This article describes an ongoing phishing campaign active since early 2025, targeting Kuwait’s fisheries, telecommunications, and insurance sectors through over 100 impersonating domains hosted mainly on Aeza International Ltd’s network. The attackers use reused SSH keys, consistent ASN hosting patterns, and brand mimicking tactics to harvest credentials and sensitive data primarily from regional businesses and consumers.
Keypoints
- Since early 2025, a phishing campaign targeting Kuwait’s fisheries, telecommunications, and insurance sectors has been tracked using more than 100 fraudulent domains.
- The campaign infrastructure relies heavily on three primary servers hosted within Aeza International Ltd’s ASN, involving multi-tenant hosting of phishing portals.
- Phishing domains impersonate companies such as the National Fishing Company of Kuwait, Saiyarti automotive insurance, and Zain telecommunications.
- Attackers employ brand-inspired but loosely connected domain names, using transliterations and generic references rather than direct typosquatting.
- SSH authentication keys and ASN usage are reused across more than eight linked servers, enabling researchers to trace and cluster malicious assets.
- Phishing pages include credential harvesting portals and mobile payment lures aimed at stealing phone numbers, credentials, and enabling further social engineering and SIM swap attacks.
- Detection guidance includes monitoring reused SSH key fingerprints, Aeza International Ltd ASN assets, and identifying domains mimicking regional sector brands and mobile payment services.
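The SSH key clustering and fingerprint monitoring described in the key points can be sketched as follows. This is an added example, not code from the original article or from the researchers; the record layout, function names, documentation-range IPs and ASNs, and fake key blobs are all constructed, and the fingerprint is assumed to be the SHA-256 hex digest of the decoded public key blob (the 64-hex form listed under Indicators of Compromise).

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample scan records: (ip, asn, base64 SSH key blob).
# IPs and ASNs are documentation ranges; the key blobs are fake.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
KEY_C = base64.b64encode(b"constructed-host-key-C").decode()
SCAN_RECORDS = [
    ("192.0.2.10", "AS64500", KEY_A),
    ("192.0.2.11", "AS64500", KEY_A),
    ("198.51.100.7", "AS64501", KEY_A),  # same key seen in a second ASN
    ("203.0.113.5", "AS64500", KEY_B),
    ("203.0.113.9", "AS64502", KEY_C),
    ("192.0.2.10", "AS64500", KEY_A),    # duplicate observation
]

def fingerprint(key_b64):
    """SHA-256 hex digest of the decoded key blob (assumed fingerprint form)."""
    return hashlib.sha256(base64.b64decode(key_b64)).hexdigest()

def cluster_by_key(records, min_hosts=2):
    """Group distinct IPs by key fingerprint; keep keys seen on >= min_hosts IPs."""
    hosts = defaultdict(set)
    asns = defaultdict(set)
    for ip, asn, key_b64 in records:
        fp = fingerprint(key_b64)
        hosts[fp].add(ip)
        asns[fp].add(asn)
    return {
        fp: {"ips": sorted(ips), "asns": sorted(asns[fp])}
        for fp, ips in hosts.items()
        if len(ips) >= min_hosts
    }

def expand_from_known(records, known_fingerprints):
    """Return IPs whose key matches a fingerprint already tied to a campaign."""
    known = {fp.lower() for fp in known_fingerprints}
    return sorted({ip for ip, _, k in records if fingerprint(k) in known})

if __name__ == "__main__":
    for fp, info in cluster_by_key(SCAN_RECORDS).items():
        print(fp[:16], info["ips"], info["asns"])
```

A key shared across hosts is a pivot, not a verdict: cloned VPS images can also produce identical keys, so confirm each cluster against hosted content and domain registrations before blocking.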
MITRE Techniques
- [T1566] Phishing – The campaign uses cloned login portals and impersonated web pages to harvest credentials from targeted sectors (‘more than 100 domains to stage credential harvesting through cloned login portals and impersonated web pages’).
- [T1583] Acquire Infrastructure – Attackers registered over 230 domains and deployed them across servers with reused SSH keys, indicating the acquisition and management of infrastructure (‘SSH authentication keys and common ASN usage tie these assets together’).
- [T1588] Obtain Capabilities – The use of mobile payment impersonation portals targeting Zain customers to harvest phone numbers and credentials shows the development and deployment of phishing capabilities (‘a mobile payment portal, prompting users to enter their phone numbers and complete a discounted payment’).
Indicators of Compromise
- [IP Addresses] Hosting phishing infrastructure primarily on residential VPS within Aeza International Ltd ASN – 138.124.92[.]70, 78.153.136[.]29, 89.208.97[.]251, and 5 more IPs.
- [Domains] Brand-impersonating phishing domains targeting fisheries, insurance, and telecom sectors – alwattnya[.]com, zain-kw[.]pro, dalmon-bh[.]com, and over 230 others.
- [SSH Key Fingerprints] rsa_sha256 keys: dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537, 000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9 – used to link multiple servers within the campaign.
Read more: https://hunt.io/blog/phishing-campaign-kuwait-shared-ssh-keys