Doppelgänger | Russia-Aligned Influence Operation Targets Germany 

SentinelLabs and ClearSky documented a Russia-aligned influence operation named Doppelgänger that uses large networks of X accounts, short-lived first- and second-stage sites, and obfuscated JavaScript to redirect users to propaganda articles targeting German audiences while tracking campaign performance. The campaign relies on infrastructure components such as ggspace[.]space and sdgqaef[.]site (Keitaro tracking), frequent domain/host rotation, and coordinated account activity to maximize reach.

Keypoints

  • Doppelgänger is a suspected Russia-aligned influence network intensively targeting German audiences with anti-government and anti-Ukraine narratives.
  • The operation uses coordinated clusters of X accounts that post and repost content to amplify reach and manipulate engagement metrics.
  • Content distribution uses a two-stage redirect chain: first-stage pages (shared on X) that redirect via telegra[.]ph thumbnails to second-stage sites running Base64-obfuscated JavaScript.
  • Second-stage JavaScript dynamically loads code from ggspace[.]space or sdgqaef[.]site, sending tracking requests with campaign identifiers and redirecting users to destination articles.
  • ggspace[.]space and sdgqaef[.]site host a Keitaro Tracking System (/admin) and are behind cloud reverse proxies to hide true hosts and monitor campaign performance.
  • First- and second-stage domains are short-lived, use many TLDs and automated/subdomain naming patterns, and rotate across hosting providers (Hostinger, Digital Ocean, Global Internet Solutions) to evade takedown.
  • Destination sites often run WordPress (some with Russian-language components), use cPanel-managed servers, and sometimes implement geofencing to restrict external analysis.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The operation registers and uses many short-lived domains and varied hosting providers to host first-stage, second-stage, and destination sites (“The first-stage and second-stage websites often shift between a variety of hosting providers… domains … have short lifespans”).
  • [T1036] Masquerading – Doppelgänger impersonates legitimate news outlets by mimicking domain names and site designs, e.g., “welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic)”.
  • [T1027] Obfuscated Files or Information – Second-stage sites execute Base64-encoded JavaScript to hide logic and behavior (“The second-stage websites … execute a JavaScript code obfuscated using Base64-encoding”).
  • [T1071] Application Layer Protocol – The JavaScript issues HTTP requests to monitoring domains (ggspace[.]space, sdgqaef[.]site) carrying tracking/campaign identifiers (“The JavaScript code samples we analyzed issue a request to ggspace[.]space … The request includes tracking information … [DE-02-01_deintelligenz]”).
  • [T1584] Compromise Accounts / Use of Staged Accounts – The campaign operates large clusters of X accounts created in similar windows and coordinated to repost and amplify content (“We identified multiple clusters of suspected Doppelgänger-managed accounts which have joined the X platform within the same month” and “reposting of the same content at almost the same time”).
  • [T1598] Phishing for Information / External Redirects (tracking) – Use of multi-stage redirects and thumbnail obfuscation via telegra[.]ph to funnel users and obscure origin (“first-stage websites … use thumbnail images hosted at telegra[.]ph to obfuscate the website thumbnails and redirect to second-stage sites”).

Indicators of Compromise

  • [Domain] First-stage sites – 09474w.reyt-cre-ad34[.]buzz, pcrrjx.kredit-money-fun169[.]buzz, and many other short-lived domains (see list).
  • [Domain] Second-stage / tracking servers – ggspace[.]space, sdgqaef[.]site (hosting Keitaro Tracking System at /admin).
  • [Domain] Destination sites (Doppelgänger-managed) – arbeitspause[.]org, deintelligenz[.]com, derglaube[.]com (used to host propaganda articles).
  • [Domain] Third-party outlets used/amplified – telepolis[.]de, freiewelt[.]net, overton-magazin[.]de (articles disseminated by the operation).
  • [Campaign Identifier] Tracking IDs used in requests – DE-02-01_deintelligenz, DE-23-12-2_arbeitspause, DE-27-12_faz (identifiers included in tracking requests to ggspace[.]space/sdgqaef[.]site).
  • [Social accounts] Suspected X (Twitter) accounts – AyniyeMcca18343, Brent8332812692, ButzlaffF6068, and many others listed as suspected Doppelgänger-managed accounts.

SentinelLabs and ClearSky analyzed Doppelgänger’s technical distribution chain and infrastructure to isolate the procedural elements used to deliver propaganda content. The campaign publishes first-stage landing pages (short-lived, auto-generated subdomains using diverse TLDs) that are posted to X and present telegra[.]ph-hosted thumbnails to mask the true destination. Those first-stage pages redirect users to second-stage sites which run Base64-obfuscated JavaScript; that code contacts central tracking hosts (ggspace[.]space or sdgqaef[.]site) with structured campaign identifiers (format: [country]-[day]-[month]_[domain]) and then dynamically loads additional JS that performs the final redirect to the intended article.
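As an added example that is not part of the SentinelLabs/ClearSky report, the following Python sketches how a defender might hunt for this chain in web-proxy logs and captured page scripts: it parses the [country]-[day]-[month]_[domain] campaign identifier, flags requests to the two tracking hosts, and decodes Base64 literals passed to atob() to see whether an inline script references them. The parameter name cid, the log line layout and the sample lines are constructed assumptions; the report does not state how the identifier is carried in the request.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit
# Tracking/orchestration hosts named in the report.
TRACKING_HOSTS = {"ggspace.space", "sdgqaef.site"}
# Campaign ID format from the report: [country]-[day]-[month]_[domain]; observed IDs
# such as DE-23-12-2_arbeitspause carry an extra number, hence the optional seq group.
CAMPAIGN_ID_RE = re.compile(r"^(?P<country>[A-Z]{2})-(?P<day>\d{2})-(?P<month>\d{2})"
                            r"(?:-(?P<seq>\d+))?_(?P<domain>[a-z0-9]+)$")
def parse_campaign_id(token):
    """Return the fields of a campaign identifier, or None if it does not match."""
    m = CAMPAIGN_ID_RE.match(token)
    return m.groupdict() if m else None

def find_tracking_requests(log_lines):
    """Flag requests to known tracking hosts and extract campaign IDs from them."""
    # The report does not name the parameter carrying the ID (assumption), so every
    # path segment and query value is tested. Constructed line format: '<client> <method> <url>'.
    hits = []
    for line in log_lines:
        client, _method, url = line.split()
        parts = urlsplit(url)
        if parts.hostname not in TRACKING_HOSTS:
            continue
        tokens = parts.path.split("/")
        for values in parse_qs(parts.query).values():
            tokens.extend(values)
        ids = [c for c in map(parse_campaign_id, tokens) if c]
        hits.append({"client": client, "host": parts.hostname, "campaigns": ids})
    return hits

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
def decoded_tracker_refs(script_text):
    """Decode Base64 literals passed to atob() and report tracking hosts they reveal."""
    found = set()
    for blob in ATOB_RE.findall(script_text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid Base64; binascii.Error is a ValueError subclass
            continue
        found.update(h for h in TRACKING_HOSTS if h in decoded)
    return sorted(found)

# Constructed sample data (not from the report); 'cid' is a placeholder parameter name.
SAMPLE_LOGS = [
    "203.0.113.5 GET https://example.org/news/",
    "203.0.113.5 GET https://ggspace.space/click?cid=DE-02-01_deintelligenz",
    "198.51.100.7 GET https://sdgqaef.site/DE-23-12-2_arbeitspause",
]
SAMPLE_SCRIPT = 'var u=atob("aHR0cHM6Ly9nZ3NwYWNlLnNwYWNlLw==");location.href=u;'
```

Running find_tracking_requests(SAMPLE_LOGS) returns two hits with their parsed identifiers, and decoded_tracker_refs(SAMPLE_SCRIPT) returns ["ggspace.space"].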

ggspace[.]space and sdgqaef[.]site act as both redirect/orchestration endpoints and analytics backends: they host a Keitaro Tracking System instance at /admin and sit behind cloud reverse proxies that conceal the real hosting providers. Doppelgänger rotates first- and second-stage domains across providers (Hostinger, Digital Ocean, Global Internet Solutions), uses automated name and subdomain patterns for rapid churn, and maintains destination sites on WordPress/cPanel infrastructure, some with Russian-language components, in some cases with geofencing that limits visibility to the targeted countries.

The social amplification layer consists of clusters of X accounts (many created within the same time windows) that post, repost, and engage with content linking to first-stage URLs to inflate engagement metrics. This coordinated behavior, combined with obfuscated client-side scripts, central tracking, infrastructure rotation, and impersonation of legitimate news domains, forms the technical backbone that enables persistent, hard-to-take-down influence campaigns.

Read more: https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/