Memetic Warfare Weekly: A Little Dop'll Do Ya
Welcome to Memetic Warfare Weekly.
My name is Ari Ben Am, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io - and Glowstick Intelligence Enablement.
Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
This week we’ll check out Recorded Future’s new, technical and in-depth report on continued Doppelganger activity. Next week or the week after we’ll do the same for Meta’s Q3 Adversarial Threat Report.
A Little Dop'll Do Ya
A good word when a good word is due: Recorded Future is ramping up their technical and OSINT-based IO research beyond high-level overview, and they’re doing a great job. I have to say though, that they missed the chance here to have a funny title and join the industry-wide inside joke of having meme titles for IO reports.
Their latest report, available here, expands upon Russia’s seemingly never-ending Doppelganger network. Yours truly was in fact honored by a link to Memetic Warfare Weekly in the report itself! Check it out on page 19 in the hyperlink on past Doppelganger activity.
I’ll share the key points below:
One of their more on-trend claims is that at least one outlet, Election Watch, is *probably* utilizing generative AI to target content. In the report, they refer to articles that were run through ZeroGPT and scored an over 66 percent chance of having been generated.
While I think that they may well be right (simply by looking at the content itself) and the site is partially if not fully powered by generative AI, this particular claim is comparatively weak, so the “probably” in the claim is rightfully there.
ZeroGPT and other GPT-detection tools aren’t super accurate, to say the least, and I say that as someone who has used them in the past in this blog. Personally, I’d like to see a much higher rating from ZeroGPT and cross-checking with other tools before making claims.
Doppel Domains
Doppelganger is a unique network in that it utilizes various stages of domains to redirect the end user to a final website.
We’ve looked at past cases of this in this humble blog and have seen how it has been done, and Meta’s reporting has also shed light on the phenomenon.
Hiding the end domain is useful for a few reasons - it helps get around potential platform blocks by obfuscating the end-target, users don’t know exactly where they’re going and so on.
The first-level redirect domains appear to be the most exposed to investigation, as they use Russian bulletproof hosting infrastructure, which has been investigated by many in the past and is comparatively easy to investigate.
However, the end-level domains are increasingly difficult to investigate - checking for WordPress misconfiguration, hosting and infrastructure provider checks and so on weren’t useful. These domains were configured correctly with minimal information and on Western infrastructure, making our lives harder as on-platform presence on Meta and others has already been greatly limited.
Recorded Future then pulled a smart move and went to URLScan.io for this investigation. I’ll be honest, I don’t use URLScan as often as I should, and this case really drives the utility of it home.
RF used it here to find whether a given domain has contacted any IP addresses (perhaps to display hosted content, references in scripts and so on), and if so which, and thus to find new IPs and domains.
This is a different “reverse IP” query than we’re used to. Reverse IP queries check which domains are hosted on a given host using a specific IP address, whereas here the scope for an IP relation is broader, and not based on hosting.
The utility of this for network domain expansion is high in this type of redirect-based operation. As always for these kinds of operations, especially mass-scale operations, operational security and compartmentalization are defenestrated in favor of a much faster operational tempo.
Essentially, Recorded Future has used URLscan here to easily find new, presumably affiliated domains previously unrecognized via this vector.
Additionally, URLScan’s built-in redirect feature pulls a lot of weight:
Second-layer domains appear to be more complex and hosted on Western infrastructure, using proxies like Namecheap or false identities and Proton email addresses.
This shows the importance of hosting services not accepting sign-ups from suspect email providers and implementing basic KYC. Running some cursory registration checks, reverse WHOIS checks and email resolution checks brought up nothing, so probably burner infra.
There’s also some great use of domains hosted on the same CIDR and subnet range, including of course at least one case of domains being registered on the same day - an easy-to-implement heuristic for the non-technical that often bears fruit:
Recorded Future’s technical chops also come into play by decoding and deobfuscating JavaScript payloads hosted on the redirect sites.
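As an added illustration (my own sketch, not code from the report or from Recorded Future), here is how the two pivots above look in Python: contacted-IP expansion of the kind URLScan exposes, filtered so that shared CDN or analytics IPs don’t link everything to everything, plus the same-day registration and same-subnet heuristics. The scan data is constructed from documentation IP ranges, and the field layout is my own simplification, not URLScan’s actual API schema.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed stand-in for what a URLScan.io result exposes per scanned domain:
# the IP the page was served from, every IP the page contacted while loading
# (scripts, images, redirects), and the WHOIS creation date. All values are
# made up for illustration, using documentation ranges, not data from the report.
SCANS = {
    "seed-news.example":   {"host_ip": "203.0.113.10", "contacted": {"203.0.113.10", "198.51.100.7", "192.0.2.44"}, "created": "2023-10-02"},
    "other-news.example":  {"host_ip": "203.0.113.11", "contacted": {"203.0.113.11", "198.51.100.7", "192.0.2.44"}, "created": "2023-10-02"},
    "unrelated.example":   {"host_ip": "198.51.100.99", "contacted": {"198.51.100.99", "192.0.2.44"}, "created": "2021-01-05"},
    "benign-blog.example": {"host_ip": "192.0.2.50", "contacted": {"192.0.2.50"}, "created": "2019-06-01"},
}

def contacted_ip_pivot(scans, seed, max_shared=2):
    """Domains whose pages contacted the same IPs as the seed's page.

    Unlike a hosting-based reverse IP lookup, this uses every IP the page
    touched. IPs contacted by more than max_shared domains (CDNs, analytics,
    font hosts) are dropped: they link everyone to everyone and prove nothing.
    """
    users = defaultdict(set)  # ip -> domains whose page contacted it
    for domain, scan in scans.items():
        for ip in scan["contacted"]:
            users[ip].add(domain)
    related = defaultdict(set)  # candidate domain -> shared low-noise IPs
    for ip in scans[seed]["contacted"]:
        if len(users[ip]) > max_shared:
            continue
        for domain in users[ip] - {seed}:
            related[domain].add(ip)
    return dict(related)

def same_day_registrations(scans):
    """The cheap heuristic: domains whose WHOIS creation dates coincide."""
    by_day = defaultdict(list)
    for domain, scan in scans.items():
        by_day[scan["created"]].append(domain)
    return {day: sorted(ds) for day, ds in by_day.items() if len(ds) > 1}

def same_subnet(scans, prefix=24):
    """Domains hosted inside the same /prefix network, keyed by network."""
    by_net = defaultdict(list)
    for domain, scan in scans.items():
        net = ip_network(f"{scan['host_ip']}/{prefix}", strict=False)
        by_net[str(net)].append(domain)
    return {net: sorted(ds) for net, ds in by_net.items() if len(ds) > 1}

if __name__ == "__main__":
    print(contacted_ip_pivot(SCANS, "seed-news.example"))
    print(same_day_registrations(SCANS))
    print(same_subnet(SCANS))
```

With the sample data, the shared 192.0.2.44 is discarded as noise while 198.51.100.7 ties the seed to other-news.example, which the registration-date and subnet checks then corroborate.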
This led to what appears to be evidence of campaign IDs below - some really fascinating stuff and a great find:
Reverse engineering capability, even at a basic level, is becoming increasingly important for specialized IO teams as adversaries adapt and develop, and this is a great case in point.
The utilization of a traffic distribution tool, as discovered by Qurium, was confirmed by Recorded Future, who found an admin panel for Keitaro TDS. This could presumably be pivoted upon via Censys, Shodan or other tools to hunt for identical login panels, but I haven’t had the time to do so unfortunately.
That’s it for this week - read the report in its entirety if of interest, as it’s truly excellent. This overall is a great sign for us in the IO space as far as it overlaps with CTI and technical research - I can count on one hand, maybe two if I’m being generous, the organizations that carry out and publish *technical* IO research that isn’t overly Twitter-oriented, so having some fresh blood in the space is great.