Fortune 500 Companies Impersonated in Widespread Phishing Campaign


Operation Doppelbrand: A Sophisticated Phishing Campaign

A sophisticated phishing campaign, dubbed Operation Doppelbrand, has been uncovered in which the attackers impersonated prominent Fortune 500 companies. The campaign, which ran from December 2025 to January 2026, targeted leading U.S. financial organizations, investment companies, and insurance firms.

Research and Discovery

Researchers at SOCRadar found that the threat actor, GS7, used more than 150 domains for credential harvesting and exfiltration. These domains were designed to spoof the websites of well-known banking, technology, and insurance companies, including Wells Fargo and USAA. The attackers used Telegram bots to control the domains and exfiltrate stolen credentials.

Infrastructure and Tools

Further investigation revealed nearly 200 additional domains with one-year registration terms, automated SSL certificates, wildcard DNS records, and brand-specific subdomains. These domains were likely used to support the phishing campaign and provide a layer of authenticity to the spoofed websites.
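As an added example (not code from the article or from SOCRadar's research), the following script scores domain records against the infrastructure traits described above: a brand keyword in the hostname, a roughly one-year registration term, a wildcard DNS record, and an automated certificate issuer. The record format, the issuer list, the allowlist, and the sample records are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Brand keywords named in the article as spoofed targets.
BRAND_KEYWORDS = ("wellsfargo", "usaa")
# Issuers treated as "automated" certificate sources (assumption for the heuristic).
AUTOMATED_CA_ISSUERS = ("let's encrypt", "zerossl")
# Legitimate registered domains that must never be flagged (assumed allowlist).
ALLOWLIST = {"wellsfargo.com", "usaa.com"}
# Weights: brand spoofing counts double, each infrastructure trait counts once.
WEIGHTS = {"brand keyword in host": 2, "one-year registration term": 1,
           "wildcard DNS record": 1, "automated certificate issuer": 1}

@dataclass
class DomainRecord:
    host: str            # FQDN observed, e.g. from passive DNS or CT logs
    registered: date
    expires: date
    wildcard_dns: bool   # a "*" record exists under the registered domain
    cert_issuer: str

def registered_domain(host: str) -> str:
    """Naive eTLD+1 extraction; assumes a single-label public suffix."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score(rec: DomainRecord) -> tuple[int, list[str]]:
    """Return a weighted score and the matched reasons for one record."""
    if registered_domain(rec.host) in ALLOWLIST:
        return 0, ["allowlisted registered domain"]
    reasons = []
    host = rec.host.lower().replace("-", "")  # catch "wells-fargo" style splits
    if any(k in host for k in BRAND_KEYWORDS):
        reasons.append("brand keyword in host")
    if 300 <= (rec.expires - rec.registered).days <= 400:
        reasons.append("one-year registration term")
    if rec.wildcard_dns:
        reasons.append("wildcard DNS record")
    if any(ca in rec.cert_issuer.lower() for ca in AUTOMATED_CA_ISSUERS):
        reasons.append("automated certificate issuer")
    return sum(WEIGHTS[r] for r in reasons), reasons

def triage(records: list[DomainRecord], threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Keep records whose score reaches the threshold; brand match plus two traits flags."""
    return [(r.host, s, why) for r in records for s, why in [score(r)] if s >= threshold]

# Constructed sample records, not real indicators.
SAMPLE = [
    DomainRecord("wellsfargo.secure-login.example", date(2025, 12, 1), date(2026, 12, 1), True, "Let's Encrypt"),
    DomainRecord("online.usaa.com", date(1996, 5, 5), date(2030, 5, 5), False, "DigiCert"),
    DomainRecord("news.example.org", date(2025, 12, 2), date(2026, 12, 2), True, "Let's Encrypt"),
]

if __name__ == "__main__":
    for host, s, why in triage(SAMPLE):
        print(host, s, ", ".join(why))
```

Allowlisting the genuine registered domains first matters: the brand keyword check would otherwise flag every legitimate subdomain of the impersonated company.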

The attackers also employed legitimate remote monitoring and management (RMM) tools, such as LogMeIn Resolve, to gain unauthorized access to victim systems. The tools were delivered via MSI files and VBS loaders, which allowed the attackers to install malware, escalate privileges, and remove evidence of their presence.

Conclusion and Recommendations

The use of automated attack infrastructure, brand spoofing, and RMM tools made Operation Doppelbrand a particularly formidable threat. The campaign’s sophistication and scope highlight the need for organizations to remain vigilant and implement robust security measures to protect against such attacks.

The GS7 threat actor’s motivations appear to be financially driven, and the campaign’s success underscores the importance of employee education and awareness programs to prevent phishing attacks. As the threat landscape continues to evolve, organizations must remain proactive in their defense strategies to stay ahead of sophisticated threat actors like GS7.

