The breach demonstrates how well‑crafted social engineering can compromise high‑profile individuals, exposing sensitive communications and amplifying the risk of geopolitical espionage in a volatile region.
The rise of mobile messaging platforms has created fertile ground for phishing, and WhatsApp’s popularity in the Middle East makes it an attractive delivery channel. By hosting the phishing infrastructure behind a dynamic DNS service, the attackers masked its true location and could re‑point the hostname at will, letting them serve counterfeit Gmail login pages and QR‑code lures aimed at hijacking WhatsApp sessions at scale. The technique fits a broader trend in which threat actors hide behind legitimate services to evade detection while harvesting credentials from high‑value accounts.
Technical analysis of the compromised site revealed a multi‑stage workflow. Victims who clicked the link were redirected either to a fake Gmail portal or to a WhatsApp‑styled page that prompted for location, camera, and microphone permissions. The malicious script recorded user agents spanning Windows, macOS, iOS, and Android and wrote each interaction in real time to a server‑side file that was left unprotected. That file, later exposed, contained more than 850 records of usernames, passwords, two‑factor codes, and even attempted media captures, giving a granular view of each victim’s path through the phishing flow.
Attribution remains ambiguous, but the campaign’s sophistication and target list suggest a hybrid motive. The inclusion of political figures and diaspora activists points to possible state‑sponsored espionage, while the early domain registrations and the scope for financial exploitation hint at criminal involvement. For defenders, the captured two‑factor codes are the key lesson: a phishing page that relays a one‑time code in real time defeats SMS and app‑based codes, so organizations should move high‑risk users to phishing‑resistant MFA (FIDO2 security keys or passkeys), educate users about unsolicited WhatsApp links and QR codes, have WhatsApp users review their linked devices and enable two‑step verification, and monitor DNS telemetry for resolutions to dynamic‑DNS zones and hostnames whose addresses change rapidly.
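The DNS monitoring recommended above can be started with a small triage pass over resolver logs. The following is an added example, not code from the article or from the researchers it cites; the article does not name the dynamic DNS provider, so the zone list, the log format, and the sample lines are all constructed assumptions. It flags two weak signals that together are worth an analyst's attention: queries for hostnames under known dynamic‑DNS zones, and hostnames that resolve to several distinct addresses within a short window (typical of a host being re‑pointed, though CDNs trigger it too).

```python
"""Triage DNS resolver logs for dynamic-DNS lookups and fast-changing hosts.

Added example, not from the original article. The zone list, the log
format and the sample log lines are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: a handful of public dynamic-DNS zones. Extend from your own intel.
DYNAMIC_DNS_ZONES = {"no-ip.org", "ddns.net", "duckdns.org", "dyndns.org", "hopto.org"}

# Constructed sample log in an assumed "timestamp client qname rtype answer"
# layout, using documentation IP ranges. One phishing-style host under a
# dynamic-DNS zone rotates through three addresses in 40 minutes.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.15 mail.google.com A 142.250.72.37
2024-05-01T09:00:05Z 10.0.0.15 accounts-verify-login.ddns.net A 192.0.2.10
2024-05-01T09:10:09Z 10.0.0.22 accounts-verify-login.ddns.net A 198.51.100.44
2024-05-01T09:12:30Z 10.0.0.22 example.org A 93.184.216.34
2024-05-01T09:40:11Z 10.0.0.15 accounts-verify-login.ddns.net A 203.0.113.7
2024-05-01T10:05:00Z 10.0.0.31 cdn.example.net A 198.51.100.5
2024-05-01T10:05:02Z 10.0.0.31 cdn.example.net A 198.51.100.6
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rtype, answer = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "rtype": rtype,
        "answer": answer,
    }


def is_dynamic_dns(qname):
    """True if any registrable suffix of qname is a known dynamic-DNS zone."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in DYNAMIC_DNS_ZONES for i in range(len(labels) - 1))


def find_fast_changing_hosts(records, window=timedelta(hours=1), min_ips=3):
    """Return qnames that resolved to >= min_ips distinct addresses inside any
    sliding window of length `window`. Rapid rotation fits a dynamic-DNS host
    being re-pointed, but CDNs do it too, so treat this as a weak signal."""
    by_name = defaultdict(list)
    for r in records:
        if r["rtype"] in ("A", "AAAA"):
            by_name[r["qname"]].append((r["ts"], r["answer"]))
    flagged = set()
    for qname, hits in by_name.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged.add(qname)
                break
    return flagged


def triage(log_text):
    """Flag suspicious hostnames and list which internal clients touched them."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    dyn = {r["qname"] for r in records if is_dynamic_dns(r["qname"])}
    fast = find_fast_changing_hosts(records)
    suspects = dyn | fast
    clients = defaultdict(set)
    for r in records:
        if r["qname"] in suspects:
            clients[r["qname"]].add(r["client"])
    return {
        "dynamic_dns": sorted(dyn),
        "fast_changing": sorted(fast),
        "clients": {name: sorted(c) for name, c in clients.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in sorted(result["clients"]):
        tags = [t for t in ("dynamic_dns", "fast_changing") if name in result[t]]
        print(f"{name}: {', '.join(tags)}; clients {result['clients'][name]}")
```

The two signals are deliberately kept separate in the output: a dynamic‑DNS hit alone is common for hobbyist hosts, and address rotation alone is common for CDNs, but a hostname that trips both, and that several internal clients visited shortly after a WhatsApp message, is the kind of lead this campaign would have produced. The client list is what turns a DNS alert into an incident scope.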