Hack‑for‑Hire Spearphishing Campaign Targets Egyptian Journalists, Potential Spyware Deployment
What Happened — A sophisticated hack‑for‑hire group conducted a multi‑channel spearphishing operation against two high‑profile Egyptian journalists from October 2023 through January 2024. The attackers impersonated legitimate services (including Apple and Signal) to harvest credentials and to deliver Android spyware capable of exfiltrating files, contacts, messages, location, and activating microphones/cameras.
Why It Matters for TPRM —
- Credential‑phishing and spyware delivery illustrate a supply‑chain‑style threat that can affect any third party handling sensitive communications.
- Persistent infrastructure (overlapping domains, hosting, code) indicates a reusable platform that could be repurposed against other clients of the same service providers.
- Targeted individuals are political dissidents; similar tactics may be used against corporate whistleblowers or employees with privileged access.
Who Is Affected — Media & journalism organizations, human‑rights NGOs, and any third‑party service providers (cloud, email, messaging) used by high‑risk individuals.
Recommended Actions —
- Review and harden authentication for all accounts (MFA, phishing‑resistant methods).
- Conduct threat‑intel monitoring for the identified malicious domains and code signatures.
- Verify that any third‑party mobile‑device‑management (MDM) or endpoint‑security solutions can detect and block the Predator spyware family.
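One way to operationalise the monitoring step above, as an added example that is not from the briefing or the cited report: a small Python scanner that flags proxy or DNS records whose host is on an indicator watchlist or looks like an Apple/Signal impersonation. The watchlist entry, the log layout and the official-domain list are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder: the briefing names no indicators; load the domains
# published in the underlying report here before use.
WATCHLIST = {"malicious-domain-placeholder.test"}
IMPERSONATED_BRANDS = ("apple", "signal")  # brands the campaign impersonated
LEGIT_DOMAINS = {"apple.com", "icloud.com", "signal.org"}  # assumed official list
# Assumed log layout: "<timestamp> <user> <url>", one record per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+)$")

def registrable(host):
    """Crude registrable-domain extraction (last two labels); no PSL lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def brand_lookalike(host):
    """Return the impersonated brand if host resembles it but is not official."""
    if registrable(host) in LEGIT_DOMAINS:
        return None
    # Fold common digit-for-letter swaps and hyphens before substring matching.
    folded = host.lower().replace("1", "l").replace("0", "o").replace("-", "")
    for brand in IMPERSONATED_BRANDS:
        if brand in folded:
            return brand
    return None

def classify(line):
    """Return (reason, user, host) for a suspicious record, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed record: skip rather than abort the scan
    host = (urlsplit(m["url"]).hostname or "").lower()
    if host in WATCHLIST or registrable(host) in WATCHLIST:
        return ("watchlist", m["user"], host)
    brand = brand_lookalike(host)
    return ("lookalike-" + brand, m["user"], host) if brand else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample proxy records for a dry run (not real telemetry).
SAMPLE_LOG = [
    "2023-11-02T09:14:01Z jdoe https://id.apple.com/login",
    "2023-11-02T09:15:33Z jdoe https://appleid-verify.example-host.test/session",
    "2023-11-03T10:00:00Z asmith https://signal.org/download",
    "2023-11-03T10:02:10Z asmith https://signa1-messenger.test/apk/update.apk",
    "2023-11-04T08:00:00Z jdoe https://malicious-domain-placeholder.test/apple",
    "garbage",
]
```

Replace the placeholder watchlist with the domains from the underlying report, and swap the deliberately crude registrable-domain helper for a Public Suffix List lookup before relying on it.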
Technical Notes — Attack vector: spearphishing (phishing). No specific CVE cited. Potential spyware: Intellexa’s Predator, capable of file exfiltration, contact harvesting, geolocation, and audio/video capture. Source: The Record