SSH Auth Key Reuse Uncovers Advanced Targeted Phishing Campaign

A meticulously orchestrated phishing campaign targeting Kuwait’s fisheries, telecommunications, and insurance sectors has been exposed by Hunt.io researchers, revealing a sprawling network of over 230 malicious domains and a tightly knit cluster of servers.

First detected in early 2025, this ongoing operation leverages reused SSH authentication keys and consistent Autonomous System Number (ASN) usage to link its infrastructure, providing defenders with critical fingerprints to track and mitigate the threat.

The campaign, primarily hosted on Aeza International Ltd’s network (ASN AS210644), showcases advanced tradecraft through cloned login portals and impersonated web pages designed to harvest credentials from unsuspecting users across consumer and enterprise segments in Kuwait and the broader Gulf region.

Kuwaiti Industries Under Siege

Hunt.io’s investigation initially pinpointed three core servers (78.153.136[.]29, 134.124.92[.]70, and 138.124.78[.]35) hosting over 100 phishing domains that mimic legitimate entities like the National Fishing Company of Kuwait and Zain, a major telecommunications provider.

[Figure: Example webpage imitating the National Fishing Company]

Beyond these, a deeper analysis of SSH key overlaps, specifically fingerprints dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537 and 000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9, uncovered eight additional IP addresses tied to the same campaign.

These servers, also within Aeza’s network, host domains targeting regional brands like Delmon Fish in Bahrain and Saiyarti, a Kuwaiti automotive insurance service.

Infrastructure Patterns Reveal Operational Scale

The domains often avoid direct typosquatting, instead using transliterations and generic brand references such as alwattnya[.]com and zain-kw[.]pro, paired with visually convincing web pages to deceive users.

Notably, mobile payment lures mimicking Zain’s checkout process pose significant risks, potentially enabling phone number harvesting for SIM swaps or account takeovers.

[Figure: Zain spoofed account page]

This operational flexibility, combined with multi-tenant server usage for efficiency, underscores the threat actors’ strategic focus on scalability and persistence.

While no direct malware payloads were observed, the sustained registration of domains since January 2025 signals a long-term effort to exploit trusted regional identities.

Defenders are urged to monitor for SSH key reuse and query Aeza-hosted assets within AS210644 for malware sightings or brand-themed domains.
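As an added example (not Hunt.io's tooling and not the campaign's data), the SSH key pivot described above in Python: compute SHA-256 host-key fingerprints in the same 64-hex form quoted in the report, cluster hosts that present the same key, and expand a seed set of known-bad IPs through shared keys, optionally constrained to the seeds' ASN. Every host, ASN and key below is constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ed25519_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 key blob (SSH wire format, base64); the point is a stand-in."""
    point = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(blob).decode()

KEY_A, KEY_B, KEY_C = (_ed25519_blob(b"constructed-" + n) for n in (b"A", b"B", b"C"))

# Constructed scan records: (ip, asn, host keys offered). IPs are RFC 5737 documentation
# addresses and the ASNs come from the reserved range; none is from the campaign.
SCAN_RECORDS = [
    ("192.0.2.10", "AS64496", [KEY_A, KEY_B]),  # bridges the two key groups
    ("192.0.2.11", "AS64496", [KEY_A]),
    ("192.0.2.12", "AS64496", [KEY_B]),
    ("198.51.100.5", "AS64496", [KEY_C]),       # unique key: nothing links it
    ("203.0.113.9", "AS64497", [KEY_B]),        # shared key, but a different ASN
]

def fingerprint(key_b64: str) -> str:
    """SHA-256 of the decoded key blob as 64 hex chars, the format quoted in the report."""
    return hashlib.sha256(base64.b64decode(key_b64)).hexdigest()

def cluster_by_key(records):
    """Map each fingerprint to the hosts presenting it; keep only reused ones (2+ hosts)."""
    clusters = defaultdict(set)
    for ip, _asn, keys in records:
        for key in keys:
            clusters[fingerprint(key)].add(ip)
    return {fp: ips for fp, ips in clusters.items() if len(ips) > 1}

def pivot_from_seeds(seed_ips, records, same_asn_only=False):
    """Expand known-bad seed hosts to every host sharing a key with them, transitively
    (host -> key -> host -> key ...). With same_asn_only, stay inside the seeds' ASNs."""
    by_ip = {ip: (asn, {fingerprint(k) for k in keys}) for ip, asn, keys in records}
    seed_asns = {by_ip[ip][0] for ip in seed_ips if ip in by_ip}
    found = set(seed_ips)
    while True:
        fps = set().union(*(by_ip[ip][1] for ip in found if ip in by_ip))
        new = {ip for ip, (asn, ipfps) in by_ip.items()
               if ip not in found and ipfps & fps
               and (not same_asn_only or asn in seed_asns)}
        if not new:
            return found - set(seed_ips)
        found |= new
```

Feeding real scan output in place of SCAN_RECORDS turns this into the monitoring the article recommends: any fingerprint returned by cluster_by_key is a reuse candidate, and pivot_from_seeds shows which hosts a known-bad server drags in.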

Hunt.io provides tailored HuntSQL queries to identify related infrastructure, emphasizing proactive detection of transliterated domain names and cloned websites.

As the campaign evolves with mobile-themed phishing lures, vigilance for emerging payment impersonation pages remains critical to disrupting this sophisticated operation before further damage is inflicted on targeted organizations.

Indicators of Compromise (IOCs)

IP Address         Domain(s) (Sample)                    Hosting Company          Location
138.124.92[.]70    alwattnya[.]com, tamcar[.]pro         AEZA INTERNATIONAL LTD   DE
77.221.152[.]224   al-watanyia[.]com, syarati[.]pro      AEZA INTERNATIONAL LTD   DE
89.208.97[.]251    dalmon-bh[.]com, dalmon-fishs[.]com   AEZA INTERNATIONAL LTD   DE
78.153.136[.]29    delmone11[.]com, zain-kw[.]pro        AEZA INTERNATIONAL LTD   DE
91.108.240[.]137   awatanaia[.]com, dallmonfish[.]com    AEZA INTERNATIONAL LTD   DE
