Operation DoppelBrand weaponizes trusted brands to steal credentials
Farah Amod
March 9, 2026
A sophisticated phishing operation has been uncovered targeting Fortune 500 financial, technology, and other major firms.
What happened
According to Infosecurity Magazine, researchers have identified a large phishing operation known as Operation DoppelBrand that uses convincing fake websites and cloned login pages to steal user credentials from major financial, technology, healthcare, and insurance organizations. The campaign, attributed to a financially motivated threat actor called GS7, operated between December 2025 and January 2026 and involved more than 150 malicious domains connected to infrastructure dating back to 2022. Victims receive phishing emails that redirect them to counterfeit login portals designed to capture usernames and passwords, which are then automatically sent to attacker-controlled Telegram bots. In some cases, attackers also install legitimate remote management software such as LogMeIn Resolve through silent installers, allowing ongoing remote access to compromised systems without alerting users.
Going deeper
Researchers identified infrastructure patterns showing the campaign was highly automated and built to operate at scale. The phishing domains relied on wildcard DNS records, which allow many fake subdomains to be created quickly; short-lived SSL certificates issued by providers such as Let's Encrypt and Google Trust Services to appear legitimate; and hosting behind Cloudflare to hide the real servers. Once victims entered credentials into spoofed login pages, backend automation collected usernames, passwords, IP addresses, location data, and device details and automatically forwarded them to Telegram channels for sorting and prioritization. Researchers said the additional delivery of legitimate remote access software using MSI installers and VBS scripts indicates the operation was not limited to credential theft but aimed at maintaining long-term hidden access inside compromised systems.
What was said
Researchers said the threat actor primarily targets Fortune 500 companies and other “high value entities” with a broad geographic reach, noting that “in recent attacks, assets, domains, and records associated with different companies operating in very diverse sectors and locations have been identified.” The researchers did not determine where the group is based but uncovered links between GS7 and Brazilian cybercrime forums where stolen credentials and financial data were traded, adding that “these venues represent key locations for selling harvested information or acquiring data to fuel further campaigns.”
In the know
According to Dark Reading, researchers investigating the long-running Operation DoppelBrand campaign found that the threat group GS7 operated for years without detection while building a large phishing infrastructure that impersonated well-known brands and financial institutions. The convincing fake login pages made the attacks difficult to spot, prompting researchers to recommend enabling multifactor authentication and safer browsing practices, while releasing detailed tactics, techniques, and indicators of compromise to help security teams identify and monitor GS7 activity.
The big picture
Operation DoppelBrand’s use of wildcard DNS and short-lived certificates exploits a systemic "permissive" flaw in how email platforms handle identity. Unlike web browsers, which strictly block invalid certificates, email transport often favors deliverability, allowing connections to proceed even when certificate chains are broken or hostnames are mismatched. The structural weakness is pervasive across the industry; Paubox data shows that roughly 6% of healthcare email relays are directed at servers with unverifiable certificates, creating a "silent failure mode" where encryption is bypassed without any bounce notification or alert to the sender.
FAQs
How does Operation DoppelBrand differ from traditional phishing?
Unlike opportunistic mass phishing, Operation DoppelBrand uses highly tailored, automated infrastructure and near-perfect brand impersonation to target credentials at scale, making static blocking measures less effective.
What is GS7’s endgame with stolen credentials?
Researchers believe GS7 may act as an initial access broker, harvesting credentials and then deploying remote access tools or selling access to affiliates for monetization.
Why does the campaign use legitimate remote access software?
Using legitimate tools like LogMeIn Resolve helps attackers evade detection by blending with normal administrative software and avoiding the need for custom malware.
How can organizations improve defenses against such campaigns?
Enterprises can deploy behavior-based anomaly detection, multi-factor authentication, brand-aware phishing protection, and continuous monitoring of domain registrations that mimic corporate assets.
Are brand impersonation attacks a regulatory concern?
Regulators increasingly view targeted phishing and credential theft as systemic risk factors, and organizations may need to demonstrate controls such as phishing simulation training, domain monitoring, and incident response capabilities in regulatory and compliance reporting.
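One way to operationalise the domain-monitoring control from the FAQ above against the wildcard and short-lived-certificate pattern described under "Going deeper": an added example, not code from the researchers or from Paubox, that scores certificate-transparency-style records against a brand watchlist. The brand names, domains, issuers and records are all constructed for illustration.

```python
from datetime import datetime

# Constructed watchlist for a hypothetical organisation: brand keyword -> its real domain.
BRANDS = {"examplebank": "examplebank.com", "examplehealth": "examplehealth.com"}
SHORT_LIVED_DAYS = 90  # typical Let's Encrypt / Google Trust Services validity

# Constructed CT-log-style records: (certificate name, issuer, not_before, not_after).
CT_RECORDS = [
    ("*.examplebank-login.com", "Let's Encrypt", "2026-01-05", "2026-04-05"),
    ("login.examplebank.com", "DigiCert", "2025-06-01", "2026-06-01"),
    ("portal.exarnplehealth.net", "Google Trust Services", "2026-01-10", "2026-04-10"),
    ("www.unrelated-shop.org", "Let's Encrypt", "2026-01-12", "2026-04-12"),
]

def edit_distance(a, b):
    """Levenshtein distance; catches typo and rn/m-style homoglyph lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name):
    """Crude registrable domain: last two labels (assumes no multi-part public suffixes)."""
    return ".".join(name.lstrip("*.").split(".")[-2:])

def score(name, issuer, not_before, not_after):
    """Return (score, reasons) for one record; 0 for the brand's own domains."""
    reg = registrable(name)
    if reg in BRANDS.values():
        return 0, []
    host, label = name.lstrip("*."), reg.split(".")[0]
    reasons = []
    for brand in BRANDS:
        if brand in host:                        # brand embedded under a foreign domain
            reasons.append(("brand embedded in foreign domain", 3))
        elif edit_distance(label, brand) <= 2:   # typo / homoglyph registrable label
            reasons.append(("lookalike registrable label", 2))
    if name.startswith("*."):                    # wildcard cert pairs with wildcard DNS
        reasons.append(("wildcard certificate", 1))
    fmt = "%Y-%m-%d"
    if (datetime.strptime(not_after, fmt) - datetime.strptime(not_before, fmt)).days <= SHORT_LIVED_DAYS:
        reasons.append(("short-lived certificate", 1))  # weak signal on its own
    return sum(w for _, w in reasons), [r for r, _ in reasons]

def triage(records, threshold=3):
    """Records at or above the threshold, as (score, name, issuer, reasons), for analyst review."""
    out = []
    for name, issuer, nb, na in records:
        s, why = score(name, issuer, nb, na)
        if s >= threshold:
            out.append((s, name, issuer, why))
    return out

if __name__ == "__main__":
    for hit in triage(CT_RECORDS):
        print(hit)
```

A short-lived certificate or a wildcard alone never crosses the threshold; only combinations with brand impersonation are surfaced, which keeps the queue small enough to act on.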