Doppelgänger backend leak maps 100+ disinformation domains

March 11, 2026
8 min read

Executive Summary

Researchers tracking Russia-linked influence operations say backend artifacts from infrastructure associated with Reliable Recent News (RRN) — a core brand long tied to the Doppelgänger ecosystem — helped expose a broader network of more than 100 domains used for fake news distribution and media impersonation. The most evidence-backed reporting comes from CORRECTIV, NewsGuard, and Gnida Project on German-language influence sites, while U.S. authorities had already seized 32 Doppelgänger domains in 2024. For defenders, the key point is that disinformation operations increasingly leave infrastructure clues that can be treated like threat intelligence: domain overlaps, backend account patterns, tracking IDs, hosting reuse, and migration behavior all help reveal the wider network.

What happened?

  • 2022: EU DisinfoLab and partners first publicly exposed Doppelgänger as a Russia-linked operation using cloned media sites and spoofed domains.
  • 2024: the U.S. Justice Department seized 32 domains tied to Doppelgänger, describing the operation as part of a Kremlin-backed influence effort run through organizations including Social Design Agency (SDA), Structura, and ANO Dialog.
  • Late 2024 to early 2025: CORRECTIV, NewsGuard, and Gnida Project identified more than 100 German-language websites used in a related Russian influence campaign, with many domains apparently staged in advance for future use.
  • 2025–2026: researchers behind the now-repurposed rrn.world domain began publishing infrastructure analysis and documents about the former RRN environment, claiming the site had switched hands after sanctions and enforcement pressure.
  • 2026: DomainTools published analysis of the Doppelgänger / RRN ecosystem, including discussion of recovered WordPress artifacts, backend account provisioning, TLD migration, and coordinated infrastructure patterns.
  • Important attribution note: the claim that a backend dump directly exposed the full network comes mainly from researcher reporting around former RRN infrastructure and subsequent analysis. The strongest independently corroborated facts are the existence of the broader domain ecosystem, the 100+ site cluster identified by CORRECTIV and partners, and the previously seized 32 domains.

Who is affected?

This is not a conventional network intrusion story, but it matters to several groups:

Directly affected audiences

  • Journalists and publishers whose brands were cloned or imitated through typo and lookalike domains
  • Election monitors, civil society groups, and fact-checkers tracking foreign influence operations
  • Social platforms and ad systems that may be used to amplify staged narratives
  • Security teams responsible for brand protection, domain monitoring, and trust-and-safety operations

Indirectly affected sectors

  • Public-sector organizations targeted by narrative manipulation during elections or geopolitical crises
  • Enterprises vulnerable to reputational harm when fake domains impersonate media or institutions
  • Threat hunting teams monitoring domain registration abuse, redirection chains, and social engineering infrastructure

Initial access & kill chain (influence-ops view)

While Doppelgänger is not malware-centric, the operational flow still resembles a multi-stage attack chain.

Observed influence chain

  1. Narrative preparation
    Operators prepare stories aligned to geopolitical objectives, often adapting them for specific countries or elections.
  2. Infrastructure staging
    Lookalike and fake-news domains are registered in batches, sometimes weeks or months before active use.
  3. Content publishing
    Articles are pushed through WordPress-style backends or alternative media brands linked to the same ecosystem.
  4. Traffic redirection and cloaking
    Researchers have documented multi-stage redirect infrastructure designed to show benign pages to moderators while routing real users toward propaganda destinations.
  5. Amplification
    Fake or coordinated accounts on X, Telegram, and other platforms push links, hashtags, or media assets.
  6. Audience manipulation
    The final objective is not endpoint compromise but narrative seeding, trust abuse, and political polarization.

Example mapping

Phase          | Observed behavior                                               | Defensive lens
Recon / setup  | Batch domain registration, brand mimicry, TLD swaps             | Brand monitoring
Delivery       | Fake outlet articles, spoofed media pages, redirects            | Domain and web filtering
Evasion        | Cloaking, staged domains, content variation                     | Sandbox and browser analysis
Amplification  | Coordinated social posting and influencer seeding               | Trust & safety telemetry
Objective      | Narrative influence, reputational damage, election interference | Disinformation response

Indicators and detection

DNS / domain monitoring

  • Hunt for domains that imitate major publishers through altered TLDs, semantic suffixes, or typographical variants
  • Look for registration bursts across the same naming families or campaigns
  • Track reuse of analytics IDs, CMS fingerprints, nameserver patterns, and registrar combinations
  • Watch for second-level domains that survive enforcement by rotating TLDs
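The four checks above, and the "revived second-level names on alternate TLDs" point in the hardening checklist further down, can be run as one pass over a domain feed. The following is an added example written for this post, not code from the article or from any of the cited research groups: the brand list, the allowlist of domains the brands really own, the sample observations and the tiny two-label suffix table are all constructed for the demo (a production version would load the full Public Suffix List). It flags exact brand labels on foreign TLDs, brand-plus-"news" style names and one-edit typos, and separately reports labels seen under more than one TLD.

```python
"""Lookalike-domain and TLD-rotation scan over a constructed domain list.

Added example, not code from the article or the cited research groups.
BRANDS, LEGIT, SAMPLE and the two-label suffix table are constructed for
the demo; production code would use the full Public Suffix List.
"""
from collections import defaultdict

MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}           # stand-in for the PSL
BRANDS = {"spiegel", "guardian", "washingtonpost", "welt", "bild"}
LEGIT = {"spiegel.de", "theguardian.com", "guardian.co.uk", "welt.de",
         "bild.de", "washingtonpost.com"}             # brand-owned, never reported
SEMANTIC_SUFFIXES = ("news", "today", "live", "online", "daily")


def split_domain(fqdn):
    """Return (second_level_label, public_suffix) for an FQDN."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and an
    adjacent transposition each cost 1, so 'speigel' is 1 from 'spiegel'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(fqdn, brands=BRANDS, legit=LEGIT):
    """Return (brand, reason) when fqdn imitates a brand, else None.

    Checks run strongest-first so an exact brand label on a foreign TLD is
    never reported as a mere typo of some other brand.
    """
    if fqdn.lower() in legit:
        return None
    sld, _suffix = split_domain(fqdn)
    ordered = sorted(brands)                 # deterministic, set order is not
    for brand in ordered:
        if sld == brand:
            return brand, "tld_swap"         # brand label on a TLD it does not own
    for brand in ordered:
        if sld.startswith(brand + "-") or sld in {brand + s for s in SEMANTIC_SUFFIXES}:
            return brand, "semantic_suffix"  # guardian-news, spiegeltoday, ...
    for brand in ordered:
        # One-edit neighbours of 4-letter brands are too common to be useful.
        if len(brand) >= 5 and edit_distance(sld, brand) == 1:
            return brand, "typo"
    return None


def scan(fqdns, brands=BRANDS, legit=LEGIT):
    """Classify every observed FQDN; returns [(fqdn, brand, reason), ...]."""
    hits = []
    for fqdn in fqdns:
        verdict = classify(fqdn, brands, legit)
        if verdict:
            hits.append((fqdn, verdict[0], verdict[1]))
    return hits


def tld_rotation(fqdns, legit=LEGIT, min_tlds=2):
    """Map each second-level label to the sorted suffixes it was seen under.

    A label living on several TLDs is the footprint of a network that
    re-registers seized or blocked names instead of abandoning them.
    """
    seen = defaultdict(set)
    for fqdn in fqdns:
        if fqdn.lower() in legit:
            continue
        sld, suffix = split_domain(fqdn)
        seen[sld].add(suffix)
    return {sld: sorted(s) for sld, s in seen.items() if len(s) >= min_tlds}


# Constructed observations, as a newly-registered-domain feed might deliver them.
SAMPLE = ["spiegel.de", "spiegel.so", "spiegel.pics", "speigel.com",
          "guardian.co.uk", "guardian-news.top", "welt.de", "welt.ws",
          "bild.vip", "example.org", "rrn.world", "rrn.media"]

if __name__ == "__main__":
    for fqdn, brand, reason in scan(SAMPLE):
        print(f"{fqdn:20} imitates {brand:16} ({reason})")
    for sld, suffixes in tld_rotation(SAMPLE).items():
        print(f"{sld} seen on TLDs: {', '.join(suffixes)}")
```

The typo check is deliberately narrow (one edit, brands of five or more characters) because anything looser produces a flood of legitimate neighbours; widen it only for brands where the false-positive rate is tolerable.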

Network / web telemetry

  • Review redirect chains that route from social posts to intermediate cloaking domains and then to final content pages
  • Identify infrastructure using shared CMS assets, JavaScript snippets, or reused static resources
  • Flag domains that present different content depending on geography, referrer, or browser characteristics
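Both of the web-telemetry checks above come down to joining proxy records: stitching one client's hops from a social referrer through 30x responses to the final page, and comparing what a page served to browser-like clients against what it served to crawler-like ones. The following is an added example for this post, not code from the article or from any cited research. The log records are constructed, the field names (ts, src, ua, referer, url, status, location, body) are assumed stand-ins for whatever your proxy emits, and `body` represents a hash of the response body rather than the body itself.

```python
"""Redirect-chain reconstruction and cloaking check over constructed proxy logs.

Added example, not code from the article or any cited research. Field names
are assumed; `body` stands in for a response-body hash.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Referrers that mean "the user arrived from a social post" (assumed list).
SOCIAL_HOSTS = {"t.co", "x.com", "twitter.com", "t.me", "l.facebook.com"}


def host_of(url):
    return (urlparse(url or "").hostname or "").lower()


def redirect_chains(records, social=SOCIAL_HOSTS):
    """Follow each social-referred request through 30x hops, per client.

    Returns [{"src", "hops": [host, ...], "landed": bool}]. A hop is joined
    only when the same client later requests exactly the Location it was
    sent to, which keeps that client's unrelated browsing out of the chain.
    """
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)
    chains = []
    for src, reqs in by_src.items():
        for start, rec in enumerate(reqs):
            if host_of(rec.get("referer")) not in social:
                continue
            hops, cur, pos = [host_of(rec["url"])], rec, start
            while 300 <= cur["status"] < 400 and cur.get("location"):
                nxt = next((k for k in range(pos + 1, len(reqs))
                            if reqs[k]["url"] == cur["location"]), None)
                if nxt is None:
                    break                       # dangling redirect, nothing followed it
                pos, cur = nxt, reqs[nxt]
                hops.append(host_of(cur["url"]))
            chains.append({"src": src, "hops": hops, "landed": cur["status"] == 200})
    return chains


def multi_hop(chains, min_hops=2):
    """Chains with at least min_hops hosts, i.e. something sat in between."""
    return [c for c in chains if len(c["hops"]) >= min_hops]


def cloaking_suspects(records):
    """URLs that served crawler and browser clients nothing in common.

    Each client class is reduced to the set of (status, body) pairs it
    received; disjoint sets mean the page chose its answer by who asked.
    """
    views = defaultdict(lambda: defaultdict(set))
    for rec in records:
        views[rec["url"]][rec["ua"]].add((rec["status"], rec["body"]))
    out = []
    for url, per_ua in views.items():
        browser, crawler = per_ua.get("browser"), per_ua.get("crawler")
        if browser and crawler and browser.isdisjoint(crawler):
            out.append(url)
    return sorted(out)


# Constructed log: one user walks t.co -> link hub -> cloaking host -> fake
# outlet, while a crawler asking for the same URLs gets 200 "benign" pages.
LOG = [
    {"ts": 1, "src": "10.0.0.5", "ua": "browser", "referer": "https://t.co/abc",
     "url": "https://link-hub.example/go?id=7", "status": 302,
     "location": "https://cloak.example/r", "body": ""},
    {"ts": 2, "src": "10.0.0.5", "ua": "browser", "referer": "https://link-hub.example/go?id=7",
     "url": "https://cloak.example/r", "status": 302,
     "location": "https://fake-outlet.example/article/1", "body": ""},
    {"ts": 3, "src": "10.0.0.5", "ua": "browser", "referer": "https://cloak.example/r",
     "url": "https://fake-outlet.example/article/1", "status": 200, "location": "", "body": "sha:prop"},
    {"ts": 4, "src": "10.0.0.9", "ua": "crawler", "referer": "",
     "url": "https://cloak.example/r", "status": 200, "location": "", "body": "sha:benign"},
    {"ts": 5, "src": "10.0.0.9", "ua": "crawler", "referer": "",
     "url": "https://fake-outlet.example/article/1", "status": 200, "location": "", "body": "sha:cats"},
    {"ts": 6, "src": "10.0.0.7", "ua": "browser", "referer": "https://t.co/xyz",
     "url": "https://news-site.example/story", "status": 200, "location": "", "body": "sha:story"},
    {"ts": 7, "src": "10.0.0.11", "ua": "crawler", "referer": "",
     "url": "https://news-site.example/story", "status": 200, "location": "", "body": "sha:story"},
]

if __name__ == "__main__":
    for chain in multi_hop(redirect_chains(LOG)):
        print(chain["src"], " -> ".join(chain["hops"]), "landed" if chain["landed"] else "dangling")
    print("cloaking suspects:", cloaking_suspects(LOG))
```

Note that the cloaking check catches both variants seen in the constructed log: a host that redirects browsers but answers crawlers with a 200, and a host that answers both with 200 but different bodies. A legitimate site that serves identical content to both classes, as news-site.example does here, is not flagged.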

Threat-intel enrichment

  • Correlate seized or known-bad domains with passive DNS, WHOIS changes, hosting pivots, and tracking identifiers
  • Treat disinformation infrastructure the way you treat command-and-control infrastructure: the value comes from graphing related domains, hosts, and identifiers together, not from judging one domain in isolation
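Pivoting from a known-bad domain across shared attributes is the graphing step described in the two bullets above. The following is an added example for this post, not code from the article, from DomainTools, or from any other cited research. The enrichment records (analytics ID, nameserver, hosting IP, CMS fingerprint) are constructed, and rrn.media is simply cast as the seed domain for the demo; real records would come from passive DNS, WHOIS/RDAP and page-source collection. The per-attribute fan-out limits are assumed values, chosen so that an attribute shared by a crowd (a large nameserver, a common WordPress build) never links two domains on its own, which is the usual way infrastructure overlap gets mistaken for attribution.

```python
"""Pivot from seed domains across shared infrastructure attributes.

Added example, not code from the article, DomainTools or any cited research.
Records and fan-out limits are constructed/assumed for the demo.
"""
from collections import defaultdict, deque

# Largest number of domains an attribute value may be shared by and still
# count as a pivot. Hard identifiers pivot widely; shared hosts barely at all.
MAX_FANOUT = {"analytics_id": 25, "ip": 10, "ns": 2, "cms": 1}


def build_graph(records, limits=MAX_FANOUT):
    """Undirected graph: domain -> [(neighbour, attribute, value), ...]."""
    owners = defaultdict(set)                  # (attr, value) -> domains
    for rec in records:
        for attr in limits:
            value = rec.get(attr)
            if value:                          # empty/missing values never link
                owners[(attr, value)].add(rec["domain"])
    graph = defaultdict(list)
    for (attr, value), domains in sorted(owners.items()):
        if 2 <= len(domains) <= limits[attr]:
            members = sorted(domains)
            for a in members:
                for b in members:
                    if a != b:
                        graph[a].append((b, attr, value))
    return graph


def expand(graph, seeds):
    """Breadth-first walk from seed domains.

    Returns {domain: (reached_from, attribute, value)} for every domain linked
    to a seed directly or through intermediates. Seeds themselves are not
    included; the tuple is the evidence for each hop.
    """
    found, queue = {}, deque(sorted(seeds))
    while queue:
        here = queue.popleft()
        for nxt, attr, value in graph.get(here, []):
            if nxt in seeds or nxt in found:
                continue
            found[nxt] = (here, attr, value)
            queue.append(nxt)
    return found


def components(graph, domains):
    """Every connected cluster, for the 'graph the whole network' view."""
    seen, out = set(), []
    for d in sorted(domains):
        if d in seen:
            continue
        member = {d} | set(expand(graph, {d}))
        seen |= member
        out.append(sorted(member))
    return out


# Constructed enrichment; rrn.media plays the role of a known-bad seed.
RECORDS = [
    {"domain": "rrn.media", "analytics_id": "G-AAA111", "ns": "ns1.host-a.example", "ip": "203.0.113.10", "cms": "wp-6.4"},
    {"domain": "rrn.world", "analytics_id": "G-AAA111", "ns": "ns1.host-b.example", "ip": "203.0.113.11", "cms": "wp-6.4"},
    {"domain": "spiegel.pics", "analytics_id": "G-BBB222", "ns": "ns1.host-b.example", "ip": "203.0.113.11", "cms": "wp-6.4"},
    {"domain": "welt.ws", "analytics_id": "G-BBB222", "ns": "ns1.host-c.example", "ip": "198.51.100.7", "cms": "wp-6.4"},
    {"domain": "unrelated.example", "analytics_id": "G-CCC333", "ns": "ns1.bigdns.example", "ip": "198.51.100.8", "cms": "wp-6.4"},
    {"domain": "shop.example", "analytics_id": "", "ns": "ns1.bigdns.example", "ip": "192.0.2.1", "cms": "wp-6.4"},
    {"domain": "blog.example", "analytics_id": "", "ns": "ns1.bigdns.example", "ip": "192.0.2.2", "cms": "wp-6.4"},
]

if __name__ == "__main__":
    graph = build_graph(RECORDS)
    for domain, (via, attr, value) in expand(graph, {"rrn.media"}).items():
        print(f"{domain:18} <- {via:14} shared {attr}={value}")
    print(components(graph, [r["domain"] for r in RECORDS]))
```

Every domain `expand` returns carries the hop that reached it, so an analyst can see that welt.ws is two pivots away from the seed and through which identifier; that chain of evidence, rather than the bare cluster membership, is what goes into a report. The three domains on the shared nameserver stay unlinked at the default limits and only merge if the `ns` limit is raised, which is the knob to be careful with.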

Example detection pattern (Splunk SPL, illustrative; field names depend on your DNS and proxy sourcetypes)

index=dns OR index=proxy
| eval query=lower(coalesce(query, dest))
| search query="*spiegel*" OR query="*guardian*" OR query="*washingtonpost*" OR query="*rrn.*"
| rex field=query "(?<registered_domain>[^.]+\.[^.]+)$"
| search NOT registered_domain IN ("spiegel.de", "theguardian.com", "washingtonpost.com")
| eval suspicious_tld=if(match(registered_domain,"\.(so|cc|top|pics|beauty|expert|vip|ws)$"),1,0)
| stats count dc(src_ip) as hosts values(query) as fqdns by registered_domain, suspicious_tld
| where suspicious_tld=1 OR count > 5

The rex keeps only the last two labels, so names under two-label public suffixes such as co.uk are grouped by the suffix rather than the brand; the allowlist of brand-owned domains and the count > 5 threshold are starting points to tune against your own traffic.

Containment & remediation checklist

🔴 Immediate actions (0–24h)

  • Add known Doppelgänger/RRN domains and newly identified lookalikes to monitoring and blocklists where appropriate
  • Notify brand-protection, legal, and trust-and-safety teams if your organization or media partners are being impersonated
  • Review referrals from social media to suspicious lookalike domains
  • Preserve screenshots, HTML copies, and redirect data before domains disappear or rotate
  • Share domain intelligence with election-security or misinformation-response partners when relevant

🟠 Hardening (24–72h)

  • Expand typosquatting and lookalike-domain monitoring beyond a single TLD
  • Correlate domain registrations with passive DNS, TLS certificates, analytics IDs, and hosting pivots
  • Add workflows for suspected influence infrastructure alongside phishing and brand-abuse triage
  • Coordinate with registrars, hosting providers, and platform abuse teams using evidence bundles rather than isolated domain reports
  • Monitor for revived second-level names on alternate TLDs after takedowns

🟡 Longer-term controls (1–4 weeks)

  • Build repeatable graphing for domain families, redirects, tracking IDs, and CMS fingerprints
  • Integrate disinformation infrastructure tracking into executive risk and geopolitical monitoring
  • Train analysts to distinguish confirmed attribution from infrastructure overlap or behavioral similarity
  • Treat fake-news networks as a resilience problem, not a one-domain takedown problem
  • Establish playbooks for election periods and major geopolitical events when these campaigns surge

Strategic analysis

This story matters because it shows how disinformation operations can now be investigated with methods familiar to infrastructure defenders. The breakthrough is not just that one fake site made a mistake; it is that backend artifacts, domain registration logic, and CMS telemetry can expose the operational depth behind a propaganda network.

The reporting also shows why enforcement rarely ends the campaign outright. Even after seizures and sanctions, researchers continued to track migration to new TLDs, new hosters, and new narrative fronts. That makes Doppelgänger less like a collection of isolated fake pages and more like a maintained ecosystem with contingency planning, staged capacity, and reusable tooling.

For defenders, the lesson is practical: disinformation infrastructure should be monitored with the same discipline used for brand abuse, affiliate fraud, and malicious web ecosystems. Infrastructure pivots, not just content review, are what reveal scale.

FAQ

What was exposed?

Research and follow-on analysis tied to former RRN infrastructure helped map a wider set of domains connected to Russian influence operations, while separate reporting independently documented more than 100 related fake news sites.

Was the entire network proven from one backend dump?

No. That would overstate the evidence. The strongest public evidence comes from combining backend-related artifacts, domain analysis, investigative journalism, and prior law-enforcement actions.

How many domains are involved?

Public reporting varies by slice of the ecosystem. CORRECTIV and partners reported more than 100 German-language sites, while other researchers have described much larger infrastructure supporting Doppelgänger over time.

Why does this matter to security teams?

Because domain impersonation, redirect chains, cloaking, and hosting reuse can be detected and tracked using standard threat-hunting methods.

Is Doppelgänger still active?

Public reporting suggests the broader ecosystem has persisted through seizures, sanctions, and infrastructure migration, so defenders should assume continued activity.

References

  1. CORRECTIV, NewsGuard, and Gnida Project, “Influence operation exposed: How Russia meddles in Germany’s election campaign,” January 2025. https://correctiv.org/en/fact-checking-en/2025/01/24/disinformation-operation-russian-meddling-in-german-election-campaign-exposed/
  2. The Record, “DOJ seizes dozens of domains used in Russian influence campaigns targeting swing states,” September 2024. https://therecord.media/doj-seizes-russian-disinfo-domains-election
  3. DomainTools Investigations, “Doppelgänger / RRN Disinformation Infrastructure Ecosystem 2026,” 2026. https://dti.domaintools.com/research/doppelganger-rrn-disinformation-infrastructure-ecosystem
  4. Reset Tech, “News From Our Ongoing Investigation Into the Doppelganger Operation,” updated 2024. https://www.reset.tech/resources/reset-tech-investigation-doppelganger/
  5. The Record, “Russian disinformation network’s infrastructure is spread across Europe, report says,” July 2024. https://therecord.media/doppelganger-disinformation-infrastructure-european-companies
  6. VSquare, “Hacking Democracy: Russia’s Digital War on German and European Elections,” April 2025. https://vsquare.org/how-russian-disinformation-campaign-influenced-german-elections-afd-cdu-greens-cyberoperations/
  7. rrn.world, “What Infrastructure Does Doppelganger/RRN Use?” 2026. https://rrn.world/what-infrastructure-does-doppelganger-rrn-use/
  8. rrn.world, “About Us,” accessed 2026. https://rrn.world/about-us/

Published: 2026-03-11 Author: Invaders Cybersecurity Classification: Public / TLP:CLEAR

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.