A financially motivated threat actor, tracked as GS7, is currently conducting a widespread credential collection campaign targeting Fortune 500 organizations. This activity, identified as Operation DoppelBrand, leverages high-fidelity brand impersonation to bypass user scrutiny and gather sensitive access data.
The campaign was first observed intensifying between December and January, though the group’s activity dates back to 2022, according to a whitepaper released by SOCRadar. The primary targets include major financial institutions—such as Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank—as well as global entities in the technology, healthcare, and telecommunications sectors.
Infrastructure and Methodology
The effectiveness of Operation DoppelBrand relies on a sophisticated and rotating infrastructure designed to mimic legitimate login portals with high precision. This attention to detail in replicating official branding creates a challenging environment for users attempting to distinguish between authorized and unauthorized sites.
To support these operations, the group has registered over 150 domains in recent months. The infrastructure utilizes registrars including NameCheap and OwnRegistrar, while routing traffic through Cloudflare to obscure the location of backend servers.
Once a user interacts with the impersonated portal, the site collects login credentials, IP addresses, geolocation data, device fingerprints, and timestamps. This data is immediately exfiltrated to Telegram bots controlled by the group. Researchers identified one such Telegram channel, "NfResultz by GS," which appears to be central to their data collection workflow.
Transition to Persistence
Beyond credential collection, GS7 demonstrates capabilities often associated with Initial Access Brokers (IABs). The campaign workflow includes the deployment of remote management and monitoring (RMM) tools onto targeted systems. This allows the group to establish persistent remote access or enable the introduction of additional software.
By securing this level of access, the group may be positioning itself to sell entry points to other affiliates or ransomware operators, rather than solely exploiting the data directly.
Geographic Focus and Attribution
Recent data indicates a strong focus on English-speaking markets, with the United States being the primary region of activity. However, the campaign maintains a presence in Europe and is expanding to other regions. The group targets high-value entities with broad geographic reach, affecting assets and records across diverse sectors.
While specific attribution remains ongoing, researchers have identified links between GS7 and Brazilian cybercrime forums where financial data and credentials are frequently traded. A distinct actor claiming membership in GS7 has asserted the group has been operational for nearly a decade, providing evidence of panels signed with the group’s handle. Additionally, demonstrations provided by the actor highlighted a portal mimicking Fidelity, which triggered the download of RMM tools upon form completion.
Defensive Recommendations
The longevity of GS7 and the scale of its infrastructure highlight the importance of robust identity protection and monitoring. The high quality of the brand impersonation makes visual detection difficult for end users.
To mitigate the risks associated with Operation DoppelBrand, security teams should consider the following measures:
Enforce Multi-Factor Authentication (MFA): Implementation of phishing-resistant MFA reduces the utility of harvested credentials.
Monitor for Indicators of Compromise (IoCs): Security teams should integrate known TTPs (tactics, techniques, and procedures) and IoCs related to GS7 into their detection logic. SOCRadar has released a list of these indicators to assist defenders.
User Awareness: Encourage verification of URLs and the use of password managers, which typically refuse to autofill credentials on mismatched domains.
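As an added example (not code from SOCRadar's whitepaper or the original article) of turning the TTPs above into detection logic: the script below scans constructed proxy log lines for hostnames that carry one of the named brand keywords but are not the brand's own domain, and for outbound calls to the Telegram Bot API, the exfiltration channel the campaign uses. The brand allowlist, the log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit
# Assumed allowlist for this example: brand keyword -> domains the brand really uses.
BRAND_DOMAINS = {
    "wellsfargo": {"wellsfargo.com"},
    "usaa": {"usaa.com"},
    "navyfederal": {"navyfederal.org"},
    "fidelity": {"fidelity.com"},
    "citibank": {"citibank.com"},
}

def registrable(host):
    """Crude registrable domain (last two labels); adequate for .com/.org here."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_brand(host):
    """Return the brand a hostname imitates (keyword present but the registrable
    domain is not the brand's own), or None. Keyword matching is a first pass only."""
    flat = re.sub(r"[^a-z0-9]", "", host.lower())  # 'wells-fargo.' -> 'wellsfargo'
    for brand, legit in BRAND_DOMAINS.items():
        if brand in flat and registrable(host) not in legit:
            return brand
    return None

def telegram_bot_call(url):
    """True for Telegram Bot API requests (https://api.telegram.org/bot<token>/...),
    the channel the phishing kits use to push harvested data to the operators."""
    u = urlsplit(url)
    return u.hostname == "api.telegram.org" and u.path.startswith("/bot")

def scan(lines):
    """Each line is '<timestamp> <source_ip> <url>' (assumed proxy log format).
    Returns (timestamp, source_ip, reason) tuples for every suspicious request."""
    findings = []
    for line in lines:
        ts, src, url = line.split()
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append((ts, src, f"lookalike:{brand}:{host}"))
        if telegram_bot_call(url):
            findings.append((ts, src, "telegram-bot-exfil"))
    return findings

SAMPLE_LOG = [  # constructed log lines, not real traffic or real indicators
    "2025-01-10T09:00:01Z 10.0.0.5 https://www.fidelity.com/login",
    "2025-01-10T09:00:07Z 10.0.0.5 https://login.fidelity-secure.com/auth",
    "2025-01-10T09:00:09Z 10.0.0.8 https://wellsfargo.verify-online.net/signon",
    "2025-01-10T09:00:12Z 10.0.1.20 https://api.telegram.org/botEXAMPLE:TOKEN/sendMessage",
]
```

Running `scan(SAMPLE_LOG)` flags the two lookalike hosts and the Telegram Bot API call while leaving the genuine fidelity.com login alone; in practice the allowlist should come from a verified brand inventory and hits should feed a triage queue rather than an automatic block.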
By understanding the mechanics of this campaign, organizations can better tune their defenses to detect unauthorized access attempts and protect their user base.