A coordinated phishing campaign targeting Kuwait’s critical sectors has been exposed through a distinctive operational security lapse: the reuse of the same SSH host keys across multiple attack servers.
The campaign, which remains active as of May 2025, has deployed over 100 domains to harvest credentials through meticulously cloned login portals impersonating legitimate Kuwaiti businesses in the fisheries, telecommunications, and insurance sectors.
Rather than employing traditional typosquatting techniques (character swaps, look-alike letters or hyphenated variants of the legitimate domain), the attackers registered brand-inspired names built from transliterations of the brand and generic references, which defeats detection keyed on edit distance from the real domain.
The phishing infrastructure spans multiple servers concentrated on IP addresses 78.153.136[.]29, 134.124.92[.]70, and 138.124.78[.]35, all hosted within Aeza International Ltd’s network (AS210644).
Each server is multi-tenant, staging domains aimed at several sectors at once to get the most out of every host.
Many of the domains impersonate the National Fishing Company of Kuwait, with examples including alwattnya[.]com, wtanaya[.]com, elwattanya1[.]com, and alwattnia[.]com.
The webpages convincingly replicate legitimate company storefronts, complete with product listings and shopping cart features.
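The four domains above show why a plain typosquat check is a poor fit for transliterated look-alikes. The following added example (not code from the original report or from Hunt.io) compares the conventional edit-distance check against a consonant-skeleton comparison that strips the Arabic article prefix, vowels and doubled letters before matching. The brand token "wataniya" (al-Wataniya, "the national") is an assumption, since the page does not give the company's real domain; the benign control domains are constructed.

```python
import re

# Assumption (not from the page): the brand token the look-alikes transliterate is
# taken to be "wataniya"; the company's legitimate domain is not given on the page.
BRAND = "wataniya"

# Domains quoted on the page, plus constructed benign controls for comparison.
SUSPECT_DOMAINS = ["alwattnya.com", "wtanaya.com", "elwattanya1.com", "alwattnia.com"]
BENIGN_DOMAINS = ["kuwait-telecom.com", "gulfbank.com", "fisheries-kw.com"]  # constructed


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain):
    """Drop the TLD; the page's examples are all single-label .com names."""
    return domain.lower().split(".")[0]


def skeleton(label):
    """Consonant skeleton: strip non-letters, the Arabic article prefix, vowels and doubled letters."""
    s = re.sub(r"[^a-z]", "", label.lower())
    s = re.sub(r"^(al|el)(?=.{3,})", "", s)  # "alwattnya" -> "wattnya"
    s = re.sub(r"[aeiou]", "", s)             # "wattnya"   -> "wttny"
    return re.sub(r"(.)\1+", r"\1", s)        # "wttny"     -> "wtny"


def raw_typosquat_match(domain, brand=BRAND, max_dist=2):
    """The conventional check: small edit distance between the label and the brand string."""
    return levenshtein(second_level_label(domain), brand) <= max_dist


def transliteration_match(domain, brand=BRAND, max_dist=1):
    """Compare the skeleton of each hyphen-separated part of the label with the brand's skeleton."""
    target = skeleton(brand)
    parts = second_level_label(domain).split("-")
    return any(levenshtein(skeleton(p), target) <= max_dist for p in parts)


def classify(domains):
    """Return {domain: (edit-distance verdict, skeleton verdict)} for a batch of domains."""
    return {d: (raw_typosquat_match(d), transliteration_match(d)) for d in domains}


if __name__ == "__main__":
    for d, (raw, skel) in classify(SUSPECT_DOMAINS + BENIGN_DOMAINS).items():
        print(f"{d:22} edit-distance match: {str(raw):5} skeleton match: {skel}")
```

With these inputs the edit-distance check flags only wtanaya[.]com, while the skeleton check flags all four page domains and none of the controls. Skeletons are short, so this trades precision for recall: treat a hit as a lead to combine with hosting (the ASN above), registration date and page content, not as a verdict on its own.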
Hunt.io researchers identified the campaign after receiving a tip regarding sustained phishing activity targeting industries in Kuwait.
Their investigation revealed that more than half of the 230+ domains were impersonating the National Fishing Company of Kuwait.
[Figure: example webpage imitating the National Fishing Company of Kuwait’s online storefront]
The webpages closely mimicked the appearance of the legitimate site.
Infrastructure
The technical finding that exposed this operation was the reuse of SSH host keys across the phishing servers. A server presents its host key to every client during the SSH handshake, so the key’s fingerprint is visible to internet-wide scanners without any authentication.
Two specific host key fingerprints recurred across multiple servers, creating a signature that let researchers link phishing domains with otherwise unrelated names and hosting arrangements.
This operational security failure gave defenders a reliable way to map the full scope of the campaign despite its diverse domain naming conventions.
The key reuse shows how an otherwise careful operator can create detectable patterns through infrastructure management shortcuts.
When provisioning new servers, the attackers evidently reused the same key material (as happens when hosts are built from one cloned image) rather than generating fresh host keys for each asset.
[Figure: SSH key pivot visualization for 138.124.92[.]70]
This allowed Hunt.io researchers to pivot across the infrastructure from a single server.
To find related infrastructure the same way, hunt for the two fingerprints in internet scan data: Hunt.io, Shodan and Censys all index SSH host key fingerprints, and any host outside the known set that presents one of them is a candidate for the same operator.
The concentration of the servers within Aeza International Ltd’s ASN provides a second pivot for threat hunting.
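The pivot itself needs nothing more than the output of ssh-keyscan (or the equivalent fields from a scan dataset) and a fingerprint computation. The following added example, which is not code from Hunt.io or from the original report, computes OpenSSH-style SHA256 fingerprints from keyscan lines and reports every host key seen on more than one server; the keys and hosts are constructed dummy data, not the campaign’s actual fingerprints, and the helper and function names are this example’s own.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type, key_material):
    """Build the base64 public-key blob in the layout ssh-keyscan prints (used here for constructed keys)."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_material)).decode()


def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded blob)) with the '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, key_type, fingerprint) from ssh-keyscan output.

    Comment lines are skipped, and a blob whose embedded key type disagrees with the
    declared type is dropped as malformed rather than fingerprinted.
    """
    for line in lines:
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, key_type, blob = fields[:3]
        raw = base64.b64decode(blob)
        (n,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + n] != key_type.encode():
            continue
        yield host, key_type, fingerprint(blob)


def shared_host_keys(lines):
    """Map (key_type, fingerprint) -> sorted hosts, keeping only keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for host, key_type, fp in parse_keyscan(lines):
        hosts_by_key[(key_type, fp)].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


# Constructed sample: three servers built from one image share two host keys; a fourth is unrelated.
# Key material is dummy bytes and the hosts are RFC 5737 documentation addresses.
KEY_A = make_blob("ssh-ed25519", bytes(range(32)))
KEY_B = make_blob("ssh-ed25519", bytes(range(32, 64)))
KEY_C = make_blob("ssh-ed25519", b"\x7f" * 32)
SAMPLE_KEYSCAN = [
    "# 203.0.113.10:22 SSH-2.0-OpenSSH_9.6",
    f"203.0.113.10 ssh-ed25519 {KEY_A}",
    f"203.0.113.10 ssh-ed25519 {KEY_B}",
    f"203.0.113.20 ssh-ed25519 {KEY_A}",
    f"203.0.113.20 ssh-ed25519 {KEY_B}",
    f"203.0.113.30 ssh-ed25519 {KEY_A}",
    f"203.0.113.30 ssh-rsa {KEY_B}",  # declared type disagrees with the blob: dropped
    f"203.0.113.40 ssh-ed25519 {KEY_C}",
]

if __name__ == "__main__":
    for (key_type, fp), hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{key_type} {fp} shared by {', '.join(hosts)}")
```

The fingerprint format matches what `ssh-keygen -lf` prints, so a value produced here can be pasted straight into a scan-data search. Against live hosts, feed the tool `ssh-keyscan -t ed25519,rsa <host>` output; a key shared by many hosts on one provider may also be a hosting template rather than one operator, so confirm with the hosted content before linking servers.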
Security teams can use the following Hunt.io SQL-style query to list hosts in that ASN with recorded malware sightings:

```sql
SELECT ip, hostname, malware.name
FROM malware
WHERE asn.number == '210644'
GROUP BY ip, hostname, malware.name
```
The campaign expanded beyond fisheries to include domains impersonating Zain, a major Kuwaiti telecommunications provider.
The domain zain-kw[.]pro hosted a convincing mobile payment portal designed to harvest phone numbers and payment details.
.webp)
The spoofed Zain account page closely mimicked the real service, and on mobile devices, where browsers truncate the address bar and hide certificate details, the usual phishing cues are harder to see.
This phishing campaign highlights how attackers continue to evolve their techniques while occasionally leaving critical operational traces.
The combination of diverse domain strategies, cross-sector targeting, and mobile payment lures demonstrates a sophisticated approach to social engineering, while the SSH key reuse provides defenders with a valuable detection opportunity.