
Key findings

This report presents:

  • The intrusion set commonly known as Doppelgänger continues to spread disinformation narratives on social media platforms such as X, through bot accounts created specifically for these campaigns.
  • As in its previous campaigns, Doppelgänger pushes its anti-Western narrative on pages spoofing media outlets of the targeted countries, such as France, Germany, Italy, Ukraine and Israel. The campaign aims to manipulate public opinion by exploiting sensitive issues and exacerbating social and geopolitical divisions.
  • The linguistic characteristics of the articles suggest that some of them were translated from Russian or edited by native Russian speakers, reinforcing the hypothesis that they are of Russian origin.
  • To bypass both manual and automated moderation on social media platforms, Doppelgänger continues to leverage Kehr[.]io, a redirection provider advertised on Russian-speaking underground forums. This service hosts its infrastructure on IPs announced by UK-registered companies run by Ukrainian and Belarusian individuals, which we could connect with a high level of confidence to bulletproof hosting providers.
  • The disinformation campaigns remain ongoing.

Introduction

In early January 2025, a disinformation campaign that we were able to link to the Doppelgänger intrusion set was launched on X through various bot accounts.

This campaign relies on the tactics already documented by many vendors and state agencies, such as VIGINUM in France.[1] The strategy consists of building digital replicas designed to visually mimic the websites of influential media outlets or recognised national institutions of a targeted country.

These fake sites are hosted on typosquatted domains, that is, domain names that differ only slightly (a swapped letter, a confusable character, a different top-level domain) from those of the authentic sites while looking visually similar. This approach is particularly effective against less attentive internet users, who can easily confuse these fraudulent platforms with their legitimate counterparts.
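The following is an added example, not code from the original report or from Intrinsec, showing how a defender can screen newly observed domains against the outlets they are likely to imitate. It goes slightly beyond the paragraph above: besides plain typos it also folds confusable character sequences (e.g. "rn" for "m", "1" for "l") and separately reports a matching second-level label under a different top-level domain. All domain names in it are constructed placeholders, the confusables table is an illustrative subset, and the suffix handling assumes simple two-label domains rather than a full public-suffix list.

```python
"""Flag lookalike (typosquatted) domains against a list of legitimate news-site domains.

Added example for this report; not Intrinsec's tooling. Domain names used below are
constructed placeholders, not indicators from the campaign.
"""
from __future__ import annotations

import unicodedata

# Character sequences that read like another glyph in a browser address bar.
# Assumption: an illustrative subset, not an exhaustive confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label: str) -> str:
    """Lowercase, strip accents (NFKD) and collapse confusable sequences."""
    s = unicodedata.normalize("NFKD", label.lower()).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, tld) of a host name, ignoring a leading 'www.'.

    Assumption: plain two-label suffixes; a real tool would consult the public suffix list.
    """
    labels = domain.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit: list[str], max_distance: int = 2) -> dict | None:
    """Return a verdict for the closest legitimate brand, or None if the domain is
    unrelated or is the legitimate site itself.

    kind is 'tld-swap' (same label, other suffix), 'confusable' (same label once
    confusables are folded) or 'typo' (within max_distance edits after folding).
    """
    c_sld, c_tld = split_domain(candidate)
    best = None
    for ref in legit:
        r_sld, r_tld = split_domain(ref)
        if (c_sld, c_tld) == (r_sld, r_tld):
            return None  # the legitimate site itself (possibly prefixed with www.)
        d = levenshtein(fold(c_sld), fold(r_sld))
        if best is None or d < best[1]:
            best = (ref, d, r_tld)
    if best is None or best[1] > max_distance:
        return None
    ref, d, r_tld = best
    if d == 0:
        kind = "tld-swap" if c_tld != r_tld else "confusable"
    else:
        kind = "typo"
    return {"candidate": candidate, "imitates": ref, "distance": d, "kind": kind}


if __name__ == "__main__":
    # Constructed sample input: one placeholder outlet and a few observed domains.
    outlets = ["dailyexample.fr"]
    for seen in ["www.dailyexample.fr", "dailyexarnple.fr", "dailyexample.info",
                 "dailyexampel.fr", "weather-report.org"]:
        print(seen, "->", classify(seen, outlets))
```

The thresholds are deliberately conservative: a distance of two edits after folding catches transpositions and single-character swaps without flagging every domain that merely shares a common word, and any hit should still be confirmed by looking at the page content and registration data before it is treated as part of a campaign.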

Links to the articles are then posted on social networks (X, in this case) to give them a degree of virality.

What is notable about this campaign is the timing of its launch. It appeared at a particularly difficult moment for Europe: fears of economic confrontation with the United States at the start of President Trump's second term, a prolonged political crisis in France since the dissolution of the National Assembly in June 2024, and federal elections in Germany in February.

In this context, Europe has declared that it will continue to support Ukraine in its war with Russia. Some newspapers[2] are already discussing the deployment of European troops (some outlets mention a force of 20,000 soldiers) on the battlefield.

This campaign therefore appears to polarise domestic issues in the targeted countries in order to influence public opinion and to challenge, or even prevent, European initiatives in support of Ukraine. The articles analysed in this investigation are all designed to show that the leaders of France, Germany, Italy, Ukraine and Israel are neglecting the problems of their own people and concentrating on supporting Ukraine, which the articles present as the wrong priority.

As for the Doppelgänger intrusion set, Meta attributed it in 2022[3] to two Russian companies: Structura National Technologies, an information technology company, and Social Design Agency, a marketing and political consulting firm.

As reported by Qurium in November 2024, Doppelgänger operates these campaigns through a traffic distribution system (TDS) provided by a service known as Kehr[.]io.[4] This provider advertises its solution on Russian-speaking underground forums and actively sells it to clients running a variety of scam schemes. For this campaign, we found that Kehr has been hosting its infrastructure on several bulletproof hosting providers that regularly change the IP ranges they announce in order to avoid being listed in blocklists such as the one maintained by Spamhaus.

Overall, this report aims to analyse and understand the disinformation narrative spread by Doppelgänger and the infrastructure it leverages to operate it.

[1] https://www.sgdsn.gouv.fr/publications/maj-19062023-rrn-une-campagne-numerique-de-manipulation-de-linformation-complexe-et

[2] https://www.lecho.be/dossiers/conflit-ukraine-russie/l-idee-d-une-force-europeenne-pour-garantir-un-cessez-le-feu-en-ukraine-prend-forme/10583985.html

[3] https://about.fb.com/wp-content/uploads/2022/11/Quarterly-Adversarial-Threat-Report-Q2-2022-1.pdf

[4] https://www.qurium.org/forensics/when-kehr-meets-vextrio

Intrinsec’s CTI services

Organisations are facing increasingly sophisticated threat actors and intrusion sets. To address these evolving threats, a proactive approach to the detection and analysis of any element deemed malicious is now necessary. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.

For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides customers with high value-added, contextualised and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data and information gathered from our security monitoring services (SOC, MDR, ...), our incident response team (CERT-Intrinsec) and intelligence produced by our analysts using custom heuristics, honeypots, hunting, reverse engineering and pivots.

Intrinsec also offers various services around Cyber Threat Intelligence:

  • Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
      • an operational feed of IOCs based on our exclusive activities.
      • threat intel notes & reports, TIP-compliant.
  • Digital risk monitoring:
      • data leak detection & remediation
      • external asset security monitoring (EASM)
      • brand protection

For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.
