23 April 2021

Facebook disrupts cyber-espionage campaign run by Palestinian hackers


Facebook says it disrupted the activities of two separate Palestine-linked hacker groups that abused its platform to conduct cyber-espionage and distribute malware.

One of the hacker groups is believed to have ties to the Preventive Security Service (PSS), the Palestinian Authority’s internal intelligence organization. It primarily targeted victims in the Palestinian territories and Syria and, to a lesser degree, Turkey, Iraq, Lebanon and Libya, Facebook said.

The group used a variety of malicious tools, including custom-built Android malware, the SpyNote Android RAT, as well as Windows malware (NJRat and HWorm) to spy on users. The hackers also used social engineering techniques to trick targets into clicking on malicious links and installing malware on their devices.

“This group used fake and compromised accounts to create fictitious personas posing primarily as young women, and also as supporters of Hamas, Fatah, various military groups, journalists and activists to build trust with people they targeted and trick them into installing malicious software. Some of their Pages were designed to lure particular followers for later social engineering and malware targeting,” Facebook said.

The other hacker group, Arid Viper, targeted primarily domestic audiences in Palestine, including government officials, members of the Fatah political party, student groups and security forces.

“It used sprawling infrastructure to support its operations, including over a hundred websites that either hosted iOS and Android malware, attempted to steal credentials through phishing or acted as command and control servers,” according to Facebook.

In addition to Windows and Android malware, the group used a custom-built iOS espionage tool, dubbed Phenakite, which was capable of stealing sensitive user data from iPhones without jailbreaking the devices prior to the compromise. The malware was delivered via a trojanized chat application that used the open-source RealtimeChat code for legitimate app functionality. Phenakite could also direct people to phishing pages for Facebook and iCloud to steal their credentials for those services.
