Operation DoppelBrand: Weaponizing Fortune 500 Brands for Credential Theft and Remote Access
SOCRadar threat researchers have published an in-depth analysis of an ongoing cyber campaign by the threat actor known as GS7 against Fortune 500 companies, including names such as Wells Fargo and USAA.
GS7 has been active for years, rotating its infrastructure and impersonating legitimate portals, and has amassed hundreds of malicious domains tied to its modus operandi. Its campaigns include operations targeting banking institutions, technology companies, payment platforms, and other entities.
What distinguishes this actor and its campaigns is the creation of portals that closely resemble the legitimate ones, used in phishing operations to redirect victims toward credential theft.
The research dives into:
How GS7 has quietly operated for years by rotating infrastructure and impersonating trusted Fortune 500 brands
Hundreds of malicious domains tied to GS7’s phishing ecosystem and how they’re deployed at scale
The use of near-identical, brand-spoofed portals designed to convincingly harvest credentials
Active campaigns targeting banks, financial institutions, technology companies, and payment platforms
The actor’s infrastructure rotation tactics and evasion techniques
Which industries, regions, and countries are being targeted most heavily
What makes this campaign distinct from typical phishing operations — and why it continues to succeed
You can read the research here: https://socradar.io/resources/whitepapers/operation-doppelbrand-fortune-500-access
This entry was posted on February 16, 2026 at 8:09 am and is filed under Commentary with tags SOCRadar. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.