GS7 Operation DoppelBrand phishing campaign targeting Fortune 500 firms
Campaign
Summary
A phishing campaign dubbed Operation DoppelBrand is stealing credentials from Fortune 500 financial, insurance, technology and healthcare brands across the US and Western Europe. The operation is attributed to GS7 and uses lookalike domains and cloned login portals to harvest logins. In some cases, operators also deploy LogMeIn Resolve to extend access and move compromised accounts into downstream abuse.
Related Happenings
ShinyHunters voice-phishing campaign targeting SSO accounts for extortion
Campaign
First: 24.01.2026 01:35
Last: 24.01.2026 01:35
Sources 1
About this happening:
A **ShinyHunters**-linked extortion campaign is using **voice phishing** to target **Salesforce customers** and steal data for ransom, with the operation first surfacing in **May...
Latest development: 27.04.2026 17:43
ShinyHunters breached ADT after compromising an employee's Okta single sign-on (SSO) account in a vishing attack, then used that access to reach ADT's Salesforce instance and steal data. Have I Been Pwned said the exposed data affected 5.5 million people and included names, phone numbers, addresses, and in a small percentage of cases dates of birth and partial Social Security numbers or Tax IDs; the group later leaked an 11GB archive after extortion failed.
Greenvelope phishing-to-LogMeIn Resolve dual-vector campaign
Campaign
First: 23.01.2026 13:18
Last: 23.01.2026 13:18
Sources 1
About this happening:
A **dual-vector phishing campaign** is using **fake Greenvelope invitations** and **stolen credentials** to establish **persistent remote access** on compromised hosts, turning le...
Salty2FA phishing campaign with staged Aha.io lures
Campaign
First: 09.09.2025 18:50
Last: 09.09.2025 18:50
Sources 1
About this happening:
The **Salty2FA** phishing campaign is using **staged login infrastructure** and **MFA simulation** to make fraudulent sign-in pages look legitimate and harder for defenders to blo...
Timeline
16.02.2026 17:45 · 2 articles
SOCRadar discloses Operation DoppelBrand
Initial Disclosure
SOCRadar disclosed Operation DoppelBrand, a phishing campaign attributed to GS7 that targeted Fortune 500 financial, insurance, technology and healthcare brands, including Wells Fargo and USAA, during December 2025 and January 2026. The campaign used lookalike domains and cloned login portals to harvest credentials, forwarded victim data to Telegram bots and a Telegram group, and in some cases deployed LogMeIn Resolve for unattended persistent access.
Sources
- Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft — www.infosecurity-magazine.com — 16.02.2026 17:45