Executive Summary
The SMEX Digital Forensic Lab presents a report on a spear-phishing campaign that targeted a high profile Lebanese journalist in 2025.
The target, who wishes to remain anonymous, is a highly influential figure in the Lebanese media landscape, with decades of work as a reporter and editor and considerable influence in shaping political and national discourse. The journalist is well connected to the Lebanese government and is considered to have influence, a network of contacts, and knowledge of political matters, all of which make them a high-value target.
A first phishing attack took place on May 19, 2025, through the Apple Messages app. A second wave, consisting of two separate phishing messages on WhatsApp, Meta’s messaging app, took place on May 21 and 22. All of them used the same infrastructure and had the same goal of compromising the journalist’s main Apple Account.
The target reached out after both of these campaigns, on May 25, 2025. Recognizing the high risk and the persistent threat, SMEX’s Digital Forensics Lab (DFL) stepped in to analyze the forensic evidence, when available, of these digital attacks. The DFL established a dedicated channel of communication with the victim to provide continuous support and guide them through the necessary security protocols.
The initial attack successfully compromised the target’s Apple Account and resulted in the addition of a virtual device. However, forensic evidence was limited, as the case was shared with SMEX’s team only several days after the attack had taken place. The second wave of attacks was unsuccessful, but SMEX was able to capture a complete exfiltration of credentials (username, password, and two-factor authentication codes). The analysis shows that the infrastructure was identical in all instances and that the attack window was as short as roughly 30 seconds from the moment the password was submitted to full account takeover.
SMEX’s investigation uncovered a campaign characterized by technical precision and operational persistence. The threat actor demonstrated advanced capabilities including real-time interception of two-factor authentication codes, encrypted victim tracking mechanisms, and anti-forensic techniques designed to frustrate security researchers.
Collaborative information exchange with Access Now indicated that this attack shared infrastructure with two cases reviewed by Access Now’s helpline. The Helpline collaborated with the mobile security company Lookout to review two phishing cases against members of civil society in Egypt investigated by the Helpline. Lookout’s assessment was that the campaigns against these two individuals are likely linked to BITTER (also known as APT-C-08 and T-APT-17), a cyber espionage actor known for targeting government, military, diplomatic, and critical infrastructure sectors, mostly across South Asia, with some targets in China, Saudi Arabia, Turkey, and South America. Access Now also believes that the case investigated by SMEX is likely related to the same threat actor identified by Lookout, but more research is needed to confirm this. This threat actor has traditionally been active in South Asia, Saudi Arabia, Turkey, and South America, but our investigation suggests that it may also be active in South West Asia and North Africa.
This report documents SMEX’s technical findings, details the attack infrastructure and methodologies employed, and presents SMEX’s assessment of the suggestion by our colleagues at Access Now that the attack is likely related to the two cases they identified that Lookout independently attributed to BITTER. It serves as both a record of this specific campaign and a warning to civil society organizations, journalists, and political figures throughout the region: sophisticated threat actors are actively working to compromise your digital lives, and vigilance remains your most essential defense.
Key findings
- A sophisticated phishing attack compromised the Apple account of a civil society member in Lebanon, harvesting the victim’s credentials and potentially multi-factor authentication codes through the phishing page and by attaching a virtual device to the victim’s account.
- The phishing campaign included persistent attacks via iMessage/Apple Messages and WhatsApp over the course of X days/weeks, etc., impersonating Apple Support.
- While the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted.
- The methods and indicators of the attack are similar to the attacks conducted against two Egyptian civil society members identified by Access Now in their corresponding investigation. Lookout independently assesses that the hack-for-hire campaign identified by Access Now is likely tied to BITTER.
- Access Now believes that the same threat actor in their investigation is also likely behind the case identified by SMEX, based on the use of similar impersonation tactics, a common fingerprint, and the repeated use of the same attack infrastructure.
Read the full findings in the downloadable report: Rotten Apple: An Invasive Threat Actor Targeting Civil Society in Lebanon.