BITTER APT Deploys ProSpy Spyware via Signal, Google, and Zoom Lures Targeting Journalists
What Happened — The state‑linked BITTER APT group has been observed delivering the ProSpy (and its variant ToSpy) spyware through malicious links masquerading as legitimate Signal, Google, and Zoom communications. The campaign leverages LinkedIn and iMessage spear‑phishing to lure journalists and media professionals into downloading the payload.
Why It Matters for TPRM —
- Third‑party risk: Vendors that provide communication tools (Signal, Google Workspace, Zoom) can have their brands impersonated in lures, turning trusted services into indirect attack vectors.
- Data exposure: Spyware on a compromised journalist's device can exfiltrate sensitive source material, client data, or proprietary research.
- Reputation: Successful espionage against media outlets can damage brand trust and trigger regulatory scrutiny.
Who Is Affected — Media & journalism organizations, public‑relations firms, and any third‑party service providers that host or integrate Signal, Google, Zoom, or LinkedIn communications.
Recommended Actions —
- Review contracts with communication‑tool vendors for security‑by‑design clauses and incident‑response provisions.
- Enforce multi‑factor authentication and strict URL‑verification training for all staff handling external messages.
- Deploy endpoint detection and response (EDR) solutions capable of detecting ProSpy indicators of compromise.
Technical Notes — Attack vector: spear‑phishing (LinkedIn, iMessage) delivering malicious links that exploit user trust in Signal, Google, and Zoom. Malware family: ProSpy/ToSpy spyware, capable of keylogging, screen capture, and data exfiltration. No public CVE associated; the threat relies on social engineering rather than a software vulnerability. Source: HackRead