Since early 2025, a coordinated and sophisticated phishing campaign has been actively targeting key sectors in Kuwait, including fisheries, telecommunications, and insurance. The operation employs over 230 malicious domains to deceive users and harvest credentials. These domains are crafted to impersonate legitimate Kuwaiti organizations, using cloned login portals and brand impersonation. The campaign's infrastructure is primarily hosted by Aeza International Ltd, a hosting provider known for its lenient abuse policies. A critical operational security lapse, the reuse of the same SSH keys across multiple servers, has allowed researchers to link otherwise disparate elements of the campaign and track its evolution.
At the core of this campaign is a persistent effort to gain initial access to organizational networks through phishing, specifically by cloning the public-facing login portals of target organizations so that victims submit their credentials to attacker-controlled copies. According to technical analyses from Hunt.io and other researchers, the infrastructure is centered around multiple IP addresses assigned to Aeza International Ltd, including 78.153.136[.]29, 134.124.92[.]70, and 138.124.78[.]35. These IPs host multi-tenant phishing infrastructure, meaning a single server may serve several fake domains simultaneously, each tailored to a different sector or organization. The phishing pages are almost indistinguishable from the legitimate login portals of real Kuwaiti companies, replicating everything from corporate logos and color schemes to URL paths and form fields. This level of detail suggests either access to internal assets or highly specialized phishing kits designed to evade both user suspicion and automated detection.
From a tactics and techniques perspective, this operation maps to several MITRE ATT&CK tactics. Initial Access is achieved through phishing (T1566) backed by attacker-registered look-alike domains (Acquire Infrastructure: Domains, T1583.001); the harvesting itself is Credential Access; and reuse of the stolen credentials to log in as the victim falls under Valid Accounts (T1078), which ATT&CK lists under Persistence as well as Initial Access. Although the campaign's primary objective is credential harvesting, researchers have not ruled out secondary goals such as account hijacking, lateral movement, and data exfiltration. The reused SSH keys provide one of the most concrete technical links between different parts of the infrastructure: the key a server presents during the SSH handshake is visible to any internet-wide scanner, and two servers presenting the same key are almost certainly administered by the same operator or cloned from the same image. By fingerprinting these keys, analysts have been able to track the evolution of the campaign and discover new servers as they come online, which is particularly valuable given that the attackers regularly rotate domains and infrastructure to evade blocklists. Researchers also noted that the TLS certificates used by these servers often share metadata, enabling further correlation through passive DNS and certificate transparency logs.
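The pivot described above, reduced to code, as an added example that is not part of the original article or of Hunt.io's tooling: it takes lines in the format produced by `ssh-keyscan` (`<host> <keytype> <base64 key blob>`), computes the same SHA256 fingerprint that OpenSSH prints, and groups hosts that present an identical key. The three hosts, their documentation-range addresses (RFC 5737) and the key bytes are constructed for the example and are not the campaign's real servers or keys; only ssh-ed25519 blobs are built here, but the fingerprint and clustering logic is key-type agnostic.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the OpenSSH public-key blob for an ssh-ed25519 key: string "ssh-ed25519" || string key."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Parse one ssh-keyscan output line and verify the blob really carries the declared key type."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed keyscan line: {line!r}")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])          # first wire string is the key type name
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError(f"key type mismatch for {host}: declared {keytype}")
    return host, keytype, blob


def cluster_by_fingerprint(lines):
    """Map each key fingerprint to the list of hosts that presented that key."""
    clusters = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):       # skip blanks and '# host SSH-2.0-...' banner comments
            continue
        host, _keytype, blob = parse_keyscan_line(line)
        clusters[fingerprint(blob)].append(host)
    return dict(clusters)


def shared_key_hosts(lines):
    """Keep only fingerprints seen on more than one host: these are the pivot points."""
    return {fp: hosts for fp, hosts in cluster_by_fingerprint(lines).items() if len(hosts) > 1}


# Constructed sample input (not real scan data): two hosts present the same key,
# a third presents a different one. Addresses are from the RFC 5737 documentation ranges.
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))
SAMPLE_KEYSCAN = [
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_9.6",
    f"192.0.2.10 ssh-ed25519 {base64.b64encode(make_ed25519_blob(KEY_A)).decode()}",
    f"192.0.2.20 ssh-ed25519 {base64.b64encode(make_ed25519_blob(KEY_B)).decode()}",
    f"198.51.100.5 ssh-ed25519 {base64.b64encode(make_ed25519_blob(KEY_A)).decode()}",
]

if __name__ == "__main__":
    for fp, hosts in shared_key_hosts(SAMPLE_KEYSCAN).items():
        print(f"{fp} reused by: {', '.join(hosts)}")
```

Against live infrastructure the input would come from `ssh-keyscan -t ed25519,rsa <host>` for each suspect address (or from an exported scan dataset), and a fingerprint already tied to the campaign becomes a query to run against new scan results as they arrive. The key-type check in `parse_keyscan_line` matters because a blob whose embedded type name disagrees with the declared one would still hash to something and silently produce a useless fingerprint.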
The campaign’s history indicates a continuous expansion in scope and technical sophistication. The earliest domains linked to the operation appeared in late January 2025, with a small number of phishing pages impersonating telecom providers. Over time, the operation expanded to target insurance firms and fisheries, likely in response to observed success rates or strategic priorities. Unlike opportunistic phishing, which typically casts a wide net, this campaign clearly reflects a targeted approach with regional knowledge. The attackers’ use of domain transliterations and Kuwaiti brand impersonation strongly indicates a focus on Gulf-region victims, and the consistency in infrastructure suggests the involvement of a single group or a tightly coordinated network of actors.
The impact of this campaign is both immediate and long-term. At the most basic level, compromised credentials can be used to log into email accounts, customer management systems, payment portals, and backend dashboards, many of which contain sensitive or regulated data. With that access the attackers can exfiltrate data, redirect payments, launch further internal phishing attacks, or establish persistent access via malicious app integrations or password resets. For telecommunications companies, attackers could use such access to reroute SMS messages, manipulate customer data, or disable security features. For insurance firms, access could expose customer health or policy data. In the fisheries sector, the implications might involve disruption of logistics, theft of internal communications, or exposure of confidential trade or compliance information.
Furthermore, the campaign's persistence and growth suggest that it may be part of a broader long-term operation, possibly aimed at regional surveillance, corporate espionage, or financial crime. The scale and polish of the infrastructure (over 230 domains, cloned branding, and precise linguistic targeting) suggest that this is not the work of a lone attacker or script kiddie. While no single CVE has been identified in this campaign so far, the infrastructure's reuse of insecure administrative interfaces and the pattern of shared key material indicate the potential for secondary exploitation vectors, especially once credentials are obtained. The broader impact also includes reputational damage for the impersonated brands, increased incident-response costs for affected organizations, and a growing erosion of public trust in online portals tied to vital services.
Implement Strong Email Protections:
Deploy Phishing-Resistant Multi-Factor Authentication (MFA):
Block and Monitor Malicious Infrastructure:
https://ground.news/article/ssh-auth-key-reuse-uncovers-advanced-targeted-phishing-campaign