category Threat Actor
published 23 Feb 2026
author NoHacky

Operation DoppelBrand: How Threat Actor GS7 Is Weaponizing Fortune 500 Brands to Steal Credentials and Sell Remote Access

A financially motivated threat actor has been cloning the login portals of Wells Fargo, USAA, Fidelity, Microsoft, and other Fortune 500 companies with alarming precision — harvesting credentials in real time through Telegram bots, then planting legitimate remote access tools on victim machines to sell persistent access to the highest bidder. Here is what we know about Operation DoppelBrand, and what you can do about it.

On February 16, 2026, cybersecurity intelligence firm SOCRadar published a white paper detailing a sophisticated, large-scale phishing operation that has been quietly targeting some of the biggest names in American banking and technology. The campaign, dubbed Operation DoppelBrand, is attributed to a threat actor who goes by the handle GS7 — an operator with roots in Brazilian underground markets and a playbook that blurs the line between opportunistic phishing and organized initial access brokerage.

While GS7 may lack the nation-state sophistication of groups like Lazarus or APT29, the operation reveals something arguably more unsettling for everyday organizations: you do not need to be a state-sponsored hacking crew to build an industrialized credential theft pipeline capable of impersonating Fortune 500 brands at scale. You just need automation, persistence, and a willingness to abuse legitimate tools for illegitimate purposes.

Who Is GS7?

GS7 is not a name that will ring bells alongside Volt Typhoon or Scattered Spider — at least not yet. According to SOCRadar's Threat Hunting Team, GS7 is a financially motivated threat actor that has been active since at least 2022, with the individual behind the alias claiming roughly a decade of operational history. The actor self-identifies as "GS" or "GS7" in Telegram groups and embeds the handle directly into code comments within their phishing kits. SOCRadar's attribution work also identified a primary Telegram administrator account operating under the handle GS7GEUP, which has been linked to the campaign's collection infrastructure and used to triage incoming credential logs in the "NfResultz by GS" channel.

SOCRadar's researchers were able to engage directly with someone claiming to be GS7, who provided screenshots of phishing panels bearing the group's signature as proof of their long-running operations. While these claims should be taken with healthy skepticism, the infrastructure evidence supports a multi-year operational timeline with consistent patterns dating back to 2022.

The alias 'GS7' is active in Brazilian underground markets, where they trade harvested financial data. A monitored Bitcoin wallet associated with the actor has handled a total transaction volume of approximately $50,000 USD. — SOCRadar, Operation DoppelBrand White Paper (Feb 2026)

SOCRadar classifies GS7's technical sophistication at the "script kiddie" level, which may seem surprising given the scale of the operation. But that classification highlights something important: this actor does not rely on custom zero-day exploits or complex malware chains. Instead, GS7 has built a highly automated infrastructure that generates convincing phishing pages at speed, deploys them across rotating domains, and leverages legitimate software to maintain access. The sophistication is in the process, not the code — and that distinction matters because it means this playbook is reproducible by other financially motivated actors with modest technical skill.

GS7 operates as what the industry calls an Initial Access Broker (IAB). Rather than carrying out the full attack chain themselves — from initial compromise to data exfiltration or ransomware deployment — GS7 specializes in the first stage: getting a foothold. They harvest credentials, establish remote access on victim machines, and then monetize that access by selling it to affiliates, ransomware operators, or other criminal groups. It is a business model, and the Bitcoin wallet activity correlated with campaign timelines confirms it is a profitable one.

Note: What is an Initial Access Broker? An IAB is a cybercriminal who specializes in breaching organizations and then selling that access to other threat actors. Think of it as the cybercrime equivalent of a locksmith who picks the lock and then sells the open door to whoever pays. IABs are a critical enabler of the ransomware ecosystem — they lower the barrier to entry for groups who have the malware but lack the skills or infrastructure to break in on their own.

How the Attack Works: A Five-Stage Kill Chain

Operation DoppelBrand is not a single phishing email blast. It is a structured, repeatable campaign that follows a five-stage lifecycle, from target selection all the way through monetization. Each stage is designed for efficiency and scalability, which is why GS7 has been able to sustain this operation across multiple waves without running out of infrastructure.

Stage 1: Reconnaissance and Target Selection

GS7 begins by identifying high-value brands whose login portals will yield the most valuable credentials. The target list reads like a who's-who of American finance and tech: Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, Citibank, Microsoft, and Apple, among others. The actor focuses primarily on English-speaking markets — with the United States as the dominant target — while also expanding into Western Europe. Banking, insurance, investment services, technology, healthcare, and telecommunications are all within scope. While publicly available reporting has focused almost entirely on the financial institution and technology targets — where the credential value is most immediately obvious — SOCRadar's white paper notes that healthcare and telecommunications brands have also been identified among impersonated entities, though detailed campaign specifics for those verticals are less thoroughly documented in open-source reporting to date.

Stage 2: Infrastructure Deployment

This is where GS7's automation capabilities really show. Between December 2025 and January 2026 alone, SOCRadar identified more than 150 malicious domains tied to the campaign, with nearly 200 additional domains exhibiting the same fingerprints. The infrastructure follows a consistent pattern that reveals automated deployment at scale.

# Typical GS7 domain infrastructure fingerprint:
- Registrar:       NameCheap or OwnRegistrar
- Domain term:     1-year registration
- SSL certificate: Let's Encrypt or Google Trust Services (issued within hours)
- DNS:             Wildcard records (*.domain) for rapid subdomain creation
- CDN:             Cloudflare (to obscure backend server IPs)
- Subdomains:      Brand-specific (e.g., wellsfargo.*, usaa.*, fidelity.*)

The use of Cloudflare is particularly notable. By routing traffic through Cloudflare's CDN, GS7 effectively hides the true location of their backend servers, making takedown efforts significantly harder. The wildcard DNS records allow the actor to spin up brand-specific subdomains on a single domain without reconfiguring anything — one domain can host spoofed pages for a dozen different banks simultaneously.

Stage 3: Credential Harvesting via Cloned Portals

The phishing pages themselves are what earned this campaign the "DoppelBrand" name. They replicate the visual identity of legitimate login portals with remarkable accuracy — SOCRadar's analysis found the cloned pages achieving up to 98% visual similarity with legitimate portals, matching logos, color schemes, CSS layouts, and form structures so closely that distinguishing the fake from the real requires careful inspection of the URL. Some campaigns route victims through a fake Microsoft OneDrive interface before redirecting them to the spoofed banking portal. This pre-authentication step is not merely decorative: by confirming that the victim has a valid Microsoft account before presenting the banking portal, GS7 effectively pre-qualifies targets and broadens the victim pool while adding a layer of perceived legitimacy that makes the final credential prompt feel routine rather than suspicious.

When a victim submits their credentials, the data package sent to GS7's collection infrastructure includes far more than just a username and password. It captures the victim's IP address, geolocation, device fingerprint, browser details, and a precise timestamp. All of this information is exfiltrated in real time to attacker-controlled Telegram bots. SOCRadar identified a Telegram group titled "NfResultz by GS" that appears to serve as the primary collection and triage channel.

Warning: Why Telegram? Telegram has become a preferred exfiltration and command-and-control channel for financially motivated threat actors because it provides encrypted communication, bot automation APIs, and is difficult for enterprise security teams to monitor at the network level. If your organization does not require Telegram for business operations, blocking Telegram API domains at the firewall is a meaningful defensive measure.

Stage 4: Remote Access Deployment

Credential theft alone is valuable, but GS7 does not stop there. In many observed campaigns, victims who land on the phishing pages are prompted to download what appears to be a required software update or security tool. In reality, these downloads install legitimate Remote Monitoring and Management (RMM) tools — specifically LogMeIn Resolve, AnyDesk, ScreenConnect, and Atera — configured for unattended remote access.

The installers are typically delivered as MSI packages accompanied by small VBS (Visual Basic Script) loader scripts. These loaders handle privilege escalation, silent installation, and cleanup to minimize forensic evidence. Once installed, the RMM tool gives GS7 (or whoever purchases the access) persistent, interactive control over the victim's machine — without deploying any traditional malware that would trigger endpoint detection.

This is a technique that has become increasingly popular across the threat landscape, not just with GS7. By abusing tools that are already trusted and allowlisted in many enterprise environments, attackers can establish footholds that blend in with normal IT operations. Your security monitoring may see a LogMeIn connection and assume it is legitimate helpdesk activity — when in reality, it is an attacker silently browsing your file shares.

Stage 5: Monetization

GS7 monetizes through multiple channels simultaneously. Harvested credentials are sold through underground markets and Telegram channels. Compromised systems with active RMM access are offered to ransomware operators, data theft groups, or other affiliates looking for pre-established footholds inside target organizations. SOCRadar's blockchain analysis of a Bitcoin wallet linked to GS7 showed approximately $50,000 in total transaction volume, with Infosecurity Magazine noting the wallet held roughly 0.28 BTC — equivalent to between $25,000 and $32,000 in net holdings depending on the market price at time of analysis. Activity peaks correlate directly to campaign timelines — mid-April through early July 2025, and again between mid-August and mid-October 2025 — suggesting a recurring operational cycle of roughly two to three months between major campaign waves.

Why This Campaign Matters

Operation DoppelBrand is not groundbreaking in the sense of introducing new zero-day exploits or novel malware families. Its significance lies in the operational maturity of the model. GS7 has built what amounts to a credential-theft-as-a-service pipeline that combines brand impersonation at industrial scale, automated infrastructure rotation to evade takedowns, real-time exfiltration through Telegram, and post-compromise persistence using tools that most endpoint security solutions will not flag.

The combination of brand impersonation, automated infrastructure, and legitimate remote management tools makes Operation DoppelBrand both scalable and difficult to disrupt. — SOCRadar, as reported by Infosecurity Magazine (Feb 2026)

For defenders, the challenge is that each individual component of this attack chain is well-understood, but GS7's integration of all of them into a streamlined, repeatable operation creates a threat that is greater than the sum of its parts. A phishing page by itself is a nuisance. A phishing page connected to Telegram-based real-time exfiltration, backed by rotating infrastructure behind Cloudflare, and followed by silent RMM deployment for persistent access — that is a serious compromise chain.

It also underscores a broader trend: the cybercrime economy is increasingly modular. GS7 does not need to build ransomware or run data extortion operations. They just need to be good at getting in. There will always be a buyer for that access.

Critical: Active campaign. Operation DoppelBrand is ongoing. SOCRadar identified more than 150 active domains in the December 2025 – January 2026 wave, with nearly 200 additional domains showing matching infrastructure signatures. GS7 has historically operated in two-to-three month cycles, meaning the next wave could already be in preparation. Organizations should implement the defensive measures outlined below immediately.

How to Defend Against Operation DoppelBrand

The good news is that every stage of GS7's kill chain presents an opportunity for detection and disruption. The defensive measures below are organized by the attack stage they address. No single control will stop this campaign, but layered defenses will significantly reduce the risk.

Email and Phishing Defenses

GS7 delivers its phishing lures through email, so this is your first line of defense. Configure email security gateways to flag messages containing known GS7 lure themes, including language around "mandatory security updates," "pending verification," and "immediate signature required." Deploy DMARC, SPF, and DKIM authentication to reduce the likelihood of spoofed emails reaching end users. Conduct regular phishing awareness training that specifically addresses brand impersonation attacks — showing employees that a visually perfect login page does not guarantee authenticity.

Domain and Brand Monitoring

If your organization is a potential impersonation target (and if you are in banking, insurance, healthcare, or technology, you are), proactive domain monitoring is essential. Watch for newly registered domains that contain your brand name, common misspellings, or related terms. SOCRadar's white paper includes detailed infrastructure fingerprints — including JARM signatures, SSL issuance timing patterns, and naming conventions — that can be used to identify GS7 domains before they go live. The Forbes Technology Council has published practical guidance on defending against web impersonation that is worth reviewing.
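One way to turn the Stage 2 infrastructure fingerprint and this monitoring advice into a triage script, as an added example that is not SOCRadar's or the article's code: it scores constructed domain records (the field names, the brands' legitimate domains and the weights are assumptions) and shows that the brand keyword is the discriminator, since the hosting traits alone are common on benign new sites.

```python
# Added example, not SOCRadar's or the article's code. Records are constructed;
# the field names assume a CT-log or domain-monitoring feed exposes them.
from datetime import datetime, timedelta

# Brands named in the article; the legitimate registrable domains are assumptions.
PROTECTED_BRANDS = {"wellsfargo": "wellsfargo.com", "usaa": "usaa.com",
                    "fidelity": "fidelity.com"}
FINGERPRINT_REGISTRARS = {"namecheap", "ownregistrar"}
FINGERPRINT_ISSUERS = {"let's encrypt", "google trust services"}
CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"


def registrable(fqdn):
    """Last two labels; production code needs a public-suffix list for co.uk-style TLDs."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def brand_hits(fqdn):
    """Brand keywords found in a name whose registrable domain is not the brand's own."""
    labels = fqdn.lower().split(".")
    owner = registrable(fqdn)
    return [b for b, legit in PROTECTED_BRANDS.items()
            if owner != legit and any(b in label for label in labels)]


def score_domain(rec):
    """Return (score, reasons). Weights are this example's assumption, not SOCRadar's."""
    score, reasons = 0, []
    brands = brand_hits(rec["fqdn"])
    if brands:  # the discriminator: the hosting traits alone are common on benign sites
        score += 40; reasons.append("brand keyword outside brand's domain: " + ",".join(brands))
    if rec["registrar"].lower() in FINGERPRINT_REGISTRARS:
        score += 10; reasons.append("registrar in fingerprint set")
    if rec["cert_issuer"].lower() in FINGERPRINT_ISSUERS:
        score += 10; reasons.append("automated CA in fingerprint set")
    age = datetime.fromisoformat(rec["cert_issued"]) - datetime.fromisoformat(rec["registered"])
    if timedelta(0) <= age <= timedelta(hours=24):
        score += 15; reasons.append(f"certificate issued {age} after registration")
    if rec["wildcard"]:
        score += 10; reasons.append("wildcard DNS record")
    if any(ns.lower().endswith(CLOUDFLARE_NS_SUFFIX) for ns in rec["nameservers"]):
        score += 10; reasons.append("Cloudflare nameservers")
    return score, reasons


def triage(records, threshold=60):
    """(fqdn, score, reasons) for hosts at or above the threshold, highest first."""
    scored = [(r["fqdn"], *score_domain(r)) for r in records]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


# Constructed records: a GS7-style host, the brand's real portal, and a benign
# new site that shares the hosting traits but carries no brand keyword.
SAMPLE_RECORDS = [
    {"fqdn": "wellsfargo.secure-verify-example.net", "registrar": "NameCheap",
     "registered": "2026-01-10T08:00:00", "cert_issuer": "Let's Encrypt",
     "cert_issued": "2026-01-10T11:30:00", "wildcard": True,
     "nameservers": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]},
    {"fqdn": "login.wellsfargo.com", "registrar": "MarkMonitor",
     "registered": "1995-05-01T00:00:00", "cert_issuer": "DigiCert",
     "cert_issued": "2025-11-01T00:00:00", "wildcard": False,
     "nameservers": ["ns1.example-corp-dns.net"]},
    {"fqdn": "www.corner-bakery-example.com", "registrar": "NameCheap",
     "registered": "2026-01-12T09:00:00", "cert_issuer": "Let's Encrypt",
     "cert_issued": "2026-01-12T10:00:00", "wildcard": False,
     "nameservers": ["ada.ns.cloudflare.com"]},
]
```

Running `triage(SAMPLE_RECORDS)` returns only the brand-bearing host (score 95); the bakery scores 45 on hosting traits alone and stays below the threshold.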

RMM Tool Control

This is arguably the highest-impact defensive measure for this specific threat. Maintain an allowlist of approved RMM tools in your environment and block the execution of any unauthorized remote access binaries. Pay special attention to RMM installations found in temporary directories, user profile paths, or locations that are not consistent with your IT department's standard deployment method. If your organization does not use LogMeIn Resolve, AnyDesk, or ScreenConnect, block their executables and MSI installers at the endpoint level.

# Example: Block unauthorized RMM tools via application control
# Monitor for MSI installations in non-standard paths:
%TEMP%\*.msi
%USERPROFILE%\Downloads\*.msi
%APPDATA%\*.msi

# Block or alert on known RMM binaries if not IT-approved:
LogMeIn*.exe | AnyDesk*.exe | ScreenConnect*.exe | Atera*.exe
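An added example, not the article's or any vendor's code, that implements the checks above over constructed Sysmon-style process events (the approved-tool set and the install paths are assumptions): MSI packages run from user-writable paths, RMM binaries outside the approved set or running from such paths, and a script host spawning msiexec, which is the VBS loader pattern described in Stage 4.

```python
# Added example, not the article's or any vendor's code. Event lines are constructed
# in a simplified Sysmon-style layout: ts|user|image|command_line|parent_image
import ntpath
import re

# Paths an IT-driven MSI deployment would not normally use (the article's list)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
RMM_FAMILIES = ("logmein", "anydesk", "screenconnect", "atera")
# Assumption for this example: the organization's IT team has standardized on Atera
APPROVED_RMM = {"atera"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def rmm_family(image):
    """RMM family an image belongs to, by executable name prefix, or None."""
    name = ntpath.basename(image).lower()
    return next((f for f in RMM_FAMILIES if name.startswith(f)), None)


def evaluate(event):
    """Return the rule ids an event trips (empty list means no finding)."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    rules = []
    if image == "msiexec.exe" and USER_WRITABLE.search(event["cmdline"]):
        rules.append("R1-msi-from-user-writable-path")
    family = rmm_family(event["image"])
    if family and (family not in APPROVED_RMM or USER_WRITABLE.search(event["image"])):
        rules.append(f"R2-unapproved-rmm-{family}")
    if image == "msiexec.exe" and parent in SCRIPT_HOSTS:
        rules.append("R3-script-host-spawned-msiexec")
    return rules


def parse(line):
    ts, user, image, cmdline, parent = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "user": user, "image": image, "cmdline": cmdline, "parent": parent}


def detect(lines):
    """(ts, image, [rule ids]) for every event that trips at least one rule."""
    findings = []
    for line in lines:
        ev = parse(line)
        rules = evaluate(ev)
        if rules:
            findings.append((ev["ts"], ev["image"], rules))
    return findings


# Constructed events; install paths are illustrative, not the vendors' real ones.
SAMPLE_EVENTS = [
    "2026-01-14T09:02:11|CORP\\jdoe|C:\\Windows\\System32\\wscript.exe"
    "|wscript.exe C:\\Users\\jdoe\\Downloads\\SecurityUpdate.vbs|C:\\Windows\\explorer.exe",
    "2026-01-14T09:02:13|CORP\\jdoe|C:\\Windows\\System32\\msiexec.exe"
    "|msiexec.exe /i C:\\Users\\jdoe\\AppData\\Local\\Temp\\SecurityUpdate.msi /qn"
    "|C:\\Windows\\System32\\wscript.exe",
    "2026-01-14T09:02:40|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Roaming\\LMIResolve\\LogMeInResolve.exe"
    "|LogMeInResolve.exe --service|C:\\Windows\\System32\\msiexec.exe",
    "2026-01-14T09:15:00|NT AUTHORITY\\SYSTEM|C:\\Program Files\\AteraAgent\\AteraAgent.exe"
    "|AteraAgent.exe|C:\\Windows\\System32\\services.exe",
    "2026-01-14T10:00:00|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\msiexec.exe"
    "|msiexec.exe /i C:\\Windows\\ccmcache\\a1\\Office.msi /qn|C:\\Windows\\CCM\\CcmExec.exe",
]
```

`detect(SAMPLE_EVENTS)` flags the silent MSI install from %TEMP% launched by wscript.exe and the LogMeIn binary under AppData, while the approved Atera agent and the management-system MSI install produce no finding.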

Network-Level Controls

If your organization does not have a business need for Telegram, block outbound traffic to Telegram API domains (api.telegram.org and related endpoints). One important nuance: Telegram uses its own MTProto protocol and can operate on non-standard ports, which means port-based blocking alone is insufficient. Effective disruption requires domain-level blocking at the DNS resolver or web proxy layer, not just firewall port rules. This disrupts the real-time credential exfiltration channel that GS7 relies on. Additionally, monitor for unexpected outbound connections to RMM service infrastructure, particularly from endpoints that are not managed by your IT team.
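An added example (not from the article) of the domain-level approach described above: label-boundary matching over constructed resolver query-log lines, plus the Response Policy Zone records a resolver would need to return NXDOMAIN for the zone. Blocking the whole telegram.org zone rather than only api.telegram.org is an assumption made for this example.

```python
# Added example, not the article's code. Query-log lines are constructed in a
# simplified "ts client qname qtype" layout rather than a specific resolver's format.

# api.telegram.org is the endpoint the article names; covering the whole telegram.org
# zone (and any further zones) is a policy choice for your environment, assumed here.
BLOCKED_ZONES = ("telegram.org",)


def zone_match(qname, zones=BLOCKED_ZONES):
    """Return the matching blocked zone, honouring label boundaries.

    'api.telegram.org' and 'telegram.org' match; 'nottelegram.org' and
    'telegram.org.example.com' do not, which a plain substring check gets wrong.
    """
    q = qname.lower().rstrip(".")
    for zone in zones:
        if q == zone or q.endswith("." + zone):
            return zone
    return None


def flagged_clients(log_lines, zones=BLOCKED_ZONES):
    """Map each client IP to the blocked names it queried (de-duplicated, in order)."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, qname, _qtype = parts[:4]
        if zone_match(qname, zones):
            names = hits.setdefault(client, [])
            if qname.lower() not in names:
                names.append(qname.lower())
    return hits


def rpz_records(zones=BLOCKED_ZONES):
    """RPZ records that return NXDOMAIN for each zone and all of its subdomains."""
    lines = []
    for zone in zones:
        lines.append(f"{zone} CNAME .")
        lines.append(f"*.{zone} CNAME .")
    return lines


# Constructed query log: one host talking to Telegram's API, one benign lookalike,
# one name that only contains the blocked zone as a substring, and a garbled line.
SAMPLE_LOG = [
    "2026-01-14T09:03:01 10.20.0.15 api.telegram.org A",
    "2026-01-14T09:03:01 10.20.0.15 api.telegram.org AAAA",
    "2026-01-14T09:03:09 10.20.0.15 api.telegram.org A",
    "2026-01-14T09:04:00 10.20.0.22 nottelegram.org A",
    "2026-01-14T09:04:30 10.20.0.22 telegram.org.example.com A",
    "2026-01-14T09:05:00 10.20.0.40 www.example.com A",
    "garbled line",
]
```

Because the match is on the queried name, the result is the same whatever port or transport the subsequent MTProto session would have used, which is the point the paragraph above makes about port-based rules.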

Dark Web and Underground Monitoring

GS7 is known to be active in Brazilian underground markets and Telegram channels where stolen credentials and initial access are traded. Organizations with threat intelligence capabilities should monitor these spaces for mentions of their domain, employee credentials, or access listings that reference their environment. SOCRadar's platform offers free access to the initial indicators of compromise (IOCs) associated with this campaign, and a VirusTotal collection of IOCs is also available.

The Bigger Picture: Why Brand Impersonation at Scale Is a Wake-Up Call

Operation DoppelBrand is not happening in isolation. Research has found that roughly two-thirds of identified phishing pages between 2023 and 2024 targeted financial institutions and their customers. The financial services sector consistently ranks among the top targets for credential theft, brand impersonation, and DDoS attacks. What GS7 has done is build a particularly efficient machine for exploiting that reality.

For organizations that are being impersonated, the damage extends beyond direct financial losses from compromised accounts. Brand abuse erodes customer trust, creates compliance headaches, and can result in legal liability. For individual consumers, the takeaway is straightforward but critical: never trust a login page just because it looks right. Always verify the URL. Always check for HTTPS with the correct domain. And if you are ever asked to download software from a banking or financial website, stop and call the institution directly.

The modular nature of the cybercrime economy means that GS7's playbook — even if it gets disrupted — will be replicated by other actors. The infrastructure patterns, the Telegram-based exfiltration, the RMM abuse: these are techniques that are transferable, teachable, and sellable in underground forums. Defending against Operation DoppelBrand is not just about one threat actor. It is about building resilience against an entire class of attack that will only become more common.

Key Takeaways

  1. GS7 operates as an Initial Access Broker: The threat actor specializes in credential harvesting and establishing remote access, then sells that access to ransomware operators and other criminal groups. The campaign has been active since at least 2022, with the latest wave running from December 2025 through January 2026.
  2. Over 150 malicious domains in one wave: GS7 uses automated infrastructure with rotating registrars, Cloudflare CDN, wildcard DNS records, and rapid SSL issuance to spin up convincing brand impersonation sites at industrial scale. Targets include Wells Fargo, USAA, Navy Federal, Fidelity, Microsoft, Apple, and Citibank.
  3. Credential exfiltration happens in real time via Telegram: Stolen usernames, passwords, IP addresses, device fingerprints, and geolocation data are immediately forwarded to Telegram bots, enabling GS7 to triage and monetize compromised accounts within minutes of capture.
  4. Legitimate RMM tools are the persistence mechanism: GS7 deploys LogMeIn Resolve, AnyDesk, ScreenConnect, and Atera in unattended mode via MSI installers and VBS loaders. These tools are trusted by many endpoint security solutions, making them an effective way to maintain access without triggering alerts.
  5. Defense requires layered controls: No single measure will stop this campaign. Organizations need email authentication (DMARC/SPF/DKIM), proactive domain monitoring, strict RMM tool allowlisting, Telegram API blocking where feasible, phishing awareness training, and dark web monitoring to cover the full kill chain.

Operation DoppelBrand is a reminder that cybercrime does not require cutting-edge sophistication to cause serious damage. A well-automated phishing pipeline, a few hundred dollars in domain registrations, and the abuse of legitimate tools that your security stack already trusts — that is all it takes. The question for defenders is not whether they will see this type of attack, but whether their controls are configured to catch it when they do.

Sources: SOCRadar, Infosecurity Magazine, Dark Reading, The National Law Review, Ampcus Cyber

— end of briefing