{"id":3565,"date":"2025-05-20T08:23:11","date_gmt":"2025-05-20T08:23:11","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3565"},"modified":"2025-05-26T05:08:24","modified_gmt":"2025-05-26T05:08:24","slug":"ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/","title":{"rendered":"SSH Key Reuse Unmasks Major Phishing Campaign in Kuwait"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-about-the-incidence\">About the Incident<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">What began as a handful of phishing attacks by early 2025 became a large, organised attack aimed at the <strong>fisheries, telecommunications, and insurance sectors in Kuwait.<\/strong><\/p>\n\n\n\n<p class=\"quote-section wp-block-paragraph\">Security researchers at <strong>Hunt.io<\/strong> have found evidence of a large phishing campaign that used over <strong>230 different malicious websites<\/strong> to try to steal the personal data and account information of people and organisations in Kuwait and other countries in the Gulf region.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attackers used the <strong>same SSH authentication keys for different servers<\/strong>. Had they not reused the same cryptographic key, the operation could have gone unnoticed for longer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read:<\/strong> <a href=\"https:\/\/certera.com\/blog\/passwordless-ssh-the-future-of-secure-remote-access-and-automation\/\">Passwordless SSH: The Future of Secure Remote Access and Automation<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This was not a typical phishing scam. The attackers took their time to learn about the organisations they impersonated. 
They copied the appearance of <strong>the login pages of Kuwait\u2019s National Fishing Company and telecom company Zain.<\/strong> What made these scams different was that they were carefully designed to look exactly like the real ones.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The experts discovered fake payment gateways, login forms and dashboards as part of the phishing pages. The pages were also optimised for mobile devices, making it easier for scammers to grab mobile account data and take control of accounts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-did-they-discover-this-threat-campaign\">How did they discover this Threat Campaign?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attackers operated mostly within <strong>Aeza International Ltd&#8217;s network<\/strong> (ASN <strong>AS210644<\/strong>), a hosting provider known for its lax oversight. Hunt.io first discovered three core servers driving the campaign:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>78.153.136[.]29<\/li>\n\n\n\n<li>134.124.92[.]70<\/li>\n\n\n\n<li>138.124.78[.]35<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These servers alone hosted over 100 phishing domains. But how did the researchers get from these three IPs to uncovering a full-fledged campaign with 230+ domains?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Every time an attacker sets up a server, they typically generate a new <a href=\"https:\/\/certera.com\/blog\/what-is-ssh-secure-shell-how-does-the-ssh-protocol-work\/\">SSH key<\/a> for secure access. 
But in this case, the hackers reused the same private key across multiple machines.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>This allowed researchers to track the campaign by identifying common SSH key fingerprints, including:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537<\/li>\n\n\n\n<li>000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">With these fingerprints, Hunt.io was able to <strong>pivot<\/strong> to <strong>eight more IP addresses<\/strong>, all tied to the same campaign. All of them were hosted within Aeza&#8217;s infrastructure. These additional servers hosted domains impersonating regional businesses like <strong>Delmon Fish (Bahrain)<\/strong> and <strong>Saiyarti<\/strong>, an automotive insurance platform in Kuwait.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What made this campaign stand out wasn&#8217;t just the scale, but the creativity in the domain names and the design of the phishing pages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Instead of obvious typos like gooogle[.]com, attackers used smart transliterations and believable names like:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>alwattnya[.]com<\/li>\n\n\n\n<li>zain-kw[.]pro<\/li>\n\n\n\n<li>dalmon-bh[.]com<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These domains sounded right and <strong>looked trustworthy<\/strong>, especially to users who didn\u2019t have a tech background. Researchers also noticed that the attackers avoided registering all their domains at once. 
Instead, they <strong>slow-dripped new domain registrations<\/strong> starting from <strong>January 2025<\/strong>, a sign of long-term planning and persistence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read:<\/strong> <a href=\"https:\/\/certera.com\/blog\/phishing-attacks-explained-how-to-spot-and-prevent-online-scams\/\">Phishing Attacks Explained: How to Spot and Prevent Online Scams?<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Interestingly, Hunt.io didn\u2019t observe any <strong>direct malware payloads<\/strong> being delivered through these sites. That\u2019s a sign of <strong>low-and-slow operations<\/strong>. Rather than infecting devices, the goal was likely to <strong>harvest credentials<\/strong>, <strong>perform account takeovers<\/strong>, or <strong>sell verified access<\/strong> to other threat actors. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This &#8220;clean&#8221; approach also made the campaign harder to detect. With no malicious downloads, traditional antivirus tools remained silent.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise-iocs-to-watch\">Indicators of Compromise (IOCs) to Watch<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Keep an eye out for the following IP addresses and domains, especially if your organization operates in the Middle East:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>IP Address<\/strong><\/td><td><strong>Sample Domains<\/strong><\/td><td><strong>Hosting Company<\/strong><\/td><td><strong>Location<\/strong><\/td><\/tr><tr><td>138.124.92[.]70 &nbsp;<\/td><td>alwattnya[.]com,<br>tamcar[.]pro<\/td><td>AEZA INTERNATIONAL LTD &nbsp;<\/td><td>DE &nbsp;<\/td><\/tr><tr><td>77.221.152[.]224 &nbsp;<\/td><td>al-watanyia[.]com, syarati[.]pro &nbsp;<\/td><td>AEZA INTERNATIONAL LTD &nbsp;<\/td><td>DE &nbsp;<\/td><\/tr><tr><td>89.208.97[.]251 &nbsp;<\/td><td>dalmon-bh[.]com,&nbsp;&nbsp;&nbsp;<br>dalmon-fishs[.]com 
 &nbsp;<\/td><td>AEZA INTERNATIONAL LTD &nbsp;<\/td><td>DE &nbsp;<\/td><\/tr><tr><td>78.153.136[.]29 &nbsp;<\/td><td>delmone11[.]com, zain-kw[.]pro &nbsp;<\/td><td>AEZA INTERNATIONAL LTD &nbsp;<\/td><td>DE &nbsp;<\/td><\/tr><tr><td>91.108.240[.]137 &nbsp;<\/td><td>awatanaia[.]com, dallmonfish[.]com &nbsp;<\/td><td>AEZA INTERNATIONAL LTD &nbsp;<\/td><td>DE &nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">These are just samples. The full list is available via <a href=\"https:\/\/hunt.io\/blog\/phishing-campaign-kuwait-shared-ssh-keys\">Hunt.io\u2019s platform<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion-nbsp\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Phishing attacks today are not the scams of old. As we saw in the campaign targeting Kuwait\u2019s fisheries and telecom sectors, attackers are now operating with precision, patience, and even a touch of professionalism. They\u2019re using well-designed fake sites, smart domain names, and subtle tactics like SSH key reuse that nearly slipped under the radar.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But here\u2019s the upside: you can defend your organization by getting ahead of these threats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start by putting strong email security in place. Use protocols like <a href=\"https:\/\/certera.com\/blog\/what-is-dkim-dmarc-and-spf-the-ultimate-guide-on-email-autentication-protocols\/\">SPF, DKIM, and DMARC<\/a> to ensure only verified sources can send messages on your behalf.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Add an <a href=\"https:\/\/certera.com\/smime-certificates\">S\/MIME Certificate<\/a> to protect the authenticity and integrity of your emails. And don\u2019t underestimate the power of awareness. 
Train your team regularly to recognize red flags and question anything that feels slightly off.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Phishing is evolving, but so can your defences. With the <a href=\"https:\/\/certera.com\/sitelock\">right tools<\/a> and best practices, you can reduce your risk and maintain the authenticity, integrity, and security your business depends on.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About the Incidence What began as a handful of phishing attacks by early 2025 became a large, organised attack aimed at the fisheries, telecommunications, and insurance sectors in Kuwait. Security Researchers at Hunt.io have found evidence of a large phishing campaign that used over 230 different malicious websites to try and steal the personal data<span class=\"morelink d-block mt-3\"><a href=\"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/\">Read More<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":3566,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31],"tags":[687,686],"class_list":["post-3565","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attack","tag-shared-ssh-keys-attack","tag-ssh-key-resuse","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SSH Key Reuse Reveals Large-Scale Phishing Attack in Kuwait<\/title>\n<meta name=\"description\" content=\"Sophisticated Phishing campaign in Kuwait exposed due to reused SSH keys across attack servers, revealing critical operational security flaw.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/\" 
\/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SSH Key Reuse Reveals Large-Scale Phishing Attack in Kuwait\" \/>\n<meta property=\"og:description\" content=\"Sophisticated Phishing campaign in Kuwait exposed due to reused SSH keys across attack servers, revealing critical operational security flaw.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/\" \/>\n<meta property=\"og:site_name\" content=\"EncryptedFence by Certera - Web &amp; Cyber Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/certeraLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-20T08:23:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-26T05:08:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/05\/ssh-key-reuse-phishing-attack.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"620\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:site\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/\"},\"author\":{\"name\":\"Janki Mehta\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\"},\"headline\":\"SSH Key Reuse Unmasks Major Phishing Campaign in Kuwait\",\"datePublished\":\"2025-05-20T08:23:11+00:00\",\"dateModified\":\"2025-05-26T05:08:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/\"},\"wordCount\":839,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/ssh-key-reuse-phishing-attack.webp\",\"keywords\":[\"Shared SSH Keys Attack\",\"SSH Key Resuse\"],\"articleSection\":[\"Cyber Attack\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/\",\"name\":\"SSH Key Reuse Reveals 
Large-Scale Phishing Attack in Kuwait\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/ssh-key-reuse-phishing-attack.webp\",\"datePublished\":\"2025-05-20T08:23:11+00:00\",\"dateModified\":\"2025-05-26T05:08:24+00:00\",\"description\":\"Sophisticated Phishing campaign in Kuwait exposed due to reused SSH keys across attack servers, revealing critical operational security flaw.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#primaryimage\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/ssh-key-reuse-phishing-attack.webp\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/ssh-key-reuse-phishing-attack.webp\",\"width\":960,\"height\":620,\"caption\":\"Shared SSH Keys Phishing Attack\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/certera.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SSH Key Reuse Unmasks Major Phishing Campaign in 
Kuwait\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"name\":\"EncryptedFence by Certera - Web & Cyber Security Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"alternateName\":\"Certera's EncryptedFence Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/certera.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\",\"name\":\"Certera\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"caption\":\"Certera\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/certeraLLC\\\/\",\"https:\\\/\\\/x.com\\\/certera_llc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/certera-llc\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\",\"name\":\"Janki 
Mehta\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"caption\":\"Janki Mehta\"},\"description\":\"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\\\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.\",\"sameAs\":[\"https:\\\/\\\/certerassl.com\\\/\"],\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/author\\\/certerabguser\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SSH Key Reuse Reveals Large-Scale Phishing Attack in Kuwait","description":"Sophisticated Phishing campaign in Kuwait exposed due to reused SSH keys across attack servers, revealing critical operational security flaw.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/","og_locale":"en_US","og_type":"article","og_title":"SSH Key Reuse Reveals Large-Scale Phishing Attack in Kuwait","og_description":"Sophisticated Phishing campaign in Kuwait exposed due to reused SSH keys across attack servers, revealing critical operational security flaw.","og_url":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/","og_site_name":"EncryptedFence by Certera - Web &amp; Cyber Security Blog","article_publisher":"https:\/\/www.facebook.com\/certeraLLC\/","article_published_time":"2025-05-20T08:23:11+00:00","article_modified_time":"2025-05-26T05:08:24+00:00","og_image":[{"width":960,"height":620,"url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/05\/ssh-key-reuse-phishing-attack.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_creator":"@certera_llc","twitter_site":"@certera_llc","twitter_misc":{"Written by":"Janki Mehta","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#article","isPartOf":{"@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/"},"author":{"name":"Janki Mehta","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7"},"headline":"SSH Key Reuse Unmasks Major Phishing Campaign in Kuwait","datePublished":"2025-05-20T08:23:11+00:00","dateModified":"2025-05-26T05:08:24+00:00","mainEntityOfPage":{"@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/"},"wordCount":839,"commentCount":0,"publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"image":{"@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/05\/ssh-key-reuse-phishing-attack.webp","keywords":["Shared SSH Keys Attack","SSH Key Resuse"],"articleSection":["Cyber Attack"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/certera.com\/blog\/#organization"}},{"@type":"WebPage","@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/","url":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/","name":"SSH Key Reuse Reveals Large-Scale Phishing Attack in 
Kuwait","isPartOf":{"@id":"https:\/\/certera.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#primaryimage"},"image":{"@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/05\/ssh-key-reuse-phishing-attack.webp","datePublished":"2025-05-20T08:23:11+00:00","dateModified":"2025-05-26T05:08:24+00:00","description":"Sophisticated Phishing campaign in Kuwait exposed due to reused SSH keys across attack servers, revealing critical operational security flaw.","breadcrumb":{"@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#primaryimage","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/05\/ssh-key-reuse-phishing-attack.webp","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/05\/ssh-key-reuse-phishing-attack.webp","width":960,"height":620,"caption":"Shared SSH Keys Phishing Attack"},{"@type":"BreadcrumbList","@id":"https:\/\/certera.com\/blog\/ssh-key-reuse-unmasks-major-phishing-campaign-in-kuwait\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/certera.com\/blog\/"},{"@type":"ListItem","position":2,"name":"SSH Key Reuse Unmasks Major Phishing Campaign in Kuwait"}]},{"@type":"WebSite","@id":"https:\/\/certera.com\/blog\/#website","url":"https:\/\/certera.com\/blog\/","name":"EncryptedFence by Certera - Web & Cyber Security 
Blog","description":"","publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"alternateName":"Certera's EncryptedFence Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/certera.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/certera.com\/blog\/#organization","name":"Certera","url":"https:\/\/certera.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","caption":"Certera"},"image":{"@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/certeraLLC\/","https:\/\/x.com\/certera_llc","https:\/\/www.linkedin.com\/company\/certera-llc\/"]},{"@type":"Person","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7","name":"Janki Mehta","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","caption":"Janki Mehta"},"description":"Janki Mehta is a passionate Cyber-Security 
Enthusiast who keenly monitors the latest developments in the Web\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.","sameAs":["https:\/\/certerassl.com\/"],"url":"https:\/\/certera.com\/blog\/author\/certerabguser\/"}]}},"_links":{"self":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/comments?post=3565"}],"version-history":[{"count":4,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3565\/revisions"}],"predecessor-version":[{"id":3584,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3565\/revisions\/3584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media\/3566"}],"wp:attachment":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media?parent=3565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/categories?post=3565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/tags?post=3565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}