Navy Federal Credit Union, USAA, Citibank, Fidelity Investments and Wells Fargo: Operation DoppelBrand: Weaponizing Fortune 500 Brands

Operation DoppelBrand: Sophisticated Phishing Campaign Targets Fortune 500 Firms

An elusive cyberthreat group known as GS7 has been running Operation DoppelBrand, a large-scale phishing campaign targeting Fortune 500 companies, financial institutions, and high-value entities worldwide. First observed between December 2025 and January 2026, the operation leverages near-perfect replicas of corporate login portals to steal credentials and deploy remote monitoring and management (RMM) tools for further exploitation.

Key Details of the Campaign

  • Targets: Primarily U.S.-based financial institutions, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank, alongside technology, healthcare, and telecommunications firms in Europe and other regions.
  • Tactics: GS7 registers over 150 malicious domains via registrars like NameCheap and OwnRegistrar, routing traffic through Cloudflare to evade detection. Attackers exfiltrate stolen data (usernames, passwords, IP addresses, geolocation, device fingerprints, and timestamps) to Telegram bots controlled by the group.
  • Infrastructure: The group has operated since at least 2022, with claims of activity dating back nearly a decade. Researchers linked GS7 to Brazilian cybercrime forums, where stolen credentials and financial data are traded.
  • Impact: Beyond credential theft, GS7 installs RMM tools on victim systems, enabling remote access or malware deployment. The campaign's sophistication, including rotating infrastructure and meticulous branding mimicry, has allowed it to evade detection until now.

Researcher Findings

Security firm SOCRadar uncovered the operation, identifying a Telegram group ("NfResultz by GS") tied to the threat actor. A self-proclaimed GS7 member provided screenshots of past campaigns, including a Fidelity Investments phishing demo that triggered RMM tool downloads upon login. SOCRadar released TTPs (tactics, techniques, and procedures) and IoCs (indicators of compromise) to help defenders track the group’s activities.

With English-speaking markets as the primary focus, GS7’s DoppelBrand campaign remains active, underscoring the growing threat of highly organized, financially motivated phishing operations.

Source: https://www.darkreading.com/cyberattacks-data-breaches/operation-doppelbrand-weaponizing-fortune-500-brands

Navy Federal Credit Union TPRM report: https://www.rankiteo.com/company/navy-federal-credit-union

USAA TPRM report: https://www.rankiteo.com/company/usaa-inc

Citibank TPRM report: https://www.rankiteo.com/company/citi

Fidelity Investments TPRM report: https://www.rankiteo.com/company/fidelity-investments

Wells Fargo TPRM report: https://www.rankiteo.com/company/wellsfargo

{
"id": "citwelnavusafid1771266975",
"linkid": "citi, wellsfargo, navy-federal-credit-union, usaa-inc, fidelity-investments",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Banking',
                        'location': 'U.S.',
                        'name': 'Wells Fargo',
                        'type': 'Financial Institution'},
                       {'industry': 'Banking',
                        'location': 'U.S.',
                        'name': 'USAA',
                        'type': 'Financial Institution'},
                       {'industry': 'Banking',
                        'location': 'U.S.',
                        'name': 'Navy Federal Credit Union',
                        'type': 'Financial Institution'},
                       {'industry': 'Investment',
                        'location': 'U.S.',
                        'name': 'Fidelity Investments',
                        'type': 'Financial Institution'},
                       {'industry': 'Banking',
                        'location': 'U.S.',
                        'name': 'Citibank',
                        'type': 'Financial Institution'},
                       {'industry': 'Technology',
                        'location': 'Europe, other regions',
                        'type': 'Technology Firms'},
                       {'industry': 'Healthcare',
                        'location': 'Europe, other regions',
                        'type': 'Healthcare Firms'},
                       {'industry': 'Telecommunications',
                        'location': 'Europe, other regions',
                        'type': 'Telecommunications Firms'}],
 'attack_vector': 'Malicious domains, credential harvesting, RMM tools',
 'data_breach': {'data_exfiltration': 'Yes, to Telegram bots',
                 'personally_identifiable_information': 'Usernames, passwords, '
                                                        'IP addresses, device '
                                                        'fingerprints',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Credentials, device '
                                             'fingerprints, geolocation, '
                                             'timestamps'},
 'date_detected': '2025-12-01',
 'date_publicly_disclosed': '2026-01-01',
 'description': 'An elusive cyberthreat group known as GS7 has been running '
                'Operation DoppelBrand, a large-scale phishing campaign '
                'targeting Fortune 500 companies, financial institutions, and '
                'high-value entities worldwide. The operation leverages '
                'near-perfect replicas of corporate login portals to steal '
                'credentials and deploy remote management and monitoring (RMM) '
                'tools for further exploitation.',
 'impact': {'data_compromised': 'Usernames, passwords, IP addresses, '
                                'geolocation, device fingerprints, timestamps',
            'identity_theft_risk': 'High',
            'operational_impact': 'Remote access or malware deployment on '
                                  'victim systems',
            'systems_affected': 'Corporate login portals, victim systems with '
                                'RMM tools installed'},
 'initial_access_broker': {'backdoors_established': 'RMM tools',
                           'data_sold_on_dark_web': 'Yes, on Brazilian '
                                                    'cybercrime forums',
                           'entry_point': 'Phishing portals',
                           'high_value_targets': 'Fortune 500 companies, '
                                                 'financial institutions'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain, data theft',
 'post_incident_analysis': {'root_causes': 'Lack of multi-factor '
                                           'authentication, social '
                                           'engineering'},
 'references': [{'source': 'SOCRadar'}],
 'response': {'third_party_assistance': 'SOCRadar'},
 'threat_actor': 'GS7',
 'title': 'Operation DoppelBrand: Sophisticated Phishing Campaign Targets '
          'Fortune 500 Firms',
 'type': 'Phishing Campaign',
 'vulnerability_exploited': 'Social engineering, lack of multi-factor '
                            'authentication'}