GS7
A financially motivated cybercrime operator behind Operation DoppelBrand, a large-scale credential theft campaign that clones Fortune 500 brand login portals with up to 98% CSS similarity to the originals. GS7 harvests stolen credentials in real time via Telegram bots, deploys legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve for persistent access, and operates as an initial access broker (IAB) — selling compromised system access to ransomware operators and other criminal affiliates. SOCRadar identified over 150 malicious domains in the December 2025 – January 2026 campaign window alone, with infrastructure patterns dating back to 2022.
Overview
GS7 is a financially motivated threat actor that SOCRadar identified as the operator behind Operation DoppelBrand, a large-scale phishing and credential theft campaign targeting Fortune 500 companies. The campaign was first formally documented between December 2025 and January 2026, but infrastructure analysis reveals activity dating back to at least 2022. In a direct exchange with SOCRadar researchers, an individual claiming to be GS7 stated the group had been operating for approximately ten years and provided screenshots of phishing panels bearing the GS7 handle as evidence.
What distinguishes GS7 from typical phishing operators is the professionalized, automated infrastructure behind the operation. The group constructs pixel-perfect replicas of legitimate login portals — achieving up to 98% CSS similarity with the real websites of targets like Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank. These are not crude imitations. The phishing pages replicate official branding with a level of accuracy that makes visual detection by end users extremely difficult.
GS7 operates as an initial access broker, meaning the group does not just harvest credentials — it monetizes compromised access through multiple channels. After capturing credentials via Telegram bots, the group deploys legitimate RMM tools (LogMeIn Resolve, AnyDesk, ScreenConnect) through silent MSI installers and VBS loaders, establishing persistent remote access to victim systems. This access can then be sold to ransomware operators, used for lateral movement, or leveraged for follow-on malware deployment.
Blockchain analysis of a Bitcoin wallet associated with the operation revealed approximately $50,000 USD in observable transactions, with activity patterns correlating directly to campaign timelines. Transaction volumes peaked during mid-April through early July 2025 and again between mid-August and mid-October 2025, revealing a recurring campaign cadence of roughly two to three months between major operations.
GS7's use of legitimate RMM tools means that compromised systems may not trigger traditional malware detection. LogMeIn Resolve, AnyDesk, and ScreenConnect are all signed, trusted applications — their presence on a workstation looks like normal IT administration. Detection requires monitoring for unauthorized RMM installations, not RMM tools in general.
Target Profile
GS7 targets high-value brands whose login portals handle sensitive financial or personal data, maximizing the value of each harvested credential set.
- Banking and financial institutions: The primary target sector. Confirmed targets include Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, Citibank, and Credit Union of Colorado. Phishing pages replicate online banking login flows to capture usernames, passwords, and MFA tokens.
- Insurance providers: Cloned portals targeting insurance login pages, likely for access to policyholder data and financial account information tied to claims and payments.
- Technology and SaaS companies: Microsoft and other enterprise SaaS portals impersonated for corporate credential harvesting, enabling downstream attacks against business email and cloud infrastructure.
- Healthcare: Additional targeting of healthcare portals identified in the broader DoppelBrand infrastructure.
- Geographic focus: Primarily the United States, with additional activity in Western Europe and Latin America. English-speaking markets account for the bulk of observed targeting.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | Victims receive phishing emails containing links to pixel-perfect replica login portals. Pages achieve up to 98% CSS similarity with legitimate sites, using brand-specific subdomains and automated SSL certificates to appear authentic. |
| T1583.001 | Acquire Infrastructure: Domains | Over 150 malicious domains identified in the Dec 2025 – Jan 2026 window, with nearly 200 additional domains discovered. Uses NameCheap and OwnRegistrar with one-year terms, wildcard DNS records, and automated SSL certificates for rapid deployment. |
| T1056.003 | Input Capture: Web Portal Capture | Custom phishing kits capture credentials, IP addresses, geolocation, and User-Agent metadata from victims in real time. Data is transmitted instantly to attacker-controlled Telegram bots. |
| T1219 | Remote Access Software | Deploys legitimate RMM tools (LogMeIn Resolve, AnyDesk, ScreenConnect) via silent MSI installers and VBS loaders after credential capture. Enables persistent remote access that blends with normal IT administration software. |
| T1567 | Exfiltration Over Web Service | Stolen credentials and victim metadata exfiltrated in real time to Telegram bots controlled by GS7. The actor self-identifies in Telegram groups as "NfResultz by GS." |
| T1588.002 | Obtain Capabilities: Tool | Uses legitimate commercial RMM tools rather than custom malware, exploiting the inherent trust organizations place in signed administrative software to avoid triggering endpoint detection. |
| T1036.005 | Masquerading: Match Legitimate Name | Phishing infrastructure uses brand-specific subdomains, automated SSL certificates, and domain names closely resembling legitimate corporate URLs to bypass URL reputation filters and user scrutiny. |
Known Campaigns
Large-scale credential theft campaign impersonating Fortune 500 brands including Wells Fargo, USAA, Navy Federal, Fidelity, and Citibank. Over 150 malicious domains identified with near-perfect brand replication. Credentials exfiltrated via Telegram bots in real time. RMM tools deployed for persistent access. Documented by SOCRadar in a February 2026 white paper.
Bitcoin transaction analysis revealed two peak activity windows correlating with campaign operations: mid-April through early July 2025, and mid-August through mid-October 2025. Infrastructure rotation patterns and domain registration timelines confirm sustained operations across both periods targeting financial and technology sectors.
Domain registration and infrastructure patterns link GS7 activity back to at least 2022. The actor claims approximately a decade of operations. Early campaigns likely involved smaller-scale credential theft before evolving into the professionalized, automated infrastructure observed in Operation DoppelBrand.
Tools & Malware
GS7 favors legitimate tools over custom malware, making detection challenging for traditional endpoint security.
- Custom phishing kits: Bespoke kits that replicate target brand login portals with up to 98% CSS similarity. Captures credentials, IP, geolocation, and browser metadata. Automated deployment across rotating domain infrastructure.
- Telegram bots: Real-time credential exfiltration channel. Stolen data is transmitted instantly to Telegram bots controlled by GS7, enabling rapid monetization and distribution to affiliates.
- LogMeIn Resolve: Legitimate RMM tool deployed via silent MSI installers following credential capture. Provides persistent, unattended remote access to victim systems.
- AnyDesk / ScreenConnect: Additional legitimate RMM tools observed in the GS7 toolkit for remote access and lateral movement within compromised environments.
- VBS loaders: Script-based loaders used to silently deploy RMM tool installers on victim systems, enabling privilege escalation and persistent access without triggering malware alerts.
- Wildcard DNS + automated SSL: Infrastructure automation using wildcard DNS records and automated certificate provisioning to rapidly spin up brand-specific phishing subdomains at scale.
Mitigation & Defense
Defending against GS7 requires addressing both the phishing entry point and the RMM-based persistence mechanism.
- Phishing-resistant MFA: Deploy FIDO2/WebAuthn hardware keys or passkeys for high-value accounts. GS7's phishing pages can capture traditional MFA tokens in real time — hardware-bound authentication prevents relay attacks because the authentication is tied to the legitimate domain.
- Monitor for unauthorized RMM installations: Maintain an allowlist of approved RMM tools and alert on any installation of LogMeIn Resolve, AnyDesk, or ScreenConnect that was not initiated by IT. GS7 deploys these through silent installers that bypass user prompts.
- Domain monitoring and takedowns: Continuously monitor for newly registered domains that impersonate your brand. GS7 uses NameCheap and OwnRegistrar with brand-specific subdomains and one-year registration terms. Coordinate takedowns through registrar abuse processes.
- Browser-based URL verification: Train staff to verify URLs through bookmarks or direct typing rather than clicking email links. GS7's pages are visually near-identical to legitimate portals — the URL is the primary differentiator for users.
- Telegram bot monitoring: For threat intelligence teams: monitor Telegram channels associated with credential trading for mentions of your organization's domains. GS7 self-identifies as "NfResultz by GS" in Telegram groups and actively trades harvested credentials.
- Email authentication enforcement: Deploy DMARC, DKIM, and SPF with strict enforcement policies. GS7 exploits the permissive certificate handling in email transport — strict authentication reduces the effectiveness of spoofed sender domains.
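The RMM allowlist check from the list above, as an added example that is not part of this profile or SOCRadar's material: it scans constructed Windows Installer (MsiInstaller event 1033) log lines, flattened one per line in an approximated format, and flags installs of the RMM products named in this profile that were not pushed by the approved IT account. The deployment account name and hostnames are hypothetical.

```python
import re
from dataclasses import dataclass

# RMM products this profile reports GS7 deploying via silent MSI installers.
RMM_PRODUCTS = ("logmein resolve", "anydesk", "screenconnect")
# Hypothetical allowlist: (product keyword, account IT uses to push it).
APPROVED = {("anydesk", r"CORP\svc-deploy")}

# Constructed sample log (format approximated from MsiInstaller event 1033).
SAMPLE_LOG = """\
2026-01-14T09:12:03Z WS-0412 EventID=1033 User=CORP\\svc-deploy Msg="Windows Installer installed the product. Product Name: AnyDesk. Product Version: 8.1.0. Manufacturer: AnyDesk Software GmbH. Installation success or error status: 0."
2026-01-14T11:47:55Z WS-0931 EventID=1033 User=CORP\\jsmith Msg="Windows Installer installed the product. Product Name: LogMeIn Resolve. Product Version: 1.2.3. Manufacturer: GoTo Technologies. Installation success or error status: 0."
2026-01-14T11:48:10Z WS-0931 EventID=1033 User=CORP\\jsmith Msg="Windows Installer installed the product. Product Name: 7-Zip. Product Version: 23.01. Manufacturer: Igor Pavlov. Installation success or error status: 0."
2026-01-14T13:02:41Z WS-0207 EventID=1033 User=NT AUTHORITY\\SYSTEM Msg="Windows Installer installed the product. Product Name: ScreenConnect Client. Product Version: 24.1. Manufacturer: ScreenConnect Software. Installation success or error status: 1603."
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) User=(?P<user>.+?) '
    r'Msg="Windows Installer installed the product\. Product Name: (?P<product>.+?)\. '
    r'Product Version: .+?\. Manufacturer: .+?\. '
    r'Installation success or error status: (?P<status>\d+)\."$'
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    product: str
    status: int  # MSI exit status; non-zero means the install failed but was attempted


def find_unauthorized_rmm(log_text: str, approved=APPROVED) -> list[Alert]:
    """Return one Alert per RMM install (successful or not) not on the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "1033":
            continue
        key = next((p for p in RMM_PRODUCTS if p in m["product"].lower()), None)
        if key is None:
            continue  # not an RMM product; ordinary software installs are ignored
        if (key, m["user"]) in approved:
            continue  # pushed by the approved IT deployment account
        alerts.append(Alert(m["ts"], m["host"], m["user"], m["product"], int(m["status"])))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_rmm(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user}: {a.product} (status {a.status})")
```

Failed installs (non-zero status) are kept on purpose: an attempted RMM install by a non-IT account is the signal, whether or not it succeeded.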
SOCRadar classified GS7's sophistication level as "Script Kiddie" despite the professionalized infrastructure. This reflects the reality that modern phishing-as-a-service ecosystems allow relatively low-skilled operators to deploy highly automated, effective campaigns. GS7's threat comes not from technical sophistication but from operational discipline: consistent infrastructure rotation, automated SSL provisioning, near-perfect brand replication, and a mature monetization model combining credential theft, RMM access brokerage, and potential affiliate resale. Organizations should not underestimate actors classified as low sophistication when their operational infrastructure is this well-automated.