How an APT Hijacked Apple Accounts in 30 Seconds to Spy on Middle‑East Journalists

A three‑year investigation by Access Now, SMEX and Lookout reveals that the Indian APT group BITTER conducted rapid Apple‑ID phishing, 2FA‑relay attacks and Android spyware deployments to fully compromise the accounts of journalists across the Middle East and North Africa, often within 30 seconds of credential entry.

Black & White Path

Apple‑ID phishing campaign

Attackers sent iMessage messages impersonating Apple, claiming the victim’s phone number needed verification. The message linked to a counterfeit verification page. When the victim entered the Apple ID password and the one‑time verification code, the page relayed the code in real time to Apple’s legitimate login page, completing the two‑factor authentication and full account takeover in as little as 30 seconds. SMEX’s controlled‑environment test measured a 30‑second interval from credential entry to takeover.

Case 1: Egyptian journalist Mustafa Asal received the iMessage on 18 Oct 2023 while in Lebanon, ignored the first message, later clicked the link and entered credentials. Apple sent a login alert for a new device in Cairo; Asal rejected the login and contacted Access Now.

Case 2: Journalist Ahmed Tantawi, previously infected with Cytrox Predator spyware (2021, 2023), received a similar iMessage in early 2024; his arrest in February 2024 preceded intensified phishing.

Case 3: An unnamed Lebanese journalist on 19 May 2025 received an iMessage from [email protected], entered credentials, and the attacker added a virtual device “iPhone VMWare”, gaining persistent access to iCloud data, contacts, mail and location.

Phishing infrastructure

Attackers operated a fast‑rotating domain ecosystem with region‑specific primary domains such as com‑en.io (Lebanon), com‑ae.net (UAE) and ar‑id.cc (Arabic users). Each primary domain hosted dozens of subdomains mimicking services (Apple ID, FaceTime, Signal, Telegram). Domains were registered shortly before attacks and taken down immediately after, limiting detection windows.

Example subdomains under com‑en.io included id‑apple.com‑en.io, facetime.com‑en.io, secure‑signal.com‑en.io, join‑telegram.com‑en.io. Registration and activation typically occurred on the day of the attack and were revoked thereafter.
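The subdomain pattern described above (a brand name in the subdomain, a TLD-looking label such as "com-en" inside the registrable domain) can be turned into a simple lookalike check run over DNS or proxy logs. The following is an added example, not code from the report or from any of the organisations that produced it; the brand-to-domain table, the sample log lines and the two-label registrable-domain heuristic are assumptions made for the example (a production version would use the Public Suffix List).

```python
import re

# Brand keywords the campaign's subdomains imitated (named in the report), mapped to the
# registrable domains that legitimately serve them (an assumption for this example).
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "facetime": {"apple.com"},
    "signal": {"signal.org"},
    "telegram": {"telegram.org", "t.me"},
}

# A label that looks like a TLD but sits inside the registrable domain, e.g. "com-en.io".
TLD_LIKE_PREFIX = re.compile(r"^(com|net|org|co)-")

# Constructed DNS query log, in a made-up key=value format, for the example only.
SAMPLE_DNS_LOG = """\
2025-05-19T10:02:11Z client=10.0.0.7 q=id-apple.com-en.io type=A
2025-05-19T10:02:14Z client=10.0.0.7 q=appleid.apple.com type=A
2025-05-19T10:05:40Z client=10.0.0.9 q=secure-signal.com-en.io type=A
2025-05-19T10:06:02Z client=10.0.0.9 q=signal.org type=A
2025-05-19T10:07:30Z client=10.0.0.12 q=join-telegram.com-en.io type=A
2025-05-19T10:08:00Z client=10.0.0.12 q=cdn.example.net type=A
"""

QUERY = re.compile(r"\bq=(\S+)")


def registrable_domain(host: str) -> str:
    """Simplified registrable-domain extraction: the last two labels.
    Real deployments should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def lookalike_reasons(host: str) -> list:
    """Return why a hostname resembles the campaign's lookalike pattern (empty if it does not)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    sub = host[: len(host) - len(reg)].rstrip(".")  # everything left of the registrable domain
    reasons = []
    for keyword, legit in BRAND_DOMAINS.items():
        # A brand name in the subdomain is only suspicious when the brand does not own the domain.
        if reg not in legit and keyword in sub:
            reasons.append(f"brand:{keyword}")
    if TLD_LIKE_PREFIX.match(reg.split(".")[0]):
        reasons.append("tld-like-label")
    return reasons


def scan_dns_log(text: str) -> list:
    """Return (host, reasons) for every queried name that trips a lookalike rule."""
    flagged = []
    for line in text.splitlines():
        m = QUERY.search(line)
        if not m:
            continue
        reasons = lookalike_reasons(m.group(1))
        if reasons:
            flagged.append((m.group(1), reasons))
    return flagged


if __name__ == "__main__":
    for host, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(host, ", ".join(reasons))
```

Because the campaign registered domains on the day of the attack and revoked them afterwards, a rule like this is most useful when applied to live resolver logs rather than to a blocklist compiled later; the "tld-like-label" check also catches new subdomains under the same primary domains before anyone has seen them.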

2FA bypass technique

The malicious page captured the six‑digit verification code and automatically forwarded it to Apple’s genuine login page, completing the two‑factor step without user interaction. SMEX observed that the attacker’s system submitted the code automatically, eliminating the need for manual input.
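From the identity provider's side, a relayed code looks like a sign-in whose password and code both arrive from the attacker's system rather than from the trusted device that received the code. The case descriptions above supply the observable signals: the completing device was unenrolled (the "iPhone VMWare" virtual device), and its location differed from the victim's (a Cairo login alert for a journalist in Lebanon). The following detection is an added example and is not code from the report or from Apple; the audit-log format, the GeoIP table, the enrolled-device list and the virtualization-name markers are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sign-in audit log of a generic identity provider (not Apple's real log format).
# Session s1 mirrors the relay pattern described in the report; s2 is a normal sign-in.
SAMPLE_AUTH_LOG = """\
2025-05-19T10:02:30Z event=password_ok user=journalist1 session=s1 ip=203.0.113.10 device="iPhone VMWare"
2025-05-19T10:02:31Z event=otp_sent user=journalist1 session=s1 trusted_device="iPhone 13" trusted_country=LB
2025-05-19T10:02:58Z event=otp_ok user=journalist1 session=s1 ip=203.0.113.10 device="iPhone VMWare"
2025-05-19T11:15:02Z event=password_ok user=journalist1 session=s2 ip=198.51.100.5 device="iPhone 13"
2025-05-19T11:15:03Z event=otp_sent user=journalist1 session=s2 trusted_device="iPhone 13" trusted_country=LB
2025-05-19T11:15:40Z event=otp_ok user=journalist1 session=s2 ip=198.51.100.5 device="iPhone 13"
"""

# Stand-ins for a GeoIP lookup and the user's enrolled devices (assumptions for the example).
GEOIP = {"203.0.113.10": "EG", "198.51.100.5": "LB"}
KNOWN_DEVICES = {"journalist1": {"iPhone 13"}}
# Device names that suggest a virtual machine rather than a real handset.
VIRTUALIZATION_MARKERS = ("vmware", "virtualbox", "qemu", "emulator")

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a log line into its timestamp and key=value fields (quotes stripped)."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_relayed_logins(text: str) -> list:
    """Return an alert for every completed sign-in showing relay indicators."""
    sessions = {}
    for line in text.splitlines():
        f = parse_line(line)
        sessions.setdefault(f["session"], {})[f["event"]] = f

    alerts = []
    for sid, events in sessions.items():
        if not {"password_ok", "otp_sent", "otp_ok"} <= events.keys():
            continue  # only fully completed sign-ins are scored
        pw, sent, done = events["password_ok"], events["otp_sent"], events["otp_ok"]
        user = done["user"]
        indicators = []
        if done["device"] not in KNOWN_DEVICES.get(user, set()):
            indicators.append("new_device")
        # The code went to a trusted device in one country but was redeemed from another.
        if GEOIP.get(done["ip"]) != sent["trusted_country"]:
            indicators.append("country_mismatch")
        if any(m in done["device"].lower() for m in VIRTUALIZATION_MARKERS):
            indicators.append("virtual_device_name")
        if indicators:
            alerts.append({
                "session": sid,
                "user": user,
                "ip": done["ip"],
                "indicators": indicators,
                # Elapsed time from password entry to completed second factor, for analyst context.
                "seconds_to_complete": int((done["ts"] - pw["ts"]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_relayed_logins(SAMPLE_AUTH_LOG):
        print(alert)
```

The elapsed time is reported but not used as a trigger on its own: the interval is dominated by the victim typing the code into the fake page, so it does not separate a relay from a slow legitimate login. The country mismatch and the unenrolled or virtual device are the signals that distinguish the two sessions here, which is also why codes that are not bound to the origin they were entered on cannot stop this attack, whereas origin-bound authenticators (passkeys, security keys) do.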

Android spyware “ProSpy”

In parallel, the campaign distributed a malicious Android APK disguised as a Signal encryption plug‑in. Named “ProSpy” by ESET, the spyware targeted primarily UAE victims and, once installed, obtained full device control, exfiltrated documents, media, SMS, contacts, monitored file changes, and uploaded stolen data to attacker‑controlled servers.

Scan and steal all documents, images, audio and video files

Read and export all SMS messages and address‑book entries

Monitor recently modified and backup files

Automatically upload stolen data to attacker servers

Anti‑forensics measures

Phishing pages contained roughly 600 lines of hex‑filled code, developer‑tool blocking, console hijacking and debugger traps that caused analysis tools to crash or hide the real page source. Attackers also set tracking cookies with a ten‑year lifespan to maintain long‑term surveillance.

Attribution to BITTER

Lookout’s technical analysis linked the campaign to the Indian APT group BITTER, historically focused on governments, militaries and critical infrastructure in South Asia. Recent activity shows expansion to Saudi Arabia, Turkey, South America and the MENA region. BITTER appears to operate via a hire‑the‑hackers model, with unknown entities commissioning attacks against civil‑society figures.

Infrastructure and tool overlap with a 2022 Meta‑disclosed attack toolkit indicates continuous evolution of BITTER’s arsenal.

Resources

Full PDF report, IOCs and related files are hosted at https://github.com/blackorbird/APT_REPORT/tree/master/bitter/2026

Tags: APT, Phishing, 2FA bypass, Android spyware, Apple ID hijacking, BITTER, MENA journalists

Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
