May 16, 2025
Severity
High
Analysis Summary
A sophisticated phishing campaign targeting Kuwait’s critical sectors, including fisheries, telecommunications, and insurance, has been uncovered due to a notable operational security lapse: the reuse of SSH authentication keys across multiple attack servers. Active as of May 2025, the campaign involved over 100 phishing domains that mimicked legitimate Kuwaiti companies. Unlike traditional typosquatting tactics, the attackers employed transliterations and brand-inspired generic domain names, making detection by conventional methods more challenging.
The phishing infrastructure is hosted on key IP addresses within the Aeza International Ltd network (AS210644). These servers show multi-tenant characteristics, simultaneously hosting domains that target multiple industries to maximize efficiency. Webpages cloned from the targeted company’s official storefront were visually convincing, complete with product listings and shopping-cart features to deceive victims. Researchers traced the campaign after a tip-off and confirmed that over half of the 230+ domains impersonated this one organization, indicating focused targeting.
A major breakthrough in uncovering the campaign was the reuse of two specific SSH key fingerprints across multiple servers. This practice, typically avoided by sophisticated actors, created a clear signature that allowed researchers to link otherwise unrelated phishing domains. Because the attackers deployed identical SSH keys when configuring new servers, researchers were able to pivot across the infrastructure and map out the campaign. This operational misstep offers defenders a powerful detection mechanism: by fingerprinting SSH keys across enterprise environments, security teams can identify related malicious infrastructure despite domain variation or evasive hosting tactics.
The campaign further expanded to impersonate a leading Kuwaiti telecommunications provider, hosting a realistic-looking mobile payment portal designed to harvest sensitive data such as phone numbers and payment credentials. The site’s design made it especially effective on mobile devices, where visual phishing indicators are often less noticeable. This campaign exemplifies the growing sophistication of phishing operations that blend adaptive domain strategies, cross-sector targeting, and mobile-first lures, yet it also illustrates how attackers’ shortcuts in infrastructure setup, such as SSH key reuse, can become their undoing.
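As an added illustration of the pivot described above (example code, not the advisory's or the researchers' own tooling), the following Python script computes OpenSSH-style SHA256 fingerprints from `ssh-keyscan`-style lines and reports any fingerprint presented by more than one host. The hostnames and key blobs are constructed placeholders, not indicators from the campaign.

```python
"""Cluster SSH servers by host-key fingerprint (added example, not from the advisory)."""
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(b64_key)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Parse ssh-keyscan / known_hosts style lines: '<host> <keytype> <base64 key>'."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        yield host, keytype, b64


def reuse_clusters(lines):
    """Map each fingerprint to the set of hosts presenting it; keep only fingerprints shared by >1 host."""
    seen = defaultdict(set)
    for host, _keytype, b64 in parse_keyscan(lines):
        seen[ssh_fingerprint(b64)].add(host)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 wire blob (length-prefixed type string + 32-byte key); not a real key."""
    key = hashlib.sha256(seed).digest()
    body = b"\x00\x00\x00\x0bssh-ed25519" + (32).to_bytes(4, "big") + key
    return base64.b64encode(body).decode()


# Constructed sample scan output: three servers share one key, one server is unrelated.
SAMPLE_SCAN = [
    f"203.0.113.10 ssh-ed25519 {_fake_ed25519_blob(b'reused-key')}",
    f"203.0.113.11 ssh-ed25519 {_fake_ed25519_blob(b'reused-key')}",
    f"198.51.100.7 ssh-ed25519 {_fake_ed25519_blob(b'reused-key')}",
    f"192.0.2.5 ssh-ed25519 {_fake_ed25519_blob(b'unrelated-key')}",
]

if __name__ == "__main__":
    for fp, hosts in reuse_clusters(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {sorted(hosts)}")
```

Real input for `reuse_clusters` is the output of `ssh-keyscan -t ed25519,rsa <host>` collected for each server in scope; the fingerprints it produces match those shown by `ssh-keygen -lf`.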
Impact
- Sensitive Credential Theft
- Unauthorized Access
Remediation
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Use a unique SSH key for each server; reusing keys is an operational security lapse that creates identifiable patterns across infrastructure.
- Continuously monitor SSH key usage and fingerprints across all infrastructure to detect suspicious reuse or unauthorized access.
- Deploy advanced domain monitoring solutions that look beyond simple typosquatting to detect transliterated or brand-inspired phishing domains.
- Use threat intelligence feeds and IP/ASN reputation checks, especially monitoring AS210644 (Aeza International Ltd), to identify and block malicious infrastructure.
- Educate employees and customers about phishing tactics, including sophisticated mobile payment portal scams and how to verify legitimate company websites.
- Implement multi-factor authentication (MFA) on all critical accounts to reduce the risk of credential harvesting.
- Regularly audit and harden hosting environments to prevent multi-tenant phishing infrastructure from going unnoticed.
- Set up network and endpoint detection rules to flag unusual traffic to known phishing domains or suspicious IP addresses involved in the campaign.
- Coordinate with ISPs and domain registrars to quickly take down identified phishing domains impersonating critical sectors in Kuwait.