INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Operation DoppelBrand Weaponizes Fortune 500 Brands
2026-02-16 18:05 | Severity: CRITICAL | Confidence: HIGH
Executive Summary (AI-generated)
GS7, a sophisticated and elusive threat actor, has been targeting Fortune 500 companies in a broad phishing campaign that turns those companies' own brands against them. The group, which has remained active for nearly a decade, consistently rotates its phishing infrastructure to mimic legitimate login portals, replicating official branding with unprecedented accuracy. GS7 may even act as an initial access broker, selling access to infrastructure to ransomware groups or other affiliates. The campaign is ongoing and has been observed between December and January, with the group's history stretching back to 2022.
Technical Mitigations (AI-generated)
* Implement robust password policies and multi-factor authentication to prevent attackers from gaining access through compromised credentials.
* Regularly update software, operating systems, and applications to ensure they have the latest security patches and features.
* Use secure communication channels (e.g. HTTPS) when transmitting sensitive information or accessing websites that may be impersonated by GS7.
* Educate users about phishing attacks and how to identify suspicious emails or links; provide guidance on safe browsing practices.
* Monitor for signs of compromised accounts, such as unusual login activity or changes in account settings, and take action to secure affected accounts.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* Operation DoppelBrand
* Lazarus Group
* Medusa Ransomware
Target & Sectors
* Regions: Europe, North America
* Sectors: healthcare, technology, telecommunications
Incident Timeline
December 2025
Threat actors used compromised infrastructure linked to earlier activity dating back to 2022 to target Wells Fargo and USAA.
Source context:
* SOCRadar dubbed the campaign Operation DoppelBrand and said it focused on Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026, with infrastructure linked to earlier activity dating back to 2022.
January 2026
Threat actors used compromised infrastructure linked to earlier activity dating back to 2022 to target Wells Fargo and USAA.
2026-02-16
GS7 deployed legitimate remote access software such as LogMeIn Resolve to establish unattended access.
Source context:
* The group itself, however, has a history stretching back to 2022, according to a white paper by SOCRadar published today.
* In a direct exchange with SOCRadar, the individual claiming to be GS7 reportedly stated they had been operating for around ten years and provided screenshots of phishing panels bearing their handle.
Targeting English Speakers for Credential Theft
* GS7 primarily has focused on English-speaking markets in recent months, with the US being the largest target, by far.
* The campaign targets top financial institutions — including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank — as well as technology, healthcare, and telecommunications firms worldwide.
* Meanwhile, the group also is expanding and maintaining DoppelBrand activity in Europe and other regions.
* The individual also gave a phishing demonstration with a portal mimicking Fidelity, which resulted in the download of RMM tools once the log-in form was completed.
* Victims are lured through phishing emails and redirected to counterfeit pages where credentials are harvested and transmitted to Telegram bots controlled by the attacker.
* The phishing pages replicate visual elements of legitimate sites, including logos, CSS styles and login form layouts.
* Some campaigns route victims through fake OneDrive interfaces before presenting spoofed banking portals.
* Once collected, login credentials — including usernames and passwords, IP addresses and geolocation data, device and browser fingerprints, and timestamps — are immediately exfiltrated to attacker-controlled Telegram bots.
* Once credentials are submitted, data including IP address, geolocation and device details are forwarded to a Telegram group, allowing the attacker to filter and prioritise targets.
* The researchers identified a Telegram group titled "NfResultz by GS" that they believe is operated by the group.
* GS7's end game includes not only harvesting credentials, but also downloading remote management and monitoring (RMM) tools on victim systems to enable remote access or the deployment of malware.
* Installers are delivered as MSI files, often accompanied by small VBS loaders that handle privilege escalation, silent installation and cleanup.
Infrastructure Built for Scale
* In fact, the threat actor registered more than 150 malicious domains in recent months alone, using registrars such as NameCheap and OwnRegistrar, and routing traffic through Cloudflare to obscure back-end servers.
* The infrastructure is highly automated, using rotating registrars such as Namecheap and OwnRegistrar, Cloudflare hosting and short-lived SSL certificates issued within hours of domain registration.
* SOCRadar identified more than 150 domains tied to the latest wave of activity, with nearly 200 additional domains showing similar characteristics.
Evolving Initial Access Broker Activity?
* In fact, SOCRadar believes the group may even act as an initial access broker (IAB), selling access to infrastructure to ransomware groups or other affiliates.
Remote Access and Monetization
* Beyond credential theft, GS7 deploys legitimate remote access software such as LogMeIn Resolve to establish unattended access.
* Financially, blockchain analysis of a wallet shared during the investigation showed roughly 0.28 BTC received, equivalent to between $25,000 and $32,000 depending on market price at the time.
* To help defenders track Operation DoppelBrand and GS7's activities, SOCRadar provided an extensive list of tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) for both the campaign and the group in its white paper.
* They can do this by setting up multifactor authentication (MFA) and practicing safe online behavior in general.
* Related: Lazarus Group Picks a New Poison: Medusa Ransomware
February 16
Threat actors used lookalike domains and cloned login portals to target Fortune 500 brands.
Source context:
* The campaign, described in a new report published on February 16, relies on lookalike domains and cloned login portals that closely imitate legitimate banking, insurance and technology websites.
Tactical Metrics
* Malicious Domains: 150 (the threat actor registered more than 150 malicious domains in recent months alone, using registrars such as NameCheap and OwnRegistrar, and routing traffic through Cloudflare to obscure back-end servers)
* Additional Domains: 200 (SOCRadar identified more than 150 domains tied to the latest wave of activity, with nearly 200 additional domains showing similar characteristics)
Intelligence Sources
* Dark Reading, 2026-02-16
* Infosecurity-Magazine, 2026-02-16: Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T06:57
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 28x organisation (Identified Entity): Credential Theft / GS7
* 5x timeline (Temporal Reference): 2026-02-16
* 4x tactic (Cyber Operation Type): Phishing
* 3x source region (Origin Country): China
* 3x industry (Targeted Sector): Technology
* 2x target region (Target Country): Japan
Contextual Telemetry (11 metrics)
* attribution (Attributing Entity): Smear Japan PM
* general metric (Companies): 500
* campaign (Campaign): Operation DoppelBrand
* tactic (MITRE ATT&CK Technique): T1566 - Phishing
* threat actor (APT Group): Lazarus Group
* malware (Malware Payload): Medusa Ransomware
* target region (Target Region): EUROPE
* infrastructure (Malicious Domains): 150
* source region (Origin Region): EUROPE
* infrastructure (Additional Domains): 200
* general metric (Btc): 0