Research reveals malicious digital campaign against Pakistani human rights defenders

Phishing attack. Image by Tumisu via Pixabay. CC0.

Cybersecurity researchers have found that commercially available spy software has been used to infiltrate the activist communities in Pakistan.

A May 2018 report by Amnesty International describes how rogue accounts engage with activists and trick them into downloading malicious software that can spy on them through their phones and computers. Lookout, a cybersecurity firm, also published similar findings that month.

Anna Neistat, Amnesty's senior director for research tweeted:

Human rights researcher and Executive Director of @EquidemResearch Mustafa Qadri tweeted:

The Amnesty report identifies a network of falsified social media profiles that use “social engineering” to gain proximity to human rights defenders, infect their devices with malware and obtain their email and social media credentials.

The report finds that attackers were using at least two different types of surveillance software, one known as Crimson, and the other StealthAgent.

A custom-build Android spyware, StealthAgent can intercept phone calls and messages, steal pictures, and track victims’ locations once installed on a victim’s Android phone. Amnesty believes this was custom-built for the attackers, but may have been derived from technical code in a commercial spy software called TheOneSpy, which is owned by the Australian company Ox-I-Gen. TheOneSpy is marketed as a tool for parents to monitor their children's mobile phone activities.

The report highlights the story of Diep Saeeda, a well-known activist from the eastern city of Lahore who became the target of a well‑orchestrated and relentless surveillance campaign.

Saeeda had been involved in Aman ki Asha, an initiative to bring peace between India and Pakistan. On December 2, 2017, one of her friends, Raza Mehmood Khan, a peace activist who tried to bring people from India and Pakistan together through activities like letter-writing, was subjected to an enforced disappearance.

According to Amnesty, a Facebook user who claimed to be an Afghan woman named Sana Halimi living in Dubai and working for the UN contacted Saeeda via Facebook to get information about her missing friend Raza Khan. The operator of the profile sent her links to files containing malware called StealthAgent which, if opened, would have infected her mobile devices.

The accounts under the name of Sana Halimi used for a profile picture a photo of Salwa Gardezi, a 21-year-old Pakistani business student and a chef from Lahore. Gardezi is known for her critiques of Pakistani military.

Gardezi registered an official complaint with the Federal Investigative Bureau or FIA.

It was very shocking for me because I have no relation or interest in politics or anything like that. It is a very horrifying phase for me to see my face used as Sana Halimi. I’d like to share that I feel physically threatened.

Unlawful surveillance of human rights defenders is not a new phenomenon and the threats attached to them are increasing. Surveillance of civil society organizations and individuals has become a tool used by repressive regimes to track activities and for the crackdown on voices of dissent.

In 2017, the University of Toronto's Citizen Lab uncovered Nile Phish: Large-scale phishing campaign targeting Egyptian civil society. This report describes Nile Phish, an ongoing and extensive phishing campaign against Egyptian civil society. In recent years, Egypt has witnessed what is widely described as an “unprecedented crackdown,” on both civil society and dissent. A 2016 research report by the same group showed evidence of attacks against journalists, activists, and dissidents in the United Arab Emirates.

Amnesty International and local civil society organizations have demanded that, as an elected member of the United Nations Human Rights Council, Pakistan immediately order an independent investigation to uncover those running the campaign to ensure the security of human rights activists both online and offline.

Start the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.