A coordinated phishing campaign targeting Kuwait's critical sectors has been uncovered through a distinctive operational security lapse: the consistent reuse of SSH authentication keys across multiple attack servers.
The campaign, which remains active as of May 2025, has deployed over 100 domains to harvest credentials through meticulously cloned login portals impersonating legitimate Kuwaiti companies in the fisheries, telecommunications, and insurance sectors.
Rather than employing traditional typosquatting techniques, the attackers have registered brand-inspired domains using transliterations and generic references, making conventional detection methods less effective.
The phishing infrastructure spans multiple servers concentrated on the IP addresses 78.153.136[.]29, 134.124.92[.]70, and 138.124.78[.]35, all hosted within Aeza International Ltd's network (AS210644).
These servers exhibit multi-tenant characteristics, simultaneously hosting domains that target different sectors to maximize operational efficiency.
Many of the domains impersonate the National Fishing Company of Kuwait, with examples including alwattnya[.]com, wtanaya[.]com, elwattanya1[.]com, and alwattnia[.]com.
The websites convincingly replicate legitimate company storefronts, complete with product listings and shopping cart features.
Hunt.io researchers identified the campaign after receiving a tip regarding sustained phishing activity targeting industries in Kuwait.
Their investigation revealed that more than half of the 230+ domains were impersonating the National Fishing Company of Kuwait.
Website imitating the National Fishing Company (Source – Hunt.io)
The websites closely mimicked the appearance of legitimate sites, as the example page above, imitating the National Fishing Company's online storefront, shows.
Infrastructure
The critical technical finding that exposed this operation was the consistent reuse of SSH authentication keys across the phishing infrastructure.
Two specific SSH key fingerprints were repeatedly deployed across multiple servers, creating a distinctive signature that allowed researchers to link seemingly unrelated phishing domains.
This operational security failure gave security teams a reliable method to identify the full scope of the campaign despite its use of diverse domain naming conventions and hosting arrangements.
The SSH key reuse demonstrates how sophisticated threat actors can unwittingly create detectable patterns through infrastructure management shortcuts.
When configuring new servers, the attackers apparently deployed the same authentication keys rather than generating unique credentials for each asset.
SSH key pivot on 138.124.92[.]70 (Source – Hunt.io)
This allowed Hunt.io researchers to pivot across the infrastructure, as the SSH key pivot visualization for 138.124.92[.]70 above shows.
To identify related infrastructure through SSH key fingerprinting, security professionals can query for these specific key fingerprints across their network environments.
The consistent deployment pattern within Aeza International Ltd's ASN provides additional context for threat hunting efforts.
Security teams can use the following query to identify potential malware sightings across this specific ASN:
SELECT ip, hostname, malware.name
FROM malware
WHERE asn.number == '210644'
GROUP BY ip, hostname, malware.name
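As an added illustration of the SSH-key pivot described above (example code written for this page, not Hunt.io's tooling), the script below takes ssh-keyscan style records, computes OpenSSH-style SHA256 fingerprints, and groups hosts that present the same public key, which is exactly the signal that linked the campaign's servers. The host addresses come from RFC 5737 documentation ranges and the keys are constructed from fixed seeds; none of it is observed data.

```python
"""Cluster hosts by shared SSH host-key fingerprint (defender-side pivot)."""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(seed: bytes) -> bytes:
    """Build a syntactically valid ssh-ed25519 public-key blob from a 32-byte seed.
    The seed stands in for a real public key: constructed test data only."""
    if len(seed) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(seed)


def keyscan_line(host: str, blob: bytes, keytype: str = "ssh-ed25519") -> str:
    """Format a record the way ssh-keyscan prints it: host, key type, base64 blob."""
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


def fingerprint(raw_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(raw_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, keytype, fingerprint) for each well-formed ssh-keyscan record.
    Comment lines and malformed records are skipped so one bad line cannot abort a scan."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or not parts[1].startswith(("ssh-", "ecdsa-")):
            continue
        host, keytype, blob_b64 = parts[0], parts[1], parts[2]
        try:
            raw = base64.b64decode(blob_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield host, keytype, fingerprint(raw)


def cluster_by_fingerprint(lines):
    """Return {fingerprint: sorted hosts} for every fingerprint seen on more than one host."""
    seen = defaultdict(set)
    for host, _keytype, fp in parse_keyscan(lines):
        seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: two keys reused across servers, one unique key, one malformed line.
KEY_A = make_ed25519_blob(b"A" * 32)
KEY_B = make_ed25519_blob(b"B" * 32)
KEY_C = make_ed25519_blob(b"C" * 32)
SAMPLE_SCAN = [
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_9.6",          # ssh-keyscan banner comment
    keyscan_line("192.0.2.10", KEY_A),
    keyscan_line("192.0.2.11", KEY_A),
    keyscan_line("198.51.100.5", KEY_A),
    keyscan_line("192.0.2.12", KEY_B),
    keyscan_line("198.51.100.6", KEY_B),
    keyscan_line("203.0.113.7", KEY_C),
    "203.0.113.8 ssh-ed25519 not-valid-base64!!!",  # garbage record, must be skipped
]


def report(lines=SAMPLE_SCAN):
    """Print reused-key clusters, largest first, and return them for further pivoting."""
    clusters = cluster_by_fingerprint(lines)
    for fp, hosts in sorted(clusters.items(), key=lambda kv: -len(kv[1])):
        print(f"{fp}  shared by {len(hosts)} hosts: {', '.join(hosts)}")
    return clusters


if __name__ == "__main__":
    report()
```

To run this against real data, replace SAMPLE_SCAN with the lines from `ssh-keyscan -t ed25519,rsa,ecdsa <hosts>` (redirecting stderr so the banner comments are included or not, as you prefer); any fingerprint that lands on two or more unrelated hosts is a candidate for the kind of infrastructure pivot described above. The fingerprints this produces are byte-for-byte the values `ssh-keygen -lf` prints, so they can be matched directly against published indicators.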
The campaign expanded beyond fisheries to include domains impersonating Zain, a major Kuwaiti telecommunications provider.
The domain zain-kw[.]pro hosted a convincing mobile payment portal designed to harvest phone numbers and payment details.
Zain spoofed account page (Source – Hunt.io)
The spoofed Zain account page carefully mimicked legitimate services, making detection particularly difficult on mobile devices, where phishing indicators are less obvious.
This phishing campaign highlights how attackers continue to evolve their techniques while occasionally leaving critical operational traces.
The combination of diverse domain strategies, cross-sector targeting, and mobile payment lures demonstrates a sophisticated approach to social engineering, while the SSH key reuse gives defenders a valuable detection opportunity.