Russian influence operation Doppelganger linked to fringe advertising company
13 June 2024
By: Elise Thomas
An infamous Russian influence operation has been operating like a scam campaign on social media. ISD’s new investigation may help explain why.
Since 2022, a steady stream of research and analysis has tracked the pro-Russian influence campaign generally referred to as Doppelganger. The campaign, which impersonates legitimate news outlets to promote pro-Kremlin narratives, was first reported on by T-Online and Süddeutsche Zeitung; this was followed by in-depth reports from ISD, Meta, EUvsDisinfo and others.
In March 2024, the US Department of Justice sanctioned two Russian companies, Social Design Agency and Company Group Structura LLC, and their chief executives, Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin, for their roles in the campaign. Subsequent reporting by the Washington Post and Voice of America has shed further light onto the close links between Doppelganger and Russia’s Presidential Administration.
ISD has found new evidence which appears to link a third company, Argon Labs, to Doppelganger. Argon Labs is a Moscow-based company which claims to offer affiliate marketing and bespoke web development services to clients. In reality, Argon Labs and the individuals behind it are linked to shady monetisation tactics including infecting unsuspecting victims with advertising malware.
As AI Forensics’ report on Doppelganger noted in April 2024, the campaign’s efforts to circumvent Meta’s content moderation – cloaking links, delivering readers to faked news sites and publishing ads on the platform – are identical to those commonly deployed by cryptocurrency scammers.
This report highlights the need to understand state-linked influence campaigns and commercial operators as two sides of the same coin. Commercial actors consistently lead the way in pioneering techniques and tactics which states later copy. Increasingly, as well as inspiring influence operations, we are now seeing scammers and spammers directly hired by state actors.
Connecting Doppelganger to Argon Labs
In a report published on 21 May 2024, cybersecurity firm Sekoia discussed finding the real IP address of a Doppelganger propaganda website, newsroad[.]online. Through this, they discovered an exposed dashboard which was used to monitor 16 websites simultaneously. Six of these sites were connected to a Russian-language component of the Doppelganger campaign; Sekoia’s hypothesis was that Structura and SDA were managing Russian-language campaigns alongside Doppelganger’s international operations.
In reviewing this dashboard, ISD observed that at least seven of the remaining domains seem to be connected to the same company, albeit operating under multiple business names. Although Argon Labs is the most commonly used name, the same group also appears to operate under Bits Department and Argon Ads.
Taken together, the most likely hypothesis is that the dashboard is owned by Argon Labs – and that it may also have played a role in operating the Doppelganger sites.
At least one of the sites previously included a Russian company tax file number. This appears to have been removed in the current version as of May 2024, but is still visible in Google’s cached search results.
The number belongs to Argon Labs LLC (ООО “Аргон Лабс”) which was registered to an address in Moscow on 15 March 2023. The registered owner and director of the company is Maria Aleksandrovna Shubochkina. Since 2012, Shubochkina has also been the director of another company which she co-owns with an Andrey Evgenievich Shubochkin.
In July 2023, a report released by France’s Viginum agency into Doppelganger’s activities identified three key domains used as part of Doppelganger’s infrastructure to target international audiences as being registered to an Andrey Shubochkin in Moscow.
ISD has independently verified the registration for two domains in the Viginum report (urlbox[.]online and newsroad[.]online) to an email address which appears to belong to Mr Shubochkin.
While circumstantial, this is significant because it lends weight to the hypothesis that Argon Labs is involved in Doppelganger and suggests that Argon may be involved with both Russian-language and international distribution of the campaign.
Argon Labs
Argon Labs’ different sites offer a variety of services, ranging from affiliate marketing to website design to building social media bots on Discord or Telegram. Their blurbs emphasise Argon Labs’ flexibility and willingness to design bespoke solutions and encourage clients to get in touch with their ideas. Two sites notably claim to operate as UAE-registered companies.
The Russian-language Argonlabs[.]pro – which claims that its websites can provide “responsive design, optimize performance and improve the user experience” – says it has more than 50 employees, although no individuals are listed on any of the current sites.
However, ISD found that a developer appears to have left a test version of the argonlabs[.]pro site publicly accessible, which led ISD to the developer’s GitHub account. This included content files for the site, with a now-removed folder including what appear to be pictures of several members of the team.
Historical registration data also allowed ISD to identify another individual who appears heavily involved with Argon Labs and its predecessors.
There appears to have been a recent effort across Argon’s workforce to clamp down on their online presence. Multiple accounts across sites including Russian tech site Habr were locked down recently; their full versions are still available in Google and Yandex search caches.
Another domain monitored from the dashboard, protodsp[.]ru, offers services in programmatic advertising, the automated buying and selling of digital ads based on targeted marketing. The process is how users instantly receive tailored ads based on their location, demographic or other factors as soon as they open a browser.
This Russian-language site boasts that they have 120 campaigns in action, from more than 30 clients and across eight unspecified countries. Although the site does not mention Argon Labs or Bits Department, it is monitored from the same dashboard as Argon Labs’ other sites, offers similar services and has a strikingly similar design aesthetic.
The domain proto-dsp[.]ru (as opposed to protodsp[.]ru, no hyphen) connects to an Argon Labs login page. Taken together, it seems likely that ProtoDSP is yet another name under which the Argon Labs team operates.
“Non-standard solutions to internet advertising”
Based on open-source data identified by ISD across social media and other sites, it appears that at least four Argon Labs employees previously collaborated under at least two other company names, Digital Pine LLC (officially closed in 2022) and Coin32. There are close links between the two, with recruitment ads for Coin32 giving contact details for Digital Pine. There are also links to Argon Labs: these include shared domain infrastructure and the fact that some of Digital Pine’s key products are still listed as examples of Argon Labs’ work on argonlabs[.]pro.
On its English-language LinkedIn page, Digital Pine LLC (which was registered in Moscow in 2012) still promises “non-standard solutions in internet advertisizing [sic]” and offers site owners a way to earn money through their websites.
Coin32 appears to have been one of Digital Pine’s product lines, offering webmasters a way to monetise their sites and advertisers a way to reach audiences. Specifically, they reference users “installing programs”, with site owners being paid per “installation.” However, it is unclear whether the people downloading the programs knew quite what they were getting.
Advertising malware, sometimes referred to as adware, is software which infects victims’ computers and bombards them with pop-up advertising. Users are often tricked into downloading it disguised as legitimate or innocuous products.
Digital Pine asked other site owners to install the programs via their Coin32 program; they also appear to have run several of their own sites designed to trick users into downloading what they thought were new browsers or social media files.
One example, the ‘Unidownloader’ project, appears to have started when the company was called Digital Pine but continued into the Argon Labs era. The screenshots below show domains registered by an Argon Labs employee using the email address [email protected], including unidownloader[.]com; an archived copy of Unidownloader, which promises downloads of YouTube videos; and example projects listed on the test version of the Argon Labs site including Unidownloader and other download-related projects.
A malware analysis of Unidownloader is available at ANY.RUN, an online malware sandbox, which found that it immediately attempts to install a malicious executable file and also suspected it may attempt to steal personal data. Multiple other URLs linked to Digital Pine/Argon Labs appear in malware analyses or lists of adware sites.
Coin32’s own domain has been linked to Trojan.Agent malware and may be doing more than just adware; it is listed on cybersecurity exchange AlienVault’s platform under the category of Spyware.
The use of malicious advertising software appears to have been a consistent line of activity for Digital Pine and Coin32 for perhaps ten years, overlapping and interacting with Argon Labs’ digital infrastructure.
Discussion
It seems plausible that Argon Labs is just one of several contractors with experience in spamming or scamming working for Doppelganger. Multiple domains which have been used by the campaign to smuggle links to banned domains onto social media platforms by redirecting from a different URL appear to have been recycled from spam or scam activities. Some appear connected to each other, although ISD has not linked them to Argon Labs. It may be that, like Argon Labs, other groups also recycle domains previously used for other shady activities for Spamouflage.
Analysing the history and past activities of these companies, as ISD has done in this case study, is valuable because it allows us to make some educated guesses about what they might do next. If social media companies crack down on Doppelganger, it is likely that its operators will respond in the way that many scammers do: by continuing to use new accounts, domains and assets, and waiting for the platforms to lose interest in playing whack-a-mole with them. Simple persistence beyond platforms’ short attention spans has worked very well for scammers and state actors alike in the past.
Another potential next step which researchers and platforms should watch for is whether Doppelganger emulates cryptoscammers’ tactic of enhancing their Facebook ads strategy with spoofed domains. If combined with Doppelganger’s practice of mirroring media sites, this could prove significantly more convincing to users.
Doppelganger could also follow cryptoscam ads into placing programmatic advertising on other sites, including legitimate news websites. Scammers have been doing this for years, and it would be an obvious next step for Doppelganger to take as well. Given the byzantine nature of the programmatic advertising ecosystem, researchers would likely struggle to identify or monitor this tactic at scale. As mentioned above, it appears Argon Labs in particular may already have experience with programmatic advertising.
This case study underscores the fact that there is no neat line dividing state-linked influence operations from commercially motivated operators like Argon Labs and others. It is becoming increasingly common for state operations to be outsourced to third party contractors.
This does come with a silver lining. There is an opportunity to kill two birds with one stone; by cracking down on the methodologies used by scammers, platforms and players in the digital ad ecosystem can help to defend their users against both fraud and potential influence operations. It’s a win-win, and tech companies and regulators should work together to make it happen.