian authorities.
// How to protect yourself
Following are general tips for members of civil society to prevent and mitigate phishing attacks of the type we detail in our report, as well as resources for learning more. While general guidance like this can be a useful starting point, we recommend that you consider your own circumstances, threats, and risk tolerance, and reach out to a trusted digital security practitioner for advice.
Start with prevention
Beware of social engineering: As we can see with the cases presented in our report, hack-for-hire actors and similar threat groups have built dedicated infrastructure and developed malicious applications to compromise their victims’ accounts. However, in cases like the ones we have documented, they still depend on the victim’s participation to click on the malicious link, download the malicious files, and/or install the spyware. Techniques like social engineering — the psychological manipulation of people to do things like divulge confidential information — and attacks like phishing target human rather than technological vulnerabilities, and it’s important to stay informed about the strategies attackers are using, as their techniques evolve quickly. In many cases, it helps to trust your instincts: If something feels off or you are being pressured or rushed to take action, take a step back and check in with your peers before moving forward.
Use two-factor authentication, correctly: Setting up two-factor authentication (2FA) is one of the most powerful ways to protect your account from getting hacked. However, hack-for-hire actors or other threat groups may try to trick you into revealing your second factor; we have seen attackers successfully compromise the accounts of victims who enabled 2FA. Never give out your 2FA codes to anyone, and always make sure that you input them only on the official website.
We recommend that you use more advanced 2FA options such as security keys, or, if you are a Gmail user, Google Passkeys. Here are four guides for increasing the level of security for your account:
- Create a Passkey to log in to your Google account (Google)
- How to: Enable two-factor authentication (Electronic Frontier Foundation)
- Set up multi factor authentication (Consumer Reports)
- Use a security key (Consumer Reports)
Be aware that attackers may use familiar-looking, consent-based login pages for phishing attacks. As we have documented in our report with regard to Google OAuth, an attacker can use a legitimate-looking page or message to request your consent to authorize a new app or login using your existing accounts (such as your Google account or others). To avoid this, we recommend that you:
- Review third-party apps and services that are linked to your accounts, such as your Google account, and revoke access to any suspicious applications.
- If you are presented with a page to grant access permission to a new app, make sure to validate the origin carefully.
- If you are using an enterprise account, check with your system administrator before you grant access permission to a new app.
- System administrators can control which apps can access Google Workspace or Microsoft 365 data. Access to third-party apps should be restricted or require admin consent.
If you face a higher level of risk for digital attacks, enroll in programs and/or enable settings for high-risk users. Google and some other providers offer optional programs and settings for people who, because of who they are or what they do, may be targeted for attack. Some of these programs not only increase the security of your account, but also flag to companies that you could face sophisticated attacks. They include:
- Google Advanced Protection
- Microsoft Account Guard
- Proton Sentinel high-security program
- Apple Lockdown Mode
- WhatsApp’s Strict account settings
Received a message? Be a five-second detective
- Step one: check the sender’s username. Ask yourself if you have received messages from this account before, and if this is an official account. Look carefully for anything out of place: threat actors could use lookalike email addresses or user names to impersonate people you know or support teams from services that you use.
- Step two: check with the sender using a different service. If you have any concerns or are at all suspicious about a personal email or message, do not open any file attachment or click on any link in the email or message. Instead, check directly with the purported sender, via another service, to confirm whether they’ve reached out to you. If you don’t already have a way to reach them directly using another service, consider asking someone you trust to inquire on your behalf. If you receive a message that purports to be from an online platform’s security or service team, you may not be able to contact anyone directly to see if the message was legitimate. However, you can do a quick online search to verify whether the company in question, such as Signal, ever uses direct messages or chat bots to contact users.
- Step three: double-check links before you click. If you receive an email or chat message prompting you to make changes to your account, visit the official website manually rather than clicking on the link. If you have already clicked on a link and it sends you to a login page, that is a red flag. Stop and visit the official site to log in, to be sure that you are entering your credentials into the real page.
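As an added illustration of steps one and three (this is example code, not code from the Access Now report or its partners), the script below applies the sender-domain and link-destination checks to constructed sample messages modelled on the Apple-themed lure; the trusted-domain list, the sample addresses and the hypothetical lookalike domains are assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (constructed for this example): the services whose mail you actually expect.
TRUSTED_DOMAINS = {"apple.com", "google.com", "signal.org"}
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.IGNORECASE)

def visible_host(host: str) -> str:
    """Lower-case a host and decode Punycode (xn--) labels so lookalike letters show."""
    host = host.lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already non-ASCII, or not valid Punycode: show it as-is

def is_official(host: str) -> bool:
    """True only for an exact trusted domain or a subdomain of one (apple.com.example is not)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_sender(from_header: str) -> list[str]:
    """Step one: does the From: address belong to a service you really use?"""
    _, addr = parseaddr(from_header)
    host = visible_host(addr.rpartition("@")[2])
    findings = []
    if not host.isascii():
        findings.append("sender domain uses non-ASCII lookalike characters")
    if not is_official(host):
        findings.append(f"sender domain {host!r} is not an official domain")
    return findings

def check_link(anchor_text: str, href: str) -> list[str]:
    """Step three: does the link go where its text says, and to an official site?"""
    host = visible_host(urlparse(href).hostname or "")
    findings = []
    if urlparse(href).scheme != "https":
        findings.append("link is not https")
    if not host.isascii():
        findings.append("link host uses non-ASCII lookalike characters")
    if not is_official(host):
        findings.append(f"link host {host!r} is not an official domain")
    shown = DOMAIN_IN_TEXT.search(anchor_text)  # the link text may itself show a domain
    if shown and visible_host(shown.group()) != host:
        findings.append("link text and actual destination differ")
    return findings

if __name__ == "__main__":  # constructed samples: a lookalike sender and a mismatched link
    print(check_sender("Apple Support <support@appleid-verify.example>"))
    print(check_link("appleid.apple.com", "https://appleid.apple.com.example/login"))
```

An empty list means the checks found nothing; it does not prove a message is genuine, so the out-of-band confirmation in step two still applies.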
These recommendations address the kind of phishing attacks described in our report, but there are many other ways you could be targeted. Whatever your level of risk, you may find it helpful to use the Consumer Reports Security Planner to get personalized security recommendations, as well as access to a list of emergency resources and advanced security guides.
Think you are already being targeted?
If you are part of an organization that is facing digital threats and you suspect that you have already been targeted in an attack, first reach out to a trusted digital security practitioner for advice. It is crucial to evaluate any damage to your organization and to related organizations and individuals, such as journalistic sources, support organizations, and other partners. If you determine that you have indeed been targeted, keep them informed about what has happened, whether and what information has been leaked, how this may impact them, and what steps you are taking to mitigate the impact.
In addition, Access Now’s Digital Security Helpline is available to support members of civil society, including activists, media organizations, journalists, and human rights defenders, 24/7 in 10 languages. If your account has been compromised, we advise that you:
- Change your password right away. If you are using the same password for other accounts, you should change the password for those accounts too. Consider using a password manager to keep track of multiple passwords.
- Review access logs on your accounts, such as Proton Mail’s activity monitor, Gmail’s last account activity, or Microsoft’s recent activity page, and review devices with account access. You may still have questions after reviewing these logs. If so, we encourage you to make a copy of the logs to share with an expert for review.
Access Now’s Helpline thanks Lookout, SMEX, The Citizen Lab at the Munk School of Global Affairs at the University of Toronto, and Amnesty International Security Lab for their independent review and other valuable assistance in this investigation. While we have collaborated during the investigation, any assertions and representations, errors, or omissions in our report are our own.
If you would like to arrange an interview with one of our Access Now experts, have a question, or are interested in further information on any of our areas of focus, please contact press [at] accessnow [dot] org.