Doppelgänger Disinformation Network Targeted German Audiences
Researchers reported that the suspected Russia-aligned Doppelgänger influence operation ran a coordinated propaganda campaign against German audiences from at least late 2023, using a large network of coordinated X accounts, impersonated media brands, and custom-built websites to push anti-government and anti-Ukraine narratives. The messaging focused on politically sensitive issues including strikes, immigration, inflation, and elections, with the activity assessed as part of a broader effort to shape public opinion in Germany.
The operation relied on multi-stage redirection infrastructure and evasive technical measures, including Base64-obfuscated JavaScript, tracking identifiers, rotating first-stage and second-stage domains, geofencing on destination sites, and infrastructure linked to Keitaro traffic distribution systems. SentinelLABS and ClearSky said the campaign’s tactics and infrastructure overlap with findings previously reported by the German Ministry of Foreign Affairs, Der Spiegel, Recorded Future, and Meta, underscoring a persistent influence effort tied to upcoming European, municipal, state, and federal elections in Germany.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Doppelgänger campaign begins targeting German audiences
SentinelLABS and ClearSky reported that the suspected Russia-aligned influence operation Doppelgänger has been running a coordinated propaganda and disinformation campaign targeting German audiences since at least late November 2023. The campaign used coordinated X accounts, redirection infrastructure, and impersonated or custom-built websites to spread anti-government and anti-Ukraine narratives.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Signal Account Takeover Campaign Targeting German Officials
A **social-engineering campaign targeting Signal and WhatsApp accounts** has hit prominent German officials and security figures, including former BND vice president **Arndt Freytag von Loringhoven**. Attackers reportedly impersonated **Signal support** and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as **security-relevant** and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts. The campaign appears to be part of a broader **espionage-focused operation** affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to **Russian hybrid activity**. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is **not related** to the account-takeover campaign and should be excluded.
Apr 30, 2026
Operation Overload Impersonates Media to Influence the US Election
A Russia-aligned influence operation known as **Operation Overload**—also tracked as **Matryoshka** and **Storm-1679**—has used fake news sites, bogus fact-checking resources, AI-generated audio, and impersonation of trusted media brands to shape narratives around the US presidential election. Researchers said the campaign has heavily targeted journalists, fact-checkers, and researchers with deceptive verification requests designed to draw false claims into mainstream reporting, while coordinated inauthentic social media activity amplified the same narratives directly to the public. The operation has sought to undermine trust in the election process, inflame fears of political violence, and exploit polarizing issues to deepen social divisions. Reported themes included fabricated scandal narratives aimed at **Vice President Kamala Harris**, attacks portraying Ukrainians and the **LGBTQIA+** community negatively, and messaging intended to weaken support for Ukraine; the campaign had also previously attempted similar interference around the French elections and the Paris Olympics and was expected to intensify as the US vote approached.
Oct 23, 2024
German Government Accuses Russia of Cyberattack and Election Disinformation
Germany publicly accused Russia of orchestrating a cyberattack against Deutsche Flugsicherung, the state-owned air traffic control authority, and conducting a coordinated disinformation campaign aimed at influencing the upcoming federal election. The German Foreign Ministry stated it had clear evidence linking the August 2024 cyberattack to APT28 (Fancy Bear), a group associated with Russia’s GRU military intelligence, and attributed the election interference to the Storm 1516 threat actor. In response, Germany summoned the Russian ambassador, announced plans for countermeasures in coordination with EU partners, and supported new sanctions targeting those involved in hybrid attacks. The Russian embassy has denied the allegations, while European officials have warned of a broader campaign of Russian cyber operations targeting critical infrastructure and political processes across the continent. These developments come amid heightened concern over nation-state cyber threats in Europe, with both France and Germany reporting recent attacks attributed to foreign actors. The French Ministry of Interior is investigating a suspected nation-state breach of its email servers, though details remain limited. European authorities have documented a surge in nation-state-backed cyberattacks, with the EU Agency for Cybersecurity reporting 46 such incidents between July 2024 and July 2025. Officials across Europe have condemned Russia’s use of hybrid tactics, including cyberattacks and disinformation, as part of a broader strategy to destabilize Western democracies.
Mar 21, 2026