Operation DoppelBrand Phishing Campaign Targets Fortune 500 Firms
Summary
A phishing campaign named Operation DoppelBrand has been targeting Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026. The campaign, attributed to a financially motivated threat actor known as GS7, uses lookalike domains and cloned login portals to harvest credentials. The operation also deploys remote management tools for persistent access and monetizes compromised accounts. The infrastructure is highly automated, with over 150 domains identified, and targets major US financial institutions, investment firms, and technology brands.
Timeline
- 16.02.2026 17:45 (1 article): Operation DoppelBrand Phishing Campaign Targets Fortune 500 Firms
- Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft — www.infosecurity-magazine.com — 16.02.2026 17:45
Information Snippets
- Operation DoppelBrand targeted Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- The campaign is attributed to a financially motivated threat actor known as GS7.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- The operation uses lookalike domains and cloned login portals to harvest credentials.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- Victims are lured through phishing emails and redirected to counterfeit pages where credentials are harvested and transmitted to Telegram bots.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- The campaign deploys remote management and monitoring tools for persistent access.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- Over 150 domains tied to the latest wave of activity have been identified, with nearly 200 additional domains showing similar characteristics.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- The infrastructure uses rotating registrars, Cloudflare hosting, and short-lived SSL certificates.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- The attacker deploys legitimate remote access software such as LogMeIn Resolve to establish unattended access.
  First reported: 16.02.2026 17:45 (1 source, 1 article)
- The primary targets include major US financial institutions, investment firms, insurance providers, and global technology and healthcare brands.
  First reported: 16.02.2026 17:45 (1 source, 1 article)