{"id":45369,"date":"2026-04-14T05:51:34","date_gmt":"2026-04-13T21:51:34","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/14\/bitter-apt-uses-signal-google-and-zoom-lures-to-spread-prospy-spyware\/"},"modified":"2026-04-14T05:51:34","modified_gmt":"2026-04-13T21:51:34","slug":"bitter-apt-uses-signal-google-and-zoom-lures-to-spread-prospy-spyware","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/14\/bitter-apt-uses-signal-google-and-zoom-lures-to-spread-prospy-spyware\/","title":{"rendered":"BITTER APT Uses Signal, Google, and Zoom Lures to Spread ProSpy Spyware"},"content":{"rendered":"\n<p>An ongoing spying operation targeting journalists and opposition politicians across the Middle East has been discovered. Researchers from the digital rights group <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.accessnow.org\/mena-phishing-2026\/\">Access Now<\/a> and the security firm Lookout collaborated in August 2025 to track these attacks. Their work shows that the hackers have been active from at least 2022 until today.<\/p>\n<h3><strong>How the scam works<\/strong><\/h3>\n<p>According to Lookout, the scam involves a trick called <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/spear-phishing-attacks-underline-danger\/\">spearphishing<\/a>, in which a scammer sends a believable message to a chosen target to get them to click a link. Researchers found that some targets were sent messages on LinkedIn or through iMessage, and some messages pretended to be from Apple Support.<\/p>\n<p>If the target clicks the link, they are sent to a \u201csimple, single page\u201d fake website. It imitates the real login pages of commonly used apps, including Zoom, Microsoft Teams, Google Drive, Yahoo, and iCloud. Scammers also trick their targets into linking their Signal accounts to the scammers' computers via malicious QR codes. 
If the victim follows the steps, the hackers can read all their private chats.<\/p>\n<p>&#8220;By linking their Signal account via the QR code, the victim gives the threat actor access to their Signal content,&#8221; the researchers explained in their <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.lookout.com\/threat-intelligence\/article\/bitter-hack-for-hire\">blog post<\/a>.<\/p>\n<h3><strong>A Closer Look at ProSpy<\/strong><\/h3>\n<p>This joint research and an <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/spyware-fake-signal-totok-apps-uae-android-users\/\">October 2025 report from ESET<\/a> reveal that Android users are tricked into downloading one of two pieces of malware: ProSpy or ToSpy. Both are spyware, programs that secretly monitor a user's every online activity. The spyware can even be distributed via a safe chat app like Signal, ToTok, or Botim. After compromising a device, it can steal:<\/p>\n<ul>\n<li>Photos, audio clips, and videos.<\/li>\n<li>Text messages (SMS) and contact lists.<\/li>\n<li>Private files like Word, Excel, and PDFs.<\/li>\n<li>Backup files from other apps like ToTok.<\/li>\n<\/ul>\n<p>Researchers explain that ProSpy is a feature-rich spyware developed in <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/android-malware-in-kotlin-on-play-store\/\" data-type=\"post\" data-id=\"60532\">Kotlin<\/a>, and out of the 11 ProSpy samples obtained, the earliest was from August 2024.<\/p>\n<p>\u201cProSpy is developed in a relatively professional way, and it has worker classes to handle the data collection and exfiltration tasks. 
It uses object-oriented programming principles and introduced new capabilities over the years, indicating it is actively being developed,\u201d Lookout threat intelligence analysts noted.<\/p>\n<div>\n<figure><a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware.png\"><img loading=\"lazy\" decoding=\"async\" width=\"447\" height=\"1024\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-447x1024.png\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-447x1024.png 447w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-131x300.png 131w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-768x1758.png 768w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-671x1536.png 671w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-895x2048.png 895w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-380x870.png 380w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware-800x1831.png 800w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/bitter-hackers-hit-middle-east-civil-society-with-prospy-malware.png 1111w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" alt=\"BITTER APT Uses Signal, Google, and Zoom Lures to Spread ProSpy Spyware\" \/><\/a><figcaption>Fake website used by the attackers, ProSpy distribution via ToTok, and the Signal lure (Source: 
Lookout)<\/figcaption><\/figure>\n<\/p><\/div>\n<h3><strong>Links to Bitter<\/strong><\/h3>\n<p>Lookout has linked this campaign to a South Asian group known as BITTER (also called T-APT-17, APT-Q-37) because the code in ProSpy is similar to an older piece of malware called <strong><a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/hackers-facebook-cyber-espionage-attacks-meta\/\" data-type=\"post\" data-id=\"116397\">Dracarys<\/a><\/strong> from 2022. Both, reportedly, use the same numbered commands to control the phone.<\/p>\n<p>As Hackread.com previously <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/bitter-apt-winrar-vulnerability-backdoor-attacks\/\"><strong>reported<\/strong><\/a>, BITTER&#8217;s attacks usually support the interests of the Indian government, and the group prefers to target military, energy, and government groups in places like:<\/p>\n<ul>\n<li>China<\/li>\n<li>Pakistan<\/li>\n<li>Saudi Arabia<\/li>\n<\/ul>\n<p>However, this new campaign is different because it is the first time BITTER has been caught targeting activists and journalists in Egypt, Lebanon, Bahrain, and the UAE. 
Researchers think that it might be a hack-for-hire job where the group was paid by someone else to do the spying.<\/p>\n<p>Still, the troubling part is that they are using mobile malware as \u201ca primary means of spying,&#8221; the researchers noted, concluding that we must be very careful when clicking any links to stay safe.<\/p>\n<div >\n<div>\n<div>\n<div>\n<h5> \t\t\t\t\t\t<a target=\"_blank\" rel=\"author\" href=\"https:\/\/hackread.com\/author\/deeba\/\"> \t\t\t\t\t\t\tDeeba Ahmed\t\t\t\t\t\t<\/a> \t\t\t\t\t<\/h5>\n<div>\n<div> \t\t\t\t\t\t\t\tDeeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. 
Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.\t\t\t\t\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>An ongoing spying operation has been discovered, specif [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-45369","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45369"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45369\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}