Rotten Apple: An Invasive Threat Actor Targeting Civil Society in Lebanon

The SMEX Digital Forensic Lab presents a report on a spear-phishing campaign that targeted a high-profile Lebanese journalist in 2025. This journalist is a highly influential figure within the Lebanese media landscape, with decades of experience as a reporter and editor, significantly shaping political and national discourse. 🌍

Attack Overview

The first phishing attack occurred on May 19, 2025, via the Apple Messages app. A second wave, consisting of two separate phishing messages on WhatsApp, took place on May 21 and 22. All attacks aimed to compromise the journalist’s main Apple Account. 📱

The initial attack successfully compromised the target’s Apple Account, resulting in the addition of a virtual device. Although the second wave of attacks was unsuccessful, SMEX captured a complete exfiltration of credentials, including username, password, and two-factor authentication codes. 🔑

Technical Analysis

The investigation revealed a campaign characterized by technical precision and operational persistence. The threat actor demonstrated advanced capabilities, including real-time interception of two-factor authentication codes and encrypted victim-tracking mechanisms. The phishing campaign involved persistent attacks via iMessage (Apple Messages) and WhatsApp, impersonating Apple Support. 🛡️

Broader Implications

Collaborative information exchange with Access Now indicated that this attack shared infrastructure with two other cases reviewed by Access Now’s helpline. Lookout’s assessment suggested that the campaigns against these individuals are likely linked to BITTER (also known as APT-C-08 and T-APT-17), a cyber espionage actor known for targeting government, military, diplomatic, and critical infrastructure sectors primarily across South Asia, with some targets in China, Saudi Arabia, Turkey, and South America. 🌐

Access Now believes that the case investigated by SMEX is likely related to the same threat actor identified by Lookout, based on similar impersonation tactics and common infrastructure. This threat actor, traditionally active in South Asia, Saudi Arabia, Turkey, and South America, may also be operating in Southwest Asia and North Africa. 🔍

For further details, you can read the complete article here: Read full article

This post is licensed under CC BY 4.0 by the author.