Operation DoppelBrand: Massive Fortune 500 Brand Impersonation Uncovered

By Imthiyaz Ali

Security researchers at SOCRadar have unmasked a multi-year, highly automated cyber operation dubbed Operation DoppelBrand. Attributed to a financially motivated threat actor known as GS7, the campaign weaponizes the reputations of Fortune 500 companies to conduct large-scale credential theft and establish persistent remote access to corporate networks.

While the group has roots dating back to 2022, the operation saw a massive surge between December 2025 and February 2026, amassing hundreds of malicious domains designed to mimic financial institutions, technology giants, and healthcare providers with near-perfect accuracy.


The Target List: Weaponizing Trust

The attackers have focused their efforts on high-value sectors where user trust is paramount. The primary targets identified in recent months include:

  • Financial Institutions: Wells Fargo, Chase, Citibank, USAA, and Navy Federal Credit Union.
  • Investment & Insurance: Fidelity Investments and major Western European insurance providers.
  • Technology & Productivity: Microsoft (specifically fake OneDrive and Outlook portals) and major telecommunications firms.

Technical Modus Operandi: The Five-Stage Attack

Operation DoppelBrand is not a simple "spray-and-pray" phishing attempt. It follows a structured, professionalized workflow:

1. Deep Reconnaissance

GS7 gathers victim data from underground markets and previous data leaks. They analyze email naming patterns (e.g., firstname.lastname@company.com) and identify which enterprise software tools a target organization uses to make their lures more convincing.

2. High-Fidelity Phishing Delivery

Victims receive "Security Update" or "Account Verification" emails featuring official logos, fonts, and CSS styles. Some advanced variants route users through fake OneDrive interfaces that offer multiple login options (e.g., "Sign in with Office 365" or "Sign in with Corporate ID") to maximize the chances of harvesting valid credentials.

3. Precision Credential Harvesting

The landing pages are sophisticated replicas achieving up to 98% visual similarity with legitimate portals. These pages capture more than just passwords; they harvest IP addresses, geolocation data, and device fingerprints to help the attacker bypass basic risk-based authentication.

4. Real-Time Exfiltration via Telegram

As soon as a victim enters their data, it is transmitted instantly to attacker-controlled Telegram bots (such as the group "NfResultz by GS"). This allows the GS7 actors to attempt live logins or sell the "fresh" access to other criminal groups within minutes.

5. Persistent Access via RMM Tools

In many cases, the attack doesn't stop at credentials. The actors trick victims into downloading legitimate Remote Monitoring and Management (RMM) tools, such as LogMeIn or AnyDesk, masquerading as "security scanners." This grants the attackers full mouse/keyboard control and a foothold for lateral movement.

Infrastructure Automation

The scalability of Operation DoppelBrand is driven by a highly automated backend. Researchers observed the following infrastructure patterns:

  • Domain Registration: Frequent use of Namecheap and OwnRegistrar with 1-year terms.
  • SSL Certificates: Automated issuance via Let's Encrypt or Google Trust Services within hours of registration.
  • Hosting: Heavy reliance on Cloudflare to hide true origin servers and bypass IP-based blocklists.
  • DNS Strategy: Wildcard DNS records used to create an unbounded number of subdomains on demand (e.g., wellsfargo.media-auth[.]com).

The End Game: Initial Access Brokerage

GS7 appears to operate as an Initial Access Broker (IAB). While they monetize some credentials directly through banking fraud, their primary business model involves selling persistent remote access to ransomware-as-a-service (RaaS) affiliates. By providing a pre-established foothold in a Fortune 500 network, GS7 enables faster and more devastating extortion attacks.

How to Defend Against DoppelBrand

  • Hardware Security Keys: Move beyond SMS or app-based MFA toward FIDO2/WebAuthn authenticators (such as YubiKeys), which resist the "cloned portal" attacks used in this campaign because the credential is bound to the legitimate site's origin and cannot be replayed from a lookalike domain.
  • RMM Execution Policies: Block or strictly monitor the execution of RMM tools (AnyDesk, LogMeIn, ScreenConnect) on end-user workstations unless explicitly authorized.
  • Subdomain Monitoring: Use threat intelligence platforms to monitor for newly registered domains that incorporate your brand name as a subdomain (e.g., [YourBrand].verification-portal[.]net).
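The subdomain-monitoring check above, as an added example that is not part of the SOCRadar report or any vendor tool: it scans a constructed feed of hostnames (the kind a certificate-transparency or passive-DNS source returns) for a monitored brand appearing as a subdomain label, or in the registrable label, of a domain the brand does not own. The brand list, the allowlist of legitimately owned domains and the sample feed are all assumptions for illustration.

```python
"""Flag lookalike hostnames that embed a monitored brand under an unrelated domain."""
import re

# Brands to watch and the registrable domains they legitimately use.
# Illustrative assumption, not data from the report.
MONITORED_BRANDS = {
    "wellsfargo": {"wellsfargo.com"},
    "chase": {"chase.com"},
    "onedrive": {"microsoft.com", "live.com"},
}

def registrable_domain(hostname: str) -> str:
    """Last two labels. Simplification: a real deployment should use the
    Public Suffix List (e.g. the tldextract package) so co.uk-style names work."""
    return ".".join(hostname.split(".")[-2:])

def _tokens(label: str) -> list[str]:
    # Split a DNS label on the separators lookalikes use: dash, underscore, digits.
    return [t for t in re.split(r"[-_0-9]+", label) if t]

def _label_matches(label: str, brand: str) -> bool:
    # Exact token or token prefix: catches "wellsfargo-verify" and "wellsfargoverify"
    # without flagging "purchase" for the brand "chase" (substring matching would).
    return any(t == brand or t.startswith(brand) for t in _tokens(label))

def brand_hits(hostname: str) -> list[tuple[str, str]]:
    """Return (brand, position) pairs; position is 'subdomain' or 'apex'."""
    host = hostname.lower().replace("[.]", ".").rstrip(".")  # accept defanged input
    apex = registrable_domain(host)
    sub_part = host[: -len(apex)].rstrip(".")
    sub_labels = sub_part.split(".") if sub_part else []
    apex_label = apex.split(".")[0]
    hits = []
    for brand, owned in MONITORED_BRANDS.items():
        if apex in owned:
            continue  # the brand's own infrastructure, not a lookalike
        if any(_label_matches(l, brand) for l in sub_labels):
            hits.append((brand, "subdomain"))
        elif _label_matches(apex_label, brand):
            hits.append((brand, "apex"))
    return hits

# Constructed sample feed in the style of CT-log hostnames (not real indicators).
SAMPLE_FEED = [
    "wellsfargo.media-auth[.]com", "login.wellsfargo.com", "chase.verification-portal.net",
    "onedrive-secure.docs-share.org", "onedrive.live.com", "purchase.example.com",
    "wellsfargo-verify.com",
]

def scan(feed=SAMPLE_FEED) -> dict[str, list[tuple[str, str]]]:
    """Map each flagged hostname (defang-normalised) to its brand hits."""
    return {h.lower().replace("[.]", "."): brand_hits(h) for h in feed if brand_hits(h)}

if __name__ == "__main__":
    for host, hits in scan().items():
        print(host, hits)
```

Feeding the scanner from a live CT-log or passive-DNS source and alerting on every new hit is how the "newly registered domains" monitoring in the bullet above becomes an operational control.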

For a full list of over 200 identified Indicators of Compromise (IoCs) and specific domain patterns, security teams should refer to the official SOCRadar Operation DoppelBrand whitepaper.

Imthiyaz Ali
Imthiyaz is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.