socradar.io 2/16/2026, 2:45:21 PM · via preferred

Operation DoppelBrand: Massive Fortune 500 Brand Impersonation Campaign Uncovered

Threat Actor: GS7

SOCRadar's Threat Hunting Team uncovered Operation DoppelBrand, a sophisticated phishing operation targeting Fortune 500 firms and their customers, attributed to a financially motivated actor known as GS7.

The campaigns ran between December 2025 and January 2026 and impersonated major financial institutions and technology companies, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, Microsoft, and Citibank. The operation amassed hundreds of malicious domains, with more than 150 identified in recent months. GS7 reportedly operates as an initial access broker, selling harvested credentials and access to compromised systems, and uses Telegram bots for real-time credential exfiltration.

Bitcoin wallet analysis shows approximately $50,000 USD in observable transactions, with activity peaking mid-April to early July 2025 and again mid-August to mid-October 2025, indicating a recurring two-to-three-month campaign cadence. The attack chain spans five stages—reconnaissance, automated infrastructure deployment, targeted phishing, high-fidelity credential harvesting, and deployment of legitimate remote monitoring and management tools to achieve persistent remote access. Target sectors include financial services, technology, healthcare, and consumer services, with a US and Western European focus.


Article by CyberSIXT