Fortune 500 companies have been the target of a widespread phishing campaign by an elusive, profit-driven threat actor known as GS7, which uses spoofed websites impersonating the companies' own brands to harvest credentials. Operation DoppelBrand is an ongoing campaign that was initially noticed in December and January. However, according to a whitepaper released today by SOCRadar, the group itself has a history dating back to 2022.
Top financial institutions such as Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank are among the targets of the campaign, along with global technology, healthcare, and telecommunications companies.
The key to Operation DoppelBrand's success is a highly developed phishing infrastructure, regularly rotated by GS7 and designed to resemble authentic login portals; it replicates official branding with previously unseen accuracy. Multi-factor authentication (MFA) and generally safe online conduct are two ways targeted users can protect themselves against it.
In its whitepaper, SOCRadar offered a comprehensive list of tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) for both Operation DoppelBrand and GS7 to assist defenders in monitoring the group's and the campaign's activities.
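As an added illustration of the defender-side monitoring the article describes (detecting brand-impersonating login portals in web traffic), the following Python example is not from the article or from SOCRadar's whitepaper. It flags hostnames that carry a brand name or a one-character typosquat of it while not belonging to the brand's own registrable domain, then runs that check over proxy log lines. The brand list, the "official" domains, the hostnames and the log lines are all constructed for this example, not real IoCs from the campaign.

```python
"""Added example: flag hostnames that impersonate a brand's login portal and
scan proxy log lines for visits to them. Brands, official domains, hostnames
and log lines below are constructed for illustration (not campaign IoCs)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed lookup (assumption): brand token -> domains the brand really uses
OFFICIAL_DOMAINS = {
    "wellsfargo": {"wellsfargo.com"},
    "fidelity": {"fidelity.com"},
    "citi": {"citi.com", "citibank.com"},
}
ALL_OFFICIAL = set().union(*OFFICIAL_DOMAINS.values())

# Digits and symbols commonly used as stand-ins for letters in lookalike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(label: str) -> str:
    """Lower-case, undo homoglyph substitutions, and drop separators."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def impersonated_brand(host: str) -> Optional[str]:
    """Return the brand a hostname appears to impersonate, or None.

    A host is suspicious when it is not under one of the brand's official
    domains and either some label contains the brand token after
    normalization (e.g. wellsfargo.com.secure-login.example) or the first
    label of its registrable domain is within edit distance 1 of the token.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in ALL_OFFICIAL:
        return None  # genuine brand host, e.g. login.wellsfargo.com
    norm_labels = [normalize(label) for label in host.split(".")]
    first_label = normalize(reg.split(".")[0])
    for brand in OFFICIAL_DOMAINS:
        if any(brand in label for label in norm_labels) or edit_distance(first_label, brand) <= 1:
            return brand
    return None


# Constructed proxy log lines: "<timestamp> <user> <url>"
SAMPLE_PROXY_LOG = """\
2025-01-14T09:12:03Z alice https://login.wellsfargo.com/auth
2025-01-14T09:15:41Z bob https://wellsfargo.com.secure-login.example/verify
2025-01-14T09:20:07Z carol https://we11sfargo-login.net/
2025-01-14T09:22:55Z dave https://www.fidelty.com/login
2025-01-14T09:30:10Z erin https://news.example.com/
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, host, brand) for every request to a brand-impersonating host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, user, url = m.groups()
        host = urlparse(url).hostname or ""
        brand = impersonated_brand(host)
        if brand:
            hits.append((user, host, brand))
    return hits


if __name__ == "__main__":
    for user, host, brand in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{user} visited {host} (looks like {brand})")
```

Short brand tokens such as `citi` will match unrelated words (`cities`), so in practice the token list needs an allowlist and a real public-suffix library for the registrable-domain step; the value of a check like this is in catching the regularly rotated lookalike domains the article mentions before a vendor IoC list is updated.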