SSH Key Reuse Unmasks Major Phishing Campaign in Kuwait

Shared SSH Keys Phishing Attack

About the Incident

What began as a handful of phishing attacks had, by early 2025, become a large, organised campaign aimed at the fisheries, telecommunications, and insurance sectors in Kuwait.

Security Researchers at Hunt.io have found evidence of a large phishing campaign that used over 230 different malicious websites to try and steal the personal data and account information of people and organisations in Kuwait and other countries in the Gulf region.

The attackers used the same SSH authentication key on different servers. Had they not reused that one cryptographic key, the operation could have gone unnoticed for much longer.


This was not a typical phishing scam. The attackers took their time to learn about the organisations they were imitating. They copied the login pages of Kuwait’s National Fishing Company and the telecom company Zain. What set these scams apart was that the pages were carefully designed to look exactly like the real ones.

The experts discovered fake payment gateways, login forms and dashboards among the phishing pages. The pages were optimised for mobile as well, making it easier for scammers to capture mobile account data and take over accounts.

How did they discover this Threat Campaign?

The attackers operated mostly within Aeza International Ltd’s network (ASN AS210644), a hosting provider known for its lax oversight. Hunt.io first discovered three core servers driving the campaign:

  • 78.153.136[.]29
  • 134.124.92[.]70
  • 138.124.78[.]35

These servers alone hosted over 100 phishing domains. But the trail from these three IPs led to a full-fledged campaign with 230+ domains.

Every time an attacker sets up a server, they typically generate a new SSH key for secure access. But in this case, the hackers reused the same private key across multiple machines.

This allowed researchers to track the campaign by identifying common SSH key fingerprints, including:

  • dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537
  • 000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9

With these fingerprints, Hunt.io was able to pivot to eight more IP addresses, all tied to the same campaign. All of them were hosted within Aeza’s infrastructure. These additional servers hosted domains impersonating regional businesses like Delmon Fish (Bahrain) and Saiyarti, an automotive insurance platform in Kuwait.
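The pivot described above, as an added example that is not Hunt.io’s or the article’s code: given host keys collected by a scanner, compute the hex SHA-256 fingerprint of each raw key blob (the form the fingerprints above are listed in) and group hosts that present the same key. The hosts and keys are constructed for the example; `make_ed25519_pubkey` builds syntactically valid but fake keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_pubkey(seed: int) -> str:
    """Constructed ssh-ed25519 public-key line; the 32 key bytes are a hash
    of the seed, not a real key pair (test data only)."""
    raw = hashlib.sha256(b"example-key-%d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(pubkey_line: str) -> str:
    """Hex SHA-256 of the raw key blob, the fingerprint form the article lists."""
    key_type, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The blob's first SSH string must repeat the key type; if not, the
    # scanner record is corrupt and must not be clustered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hashlib.sha256(blob).hexdigest()

def cluster_by_fingerprint(scan):
    """Group hosts by host-key fingerprint -> {fingerprint: [hosts]}."""
    groups = defaultdict(list)
    for host, key in scan:
        groups[fingerprint(key)].append(host)
    return dict(groups)

def shared_key_clusters(scan):
    """Fingerprints seen on two or more hosts: the pivot candidates."""
    return {fp: h for fp, h in cluster_by_fingerprint(scan).items() if len(h) > 1}

# Constructed scan (RFC 5737 addresses): three hosts present the same key.
SCAN = [
    ("203.0.113.10", make_ed25519_pubkey(1)),
    ("203.0.113.11", make_ed25519_pubkey(1)),
    ("198.51.100.7", make_ed25519_pubkey(1)),
    ("198.51.100.8", make_ed25519_pubkey(2)),
]

if __name__ == "__main__":
    for fp, hosts in shared_key_clusters(SCAN).items():
        print(fp, "->", ", ".join(hosts))
```

On real scan data the same grouping flags any key that appears on more than one server, whether that is an operator’s reused key or a cloud image shipped with a baked-in host key, so each cluster still needs manual review.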

What made this campaign stand out wasn’t just the scale, but the creativity in domain names and design of phishing pages.

Instead of obvious typos like gooogle[.]com, attackers used smart transliterations and believable names like:

  • alwattnya[.]com
  • zain-kw[.]pro
  • dalmon-bh[.]com

These domains sounded right and looked trustworthy, especially to users without a technical background. Researchers also noticed that the attackers avoided registering all their domains at once. Instead, they slow-dripped new domain registrations starting from January 2025, a sign of long-term planning and persistence.


Interestingly, Hunt.io didn’t observe any direct malware payloads being delivered through these sites. That’s a sign of low-and-slow operations. Rather than infecting devices, the goal was likely to harvest credentials, perform account takeovers, or sell verified access to other threat actors.

This “clean” approach also made the campaign harder to detect. With no malicious downloads, traditional antivirus tools remained silent.

Indicators of Compromise (IOCs) to Watch

Keep an eye out for the following IP addresses and domains, especially if your organization operates in the Middle East:

IP Address        Sample Domains                        Hosting Company         Location
138.124.92[.]70   alwattnya[.]com, tamcar[.]pro         AEZA INTERNATIONAL LTD  DE
77.221.152[.]224  al-watanyia[.]com, syarati[.]pro      AEZA INTERNATIONAL LTD  DE
89.208.97[.]251   dalmon-bh[.]com, dalmon-fishs[.]com   AEZA INTERNATIONAL LTD  DE
78.153.136[.]29   delmone11[.]com, zain-kw[.]pro        AEZA INTERNATIONAL LTD  DE
91.108.240[.]137  awatanaia[.]com, dallmonfish[.]com    AEZA INTERNATIONAL LTD  DE

These are just samples. The full list is available via Hunt.io’s platform.

Conclusion 

Phishing attacks today are not the same old scams. As we saw in the campaign targeting Kuwait’s fisheries and telecom sectors, attackers are now operating with precision, patience, and even a touch of professionalism. They’re using well-designed fake sites, smart domain names, and subtle tactics that nearly slipped under the radar, with only their SSH key reuse giving them away.

But here’s the upside: you can defend your organization by getting ahead of these threats. 

Start by putting strong email security in place. Use protocols like SPF, DKIM, and DMARC to ensure only verified sources can send messages on your behalf.

Add an S/MIME certificate to protect the authenticity and integrity of your emails. And don’t underestimate the power of awareness. Train your team regularly to recognize red flags and question anything that feels slightly off.

Phishing is evolving, but so can your defences. With the right tools and best practices, you can reduce your risk and maintain the authenticity, integrity, and security your business depends on. 

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.