惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

The Hacker News

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More Why Most AI Deployments Stall After the Demo Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories [Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data The Hacker News The Hacker News Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks UAC-0247 Targets Ukrainian Clinics and Government in Data-Theft Malware Campaign n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More Deterministic + Agentic AI: The Architecture Exposure Validation Requires Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report) 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025 FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More Your MTTD Looks Great. Your Post-Alert Gap Doesn't North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident CPUID Breach Distributes STX RAT via Trojanized CPU-Z and HWMonitor Downloads Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs Browser Extensions Are the New AI Consumption Channel That No One Is Talking About Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories The Hidden Security Risks of Shadow AI in Enterprises Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025 New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP) Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign [Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign The Hidden Cost of Recurring Credential Incidents New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea Multi-OS Cyberattacks: How SOCs Close a Critical Risk in 3 Steps ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners The State of Trusted Open Source Report WhatsApp Alerts 200 Users After Fake iOS App Installed Spyware; Italian Firm Faces Action Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region
The Hacker News · 2026-04-09 · via The Hacker News

An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX.

Two of the targets included prominent Egyptian journalists and government critics, Mostafa Al-A'sar and Ahmed Eltantawy, who were at the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA) codes.

"The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware," Access Now's Digital Security Helpline said.

Also singled out as part of these efforts was an anonymous Lebanese journalist, who received phishing messages in May 2025 through the Apple Messages app and WhatsApp containing malicious links that, when clicked, tricked users into entering their account credentials as part of a supposed verification step from Apple.

"The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp app, [...] impersonating Apple Support," SMEX, a digital rights non-profit in the West Asia and North Africa (WANA) region, said. "While the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted."

In the case of Al-A'sar, the spear-phishing attack aimed at compromising his Google account began with a LinkedIn message from a sock puppet persona named "Haifa Kareem," who approached him with a job opportunity. After the journalist shared their mobile number and email address with the LinkedIn user, he received an email from the latter on January 24, 2024, instructing him to join a Zoom call by clicking on a link shortened using Rebrandly.

Cybersecurity

The URL is assessed to be a consent-based phishing attack that leverages Google's OAuth 2.0 to grant the attacker unauthorized access to the victim's account through a malicious web application named "en-account.info."

"Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials," Access Now said.

"If the targeted user is not logged in to Google, they are prompted to enter their credentials (username and password). More commonly, if the user is already logged in, they are prompted to grant permission to an application that the attacker controls, using a third-party sign-in feature that is familiar to most Google users."

Some of the domains used in these phishing attacks are listed below -

  • signin-apple.com-en-uk[.]co
  • id-apple.com-en[.]io
  • facetime.com-en[.]io
  • secure-signal.com-en[.]io
  • telegram.com-en[.]io
  • verify-apple.com-ae[.]net
  • join-facetime.com-ae[.]net
  • android.com-ae[.]net
  • encryption-plug-in-signal.com-ae[.]net

Interestingly, the use of the domain "com-ae[.]net" overlaps with an Android spyware campaign that Slovakian cybersecurity company ESET documented in October 2025, highlighting the use of deceptive websites impersonating Signal, ToTok, and Botim to deploy ProSpy and ToSpy to unspecified targets in the U.A.E.

Specifically, the domain "encryption-plug-in-signal.com-ae[.]net" was used as an initial access vector for ProSpy by claiming to be a non-existent encryption plugin for Signal.The spyware comes fitted with capabilities to exfiltrate sensitive data like contacts, SMS messages, device metadata, and local files.

Neither of the Egyptian journalists' accounts was ultimately infiltrated. However, SMEX revealed that the initial attack that targeted the Lebanese journalist on May 19, 2025, completely compromised their Apple Account and resulted in the addition of a virtual device to the account to gain persistent access to the victim's data. The second wave of attacks was unsuccessful.

While there is no evidence that the three journalists were targeted with spyware, the evidence shows that threat actors can use the methods and infrastructure associated with the attacks to deliver malicious payloads and exfiltrate sensitive data.

"This suggests that the operation we identified may be part of a broader regional surveillance effort aimed at monitoring communications and harvesting personal data," Access Now said.

Lookout, in its own analysis of these campaigns, attributed the disparate efforts to a hack-for-hire operation with ties to Bitter, a threat cluster that's assessed to be tasked with intelligence gathering efforts in the interests of the Indian government. The espionage campaign has been operational since at least 2022.

Based on the phishing domains observed and ProSpy malware lures, the campaign has likely targeted victims in Bahrain, the U.A.E., Saudi Arabia, the U.K., Egypt, and potentially the U.S., or alumni of U.S. universities, indicating the attacks go beyond members of Egyptian and Lebanese civil society.

"The operation features a combination of targeted spear-phishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device," the cybersecurity company said.

Cybersecurity

The campaign's links to Bitter stem from infrastructure connections between "com-ae[.]net" and "youtubepremiumapp[.]com," a domain flagged by Cyble and Meta in August 2022 as linked to Bitter in relation to an espionage effort that used fake sites mimicking trusted services like YouTube, Signal, Telegram, and WhatsApp to distribute an Android malware dubbed Dracarys.

Lookout's analysis has also uncovered similarities between Dracarys and ProSpy, despite the latter being developed years later using Kotlin instead of Java. "Both families use worker logic to handle tasks, and they name the worker classes similarly. They also both use numbered C2 commands," the company added. "While ProSpy exfiltrates data to server endpoints starting with 'v3,' Dracarys exfiltrates data to server endpoints starting with 'r3.'"

These connections notwithstanding, what makes the campaign unusual is that Bitter has never been attributed to espionage campaigns targeting civil society members. This has raised two possibilities: either it's the work of a hack-for-hire operation with ties to Bitter or the threat actor itself is behind it, in which case it could indicate an expansion of its targeting scope.

"We do not know whether this represents an expansion of Bitter's role, or if it is an indication of overlap between Bitter and an unknown hack-for-hire group," Lookout added. "What we do know is that mobile malware continues to be a primary means of spying on civil society, whether it is purchased through a commercial surveillance vendor, outsourced to a hack-for-hire organization, or deployed directly by a nation state."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.