
BITTER APT Uses Signal, Google, and Zoom Lures to Spread ProSpy Spyware
Why It Matters
The campaign shows a sophisticated APT group impersonating everyday communication apps to spy on civil‑society figures, raising the threat level for journalists across the Middle East and highlighting the need for stronger mobile security practices.
Key Takeaways
- BITTER APT used Signal device‑linking QR codes to gain access to victims' chats.
- ProSpy spyware targets Android devices via fake Zoom and Google links.
- The campaign expands BITTER's focus to Middle‑East journalists and activists.
- Researchers link ProSpy's code to the 2022 Dracarys malware family.
- The attack is likely a hack‑for‑hire operation supporting Indian government interests.
Pulse Analysis
The BITTER APT group, also tracked as T‑APT‑17, has historically aligned its operations with Indian strategic interests, targeting military and energy organizations in China, Pakistan and Saudi Arabia. The latest campaign marks a notable pivot toward civil‑society actors in the Middle East, specifically journalists and opposition politicians in Egypt, Lebanon, Bahrain and the UAE. Spear‑phishing messages sent over LinkedIn and iMessage, some posing as Apple Support, lure victims to counterfeit login pages for Zoom, Microsoft Teams, Google Drive and iCloud; the harvested credentials give the group a foothold for deeper intrusion.
At the technical core of the operation is ProSpy, a Kotlin‑based Android spyware that exfiltrates photos, audio recordings, documents, SMS messages, contacts and chat backups from messaging apps such as ToTok and Botim. Alongside the malware, the campaign uses malicious QR codes that walk victims through Signal's device‑linking flow, registering an attacker‑controlled device on the account; that device then receives a copy of the account's messages without the attacker having to break Signal's encryption. ProSpy shares code with the 2022 Dracarys malware, a lineage the Lookout team traced back to BITTER's earlier toolset. The use of everyday communication tools as lures underscores the growing maturity of mobile‑first espionage campaigns.
For businesses and NGOs operating in the region, the findings call for a reassessment of mobile security practice, with controls aimed at the vectors this campaign actually used: block or alert on APK installs from outside a vetted store (the "install unknown apps" permission on managed devices), and have at‑risk users periodically review Signal's Settings > Linked Devices and remove any device they do not recognize, since a linked device keeps receiving messages until it is unlinked. Moreover, the suspected hack‑for‑hire nature of the campaign suggests that state‑aligned actors may outsource surveillance to specialized groups, expanding the set of adversaries an organization must plan for beyond traditional nation‑state threats. User education, a phishing‑resistant login process for the cloud services being impersonated, and a rehearsed incident‑response plan are now essential components of any comprehensive cyber‑risk strategy.
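One concrete check that follows from this: on an Android device handed over for triage, `adb shell pm list packages -3 -i` lists third‑party packages together with the package that installed each one, and anything not installed by the Play Store (`com.android.vending`) deserves a closer look. The script below is an added example, not code from the Lookout research or from this page; it parses a constructed sample of that command's output offline (the `com.example.*` package names and their installers are made up for illustration and are not indicators from the campaign) and returns the packages that did not come from a trusted store.

```python
"""Triage sideloaded Android apps from `pm list packages -3 -i` output.

Added example: parses the installer column of Android's package-manager
listing and flags third-party apps that were not installed by a vetted
store. Input is a constructed sample; nothing here talks to a device.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Installers treated as vetted. Assumption: Google Play only; an enterprise
# MDM agent's package name would be added here if one is in use.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output. The two
# com.example.* entries are made up to model a sideloaded "Zoom update"
# and a "Drive helper"; they are not real indicators.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.zoomupdate  installer=com.android.packageinstaller
package:com.example.drivehelper  installer=null
"""


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    installer: Optional[str]  # None when pm reports installer=null


def parse_pm_list(output: str) -> List[InstalledPackage]:
    """Parse `package:<name>  installer=<pkg|null>` lines; skip anything else."""
    packages: List[InstalledPackage] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        name = fields[0]
        installer: Optional[str] = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        packages.append(InstalledPackage(name, installer))
    return packages


def sideloaded(packages: List[InstalledPackage],
               trusted: Set[str] = TRUSTED_INSTALLERS) -> List[InstalledPackage]:
    """Return third-party packages whose installer is not a trusted store.

    installer=null (adb install, or unknown origin) and the system package
    installer (user tapped an APK from a browser or file manager) both count
    as untrusted; each flagged package should be pulled and analysed.
    """
    return [p for p in packages if p.installer not in trusted]


def describe(pkg: InstalledPackage) -> str:
    """Human-readable reason for the flag, for the triage report."""
    if pkg.installer is None:
        return f"{pkg.name}: no recorded installer (adb install or unknown origin)"
    return f"{pkg.name}: installed by {pkg.installer}, not a vetted store"


if __name__ == "__main__":
    for flagged in sideloaded(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(describe(flagged))
```

On a real device the listing comes from `adb shell pm list packages -3 -i`; the `-3` flag restricts the output to third‑party apps, which is why a null installer is suspicious here rather than the norm it would be for system apps. A flagged package is a lead, not a verdict: locate the APK with `adb shell pm path <package>`, pull it with `adb pull`, and compare its signing certificate with the vendor's before deciding it is malicious.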