Phishing

Broad phishing campaign involves Fortune 500 company impersonation

Wells Fargo, USAA, and other financial and technology firms on the Fortune 500 have been spoofed as part of the Operation DoppelBrand phishing campaign that ran from December 2025 to January 2026, reports Infosecurity Magazine.

Over 150 domains impersonating banking, technology, and insurance websites have been leveraged by financially motivated threat actor GS7 to facilitate credential harvesting and exfiltration via attacker-controlled Telegram bots, according to findings from SOCRadar. Researchers also discovered almost 200 other domains with one-year terms, automated SSL certificates, wildcard DNS records, and brand-specific subdomains.

Attacks by GS7, which were primarily aimed at leading U.S. financial organizations, investment companies, and insurance firms, also entailed the delivery of LogMeIn Resolve and other legitimate remote monitoring and management tools, as well as installers in the form of MSI files and VBS loaders, which allowed clandestine installation, privilege escalation, and removal. Automated attack infrastructure, brand spoofing, and RMM tools have made Operation DoppelBrand a formidable threat, researchers said.
