Mumbai, January 17: A sophisticated cyber-espionage campaign has been uncovered targeting high-profile individuals across the Middle East, including government ministers, academics, and business leaders. The operation, first identified by UK-based Iranian activist Nariman Gharib and later verified by cybersecurity researchers, uses a multi-stage phishing attack to hijack WhatsApp accounts and steal Gmail credentials. Evidence suggests the campaign is designed not just for data theft but for real-time surveillance, allowing attackers to remotely access device cameras, microphones, and location data.
The hacking spree comes at a time of heightened digital warfare in the region, with researchers noting that the infrastructure for this campaign was established in late 2025. Victims identified so far include a senior Lebanese cabinet minister, the head of an Israeli drone manufacturing firm, a Middle Eastern academic specialising in national security, and several journalists. Phishing links were primarily distributed via WhatsApp messages, tricking users into clicking on subdomains masked by dynamic DNS providers to appear as legitimate meeting or login requests.
Inside the WhatsApp ‘Surveillance Kit’
Technical analysis of the attack chain reveals a highly advanced method for compromising WhatsApp accounts. When a target clicks the malicious link, they are directed to a fake WhatsApp Web interface that displays a live QR code. This code is a real-time relay from the attacker’s own browser; if the victim scans it, believing they are authenticating a desktop session or joining a virtual meeting, they unknowingly grant the hacker full access to their encrypted messages and contact lists.
Middle East Phishing Attack 2026
Beyond account hijacking, the phishing kit requests browser-level permissions that turn the victim's device into a tracking tool. If a user inadvertently grants access to their camera or microphone, the malicious code is capable of capturing photos and audio bursts every three to five seconds. Researchers found that the attacker's server remained active for several weeks, tracking the coordinates of victims as long as the phishing tab remained open in their browsers.
Targeting and Potential Attribution
While the exact identity of the hackers remains unconfirmed, security experts note that the operation bears the hallmarks of APT42, a threat actor group frequently linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). The campaign's focus on individuals involved in Iran-related political activism, as well as high-ranking regional officials, points toward a state-sponsored espionage motive. However, some researchers have also observed overlaps with financially motivated cybercrime infrastructure, suggesting the possibility of outsourced hacking services.
Gmail Credential Theft News
The attack also targeted Gmail users through a classic credential-harvesting flow. By presenting a pixel-perfect imitation of the Google sign-in page, hackers were able to intercept usernames, passwords, and even two-factor authentication (2FA) codes. In one instance, logs showed a victim attempting several incorrect passwords before finally entering the correct one, which was immediately used by the attackers to bypass security measures and gain full inbox access.
Preventive Measures and Current Status
Although the primary phishing domain used in this cluster has been taken down, security analysts warn that the underlying kit is likely to resurface under different subdomains. Users are strongly advised to remain vigilant against unsolicited WhatsApp messages, even if they appear to come from known contacts, as those accounts may have already been compromised. Experts recommend that high-risk individuals enable hardware-based security keys rather than relying solely on SMS-based 2FA, which this campaign proved capable of intercepting.
How to Stay Safe from Such Cyberattacks?
- Do not click unknown or urgent links received on WhatsApp
- Never scan QR codes sent through messages or emails
- Always verify meeting or login requests via another channel
- Check website URLs carefully for fake or misspelt domains
- Deny camera, microphone and location access to unknown sites
- Enable WhatsApp two-step verification with a secure PIN
- Regularly review and remove unknown WhatsApp Web sessions
- Use hardware security keys for Gmail instead of SMS-based 2FA
- Keep apps and device software fully updated
- Assume targeting if you are a journalist, activist or executive
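As an added illustration of the "check website URLs carefully" advice above (example code written for this page, not part of the original article or any vendor tool), the following Python helper screens a link for the patterns the article describes: hosts under dynamic DNS providers, brand names appearing outside the official domain, misspelt lookalike domains, and two older deceptions (credentials in the URL, raw IP hosts). The list of dynamic-DNS parent domains, the set of official domains and every sample URL are constructed assumptions; a real deployment would use a maintained list and a proper public-suffix parser.

```python
"""Screen a URL for the phishing patterns described in the article.

Added example; the dynamic-DNS list and official-domain list below are
assumptions chosen for illustration, not data from the article.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumption: a few well-known dynamic DNS parent domains. A production
# screen would load a maintained list instead of hard-coding one.
DYNAMIC_DNS_PARENTS = {
    "duckdns.org", "no-ip.org", "ddns.net", "dynu.com",
    "hopto.org", "zapto.org", "myftp.biz", "freedynamicdns.net",
}

# Assumption: the registrable domains of the two brands the kit imitated.
OFFICIAL_DOMAINS = ("whatsapp.com", "google.com")

# Brand words that should never appear in a host outside OFFICIAL_DOMAINS.
BRAND_KEYWORDS = ("whatsapp", "google", "gmail")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between domains mean a likely lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(url: str) -> tuple[str, bool]:
    """Return (lower-cased host, has_userinfo). Handles scheme-less input,
    user:pass@ prefixes, ports and bracketed IPv6 literals."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find netloc
    netloc = urlsplit(url).netloc
    has_userinfo = "@" in netloc
    host = netloc.rsplit("@", 1)[-1]   # everything before '@' is not the host
    if host.startswith("["):
        host = host[1:host.index("]")]  # IPv6 literal
    else:
        host = host.split(":", 1)[0]    # strip port
    return host.lower().rstrip("."), has_userinfo


def registrable_domain(host: str) -> str:
    """Simplification: last two labels. Fine for .com/.org, wrong for .co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def screen_url(url: str) -> dict:
    """Return {'host': ..., 'flags': [...]}; an empty flag list means the
    link showed none of the screened patterns (not that it is safe)."""
    host, has_userinfo = extract_host(url)
    parent = registrable_domain(host)
    flags: list[str] = []

    if parent in OFFICIAL_DOMAINS:      # e.g. web.whatsapp.com, accounts.google.com
        return {"host": host, "flags": flags}

    if has_userinfo:                    # "accounts.google.com@evil" trick
        flags.append("credentials-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("raw-ip-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")  # internationalised lookalike candidate
    if parent in DYNAMIC_DNS_PARENTS:
        flags.append("dynamic-dns-host")
    if any(word in host for word in BRAND_KEYWORDS):
        flags.append("brand-name-outside-official-domain")
    for official in OFFICIAL_DOMAINS:
        if _levenshtein(parent, official) <= 2:
            flags.append(f"lookalike-of-{official}")
    return {"host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample links, not indicators from the article.
    for sample in ("https://web.whatsapp.com/", "https://web-whatsapp.duckdns.org/join",
                   "whatsap.com/web", "https://accounts.google.com@203.0.113.7/login"):
        print(sample, "->", screen_url(sample)["flags"])
```

Any non-empty flag list is a reason to verify the request through another channel before opening the page, which is the point of the list above; an empty list only says the link matched none of these heuristics.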
WhatsApp Security Alert January 2026
The exposure of this campaign highlights the evolving nature of mobile-first espionage. As the Middle East continues to face internet shutdowns and regional instability, digital platforms have become primary battlegrounds for intelligence gathering. Meta, the parent company of WhatsApp, has reportedly been notified of the findings and is working to implement further protections against QR-code-based account linking from unverified sources to prevent such takeovers in the future.
(The above story first appeared on LatestLY on Jan 17, 2026 01:15 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).