Direct answer
What is campaign DNA? It is a structured profile of repeated campaign features such as infrastructure, kit markers, timing, language and monetization routes.
Campaign DNA signals
Useful signals include CT cert timing, redirect patterns, ASN and hosting recurrence, registrar choice, favicon and DOM hashes, JS markers, lure language, email/SMS headers, mule routes and deployment windows.
Operator-style clustering
Clusters should be labeled as inferred operational clusters unless analyst-confirmed. The goal is prioritization and evidence, not unsupported public attribution.
Why it matters
When campaigns migrate across domains, TLDs or brands, reusable DNA helps defenders recognize the same machinery earlier.
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
What is campaign DNA?
It is a structured profile of repeated campaign features such as infrastructure, kit markers, timing, language and monetization routes.
Is operator discovery the same as legal attribution?
No. Operator discovery is inferred clustering until supported by analyst and legal evidence.