Two Egyptian Journalists Targeted in Sophisticated Spearphishing Campaign Tied to Spyware Infrastructure


What happened

Two prominent Egyptian journalists were targeted in a sophisticated spearphishing campaign that ran from October 2023 through January 2024 and focused on compromising their Apple and Google accounts. Researchers from Access Now and Lookout said the attackers used fake personas, phony profiles, and messages impersonating legitimate people and services, including Signal, to lure the targets. The infrastructure used in the campaign showed overlaps in domains, hosting, and code, and the researchers said it could also support delivery of Android spyware capable of accessing files, contacts, text messages, geolocation, microphones, and cameras, and of installing malicious apps. This campaign also comes in the context of earlier targeting documented by Citizen Lab, which found that Ahmed Eltantawy's phone had previously been targeted with Intellexa's Predator spyware in September 2021 and again between May and September 2023.

Who is affected

The direct targets were Egyptian journalists Mostafa Al-A’sar and Ahmed Eltantawy, both of whom have challenged the Egyptian government and faced persecution by authorities. The report said neither victim’s accounts were ultimately penetrated, though one target entered account credentials before stopping after receiving a suspicious two-factor authentication alert from a location in Egypt. 

Why CISOs should care

This incident matters because it shows how spearphishing can be used as a lower-cost but still highly targeted alternative or complement to spyware operations. It also highlights how attackers can combine fake identities, trusted-platform impersonation, and persistent infrastructure to pursue high-value individuals over time, especially in politically sensitive environments. 

3 practical actions

  1. Harden account-targeting defenses: Strengthen protections around Apple and Google accounts used by high-risk staff, including phishing-resistant multi-factor authentication and close monitoring of suspicious login prompts. 
  2. Train for multi-channel impersonation: Prepare users for attacks that use fake personas and trusted services such as Signal, not just conventional email phishing. 
  3. Treat spyware-adjacent infrastructure seriously: Investigate overlapping domains, hosting, and code patterns quickly when phishing infrastructure may also support spyware delivery or data exfiltration. 
