According to SOCRadar, a phishing campaign dubbed Operation HookedWing has been running for more than four years and has affected hundreds of victims across multiple sectors. The operation was first documented in 2022, and over four years more than 2,000 user credentials were stolen from over 500 organisations in the aviation and travel, critical infrastructure, energy, financial, government, logistics, public administration, and technology sectors.
Between 2022 and 2024, the attackers used GitHub domains with English content and compromised servers as infrastructure, and the attacks largely featured Microsoft and Outlook themes. In 2024 and 2025, the threat actor expanded its targeting with French content while continuing to use GitHub, compromised servers, and previously observed phishing themes. Starting in 2025, it broadened both the active infrastructure and the lures, obfuscating GitHub domain naming and adding more landing pages. SOCRadar identified two dozen command-and-control servers, over 100 GitHub domains, and more than a dozen distribution domains on other platforms.