According to SOCRadar, Operation HookedWing is a four-year, multi-sector phishing campaign active from 2022 to the present that has compromised more than 2,000 credentials from users at over 500 organisations, with logs indicating more than 2,500 unique victims across those organisations. The campaign targets high-value sectors such as Aviation, Government, Energy and Critical Infrastructure, and includes extensive cross-border activity across Africa and Asia.
It relies on a two-layer infrastructure: a distribution layer hosted on legitimate platforms such as GitHub[.]io (with more than 100 distribution domains) and other platforms, and a backend C2 layer with more than 20 distinct C2 domains plus additional compromised or attacker-created servers. The phishing flow uses landing pages and lures themed around HR, Microsoft or Google; credentials are exfiltrated via POST requests to attacker-controlled PHP endpoints, and the kit retrieves the victim's geolocation data via ipdata[.]co.
The operation employs dynamic form injection, URL fragment harvesting to extract the victim’s email, and variant campaigns that reuse the same C2 infrastructure across multiple waves, making attribution difficult.