GS7 Threat Group Targets Fortune 500 Financial Institutions With Near-Perfect Brand Impersonation in Operation DoppelBrand

A financially motivated threat group tracked as GS7 has been running a large-scale phishing operation against Fortune 500 financial institutions, constructing near-perfect replicas of corporate login portals to harvest credentials and deploy remote access tools, according to research published by SOCRadar.

The campaign, dubbed Operation DoppelBrand, was first observed between December 2025 and January 2026, though SOCRadar's investigation indicates GS7 has been active since at least 2022.

Targets

Operation DoppelBrand targets major US financial institutions including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank. The campaign extends beyond finance into technology, healthcare, and telecommunications sectors, with a primary focus on English-speaking markets and expanding activity in Europe.

Infrastructure

GS7 registered more than 150 malicious domains in recent months using registrars including NameCheap and OwnRegistrar, routing traffic through Cloudflare to obscure backend servers. The phishing pages replicate official branding with high fidelity, making visual detection by victims extremely difficult.

The infrastructure is consistently rotated, demonstrating operational discipline designed to evade takedown efforts and domain blocklists.

Attack Chain

Harvested credentials — including usernames, passwords, IP addresses, geolocation data, device and browser fingerprints, and timestamps — are immediately exfiltrated to attacker-controlled Telegram bots. Researchers identified a Telegram group titled "NfResultz by GS" believed to be operated by the group.

Beyond credential theft, GS7 deploys remote management and monitoring (RMM) tools on victim systems to establish persistent remote access. A phishing demonstration provided by an individual claiming GS7 membership showed a Fidelity-impersonating portal that triggered RMM tool downloads upon login form completion.

Potential Initial Access Broker

SOCRadar assesses that GS7 may function as an initial access broker, selling compromised infrastructure access to ransomware groups or other affiliates. The researchers also uncovered links between GS7 and Brazilian cybercrime forums where stolen credentials and financial data are actively traded.

An individual claiming to represent GS7 told researchers the group has operated for nearly a decade, providing screenshots of phishing panels signed with the group's handle as evidence.

Recommendation

Financial institutions and Fortune 500 companies should review SOCRadar's whitepaper for the full IOC and TTP list associated with Operation DoppelBrand. Monitor for the identified malicious domains, enforce MFA across all customer-facing and employee login portals, and implement brand monitoring to detect impersonation domains early. Security teams should alert employees and customers to the campaign's high-fidelity phishing pages, which are difficult to distinguish visually from legitimate portals.
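The brand-monitoring step above can be started with a simple triage pass over a feed of newly observed domains (for example from certificate-transparency logs). The following is an added example written for this article, not SOCRadar's tooling or any code from the whitepaper: it folds common digit-for-letter swaps, checks each hostname label for the brand tokens the report names, and falls back to a fuzzy match for misspellings. The domain feed and the allowlist of legitimate brand domains are constructed for illustration and contain none of the campaign's real indicators.

```python
"""Triage newly seen domains for brand impersonation (added example, not SOCRadar's tooling)."""
from difflib import SequenceMatcher

# Brand tokens to monitor, taken from the institutions the report names.
BRAND_TOKENS = {
    "wellsfargo": "Wells Fargo",
    "usaa": "USAA",
    "navyfederal": "Navy Federal Credit Union",
    "fidelity": "Fidelity Investments",
    "citibank": "Citibank",
}

# Assumed allowlist of the brands' own registrable domains; a real deployment
# would load this from the institution's asset inventory.
ALLOWLIST = {"wellsfargo.com", "usaa.com", "navyfederal.org", "fidelity.com", "citi.com"}

# Digit-for-letter swaps folded before matching, so "wellsfarg0" compares as "wellsfargo".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Minimum difflib similarity for a label to count as a misspelled brand token.
FUZZY_THRESHOLD = 0.85

# Constructed sample feed: none of these are indicators from the report.
SAMPLE_FEED = [
    "secure-wellsfarg0-login.com",     # brand token with a digit swap
    "usaa-account-verify.net",         # brand token plus lure words
    "navyfederal.secure-update.info",  # brand token as a subdomain label
    "fidelty-investments.com",         # misspelled brand token
    "citibank-online.support",         # brand token on an unusual TLD
    "example.org",                     # unrelated domain
    "wellsfargo.com",                  # legitimate, allowlisted
    "cityofbanks.com",                 # shares characters with a brand but below threshold
]


def registrable_domain(domain):
    """Crude eTLD+1: the last two labels, or three for a few common two-part suffixes."""
    labels = domain.lower().strip(".").split(".")
    two_part = {"co.uk", "com.br", "com.au"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_part:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def candidate_labels(domain):
    """Every hostname label except the TLD, split on hyphens and confusable-folded."""
    host = domain.lower().strip(".")
    pieces = []
    for label in host.split(".")[:-1]:
        for piece in label.split("-"):
            if piece:
                pieces.append(piece.translate(CONFUSABLES))
    return pieces


def classify(domain):
    """Return (brand, reason) when the domain looks like an impersonation, else None."""
    if registrable_domain(domain) in ALLOWLIST:
        return None
    for piece in candidate_labels(domain):
        for token, brand in BRAND_TOKENS.items():
            if token in piece:
                return brand, f"contains brand token '{token}'"
            ratio = SequenceMatcher(None, token, piece).ratio()
            if ratio >= FUZZY_THRESHOLD:
                return brand, f"lookalike of '{token}' (similarity {ratio:.2f})"
    return None


def triage(domains):
    """Map each flagged domain to its (brand, reason); clean domains are omitted."""
    return {d: r for d in domains if (r := classify(d)) is not None}


if __name__ == "__main__":
    for domain, (brand, reason) in triage(SAMPLE_FEED).items():
        print(f"{domain:35} -> {brand}: {reason}")
```

Flagged domains are candidates for a takedown request and for the web-proxy or DNS blocklist; because the report notes GS7 rotates infrastructure frequently, the value is in running this continuously against the feed rather than once against a static IOC list. The threshold and the confusable table are the knobs to tune against the false-positive rate observed in your own feed.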
