Shared SSH Keys Expose Coordinated Phishing Campaign Targeting Kuwaiti Fisheries and Telecom Sectors

Hunt.io researchers are tracking an active phishing operation targeting Kuwait's fisheries, telecommunications, and insurance sectors. First observed in early 2025, the campaign remains ongoing, leveraging more than 100 domains to stage credential harvesting through cloned login portals and impersonated web pages.

While the domains vary between direct typosquatting and unrelated branding, the underlying servers share operational fingerprints, including reused SSH authentication keys and consistent ASN usage. These technical overlaps allow related assets to be linked across the broader campaign, offering clear opportunities to track malicious infrastructure staging over time.

This report outlines the infrastructure patterns observed, domain strategies employed, and methods defenders can use to identify and monitor similar operations.

Infrastructure Overview

Since early 2025, Hunt researchers have tracked phishing operations centered around three primary servers hosted within Aeza International Ltd's network. Across these servers, more than 100 domains were deployed to impersonate legitimate organizations in Kuwait's fisheries, telecommunications, and insurance sectors.

The majority of observed domains were concentrated on IP addresses 78.153.136[.]29, 134.124.92[.]70, and 138.124.78[.]35, each hosting multiple phishing portals simultaneously. Many servers exhibited multi-tenant characteristics, staging domains targeting different sectors from a single host to maximize operational efficiency.

Operational overlaps-including shared SSH authentication keys and common ASN usage-tie these assets together, enabling related servers to be identified across the campaign.

The following sections detail infrastructure linkages in greater depth and outline the phishing tradecraft leveraged across these domains.

Tradecraft Observations

Following a tip regarding sustained phishing activity targeting industries in Kuwait, Hunt researchers identified 138.124.92[.]70 as one of the initial servers associated with the campaign. The server, hosted within Aeza International Ltd's network, resolved to nearly 40 domains, with registrations beginning in January 2025 and continuing to appear as of this publication.

Across the broader infrastructure, more than 230 domains were identified, with over half impersonating the National Fishing Company of Kuwait. Rather than relying on slight typographical variations of the legitimate domain ( nfcq8[.]com), the actor registered unrelated domains incorporating transliterations or generic references to the brand name.. Examples include alwattnya[.]com, wtanaya[.]com, elwattanya1[.]com, and alwattnia[.]com. The observed webpages closely replicated the appearance of the company's online storefront, displaying seafood product listings, shopping cart features, and promotions.

In addition to fisheries-themed domains, the server also hosted sites impersonating Kuwait's automotive insurance sector. One domain, tamcar[.]pro, redirected visitors to a page claiming to compare local car insurance services.

Analysis of authentication overlaps identified eight additional IP addresses temporarily sharing SSH keys with 138.124.92[.]70 during April 2025. All were hosted within the same ASN and resolved to between 10 and 20 domains each.

These servers continued the same operational focus, staging domains spoofing fisheries, automotive service companies, and regional brands. Infrastructure mimicking Saiyarti, a well-known automotive service insurance company in Kuwait, was also observed.

The IOC section includes the overlapping IPs and a representative sample of domains. Full lists can be retrieved by querying the IPs in the Hunt.io app.

While no credential harvesting code or malware payloads were directly observed, the sustained domain registrations and server staging strongly suggest a long-term effort to deceive users and impersonate trusted regional businesses.

Among the eight linked servers, 89.208.97[.]251 hosted domains spoofing Delmon Fish, a prominent fishery company in Bahrain. Examples include dalmon-fishs[.]com, dalmon-bh[.]com, and dalmonfishs[.]com, following the same impersonation patterns used against Kuwaiti industries.

Together, these assets form a cohesive operational cluster, pointing to centralized management and ongoing phishing staging across Gulf-region industries.

Mobile Payment Lures Target Zain Customers

In addition to domains targeting fisheries, the same infrastructure cluster hosted phishing pages impersonating Zain, a major mobile telecommunications provider in Kuwait. Infrastructure linked to 78.153.136[.]29 included the domain zain-kw[.]pro, which Hunt.io classified as phishing activity shortly after its first appearance in April 2025.

The Zain-themed page was structured as a mobile payment portal, prompting users to enter their phone numbers and complete a discounted payment. The layout, branding, and checkout process closely mirrored legitimate Zain services, increasing the likelihood of user interaction, particularly on mobile devices where phishing indicators are harder to discern.

Targeting telecommunications customers introduces additional risks beyond credential theft. Successfully harvested phone numbers could enable downstream social engineering attacks, unauthorized SIM swap attempts, or account takeover activity across services tied to mobile authentication.

The infrastructure's pivot toward mobile payment impersonation demonstrates operational flexibility, with a clear focus on harvesting sensitive information tied to both consumer and enterprise users.

Hunting and Detection Guidance

Two SSH key fingerprints were consistently reused across assets in this campaign:

• dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537

• 000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9

Monitoring for these fingerprints can reveal additional servers linked to the broader activity cluster. A sample HuntSQL™ query to identify assets based on the observed keys is provided below:

SELECT  ip, port
FROM ssh
WHERE rsa_sha256 == 'dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537'
  OR rsa_sha256 == '000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9'
GROUP BY ip, port

Most assets were staged on servers within Aeza International Ltd's ASN (AS210644), a provider frequently associated with low-cost VPS hosting. To support broader detection efforts, a query targeting malware sightings across this ASN is included:

SELECT ip, hostname, malware.name
FROM malware
WHERE asn.number == '210644'
GROUP BY ip, hostname, malware.name

Naming patterns across phishing domains offer additional hunting angles. Rather than relying on typos of legitimate domains, the actor registered brand-inspired names using transliterations and generic references-for example, alwattny[.]com and zain-kw[.]pro, rather than variations of the legitimate domain.

New domain registrations imitating mobile payment portals are another indicator of operational expansion. Pages closely mimicking telecommunications payment processes were observed, likely intended to harvest phone numbers, credentials, and mobile authentication data.

Detection efforts should focus on identifying reused SSH key fingerprints, Aeza ASN assets staging brand-themed domains, transliterated or loosely connected domain names, and cloned company websites impersonating fisheries, insurance services, and telecommunications providers.

Final thoughts

The campaign detailed in this post highlights a deliberate effort to stage phishing assets across sectors tied to both consumer and enterprise users in Kuwait and the broader Gulf region. By leveraging consistent hosting patterns, repeated authentication artifacts, and brand impersonation tactics, the operators demonstrated scalable and adaptable tradecraft.

As domain registrations and mobile-themed phishing lures continue to evolve, defenders should remain vigilant for early operational signals-particularly SSH key reuse, VPS-hosted staging servers, and emerging payment impersonation pages tied to regional brands.

Proactive monitoring of these artifacts offers the best opportunity to identify related assets before they are fully operationalized against targeted organizations.

Kuwait Targeted Phishing Infrastructure Network Observables and Indicators of Compromise (IOCs)