Massive Phishing Campaign Targets Over 500 Organizations
Operation HookedWing: A Sophisticated Phishing Campaign
Since 2022, Operation HookedWing has been active, compromising over 500 organizations across various sectors, including aviation, finance, and government.
Tactics and Expansion
The threat actor behind this campaign has stolen more than 2,000 user credentials over the past four years, primarily targeting organizations with access to sensitive information.
Campaign Evolution and Expansion
- In 2024 and 2025, the threat actor expanded its targeting to include French-language content, added more lure themes, and deployed additional landing pages.
- This expansion also included obfuscated GitHub domain names and more complex phishing lures.
Identified Infrastructure
SOCRadar identified two dozen command-and-control (C&C) servers associated with Operation HookedWing, as well as over 100 GitHub domains, and over a dozen distribution domains on other platforms.
Targeting Pattern
Analysis of recovered logs and identified infrastructure reveals a targeting pattern that is not random, focusing on infrastructure of high geopolitical relevance.
Landing Pages and Phishing Emails
- The campaign relies on phishing emails impersonating human resources or colleagues, or posing as notifications.
- These messages have a simple structure and are designed to convey authority and urgency without raising suspicion.
- Many of the emails contain links to GitHub repositories, with some pointing to intermediaries hosted on other platforms.
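The lure structure described above (HR, colleague or notification themes combined with links to GitHub-hosted pages) is something a mail gateway can score for. The following is an added example, not code from SOCRadar or from the campaign: a small triage rule that extracts URLs from a message body, checks whether any resolve to GitHub hosting, and weighs that against a theme score on the subject line. The sample messages, the list of GitHub hosting domains and the theme keywords are constructed assumptions for illustration; a real deployment would tune both lists to its own mail flow.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real data from the campaign), in the shape
# a mail-gateway rule engine sees: sender, subject and plain-text body.
SAMPLE_MESSAGES = [
    {
        "sender": "hr-notifications@example-corp.test",
        "subject": "Action required: updated leave policy",
        "body": "Please review and acknowledge the new policy here: "
                "https://corp-hr-portal.github.io/policy/index.html",
    },
    {
        "sender": "alice@example-corp.test",
        "subject": "Lunch on Friday?",
        "body": "Shall we try the new place? Menu: https://www.example-restaurant.test/menu",
    },
    {
        "sender": "noreply@voicemail-system.test",
        "subject": "New voicemail notification",
        "body": "You have 1 new message. Listen: "
                "https://raw.githubusercontent.com/someuser/vm/main/play.html",
    },
    {
        "sender": "dev@example-corp.test",
        "subject": "CI build failed",
        "body": "Failing job: https://github.com/example-corp/app/actions/runs/12345",
    },
]

# GitHub hosting domains treated as the lure's link target. Which domains to
# flag is an assumption of this example, not taken from the report.
GITHUB_HOSTS = ("github.io", "github.com", "githubusercontent.com")

# Subject-line keywords matching the lure themes the write-up describes
# (HR, colleague impersonation, notifications). Constructed list.
THEME_KEYWORDS = (
    "hr", "human resources", "policy", "payroll",
    "notification", "voicemail", "action required", "urgent",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def is_github_hosted(url):
    """True if the URL's host is a GitHub hosting domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)


def lure_theme_score(subject):
    """Count whole-word theme keywords in the subject line."""
    s = subject.lower()
    return sum(1 for kw in THEME_KEYWORDS
               if re.search(r"\b" + re.escape(kw) + r"\b", s))


def triage_message(msg):
    """Score one message and return a verdict with the evidence behind it."""
    urls = extract_urls(msg["body"])
    github_links = [u for u in urls if is_github_hosted(u)]
    theme = lure_theme_score(msg["subject"])
    # A themed message carrying a GitHub-hosted link matches the lure pattern.
    # A GitHub link alone (e.g. a CI notice) is only sent for review, to keep
    # false positives down for organisations that legitimately use GitHub.
    if github_links and theme > 0:
        verdict = "quarantine"
    elif github_links:
        verdict = "review"
    else:
        verdict = "deliver"
    return {
        "subject": msg["subject"],
        "github_links": github_links,
        "theme_score": theme,
        "verdict": verdict,
    }


def triage_all(messages):
    """Triage a batch of messages; returns one result dict per message."""
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_MESSAGES):
        print(f"{result['verdict']:10} theme={result['theme_score']} "
              f"links={result['github_links']}  {result['subject']}")
```

The two signals are deliberately kept separate in the result so an analyst can see why a message was held; combining them only at the verdict step also makes it easy to add further signals the report mentions, such as links to intermediary pages on other platforms, without rewriting the scoring.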
Simulated Sign-In Process
Landing pages simulate Microsoft Outlook behavior through a full-screen pre-loader and personalize the displayed text based on the victim organization.
Attackers’ Goal
When the victim clicks the sign-in button on the page, the attacker receives the victim’s password, IP address, full geolocation, source URL, and the victim organization domain in a single record.
Consequences and Recommendations
The campaign’s success highlights the need for organizations to prioritize security awareness training, implement robust email filtering solutions, and regularly monitor their networks for suspicious activity.
By doing so, they can minimize the risk of falling victim to this type of campaign and protect their sensitive information from being compromised.
