Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

Operation DoppelBrand: Weaponizing Fortune 500 Brands

  • What: The GS7 threat group is conducting a phishing campaign targeting Fortune 500 companies using near-perfect imitations of corporate portals to steal credentials and gain remote access.
  • Impact: US financial institutions are at risk of credential theft and unauthorized access.

Operation DoppelBrand: Weaponizing Fortune 500 Brands

The GS7 cyberthreat group targets US financial institutions with near-perfect imitations of corporate portals to steal credentials and gain remote access.

Elizabeth Montalbano, Contributing Writer
February 16, 2026
3 Min Read

An elusive, financially motivated threat actor has been targeting Fortune 500 companies in a broad phishing campaign that turns the companies' own brands against them, using near-identical portals to harvest credentials.

The campaign, dubbed Operation DoppelBrand, is the work of a threat actor called GS7. It is ongoing and was observed between December 2025 and January 2026, though the group itself has a history stretching back to 2022, according to a whitepaper SOCRadar published today.

The campaign targets top financial institutions, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank, as well as technology, healthcare, and telecommunications firms worldwide.

The secret to Operation DoppelBrand's success is a phishing infrastructure that GS7 rotates consistently and builds to mimic legitimate login portals, replicating official branding with unprecedented accuracy. That makes the scam hard for victims to spot, according to SOCRadar.

The scam requires significant front-end work: choosing targets, constructing convincing pages, and preparing the infrastructure to mount the attacks, according to the researchers. In recent months alone, the threat actor registered more than 150 malicious domains, using registrars such as NameCheap and OwnRegistrar and routing traffic through Cloudflare to obscure its back-end servers.

Evolving IAB Activity?

Once collected, login credentials are immediately exfiltrated to attacker-controlled Telegram bots, along with the victim's IP address and geolocation, device and browser fingerprint, and a timestamp. The researchers identified a Telegram group titled "NfResultz by GS" that they believe the group operates.

GS7's end game is not only harvesting credentials but also downloading remote management and monitoring (RMM) tools onto victim systems to enable remote access or the deployment of additional tooling such as malware. SOCRadar believes the group may even act as an initial access broker (IAB), selling access to compromised infrastructure to ransomware groups or other affiliates.

Other malicious activity the group may conduct as part of Operation DoppelBrand includes using stealers to take data beyond the initial credentials from the user, the machine, or the infrastructure, and moving laterally once access has been gained with the stolen credentials, according to SOCRadar.

Targeting English Speakers

GS7 has focused primarily on English-speaking markets in recent months, with the US by far the largest target. Meanwhile, the group is also expanding and maintaining DoppelBrand activity in Europe and other regions. The threat actor does not select targets by geography, however; it goes after Fortune 500 and other "high-value entities" wherever they are. "In recent attacks, assets, domains, and records associated with different companies operating in very diverse sectors and locations have been identified," the whitepaper says.
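The two technical details above, the rotating look-alike domains and the immediate exfiltration to Telegram bots, are both observable from an egress proxy. What follows is an added example written for this page, not SOCRadar's or Dark Reading's code: a small triage script that scans proxy log lines for hosts impersonating the brands the article names and for POSTs to the Telegram Bot API from user workstations. The protected-brand table, the confusable-character map, the sample log lines, the bot token and the .example hosts are all constructed for the example (the reserved .example TLD marks them as invented, not real indicators), and the script assumes the phishing page posts to Telegram straight from the victim's browser; kits that relay server-side will not show up this way.

```python
"""Triage proxy logs for brand look-alike hosts and Telegram-bot exfiltration.
Added example, not SOCRadar's or Dark Reading's code; all data below is constructed."""
import re
import unicodedata
from urllib.parse import urlparse

# Brands the article names as targets; the legitimate domains are an assumption.
PROTECTED = {"wellsfargo": "wellsfargo.com", "usaa": "usaa.com", "fidelity": "fidelity.com",
             "navyfederal": "navyfederal.org", "citi": "citi.com"}
# Digit/symbol look-alikes; a real deployment would use the full Unicode confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"})
# Telegram Bot API calls have the shape api.telegram.org/bot<id>:<secret>/<method>.
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]+/send\w+", re.I)
PAYLOAD_EXT = (".msi", ".exe", ".zip", ".js", ".hta")


def decode_host(host):
    """Return the Unicode form of an IDNA (xn--) host; other hosts pass through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def normalize(text):
    """Fold accents, map confusable digits/symbols to letters, drop separators."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower().translate(CONFUSABLES))


def registrable(host):
    """Naive eTLD+1 (last two labels); use tldextract/publicsuffix2 on real data."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Classic edit distance, fine for label-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(host):
    """Return (brand, reason) when host impersonates a protected brand, else None."""
    host = decode_host(host.lower())
    if registrable(host) in PROTECTED.values():
        return None  # the genuine domain itself
    left_of_tld = normalize("".join(host.split(".")[:-1]))
    reg_label = normalize(registrable(host).split(".")[0])
    for brand in PROTECTED:
        if brand in left_of_tld:  # e.g. secure-wellsfarg0-login.example
            return brand, "brand keyword in foreign domain"
        # Near-miss spelling (welsfargo.example); no budget for four-letter brands,
        # otherwise 'city' would be flagged as Citi.
        budget = 2 if len(brand) >= 8 else 1 if len(brand) >= 6 else 0
        if budget and levenshtein(reg_label, brand) <= budget:
            return brand, "near-miss spelling of brand"
    return None


def triage(log_text):
    """Parse 'ts src method url status' lines; return (ts, src, host, finding) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, _status = line.split()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Assumption: the kit posts to Telegram from the victim's browser, so the
        # egress proxy sees it; kits that relay server-side will not show up here.
        if method.upper() == "POST" and TELEGRAM_BOT.match(url):
            findings.append((ts, src, host, "POST to Telegram Bot API (possible credential exfil)"))
            continue
        hit = brand_match(host)
        if hit:
            findings.append((ts, src, host, f"{hit[0]} look-alike: {hit[1]}"))
            if parsed.path.lower().endswith(PAYLOAD_EXT):
                findings.append((ts, src, host, "executable fetched from look-alike host (RMM/loader?)"))
    return findings


# Constructed sample: the .example hosts and the bot token are invented, not real IoCs.
SAMPLE_LOG = """\
2026-01-14T09:12:03Z 10.20.1.15 GET https://www.wellsfargo.com/ 200
2026-01-14T09:13:41Z 10.20.1.15 GET https://secure-wellsfarg0-login.example/ 200
2026-01-14T09:13:58Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:AAexample-token-not-real/sendMessage 200
2026-01-14T09:14:10Z 10.20.1.15 GET https://secure-wellsfarg0-login.example/agent/remote-agent.msi 200
2026-01-14T09:20:00Z 10.20.1.22 GET https://fidëlity.example/login 200
2026-01-14T09:22:00Z 10.20.1.30 GET https://city.example/ 200
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Run as a script it prints five findings for the embedded sample: the look-alike host, the Telegram POST from the same workstation seconds later, the same host serving an .msi (the RMM drop the article describes), and the accented Fidelity domain; city.example is correctly left alone because four-letter brands get no edit-distance budget. Because GS7 fronts its back ends with Cloudflare, IP-based blocking tells you little at the proxy, which is why the checks here key on hostnames. The same brand_match function is worth running upstream of the proxy, over certificate-transparency feeds or newly registered domain lists, since an actor that rotates 150-plus domains is easier to catch at registration than at click time.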
Someone claiming to be a member of GS7 told SOCRadar researchers that the group has operated for nearly a decade, providing screenshots of phishing panels signed with the group's handle as proof of its long-running activity, according to the whitepaper. The individual also gave a demonstration with a portal mimicking Fidelity, which resulted in the download of remote-management tools once the login form was completed.

The researchers did not say where the group is based, though they did uncover links between GS7 and underground Telegram channels and Brazilian cybercrime forums where stolen credentials and financial data are traded. "These venues represent key locations for selling harvested information or acquiring data to fuel further campaigns," the whitepaper says.

Phishing Continues to Evolve

That GS7 remained active for years and amassed a significant phishing infrastructure without security researchers noticing until now is a testament to the continued sophistication of organized phishing operations.

GS7's particularly convincing brand impersonation makes its phishing pages difficult to spot, so people should take steps to ensure that the page they are logging in to is their financial institution's authentic site, for example by typing the address or using a saved bookmark rather than following a link. They should also set up multi-factor authentication (MFA) and practice safe online behavior in general. One caveat on MFA: one-time-code and push-approval factors can still be relayed in real time by a cloned portal that forwards the victim's input to the genuine site, whereas origin-bound authenticators (FIDO2 security keys and passkeys) will not produce a valid response for a look-alike domain and are the form of MFA that actually blunts portal cloning.

To help defenders track Operation DoppelBrand and GS7's activities, SOCRadar provided an extensive list of TTPs and IoCs for both the campaign and the group in its whitepaper.

About the Author

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture.
