In the last 24 hours, security researchers have observed a notable increase in high-fidelity impersonation tactics. Current data points to a dual threat targeting enterprise environments: a campaign focused on administrative gateways within Fortune 500 networks, and a broad effort to introduce unauthorized data collection tools into the browser ecosystem. These developments indicate that threat actors are moving away from easily identifiable phishing lures. Instead, they are deploying exact replicas of daily workflow tools, making it increasingly difficult for users to distinguish between a legitimate login prompt and an unauthorized data collection event.
Operation DoppelBrand and Enterprise Targeting
The first major development involves a group tracked as GS7, currently executing a campaign designated "Operation DoppelBrand." This activity focuses on brand impersonation within the financial and technology sectors, utilizing visual precision that challenges standard verification methods. Although GS7 activity dates back to 2022, recent analysis shows a marked increase in volume over the current cycle. The group has registered more than 150 domains designed to mimic the login portals of institutions such as Wells Fargo, Citibank, and Fidelity Investments. The scale of this infrastructure suggests an intent to secure access credentials for major global entities.
This activity extends beyond credential collection. Researchers have identified GS7 operating as an Initial Access Broker (IAB). Once a user submits credentials to a fraudulent site, the workflow often pivots to establishing persistence by prompting the user to download remote management and monitoring (RMM) tools. This indicates that GS7 aims to commoditize enterprise access, likely selling these entry points to other unauthorized groups, including ransomware operators. While the geographic distribution of targets is currently centered on the United States and English-speaking markets, infrastructure analysis reveals expansion into Europe.
Browser Extension Risks and "AiFrame"
Parallel to the GS7 campaign, a second distinct trend has emerged within the Chrome Web Store. Over 30 unauthorized extensions have been identified masquerading as AI assistants. These tools, which have accumulated over 260,000 downloads, leverage the high demand for Large Language Model (LLM) integration.
The technical execution of these extensions is notable for its functional deception. Rather than deploying non-functional software, these tools provide the promised AI services by proxying legitimate API responses from providers like ChatGPT and Claude through their own servers. This approach maintains the user's trust while operators capture input data, including proprietary code, internal business strategies, and authentication tokens.
Researchers refer to the mechanism behind these extensions as "AiFrame." The technique relies on iframe injection: when a user engages the extension, they interact with a full-screen iframe pointing to a domain controlled by the external party. Because the code executes on a remote server, it largely bypasses the static analysis that is standard in browser web store vetting processes. This evasion capability allowed several extensions to achieve "Featured" status. Similarly, GS7 utilizes Cloudflare to obscure backend infrastructure and routes collected data, such as device fingerprints and geolocation, directly to Telegram bots, complicating attribution and tracking.
Defensive Strategies for Identity Protection
For security teams, these findings reinforce the need to manage "shadow IT" and strengthen identity verification. The primary challenge with Operation DoppelBrand is that the unauthorized access is often immediate, or involves RMM tools that appear as legitimate software to antivirus solutions.
To mitigate these risks, we recommend prioritizing phishing-resistant Multi-Factor Authentication (MFA). Implementing FIDO2-based hardware keys significantly reduces the risk of credential harvesting by ensuring authentication occurs only on verified domains. Additionally, Security Operations Centers (SOCs) should refine detection logic to identify the unauthorized installation or execution of RMM utilities, such as AnyDesk or ScreenConnect, which are frequently used by IABs to maintain access.
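The origin binding that makes FIDO2 resistant to lookalike login portals can be seen in the relying-party checks on a WebAuthn assertion. The example below is added here and is not code from the report or any vendor; the relying-party ID, origins and test inputs are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed relying-party configuration (placeholder domain, not from the report).
RP_ID = "login.example-bank.com"
ALLOWED_ORIGINS = {"https://login.example-bank.com"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn responses use."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Check the domain bindings of a WebAuthn assertion (signature check omitted for brevity).

    The browser, not the page, writes clientDataJSON.origin, so a cloned login
    portal on a lookalike domain cannot claim the genuine origin. The authenticator
    additionally scopes the credential to RP_ID via the rpIdHash in authenticatorData.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not the relying party"
    # The first 32 bytes of authenticatorData are sha256(rpId).
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "bound to the genuine relying party"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build clientDataJSON as a browser would for `origin` (constructed test input)."""
    body = {"type": "webauthn.get",
            "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
            "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).rstrip(b"=").decode()


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Compare an assertion from the genuine portal with one from a lookalike domain."""
    challenge = b"\x01" * 32
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    genuine = verify_assertion_binding(make_client_data("https://login.example-bank.com", challenge), auth_data, challenge)
    lookalike = verify_assertion_binding(make_client_data("https://login.example-bank-secure.com", challenge), auth_data, challenge)
    return genuine, lookalike
```

In practice the lookalike case never reaches the server at all, because the browser derives the rpId from the page's own origin and the authenticator refuses to sign for a credential it never registered there.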
Mitigating Browser-Based Data Loss
Regarding the risk from unauthorized AI extensions, the primary concern is the unmonitored egress of intellectual property. In an enterprise setting, an employee using an "AI Sidebar" to summarize internal documents or refactor code inadvertently exposes that data to external servers.
We advise defenders to implement strict browser extension policies, limiting installations to a pre-approved allow-list. Furthermore, network monitoring can identify early signs of data exposure. Teams should watch for connections to known command-and-control (C2) domains associated with these campaigns or unusual data transfers to external web applications that lack a clear business justification.
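The network-side checks above can be expressed as simple rules over proxy logs. The following is an added example, not tooling from the report: the log format, extension IDs, host lists and thresholds are constructed placeholders, and the "known C2" entry stands in for indicators a team would source from its own threat feeds.

```python
import re

# Constructed policy inputs (placeholders, not indicators from the report).
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
SANCTIONED_HOSTS = {"api.openai.com", "sync.example-sanctioned.com"}
KNOWN_C2_HOSTS = {"c2-placeholder.example"}
UPLOAD_THRESHOLD_BYTES = 100_000

# Constructed log format: time user method host bytes_out initiator
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+) (?P<initiator>\S+)$"
)

# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:01:02Z alice POST api.openai.com 1840 chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/
2024-05-01T09:02:10Z alice POST ai-sidebar-proxy.example 524288 chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
2024-05-01T09:03:44Z bob GET news.example 900 https://news.example/
2024-05-01T09:05:00Z bob POST sync.example-sanctioned.com 2400000 https://docs.example-sanctioned.com/
2024-05-01T09:06:12Z carol POST c2-placeholder.example 120 https://intranet.example/
"""


def classify(line: str) -> list[str]:
    """Return the reasons one proxy log line deserves analyst attention (empty if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    host, method, initiator = m["host"], m["method"], m["initiator"]
    bytes_out = int(m["bytes_out"])
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("connection to known C2 domain")
    if initiator.startswith("chrome-extension://"):
        ext_id = initiator.split("//", 1)[1].split("/", 1)[0]
        if ext_id not in APPROVED_EXTENSIONS:
            reasons.append(f"egress initiated by unapproved extension {ext_id}")
    if method in ("POST", "PUT") and bytes_out >= UPLOAD_THRESHOLD_BYTES and host not in SANCTIONED_HOSTS:
        reasons.append(f"large upload ({bytes_out} bytes) to unsanctioned host {host}")
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan a log and return (user, host, reasons) for every flagged line."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        reasons = classify(line)
        if reasons:
            m = LINE_RE.match(line)
            alerts.append((m["user"] if m else "?", m["host"] if m else "?", reasons))
    return alerts
```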
Outlook
Current observations suggest that unauthorized parties are increasingly focusing on the browser and the login portal as the primary perimeter. The association between GS7 and Brazilian cybercrime forums, combined with a decade-long operational history, indicates a resilient and experienced adversary. As AI tools become standard in professional workflows, the surface area for these impersonation techniques will likely expand.
While many fraudulent domains associated with GS7 have been identified, the group’s ability to rotate infrastructure suggests new indicators will emerge rapidly. Similarly, despite the identification of "AiFrame" extensions, delays in their removal from public stores leave a window of risk. Security teams should maintain a posture of verification, treating third-party AI tools and external login prompts with caution, even when they appear visually authentic.