Operation DoppelBrand: Large-Scale Brand Impersonation and RMM Abuse Campaign


Between December 2025 and January 2026, SOCRadar tracked high-impact phishing campaigns targeting Fortune 500 companies, particularly in the Financial and Technology sectors. The adversary, GS7, leverages sophisticated brand impersonation and abuses legitimate Remote Monitoring and Management (RMM) tools to gain persistent, unattended access to victim systems. The campaign is highly automated, using rotating infrastructure and social engineering to bypass traditional security controls.

Severity: High

Threat Actor Profile: GS7

  • Motivation: Financially driven (fraud, theft, and selling initial access).
  • Sophistication: Assessed in the report as “script kiddie” level in terms of tooling, but the operation shows a high degree of automation and professionalized infrastructure rotation.
  • Activity Period: Active since at least 2022, with recent surges in late 2025 and early 2026.
  • Roles: Operates as an Initial Access Broker (IAB) and conducts direct credential harvesting.

Modus Operandi

The adversary follows a structured lifecycle for each campaign:

  • Reconnaissance: Acquires victim data from underground markets, forums, and Telegram channels to customize attack lures.
  • Infrastructure Preparation: Registers domains in batches (often via OwnRegistrar or NameCheap), fronts them with Cloudflare to mask the hosting origin, and automates TLS certificate issuance via Let’s Encrypt.
  • Delivery: Sends targeted phishing emails using visual branding (logos, official fonts) and urgency-based lures (e.g., “action required,” “security update”).
  • Exploitation (Phishing): Victims are directed to pixel-perfect replica login pages (up to 98% CSS similarity).
  • Exfiltration: Stolen credentials and victim metadata (IP, geolocation, User-Agent) are forwarded in real time to a Telegram bot.
  • Post-Exploitation: Deploys RMM tools such as LogMeIn, AnyDesk, or ScreenConnect to gain full, unattended remote control, then uses that access for lateral movement or to deploy additional malware.
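
The infrastructure-preparation step above leaves a public trail: every Let’s Encrypt certificate is logged in Certificate Transparency, so newly issued certificates can be triaged for lookalikes of the brands being impersonated. The script below is an added example, not code from the SOCRadar report or from Ampcus Cyber. It folds common digit and homoglyph substitutions, then checks whether the registrable label or a subdomain contains, equals, or sits within a small edit distance of a protected brand token. The brand tokens, the allowlist of legitimate domains and the CT-log-style hostnames are all assumptions constructed for illustration.

```python
"""Lookalike-domain triage for newly seen hostnames, e.g. pulled from
Certificate Transparency logs.

Added example, not code from the SOCRadar report or from Ampcus Cyber. The
brand tokens, the allowlist of legitimate domains and the CT-log entries
below are assumptions constructed for illustration.
"""
import re
from typing import Optional

# Brand tokens to protect (the report names these institutions as targets).
BRANDS = ["wellsfargo", "navyfederal", "fidelity", "usaa"]

# Domains the brands actually own (assumed allowlist).
LEGIT_DOMAINS = {"wellsfargo.com", "navyfederal.org", "fidelity.com", "usaa.com"}

# Substitutions commonly used in typosquats; folded before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Lower-case, fold homoglyph substitutions and drop non-letters."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return re.sub(r"[^a-z]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual dynamic programme; inputs are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(hostname: str, legit_domains=LEGIT_DOMAINS) -> Optional[dict]:
    """Return a finding dict if hostname imitates a protected brand, else None."""
    host = hostname.lower().lstrip("*.")
    if host in legit_domains or any(host.endswith("." + d) for d in legit_domains):
        return None
    labels = host.split(".")
    # Crude registrable label: the second-to-last label. A public-suffix list
    # would be needed to handle ccTLDs such as .co.uk correctly.
    reg = normalize_label(labels[-2] if len(labels) >= 2 else labels[0])
    sub = normalize_label("".join(labels[:-2]))
    for brand in BRANDS:
        if reg == brand:              # brand on an unapproved TLD, or a folded homoglyph
            reason = "brand-as-registrable"
        elif brand in reg:            # brand plus lure words: wellsfargo-verify
            reason = "brand-in-registrable"
        elif brand in sub:            # brand pushed into a subdomain
            reason = "brand-in-subdomain"
        elif edit_distance(reg, brand) <= (2 if len(brand) >= 8 else 1):
            reason = "near-match"     # typo-distance; short brands get a tighter bound
        else:
            continue
        return {"host": hostname, "brand": brand, "reason": reason}
    return None


def triage(hostnames, legit_domains=LEGIT_DOMAINS):
    """Apply match_brand to each hostname and keep the findings, in input order."""
    return [f for f in (match_brand(h, legit_domains) for h in hostnames) if f]


# Constructed CT-log style hostnames; none are real observations.
SAMPLE_CT_ENTRIES = [
    "wellsfargo.com",
    "connect.secure.wellsfargo.com",
    "wellsfarg0-verify.com",
    "wellsfargo.login-update.net",
    "navyfedera1.com",
    "fidelity-secure-login.com",
    "usaa.com",
    "example.org",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CT_ENTRIES):
        print(finding)
```

Short brand tokens such as “usaa” are the weak point of the edit-distance rule (“usa” is one edit away), so in practice the allowlist and a tighter threshold for short tokens matter more than the rule itself; feed the output into a review queue rather than an automatic takedown.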

Victimology

  • Target Sectors: Primarily Finance (banking, credit unions), Technology, Retail, and Healthcare.
  • Geography: Strong focus on the United States, with additional activity in LATAM and European countries.
  • Targeted Entities: Specifically identified targets include Wells Fargo, USAA, Navy Federal, Fidelity, Credit Union of Colorado, and others.

Attribution & Correlation

  • Self-Identification: The actor self-identifies as “GS” or “GS7” in Telegram groups (e.g., “NfResultz by GS”) and code comments.
  • Telegram Presence: A primary administrator account was identified as GS7GEUP.
  • Underground Activity: The alias “GS7” is active in Brazilian underground markets, where they trade harvested financial data.
  • Financials: A monitored Bitcoin wallet associated with the actor has handled a total volume of approximately $50,000 USD.

Recommendations

  1. Configure filters on the email security gateway to detect and block the lure themes GS7 reuses: “mandatory security updates,” “pending verification,” or “immediate signature required.”
  2. Allow only approved RMM tools on company devices. Block execution of any unauthorized RMM binary, especially one running from a temporary or user-profile directory rather than its vendor install path.
  3. If internal traffic to Telegram API domains is not required for business, block it to disrupt the adversary’s real-time exfiltration channel.
  4. Use a dark web monitoring service to watch Brazilian and international underground markets for mentions of your company’s domain or credentials being traded, since GS7 is known to be active in these spaces.
  5. Block the IOCs (published in the VirusTotal collection below) at their respective controls:
    https://www.virustotal.com/gui/collection/85bf8f9d5cdf2a25b26031e4914923d08185abd2d077543a4ecd59f44d7217e3/iocs
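
Recommendations 2 and 3 both translate into endpoint detection logic: an RMM binary is suspicious when it is not the sanctioned tool or when it runs from a location a phished user can write to, and any process reaching the Telegram bot API is worth a look. The script below is an added example, not code from the SOCRadar report or from Ampcus Cyber, and runs both checks over constructed Sysmon-style events (EventID 1 = process create, EventID 3 = network connect). The RMM executable names, the approved-tool allowlist and its install path are assumptions to be replaced with your own inventory.

```python
"""Triage of Windows endpoint telemetry for unapproved RMM execution and
Telegram API egress.

Added example, not code from the SOCRadar report or from Ampcus Cyber. The
events are constructed Sysmon-style records (EventID 1 = process create,
EventID 3 = network connect); the RMM binary names, the approved-tool
allowlist and its install path are assumptions to adapt to your inventory.
"""
import re
from pathlib import PureWindowsPath

# Executable names of the RMM tools the report names. Assumed file names; the
# real list should come from your software inventory or vendor documentation.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "logmein.exe",
    "lmiguardiansvc.exe",
}

# The single RMM tool this hypothetical organisation sanctions, keyed by
# binary name, with the directory it is expected to run from (assumed path).
APPROVED_RMM = {
    "screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client",
}

# Locations a phished user (or a script run as that user) can write to.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop)|windows\\temp|temp)\\", re.I
)

TELEGRAM_API_HOSTS = {"api.telegram.org"}


def check_process_create(ev):
    """Flag RMM binaries that are not approved or run from user-writable paths."""
    image = PureWindowsPath(ev["Image"])
    name = image.name.lower()
    if name not in RMM_BINARIES:
        return None
    approved_dir = APPROVED_RMM.get(name)
    if approved_dir and str(image.parent).lower() == approved_dir:
        return None
    reason = ("rmm-from-user-writable-path" if USER_WRITABLE.match(ev["Image"])
              else "unapproved-rmm")
    return {"reason": reason, "image": ev["Image"], "user": ev.get("User")}


def check_network_connect(ev):
    """Flag any process talking to the Telegram bot API."""
    host = (ev.get("DestinationHostname") or "").lower()
    if host in TELEGRAM_API_HOSTS:
        return {"reason": "telegram-api-egress", "image": ev["Image"], "host": host}
    return None


def triage(events):
    """Run both checks over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        f = None
        if ev.get("EventID") == 1:
            f = check_process_create(ev)
        elif ev.get("EventID") == 3:
            f = check_network_connect(ev)
        if f:
            findings.append(f)
    return findings


# Constructed telemetry for illustration; none of these paths or hosts are
# observations from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on the executable name is the weakest part of the check: a renamed copy of an RMM client slips past it. Pair it with an allowlist of code-signing publishers or file hashes from the same telemetry, and treat the Telegram rule as a hunting query unless the organisation has already decided to block that traffic outright.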

Source:

  • https://socradar.io/wp-content/uploads/2026/02/Operation-DoppelBrand_-Weaponizing-Fortune-500-Brands-for-Credential-Theft-and-Remote-Access.pdf


Ampcus Cyber