Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

May 21, 2025, 8:56 p.m.

Description

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure shares operational fingerprints, including reused SSH authentication keys and consistent ASN usage, allowing related assets to be linked. The campaign primarily targets the National Fishing Company of Kuwait, automotive insurance sector, and Zain telecommunications. The actors use brand-inspired domain names and transliterations rather than direct typosquatting. Mobile payment lures targeting Zain customers have also been observed, potentially enabling further social engineering attacks.

External References

https://hunt.io/blog/phishing-campaign-kuwait-shared-ssh-keys
https://otx.alienvault.com/pulse/682768bd8d85a5422eb7c475
Tags
phishing
credential harvesting
telecommunications
infrastructure
insurance
domain impersonation
ssh keys
2025-05-16
fisheries
kuwait

Date

  • Created: May 16, 2025, 4:33 p.m.
  • Published: May 16, 2025, 4:33 p.m.
  • Modified: May 21, 2025, 8:56 p.m.

Indicators

  • dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537
  • 000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9
  • 89.208.97.251
  • 89.208.113.34
  • 89.208.113.172
  • 78.153.136.29
  • 77.221.153.225
  • 77.221.152.224
  • 46.226.167.145
  • 150.241.93.231
  • 138.124.92.70
  • 138.124.78.35
  • 138.124.58.18
  • 134.124.92.70
  • 109.120.178.145
  • 91.108.240.137
  • 77.221.152.232
  • dl5.xvipx.top
  • zain-kw.pro
  • wtanaya.com
  • wattanuea.com
  • watnnia.com
  • watanyafish.com
  • watenya.com
  • watanyaa10.com
  • watanya2.com
  • watanuya1.com
  • watanuia01.com
  • watanuia.com
  • wataniax.pro
  • wataniaa9.com
  • wataniaa10.com
  • watania01.com
  • tamienz.pro
  • tamcar.pro
  • tameeeny.com
  • syarati.pro
  • nfcq8.com
  • mothedaa.live
  • mothada.pro
  • motahidda2.com
  • motahida2.com
  • motaheda01.com
  • megamail.pw
  • malware.name
  • ilwatanea.com
  • elwattanya1.com
  • elwattanuia.com
  • elwataniaa8.com
  • el-watnneya.com
  • delmoon9.com
  • delmoon5.com
  • delmone9.com
  • delmone11.com
  • delmona5.com
  • dalmonfishy.com
  • dalmonfishs.com
  • dalmon-fishs.com
  • dallmonfish.com
  • dalmon-bh.com
  • awatanaia.com
  • alwtania2.com
  • alwtaneya1.com
  • alwattnya.com
  • alwattny.com
  • alwattnia.com
  • alwattanya.com
  • alwatnnia.com
  • alwatenia4.com
  • alwatanya2.com
  • alwatanniya.com
  • alwataniaa8.com
  • almotheda.com
  • almotahida1.com
  • al-watnya.com
  • al-watanyia.com
  • al-watanyea.com
Download all indicators here!

Attack Patterns

Additional Informations

  • Finance
  • Telecommunications
  • Kuwait
  • Bahrain