Sniper's Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud
SniperDz is a phishing-as-a-service platform targeting users primarily in the Middle East and North Africa, including Algeria. It uses fraudulent Facebook accounts impersonating trusted figures to promote fake offers such as free mobile internet and financial compensation. Victims are redirected through legitimate link-aggregation services to evade detection. The platform offers numerous phishing templates mimicking over 30 global brands and employs browser notification abuse, history manipulation to trap users, premium SMS and calls, investment scams, and affiliate marketing for monetization. Over 900 suspicious domains are linked to this infrastructure.
AI Analysis
Technical Summary
The SniperDz campaign is a centralized phishing-as-a-service operation that leverages brand impersonation and browser hijacking techniques to conduct fraud. It uses fake Facebook accounts impersonating politicians, public figures, and trusted organizations to lure victims with fraudulent offers. Victims are redirected through trusted link-aggregation services like Linktree and Linkbio to avoid detection. SniperDz provides 80 phishing templates mimicking over 30 global brands across sectors such as financial services, social media, streaming, and gaming. The infrastructure abuses browser notifications and manipulates browser history to create a back-button prison, preventing easy exit. Monetization methods include premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing. Analysis identified over 900 suspicious domains and a recurring VAPID public key linking multiple campaigns, indicating a large-scale, organized operation.
Potential Impact
Victims may be deceived into providing sensitive information or subscribing to costly premium services. The abuse of browser notifications and history manipulation can trap users in fraudulent sites, increasing the likelihood of successful phishing and financial fraud. The campaign's use of trusted link-aggregation services complicates detection and blocking efforts. The operation targets users in Algeria and the broader Middle East and North Africa region, potentially causing financial loss and privacy breaches.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Defenders should block known malicious domains and IPs associated with SniperDz, monitor for suspicious browser notification abuse, and educate users about the risks of unsolicited offers and the tactics used by this campaign. Since the campaign uses trusted link-aggregation services, additional scrutiny of redirected URLs is recommended. There is no indication that vendor or platform-level mitigations have been implemented; therefore, vigilance and user awareness are key.
Affected Countries
Algeria
Indicators of Compromise
- domain: aff.bnaosf1he.shop
- domain: win.anababayala.com
- domain: win.feezossl.xyz
- ip: 184.154.10.254
- ip: 65.60.9.236
Sniper's Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud
Description
SniperDz is a phishing-as-a-service platform targeting users primarily in the Middle East and North Africa, including Algeria. It uses fraudulent Facebook accounts impersonating trusted figures to promote fake offers such as free mobile internet and financial compensation. Victims are redirected through legitimate link-aggregation services to evade detection. The platform offers numerous phishing templates mimicking over 30 global brands and employs browser notification abuse, history manipulation to trap users, premium SMS and calls, investment scams, and affiliate marketing for monetization. Over 900 suspicious domains are linked to this infrastructure.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The SniperDz campaign is a centralized phishing-as-a-service operation that leverages brand impersonation and browser hijacking techniques to conduct fraud. It uses fake Facebook accounts impersonating politicians, public figures, and trusted organizations to lure victims with fraudulent offers. Victims are redirected through trusted link-aggregation services like Linktree and Linkbio to avoid detection. SniperDz provides 80 phishing templates mimicking over 30 global brands across sectors such as financial services, social media, streaming, and gaming. The infrastructure abuses browser notifications and manipulates browser history to create a back-button prison, preventing easy exit. Monetization methods include premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing. Analysis identified over 900 suspicious domains and a recurring VAPID public key linking multiple campaigns, indicating a large-scale, organized operation.
Potential Impact
Victims may be deceived into providing sensitive information or subscribing to costly premium services. The abuse of browser notifications and history manipulation can trap users in fraudulent sites, increasing the likelihood of successful phishing and financial fraud. The campaign's use of trusted link-aggregation services complicates detection and blocking efforts. The operation targets users in Algeria and the broader Middle East and North Africa region, potentially causing financial loss and privacy breaches.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Defenders should block known malicious domains and IPs associated with SniperDz, monitor for suspicious browser notification abuse, and educate users about the risks of unsolicited offers and the tactics used by this campaign. Since the campaign uses trusted link-aggregation services, additional scrutiny of redirected URLs is recommended. There is no indication that vendor or platform-level mitigations have been implemented; therefore, vigilance and user awareness are key.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/inside-sniperdz-phaas-ecosystem/"]
- Adversary
- SniperDz
- Pulse Id
- 6a2aa0d6db4e2c52648e2ed7
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainaff.bnaosf1he.shop | — | |
domainwin.anababayala.com | — | |
domainwin.feezossl.xyz | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip184.154.10.254 | CC=US ASN=AS32475 singlehop llc | |
ip65.60.9.236 | CC=US ASN=AS32475 singlehop llc |
Threat ID: 6a2ac705815e7002b8f931f9
Added to database: 6/11/2026, 2:32:37 PM
Last enriched: 6/11/2026, 2:45:01 PM
Last updated: 6/12/2026, 4:09:37 AM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.