
Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

Severity: Medium
Published: Fri May 16 2025 (05/16/2025, 16:33:01 UTC)
Source: AlienVault OTX

Description

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure shares operational fingerprints, including reused SSH authentication keys and consistent ASN usage, allowing related assets to be linked. The campaign primarily targets the National Fishing Company of Kuwait, automotive insurance sector, and Zain telecommunications. The actors use brand-inspired domain names and transliterations rather than direct typosquatting. Mobile payment lures targeting Zain customers have also been observed, potentially enabling further social engineering attacks.

AI-Powered Analysis

Last updated: 07/02/2025, 03:58:42 UTC

Technical Analysis

This ongoing phishing campaign, active since early 2025, targets critical sectors in Kuwait including fisheries, telecommunications, and insurance. The attackers operate infrastructure of more than 100 domains built for credential harvesting through cloned login portals and impersonated web pages. A notable technical characteristic of this campaign is the reuse of SSH authentication keys across multiple operational assets; because a key is expected to be unique to a single host, a shared key acts as a fingerprint that links otherwise separate infrastructure components. The campaign also shows consistent use of specific Autonomous System Numbers (ASNs), which further aids attribution and tracking of the threat actors' infrastructure. Rather than simple typosquatting, the attackers register brand-inspired domain names and transliterations, which are harder for targeted users to recognise as impostors. The National Fishing Company of Kuwait, automotive insurance providers, and Zain telecommunications customers are the primary targets. Mobile payment lures aimed at Zain customers are also in use and could support deeper social engineering attacks and financial fraud. The combination of credential harvesting, domain impersonation, and social engineering reflects a multi-faceted approach to compromising user credentials and potentially gaining unauthorized access to sensitive systems. The reuse of SSH keys within the attacker infrastructure is an operational security lapse that lets defenders link and potentially disrupt the campaign's infrastructure. Although no known exploits are reported in the wild, the campaign leverages multiple MITRE ATT&CK techniques such as spearphishing via service (T1566.002), domain fronting (T1586.002), and credential dumping (T1589.002), indicating a well-resourced and persistent adversary.
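The linking technique the analysis describes (hosts that share an SSH key are treated as one operator's infrastructure, while an ASN match alone is only a weak hint) can be reproduced over scan data. The following Python is an added example, not code from the report or from hunt.io; it assumes the link is made on SSH host-key fingerprints as printed by `ssh-keygen -lf`, and all host records, keys and ASNs in it are constructed (RFC 5737 documentation addresses, keys derived from a seed rather than real key material).

```python
"""Cluster scan records by shared SSH host-key fingerprint (constructed data)."""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key line
    ("ssh-ed25519 AAAA... comment"), formatted like `ssh-keygen -lf` output."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _fake_ed25519_key(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a seed.
    Constructed for this example only; the 32 key bytes are a hash, not a real key."""
    raw = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed host records: documentation-range IPs and hypothetical private ASNs.
# Three hosts present the same host key; one of them sits in a different ASN.
HOSTS = [
    {"ip": "192.0.2.10", "asn": "AS64496", "hostkey": _fake_ed25519_key(1)},
    {"ip": "192.0.2.11", "asn": "AS64496", "hostkey": _fake_ed25519_key(1)},
    {"ip": "198.51.100.7", "asn": "AS64497", "hostkey": _fake_ed25519_key(1)},
    {"ip": "198.51.100.8", "asn": "AS64497", "hostkey": _fake_ed25519_key(2)},
    {"ip": "203.0.113.5", "asn": "AS64498", "hostkey": _fake_ed25519_key(3)},
]


def cluster_by_hostkey(hosts):
    """Group hosts whose SSH host keys share a fingerprint. A host key is generated
    per install, so unrelated servers should never share one; only groups of two
    or more are returned."""
    groups = defaultdict(list)
    for h in hosts:
        groups[ssh_fingerprint(h["hostkey"])].append(h["ip"])
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) > 1}


def pivot(hosts, ip):
    """Infrastructure pivot from one IP: hosts sharing its key (strong link) and
    hosts that only share its ASN (weak link, reported separately so that a
    hosting-provider coincidence is not read as attribution)."""
    me = next(h for h in hosts if h["ip"] == ip)
    fp = ssh_fingerprint(me["hostkey"])
    strong = sorted(h["ip"] for h in hosts
                    if h["ip"] != ip and ssh_fingerprint(h["hostkey"]) == fp)
    weak = sorted(h["ip"] for h in hosts
                  if h["ip"] != ip and h["asn"] == me["asn"] and h["ip"] not in strong)
    return {"shared_key": strong, "same_asn_only": weak}


if __name__ == "__main__":
    for fp, ips in cluster_by_hostkey(HOSTS).items():
        print(fp, ips)
    print(pivot(HOSTS, "192.0.2.10"))
```

In practice the `HOSTS` list would be fed from a scan export (host, ASN, host key) rather than built inline; the point of keeping the ASN-only relation separate is that a shared hosting provider links many unrelated customers, whereas a shared host key links machines that were cloned from one image or provisioned by one operator.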

Potential Impact

For European organizations, the direct impact of this campaign may be limited given its current focus on Kuwaiti sectors. However, the tactics and infrastructure characteristics observed could be adopted or adapted by threat actors targeting European entities, especially in telecommunications and insurance sectors which share similarities with the targeted Kuwaiti industries. European organizations with business ties or partnerships in the Gulf region, or those using similar brand names or services, could be indirectly affected through supply chain or third-party risks. The use of shared SSH keys by attackers highlights a potential operational security weakness that, if mirrored in European threat actor infrastructure, could facilitate detection and disruption. The phishing techniques, including mobile payment lures and domain impersonation using transliterations, represent evolving social engineering methods that European organizations should anticipate. If attackers expand their targeting to Europe, credential harvesting could lead to unauthorized access, data breaches, financial fraud, and reputational damage. The campaign's medium severity reflects the current scope but also the potential for escalation or adaptation to other regions.

Mitigation Recommendations

European organizations should implement advanced phishing detection and response capabilities, including domain monitoring for brand impersonation and transliteration-based domain registrations. Deploying multi-factor authentication (MFA) across all critical systems, especially for remote access and SSH connections, can significantly reduce the risk of credential compromise. Network defenders should monitor for reused or anomalous SSH keys within their environments and employ key rotation policies to prevent unauthorized access. Threat intelligence sharing platforms should be leveraged to track emerging phishing domains and infrastructure linked by shared SSH keys or ASN usage. User awareness training must emphasize the risks of mobile payment lures and the importance of verifying URLs and sender identities. Organizations should also conduct regular audits of third-party and supply chain partners, particularly those connected to telecommunications and insurance sectors, to identify potential exposure to similar phishing campaigns. Implementing email authentication standards such as DMARC, DKIM, and SPF can reduce the success rate of phishing emails. Finally, incident response plans should include procedures for rapid takedown requests of impersonating domains and coordinated action with hosting providers and law enforcement.
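Domain monitoring for brand impersonation and transliteration-based registrations, as recommended above, needs something more tolerant than an exact typosquat list: the indicator domains below spell the same brand as watanyea, wataniaa and watanniya. The following Python is an added example, not code from the report or the platform. It canonicalises labels by collapsing vowel runs and doubled letters before a windowed edit-distance comparison; the brand watchlist, threshold and sample domains are constructed for the example (the tokens mirror spelling patterns in the indicator list, and no public suffix list is used, so multi-label suffixes such as co.uk are not handled).

```python
"""Flag newly observed domains that resemble watched brands, including
Arabic transliteration variants (constructed watchlist; example code)."""
import re

# Hypothetical brand watchlist standing in for the one a defender would maintain.
BRANDS = ["watania", "dalmon", "motahida", "tameen", "zain"]
THRESHOLD = 0.8  # tuning value chosen for this example


def canon(s: str) -> str:
    """Collapse transliteration noise: letters only, any vowel run -> 'a',
    doubled letters -> single. 'watanyea', 'wataniaa' and 'watanniya'
    all become 'watana'."""
    s = re.sub(r"[^a-z]", "", s.lower())
    s = re.sub(r"[aeiouy]+", "a", s)
    return re.sub(r"(.)\1+", r"\1", s)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_window_score(needle: str, hay: str) -> float:
    """Best similarity between needle and any substring of hay whose length is
    within one of needle's, so a brand buried in a longer label still scores."""
    n = len(needle)
    best = 0.0
    for size in (n - 1, n, n + 1):
        if size < 1:
            continue
        if len(hay) <= size:
            windows = [hay]
        else:
            windows = [hay[i:i + size] for i in range(len(hay) - size + 1)]
        for w in windows:
            best = max(best, 1 - levenshtein(needle, w) / max(n, len(w)))
    return best


def registrable_label(domain: str) -> str:
    """Second-level label; assumes a single-label public suffix."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def match_brands(domain: str) -> dict:
    """Return {brand: score} for every watched brand this domain resembles."""
    label = registrable_label(domain)
    raw = re.sub(r"[^a-z]", "", label)
    hits = {}
    for brand in BRANDS:
        b = canon(brand)
        if len(b) < 4:
            # Too short to compare fuzzily without false positives; require the literal token.
            if brand in raw:
                hits[brand] = 1.0
            continue
        score = best_window_score(b, canon(label))
        if score >= THRESHOLD:
            hits[brand] = round(score, 3)
    return hits


# Sample input: domains from the indicator list above plus a benign control.
SAMPLE = ["al-watanyea.com", "al-watnya.com", "dalmonfishs.com",
          "almotahida1.com", "tameeeny.com", "zain-kw.pro", "example.com"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d:20} {match_brands(d) or '-'}")
```

Run against a certificate-transparency or newly-registered-domain feed, the hits are review candidates, not verdicts: the canonicalisation deliberately over-matches, so the threshold and the short-token rule are the two knobs to tune against a sample of your own benign traffic before alerting on the output.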


Technical Details

Author
AlienVault
TLP
white
References
https://hunt.io/blog/phishing-campaign-kuwait-shared-ssh-keys
Adversary

Indicators of Compromise

Ip

Value
91.108.240.137
109.120.178.145
77.221.152.232
134.124.92.70
138.124.58.18
138.124.78.35
138.124.92.70
150.241.93.231
46.226.167.145
77.221.152.224
77.221.153.225
78.153.136.29
89.208.113.172
89.208.113.34
89.208.97.251

Hash

Value
000e6797a0d6571bf2b4e77f86b1e68c61d23f0369b6a5e96682a9d84b4cbef9
dbe1065a0caaa2d1d89001b505ac1a00c5aee6202225b9897580c3c148ea2537

Domain

Value
al-watanyea.com
al-watanyia.com
al-watnya.com
almotahida1.com
almotheda.com
alwataniaa8.com
alwatanniya.com
alwatanya2.com
alwatenia4.com
alwatnnia.com
alwattanya.com
alwattnia.com
alwattny.com
alwattnya.com
alwtaneya1.com
alwtania2.com
awatanaia.com
dallmonfish.com
dalmon-bh.com
dalmon-fishs.com
dalmonfishs.com
dalmonfishy.com
delmona5.com
delmone11.com
delmone9.com
delmoon5.com
delmoon9.com
el-watnneya.com
elwataniaa8.com
elwattanuia.com
elwattanya1.com
ilwatanea.com
malware.name
megamail.pw
motaheda01.com
motahida2.com
motahidda2.com
mothada.pro
mothedaa.live
nfcq8.com
syarati.pro
tamcar.pro
tameeeny.com
tamienz.pro
watania01.com
wataniaa10.com
wataniaa9.com
wataniax.pro
watanuia.com
watanuia01.com
watanuya1.com
watanya2.com
watanyaa10.com
watanyafish.com
watenya.com
watnnia.com
wattanuea.com
wtanaya.com
zain-kw.pro
dl5.xvipx.top

Threat ID: 682c992c7960f6956616a32c

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 7/2/2025, 3:58:42 AM

Last updated: 8/13/2025, 2:12:45 PM

Views: 16
