DomainTools Investigations | Doppelgänger / RRN Disinformation Infrastructure Ecosystem 2026

The Doppelgänger / Reliable Recent News (RRN) ecosystem is a professionally managed, cloud-native disinformation infrastructure that uses large-scale media brand impersonation, automated domain generation, TLD substitution, CDN fronting, and centralized CMS governance to sustain coordinated influence campaigns from 2022 to 2026. The operation emphasizes infrastructure resilience, registrar/TLD diversification, geographic micro-targeting (notably Germany, France, the U.S., the UK, and Italy), and rapid enforcement-aware migration rather than short-term spoofing or financially motivated cybercrime.

Keypoints

  • The ecosystem is an infrastructure-centric, professionally managed influence operation built around the RRN domain family and a coordinated constellation of impersonation and narrative-front sites.
  • Operators perform scripted bulk domain provisioning in distinct campaign waves (mid‑2022 and Sept‑2024) and preserve second-level domains across TLD swaps to maintain continuity under enforcement pressure.
  • Infrastructure is cloud-native and attribution-resistant, fronted by CDNs (Cloudflare) with backends on hyperscalers (Google Cloud, some AWS) and distributed IP micro-clusters to reduce single points of failure.
  • Technical tradecraft includes automated domain-variant generation (typosquatting, semantic suffixes, geographic modifiers), registrar diversification with privacy shielding, and role-segmented WordPress CMS governance for SEO-focused publishing.
  • Tiers of the campaign architecture include operator coordination, an RRN narrative hub, country-targeted narrative fronts, media impersonation clusters, redirect/tracking and SEO layers, and social media amplification.
  • Targeting is geographically calibrated: Germany is highest priority with extensive media impersonation; France, the U.S., the UK, and Italy receive tailored narratives via different combinations of impersonation and narrative-front sites.

MITRE Techniques

  • No MITRE ATT&CK techniques are explicitly named in the article; the reporting describes operational tradecraft (domain acquisition, CDN fronting, registrar/TLD substitution, CMS account management, SEO manipulation) but does not map those behaviors to specific MITRE technique IDs in-text.

Indicators of Compromise

  • [Domain] campaign infrastructure and impersonation corpus – rrn[.]so, 50statesoflie[.]cc, and 47 other domains from the assessed corpus (e.g., spiegel[.]agency, bild[.]beauty, dailymail[.]cfd, rrn[.]com[.]tr, welt[.]media).
  • [IP address ranges] CDN fronting and backend hosting signals – 104.x.x.x (Cloudflare edge addresses), 34.x.x.x (Google Cloud backend ranges), and other ranges including 15.x.x.x (AWS) observed in micro-clusters.
  • [Email / account artifacts] CMS bootstrap and administrative accounts – a Yandex-linked bootstrap email (initial provisioning) and multiple accounts under the @rrn[.]com[.]tr namespace (e.g., seoadmin, RRN_Staff) referenced in recovered WordPress artifacts.
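
The TLD substitution and preserved second-level domains described in the key points can be hunted for in DNS or proxy logs. The following is an added example, not code from the DomainTools report: it flags watched brand labels appearing under an unexpected suffix and clusters labels reused across suffixes. The brand watchlist, the two-entry multi-label suffix set, and the benign sample entries are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: tiny hand-picked suffix set; production code should use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tr"}

# Assumption: legitimate brand domains supplied by the defender (watchlist).
BRAND_WATCHLIST = ["spiegel.de", "bild.de", "welt.de", "dailymail.co.uk"]

def refang(domain):
    """Turn a defanged indicator such as spiegel[.]agency into spiegel.agency."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def split_registrable(domain):
    """Return (second-level label, public suffix) for a domain name."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]

def find_tld_swaps(observed, watchlist=BRAND_WATCHLIST):
    """Flag observed domains that reuse a watched brand label under another suffix."""
    legit = defaultdict(set)
    for d in watchlist:
        label, suffix = split_registrable(d)
        legit[label].add(suffix)
    hits = []
    for d in observed:
        label, suffix = split_registrable(d)
        if label in legit and suffix not in legit[label]:
            hits.append((refang(d), label, suffix))
    return hits

def cluster_by_label(observed):
    """Group domains by second-level label; keep labels seen on 2+ suffixes."""
    clusters = defaultdict(set)
    for d in observed:
        label, suffix = split_registrable(d)
        clusters[label].add(suffix)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}

# Sample input: defanged domains quoted on this page plus constructed benign entries.
OBSERVED = ["rrn[.]so", "rrn[.]com[.]tr", "50statesoflie[.]cc", "spiegel[.]agency", "bild[.]beauty",
            "dailymail[.]cfd", "welt[.]media", "example.org", "www.spiegel.de"]

if __name__ == "__main__":
    print(find_tld_swaps(OBSERVED), cluster_by_label(OBSERVED))
```

The cluster output includes the legitimate suffix when it is also observed, which gives an analyst the genuine domain next to its look-alike for comparison.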


Read more: https://dti.domaintools.com/research/doppelganger-rrn-disinformation-infrastructure-ecosystem