Operation DoppelBrand Phishing Campaign Impersonating Fortune 500 Brands
SOCRadar reported a long-running phishing operation dubbed Operation DoppelBrand, attributed to a financially motivated actor tracked as GS7, that uses high-fidelity replicas of Fortune 500 and major consumer brands to harvest credentials and enable follow-on access. The activity observed most recently (Dec 2025–Jan 2026) impersonated major financial and technology organizations (including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity, Microsoft, and Citibank) and relied on a highly automated domain and infrastructure pipeline, with researchers identifying hundreds of malicious domains and 150+ newly identified domains following consistent patterns. The operation is assessed as monetization-focused, with GS7 linked to trading stolen credentials and access in underground markets and using Telegram bots for credential handling/exfiltration; reporting also notes abuse of legitimate remote management tooling to help establish persistence after credential capture.
Dark Reading’s coverage of the SOCRadar findings emphasized the campaign’s effectiveness stemming from near-perfect portal impersonation and rapid infrastructure rotation, increasing the likelihood of successful credential theft against both enterprises and their customers. For defenders, the reporting highlights the need to treat this as an ongoing, scalable credential-harvesting and initial-access operation: prioritize monitoring for lookalike domains and brand-abuse infrastructure, strengthen anti-phishing controls around customer/employee authentication flows, and review remote management tool governance to reduce the impact of stolen credentials being converted into durable access.
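One way to turn the monitoring recommendation above into a concrete check is to triage newly observed hostnames against the infrastructure patterns the reporting describes (brand names in registrable labels or brand-specific subdomains, near-miss spellings). This is an added example, not code from the SOCRadar or Dark Reading reporting; the brand list, allow list and sample domains are constructed for illustration.

```python
"""Triage newly observed hostnames for brand-impersonation indicators."""
import re

# Brands named in the reporting, normalised to the token that appears in their domains.
BRANDS = ["wellsfargo", "usaa", "navyfederal", "fidelity", "microsoft", "citibank"]
# Legitimate apex domains to suppress (constructed allow list, not exhaustive).
ALLOW = {"wellsfargo.com", "usaa.com", "navyfederal.org", "fidelity.com", "microsoft.com"}
# Constructed sample feed of new domains; none of these are indicators from the campaign.
SAMPLE_DOMAINS = [
    "wellsfargo.com",                        # legitimate, allow-listed
    "secure-wellsfargo.example-login.net",   # brand carried in a subdomain
    "usaa-verify.cc",                        # brand inside the registrable label
    "fidelty-account.info",                  # near-miss spelling of the brand
    "microsoft.com.login-check.top",         # brand as leading labels under another apex
    "example.org",                           # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain: str, brands=BRANDS, allow=ALLOW) -> list:
    """Return human-readable reasons the hostname resembles brand abuse (empty if clean)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return []
    # Naive registrable domain = last two labels; use a public-suffix list in production.
    if ".".join(labels[-2:]) in allow:
        return []
    reg_label, sub_labels = labels[-2], labels[:-2]
    reasons = []
    for brand in brands:
        if brand in reg_label:
            reasons.append(f"brand '{brand}' in registrable label")
        elif any(brand in lbl for lbl in sub_labels):
            reasons.append(f"brand '{brand}' in subdomain")
        else:
            # Near-miss spelling: a hyphen-separated token one edit away from the brand.
            for token in re.split(r"[-_]", reg_label):
                if len(token) >= 4 and token != brand and levenshtein(token, brand) == 1:
                    reasons.append(f"near-miss spelling '{token}' of brand '{brand}'")
    return reasons


def triage_all(domains) -> dict:
    """Map each suspicious hostname to its reasons; clean hostnames are omitted."""
    result = {}
    for d in domains:
        reasons = triage(d)
        if reasons:
            result[d] = reasons
    return result
```

Feed the output into a review queue rather than an automatic blocklist: substring matching on short brand tokens will produce false positives that need an analyst's eye.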
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
3 weeks ago
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed-voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands such as **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity.
Today
Identity-Driven Intrusions Fueled by Infostealer Credentials and MFA-Aware Phishing
Threat actors are increasingly achieving initial access through **identity compromise** rather than software exploitation, with infostealer malware and phishing infrastructure supplying large volumes of valid credentials for automated login attempts against enterprise authentication front doors. Defused Cyber reported a large-scale credential-stuffing campaign targeting **F5 BIG-IP** and other SSO-adjacent services (including **ADFS**, **STS**, and **OWA**), where honeypots observed high-confidence corporate email/password pairs being submitted at scale from `219.75.254.166` (OPTAGE Inc., Japan). Correlation against Hudson Rock’s infostealer telemetry indicated the majority of observed credentials were harvested from **infostealer-infected employee endpoints**, suggesting a pipeline from endpoint infection to external SSO gateway intrusion attempts impacting major enterprises and public-sector entities. In parallel, Datadog Security Labs documented the evolution of the **1Phish** kit into an operationally mature, **MFA-aware** phishing framework targeting *1Password* users, shifting from simple credential capture to multi-stage workflows that explicitly collect **2FA codes**—consistent with real-time authentication attempts even without confirmed reverse-proxy session hijacking. Broader incident-response telemetry in Sophos’ Active Adversary Report reinforces the same trend: **identity-related techniques** (compromised credentials, brute force, phishing) accounted for a majority of observed root causes, and attackers often pivot quickly to **Active Directory** after initial access. A separate finance-sector “2026” threat landscape post is largely high-level and does not add specific, verifiable details to the infostealer/SSO or 1Phish activity described elsewhere.
2 weeks ago