Hackers are still getting into phones the boring way: by pretending to be Apple. A new set of reports says a years-long hack-for-hire campaign used fake Apple pages to harvest Apple ID logins, then moved into iCloud backups – a tidy shortcut to the contents of an iPhone without breaking the phone itself.

The campaign is said to have targeted journalists, activists, and government officials across the Middle East and North Africa, with victims also identified in the United Kingdom and possibly the United States. That mix is familiar: the tools are low-tech, but the targets are high-value, which is usually a sign that the operator cares more about access than elegance.

Phishing pages built to look like Apple services

Security researchers say the operation leaned on impersonation sites rather than complex exploits. One report described nearly 1,500 web addresses set up to mimic legitimate services and host phishing pages or related infrastructure, with Apple-themed domains designed to look close enough to real login flows to catch an unwary user.

The point was simple: steal Apple ID credentials, then use them to reach iCloud backups. For an attacker, that can be almost as good as holding the device in hand, because the backup often contains the sort of material people assume lives only on the phone.

  • Apple-themed domains were used alongside lookalike pages for Google, Microsoft, Signal, WhatsApp, and Yahoo.
  • Researchers tied the campaign to BITTER APT, described as an offshoot of the Indian hack-for-hire startup Appin.
  • The attacks in the reports span 2023 to 2025.

Why hack-for-hire firms are winning customers

This is part of a bigger shift in cyber-espionage: governments and politically motivated operators increasingly appear to be outsourcing dirty work to private firms. That gives customers plausible deniability, while the contractors get to industrialize phishing, infrastructure, and targeting without needing exotic zero-days every time.

It also helps explain why these campaigns keep recycling old tricks. If a fake login page costs less than commercial spyware, and it works against real people under deadline pressure, why spend more? The answer, apparently, is that many operators don’t.

How to protect your Apple ID from phishing pages

The lesson is unglamorous but useful: device security is only as strong as the login screen in front of it. Apple has spent years hardening the iPhone itself, but a stolen password can still open doors that no exploit chain needs to touch.

That leaves the obvious defenses doing the unexciting work: checking web addresses carefully (a real Apple sign-in lives under apple.com or icloud.com, not on a domain that merely contains those words somewhere in its name), using phishing-resistant authentication where possible (Apple ID supports hardware security keys as a second factor), and treating any message that urges a fast Apple sign-in as suspicious. Because the payoff in this campaign was the iCloud backup rather than the device, turning on Advanced Data Protection is the other lever: it end-to-end encrypts backups, so a phished password on its own no longer yields their contents. The attackers are banking on muscle memory. Don't give it to them for free.
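As an added example (not from the article, 9to5mac, or the researchers' reports), here is the "check the address carefully" advice written down as a conservative allowlist check. It accepts only https URLs whose host is apple.com, icloud.com, or a true subdomain of one of them, and otherwise names the trick: a lookalike such as `appleid.apple.com.verify-login.example`, a userinfo prefix (`https://appleid.apple.com@evil.example/`), or a homoglyph host that only becomes visible in its punycode form. The allowlist, the reason strings and the sample URLs (all on the reserved `.example` TLD) are assumptions constructed for this example.

```python
"""Added example: conservative allowlist check for Apple sign-in URLs.
Not Apple's logic and not from the cited research; the allowlist and the
sample URLs below are constructed for illustration."""
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains that host Apple sign-in flows.
# Illustrative only; confirm the authoritative set before relying on it.
APPLE_LOGIN_DOMAINS = ("apple.com", "icloud.com")


def normalize_host(host: str) -> str:
    """Lowercase, strip a trailing dot, and convert any IDN label to punycode (xn--).
    Returns '' when the host cannot be IDNA-encoded (e.g. an empty label)."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""


def why_suspicious(url: str) -> str:
    """Return '' when url is an https URL on an allowlisted Apple domain, else a reason."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "scheme is not https"
    host = normalize_host(parts.hostname or "")
    if not host:
        return "host missing or malformed"
    if "@" in parts.netloc:
        # Everything before the last '@' is userinfo, not the host: the browser
        # goes to whatever follows it, however Apple-like the prefix looks.
        return "userinfo trick: real host is %s" % host
    if "xn--" in host:
        # Apple's sign-in hosts are plain ASCII, so an IDN label (a homoglyph
        # such as a Cyrillic letter standing in for a Latin one) is never legitimate.
        return "IDN/homoglyph host: %s" % host
    # Match on a dot boundary: the domain itself or a true subdomain of it.
    # 'apple.com-secure.example' and 'appleid.apple.com.evil.example' both fail here.
    if any(host == d or host.endswith("." + d) for d in APPLE_LOGIN_DOMAINS):
        return ""
    return "lookalike: %s is not under an Apple sign-in domain" % host


def triage(urls):
    """Map each URL to a verdict so links pulled from a suspicious message can be reviewed at once."""
    return {u: (why_suspicious(u) or "ok") for u in urls}


if __name__ == "__main__":
    # Constructed samples; the lookalike hosts use the reserved .example TLD.
    samples = [
        "https://appleid.apple.com/auth/authorize",
        "https://APPLEID.Apple.com./account",
        "http://appleid.apple.com/",
        "https://appleid.apple.com.verify-login.example/",
        "https://apple.com-secure.example/",
        "https://appleid.apple.com@evil.example/",
        "https://\u0430pple.com/",          # first letter is Cyrillic 'а'
        "https://appleid..apple.com/",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:55s} {url}")
```

The check is deliberately strict: it rejects anything with userinfo or an IDN label rather than trying to decide whether such a URL could be benign, because for an Apple sign-in page those constructs never occur legitimately and the cost of a false rejection is one manual look at the address bar.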

Source: 9to5mac
