Ddos 
In a newly published threat intelligence report, Hunt.io researchers have detailed an active and sophisticated phishing campaign targeting key sectors in Kuwait, including fisheries, telecommunications, and insurance. First identified in early 2025, the operation is ongoing and employs over 230 domains to deceive users and harvest sensitive credentials.
The attackers deployed the majority of their infrastructure on servers hosted by Aeza International Ltd, a hosting provider often associated with low-cost virtual private servers (VPS). Across IP addresses such as 78.153.136[.]29, 134.124.92[.]70, and 138.124.78[.]35, Hunt.io observed multi-tenant phishing portals imitating prominent Kuwaiti brands.
“Operational overlaps-including shared SSH authentication keys and common ASN usage-tie these assets together, enabling related servers to be identified across the campaign,” the report states.
Notably, the phishing assets were often linked via reused SSH key fingerprints, a technique that Hunt.io analysts used to track infrastructure expansion and domain clusters.
One of the campaign’s most deceptive techniques involves registering domains that loosely resemble real brand names—not through typosquatting, but through transliterations and generic references. Examples include:
- alwattnya[.]com
- wtanaya[.]com
- dalmonfishs[.]com
- zain-kw[.]pro
These domains closely mimic legitimate websites like the National Fishing Company of Kuwait, presenting fake storefronts complete with product listings and shopping carts to lure victims.
“The observed webpages closely replicated the appearance of the company’s online storefront, displaying seafood product listings, shopping cart features, and promotions,” the report notes.
The attackers are not stopping at fisheries. Hunt.io found pages designed to phish users of Zain, a leading Kuwaiti telecom provider. For instance, zain-kw[.]pro masqueraded as a mobile payment page, asking users to enter phone numbers and complete fake transactions.
This move raises further concern, as collected phone numbers could be used for SIM swapping, downstream phishing, or account takeovers involving mobile authentication.
The infrastructure isn’t limited to Kuwait. One of the linked servers (89.208.97[.]251) was caught hosting phishing sites spoofing Delmon Fish, a well-known Bahraini fishery. Domains like dalmon-bh[.]com followed the same impersonation playbook.
“Together, these assets form a cohesive operational cluster, pointing to centralized management and ongoing phishing staging across Gulf-region industries,” the report warns.
Donate