Brand impersonation is not a new tactic. Criminals have been spoofing bank login pages since the early days of consumer internet banking. What is new — and what makes Operation DoppelBrand worth paying close attention to — is the degree to which one financially motivated operator has systematized the process. Threat actor GS7 is not running a makeshift phishing scheme. The operation documented by SOCRadar's Threat Hunting Team in February 2026 reflects a multi-year investment in automation, infrastructure, and monetization that functions less like a cybercrime operation and more like a low-overhead credential supply chain.
The campaign targets the most recognized financial and technology brands in the United States — Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, Citibank, Microsoft, and Apple among them — and the targeting is deliberate. These are names that generate an immediate, conditioned response of trust when users see their login page. GS7 exploits that trust at industrial scale.
GS7: A Profile of a Financially Motivated IAB
GS7 is not a household name in threat intelligence circles alongside groups like Lazarus or FIN7, but the actor has been active since at least 2022 and claims a longer operational history dating back roughly a decade. SOCRadar's researchers were able to engage directly with someone presenting as GS7, who shared phishing panel screenshots bearing the group's signature — evidence that corroborates the multi-year timeline reflected in the campaign's infrastructure patterns.
The actor self-identifies as "GS" or "GS7" in Telegram communities and embeds the handle directly into phishing kit code comments, a form of digital branding that serves both as attribution and as advertising within underground markets. The primary Telegram administrator account associated with the campaign operates under the handle GS7GEUP and manages a collection channel called "NfResultz by GS" where incoming credential logs are triaged and distributed.
SOCRadar places GS7's technical sophistication at the script kiddie tier. That classification is not a dismissal — it is a meaningful observation about the threat model. GS7 does not write custom exploits or develop novel malware. The operation's power comes entirely from its process: automated infrastructure generation, convincing brand clones, and the abuse of legitimate tools that defenders have been trained to trust. The sophistication is operational, not technical, and that distinction matters because it means the playbook is transferable to other financially motivated actors with similar resources.
GS7 operates as an Initial Access Broker (IAB) — a cybercriminal who specializes in breaching organizations and selling the resulting access to other threat actors rather than conducting the full attack chain independently. IABs are a structural enabler of the ransomware economy: they handle the costly, time-intensive work of establishing footholds, then sell those footholds to groups that specialize in extortion, data theft, or sabotage. A Bitcoin wallet linked to GS7 shows approximately $50,000 in total transaction volume, with activity peaks that correlate directly to observed campaign waves.
The Infrastructure: Built for Scale and Survivability
The first thing that distinguishes Operation DoppelBrand from typical phishing campaigns is the infrastructure volume. Between December 2025 and January 2026 alone, SOCRadar identified more than 150 malicious domains tied to the campaign, with nearly 200 additional domains exhibiting matching infrastructure fingerprints. That is not a small operation — it reflects an investment in automated domain provisioning and rotation that is designed to outlast takedown attempts.
The domain infrastructure follows a consistent, identifiable pattern. Domains are registered through NameCheap or OwnRegistrar on one-year terms, SSL certificates are issued almost immediately through Let's Encrypt or Google Trust Services, wildcard DNS records (*.domain) enable rapid subdomain creation without reconfiguration, and all traffic is routed through Cloudflare's CDN to obscure the backend server's true location. A single domain can host convincing spoofed portals for multiple banks simultaneously by assigning brand-specific subdomains — wellsfargo.example[.]com, usaa.example[.]com — all resolving to the same backend infrastructure.
# GS7 infrastructure fingerprint (SOCRadar research, Feb 2026)
Registrars: NameCheap | OwnRegistrar
Registration: 1-year terms
SSL issuance: Let's Encrypt | Google Trust Services
— typically issued within hours of domain registration
DNS: Wildcard records (*.domain) for subdomain flexibility
CDN: Cloudflare — conceals backend server IPs
Subdomains: Brand-targeted (wellsfargo.*, usaa.*, fidelity.*, etc.)
JARM: Consistent TLS fingerprint across campaign infrastructure
The Cloudflare routing layer is particularly consequential for defenders. Takedown requests directed at Cloudflare require demonstrating abuse before the CDN will act, and by the time a domain is actioned, GS7 has typically already rotated to new infrastructure. The JARM TLS fingerprint — a tool-based signature of a server's TLS configuration — remains consistent across domains and provides a detection opportunity for organizations running network-level TLS inspection, but this requires active monitoring rather than reactive response.
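The fingerprint above is only useful if it can be scored against live domain observations. The following is an added example, not SOCRadar's tooling: it turns the listed attributes (registrar, one-year term, automated CA, certificate issued within hours of registration, wildcard DNS, Cloudflare fronting, brand-named subdomains, JARM) into additive weights, because none of them is conclusive on its own. The record shape, the weights, the alert threshold and the two sample observations are constructed, and `CAMPAIGN_JARM` is a placeholder to be replaced with the value from the published IOC collection.

```python
"""Score a domain observation against the DoppelBrand infrastructure fingerprint.

Added illustration, not SOCRadar's code.  Record shape, weights, threshold and
sample observations are constructed; CAMPAIGN_JARM is a placeholder.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attributes taken from the article's infrastructure summary.
SUSPECT_REGISTRARS = {"namecheap", "ownregistrar"}
SUSPECT_CAS = {"let's encrypt", "google trust services"}
BRAND_LABELS = {"wellsfargo", "usaa", "navyfederal", "fidelity",
                "citi", "citibank", "microsoft", "apple"}
CAMPAIGN_JARM = "JARM-PLACEHOLDER-FROM-IOC-FEED"  # placeholder, not a real fingerprint
ISSUANCE_WINDOW = timedelta(hours=24)             # "issued within hours of registration"
ALERT_THRESHOLD = 6                               # constructed; tune against your own data


@dataclass(frozen=True)
class DomainObservation:
    domain: str
    registrar: str
    registered_at: datetime
    registration_years: int
    cert_issuer: str
    cert_issued_at: datetime
    wildcard_dns: bool
    cdn: str
    jarm: str
    subdomains: tuple


def score(obs: DomainObservation):
    """Return (points, reasons).  Let's Encrypt and Cloudflare are used by
    countless legitimate sites, so the weights are additive: it is the
    combination with issuance timing, brand subdomains and a JARM match
    that resembles the campaign."""
    points, reasons = 0, []

    def hit(weight, reason):
        nonlocal points
        points += weight
        reasons.append(reason)

    if obs.registrar.lower() in SUSPECT_REGISTRARS:
        hit(1, f"registrar {obs.registrar}")
    if obs.registration_years == 1:
        hit(1, "one-year registration")
    if obs.cert_issuer.lower() in SUSPECT_CAS:
        hit(1, f"automated CA {obs.cert_issuer}")
    lag = obs.cert_issued_at - obs.registered_at
    if timedelta(0) <= lag <= ISSUANCE_WINDOW:
        hit(2, f"certificate issued {lag} after registration")
    if obs.wildcard_dns:
        hit(1, "wildcard DNS record")
    if obs.cdn.lower() == "cloudflare":
        hit(1, "Cloudflare fronting hides origin")
    if obs.jarm == CAMPAIGN_JARM:
        hit(3, "JARM matches campaign fingerprint")
    brand_subs = [s for s in obs.subdomains if s.split(".")[0].lower() in BRAND_LABELS]
    if brand_subs:
        hit(2 if len(brand_subs) > 1 else 1, "brand subdomains: " + ", ".join(brand_subs))
    return points, reasons


def is_alert(obs: DomainObservation) -> bool:
    return score(obs)[0] >= ALERT_THRESHOLD


# Constructed sample observations (not real campaign domains).
SUSPECT = DomainObservation(
    domain="accountverify.test", registrar="NameCheap",
    registered_at=datetime(2026, 1, 10, 9, 0), registration_years=1,
    cert_issuer="Let's Encrypt", cert_issued_at=datetime(2026, 1, 10, 11, 30),
    wildcard_dns=True, cdn="Cloudflare", jarm=CAMPAIGN_JARM,
    subdomains=("wellsfargo.accountverify.test", "usaa.accountverify.test"),
)
BENIGN = DomainObservation(
    domain="corp-intranet.test", registrar="MarkMonitor",
    registered_at=datetime(2016, 3, 1), registration_years=10,
    cert_issuer="DigiCert", cert_issued_at=datetime(2026, 1, 5),
    wildcard_dns=False, cdn="Akamai", jarm="jarm-of-unrelated-server",
    subdomains=("www.corp-intranet.test",),
)

if __name__ == "__main__":
    for obs in (SUSPECT, BENIGN):
        total, why = score(obs)
        print(obs.domain, total, "ALERT" if total >= ALERT_THRESHOLD else "ok", why)
```

The JARM match carries the largest weight because it is the one attribute that is specific to the campaign's servers rather than to cheap hosting in general; the other signals mostly raise the priority of a hit that a brand-subdomain or JARM match already produced.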
The Phishing Pages: 98% Visual Similarity and a Pre-Qualification Step
The campaign's name refers directly to the quality of its brand impersonation. SOCRadar's analysis found the cloned login portals achieving up to 98% visual similarity with their legitimate counterparts — matching logos, color palettes, CSS layouts, typography, and form structures closely enough that the spoofed page is effectively indistinguishable from the real one without carefully checking the URL bar. This level of fidelity is achievable because modern phishing kit tooling makes it straightforward to scrape and mirror a live site, and because most users simply do not scrutinize URLs after the visual pattern match triggers their trust response.
A notable tactical addition in some DoppelBrand campaign variants is a fake Microsoft OneDrive pre-authentication step presented before the target banking portal. The victim is first asked to verify their Microsoft account, and only after that confirmation succeeds are they redirected to the spoofed bank login. This two-stage flow accomplishes two things simultaneously: it pre-qualifies victims by ensuring they have a valid Microsoft identity before consuming the more valuable banking credential prompt, and it adds a layer of apparent legitimacy that makes the final login request feel like a routine cross-service authentication rather than an unsolicited credential demand.
A visually perfect login page is not evidence of legitimacy. GS7's cloned portals achieve near-identical visual replication. The only reliable trust signal is the URL — not the logo, not the color scheme, not the form layout. Train users to verify the domain in the browser address bar before entering any credentials, regardless of how familiar the page looks.
Real-Time Exfiltration via Telegram and the RMM Persistence Layer
When a victim submits credentials on a DoppelBrand phishing page, the data does not sit in a log file waiting for GS7 to check in. It is exfiltrated immediately to attacker-controlled Telegram bots. The data package includes username, password, IP address, geolocation, device fingerprint, browser details, and a precise timestamp — everything needed to assess the value of the compromised account, assign it to a category (banking, email, enterprise SSO), and move it toward monetization within minutes of capture.
Telegram has become a favored exfiltration and command-and-control channel across financially motivated threat actors for a straightforward reason: its bot API enables fully automated data collection and forwarding, its encrypted transport complicates network-level monitoring, and it is difficult for enterprise security teams to action rapidly compared to attacker-controlled web infrastructure. The "NfResultz by GS" Telegram channel identified by SOCRadar functions as a live feed of incoming credential logs, enabling real-time triage of captured accounts.
Credential theft alone would make this a significant campaign. But GS7 goes further. In many observed campaign variants, victims who interact with the phishing page are also prompted to download what is presented as a mandatory software update or security verification tool. The download delivers an MSI package accompanied by a VBS loader script. The loader handles privilege escalation, performs a silent installation of a legitimate Remote Monitoring and Management (RMM) tool, and cleans up artifacts to minimize forensic footprint. The RMM tools deployed include LogMeIn Resolve, AnyDesk, ScreenConnect, and Atera — all configured for unattended access, meaning GS7 (or whoever purchases the access) can connect to and control the victim machine at any time without requiring any further action from the victim.
This is the part of the attack chain that converts a credential theft operation into an initial access brokerage. The victim's machine becomes a product: a pre-established, persistent foothold inside a real organization, available for sale to ransomware operators, data theft groups, or any other actor willing to pay. Because RMM tools are legitimate software trusted by many endpoint detection platforms and allowlisted in many corporate environments, this persistence mechanism frequently survives standard malware scanning.
Operation DoppelBrand is an active, ongoing campaign. SOCRadar identified over 150 malicious domains in the December 2025 to January 2026 wave alone, with nearly 200 additional matching-fingerprint domains identified concurrently. Historical campaign timing suggests GS7 operates in two-to-three month cycles, placing the next major wave potentially already in preparation. Defensive measures should be treated as urgent, not backlog items.
Defensive Controls Across the Kill Chain
Every stage of GS7's attack chain presents a specific defensive opportunity. No single control will stop this campaign in its entirety, but layered defenses that address multiple stages significantly raise the cost and complexity of a successful compromise.
Harden the email delivery surface
Phishing lures are delivered through email. Enforce DMARC (ideally at the p=reject policy), SPF, and DKIM on all outbound mail domains to reduce the effectiveness of spoofed sender addresses that impersonate your own organization. Configure inbound email security gateways to flag or quarantine messages containing DoppelBrand lure patterns — language around mandatory security updates, pending verifications, and urgent account actions. Conduct phishing simulation training that specifically replicates brand impersonation scenarios rather than generic phishing tests.
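As an added example (not from the article or any vendor), the following evaluates DMARC and SPF TXT records for the posture recommended above: DMARC at p=reject with a subdomain policy and aggregate reporting, and SPF ending in a hard fail. It parses record text only and performs no DNS lookups, so it is fed the TXT strings pulled for your own domains; the records shown are constructed.

```python
"""Assess DMARC/SPF record text against the recommended enforcement posture.

Added example, not from the article.  Records below are constructed.
"""
import re

ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_tags(record):
    """Split 'k=v; k=v' into a dict, ignoring empty and malformed pieces."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record):
    """Return a dict with the policy, whether it enforces, and why not."""
    tags = parse_tags(record)
    policy = tags.get("p")
    result = {"valid": tags.get("v") == "DMARC1", "policy": policy,
              "enforcing": False, "issues": []}
    if not result["valid"]:
        result["issues"].append("not a DMARC1 record")
        return result
    if policy not in ENFORCING_POLICIES:
        result["issues"].append(f"p={policy} does not reject or quarantine spoofed mail")
    elif policy == "quarantine":
        result["issues"].append("p=quarantine; p=reject is the recommended end state")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        result["issues"].append(f"pct={pct}: only part of failing mail is policed")
    sub = tags.get("sp", policy)  # subdomain policy inherits p when absent
    if sub not in ENFORCING_POLICIES:
        result["issues"].append(f"subdomain policy sp={sub} is not enforcing")
    if "rua" not in tags:
        result["issues"].append("no rua= address: no aggregate reports to reveal spoofing")
    result["enforcing"] = (policy in ENFORCING_POLICIES and pct == 100
                           and sub in ENFORCING_POLICIES)
    return result


def spf_mode(record):
    """Classify the terminal 'all' mechanism of an SPF record."""
    if not record.lower().startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return "missing"
    return {"-": "hardfail", "~": "softfail", "?": "neutral",
            "+": "pass", "": "pass"}[m.group(1)]


# Constructed records: a weak starting posture beside the recommended one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(name, evaluate_dmarc(rec))
    print(spf_mode(WEAK_SPF), spf_mode(STRONG_SPF))
```

A p=none record with aggregate reporting is the usual monitoring stage before enforcement; the point of the check is to catch domains that stayed there, or that reached quarantine with a pct below 100 and were never moved to reject.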
Implement proactive domain monitoring
Organizations in financial services, healthcare, insurance, and technology should treat proactive domain monitoring as a standard security control, not a premium add-on. Monitor certificate transparency logs and newly registered domain feeds for strings that match your brand name, common variants, and likely misspellings. SOCRadar's white paper includes detailed infrastructure fingerprints — including JARM TLS signatures, SSL issuance timing patterns, and subdomain naming conventions — that can be operationalized to detect GS7 infrastructure before campaigns reach victims. The VirusTotal IOC collection for this campaign is publicly available.
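One way to run the brand-string matching the paragraph describes over a certificate transparency feed, as an added example rather than SOCRadar's monitoring service: each hostname in a certificate's CN and SANs is checked for labels that contain a monitored brand, or that are one edit away from it (a misspelling), with the organisation's own registered domains excluded. The feed format, the entries, the brand list and the own-domain allowlist are constructed; public-suffix handling is simplified to the last two labels.

```python
"""Scan CT-log-style entries for hostnames that evoke a monitored brand.

Added example, not SOCRadar's tooling.  Entry shape, entries and domain
lists are constructed.
"""
import json
import re

BRANDS = ["wellsfargo", "usaa", "navyfederal", "fidelity", "citibank"]
# Domains the organisation actually owns (constructed placeholders).
OWN_DOMAINS = {"wellsfargo.example", "usaa.example"}

# Constructed CT entries as JSON lines, one certificate each.
CT_FEED = """
{"cn": "wellsfargo.accountverify.test", "sans": ["wellsfargo.accountverify.test", "usaa.accountverify.test"]}
{"cn": "wells-fargo-secure.test", "sans": ["wells-fargo-secure.test"]}
{"cn": "fidelty-auth.test", "sans": ["fidelty-auth.test", "www.fidelty-auth.test"]}
{"cn": "www.usaa.example", "sans": ["www.usaa.example", "usaa.example"]}
{"cn": "www.unrelatedshop.test", "sans": ["www.unrelatedshop.test"]}
"""


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(hostname):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(hostname.lower().lstrip("*.").split(".")[-2:])


def brand_hits(hostname):
    """Return (brand, kind) pairs for each brand the hostname evokes."""
    host = hostname.lower().lstrip("*.")
    if registrable(host) in OWN_DOMAINS:
        return []
    hits = []
    for label in host.split(".")[:-1]:            # skip the TLD
        tokens = [t for t in re.split(r"[-_]", label) if t]
        joined = "".join(tokens)                  # "wells-fargo-secure" -> "wellsfargosecure"
        for brand in BRANDS:
            if brand in joined:
                hits.append((brand, "contains"))
            elif len(brand) >= 6 and any(edit_distance(t, brand) <= 1 for t in tokens):
                hits.append((brand, "lookalike"))  # one-character misspelling
    return hits


def scan(feed):
    """Return one (hostname, brand, kind) alert per hostname/brand across CN and SANs."""
    alerts = {}
    for line in feed.strip().splitlines():
        entry = json.loads(line)
        for name in {entry["cn"], *entry.get("sans", [])}:
            for brand, kind in brand_hits(name):
                alerts.setdefault((name, brand), kind)
    return sorted((n, b, k) for (n, b), k in alerts.items())


if __name__ == "__main__":
    for hostname, brand, kind in scan(CT_FEED):
        print(f"{kind:9} {brand:12} {hostname}")
```

The lookalike check is restricted to brands of six or more characters because edit distance one on a four-letter string such as "usaa" matches far too many ordinary words; those short brands are still caught by the substring check.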
Control RMM tool execution
Maintaining a strict allowlist of approved remote access tools — and blocking the execution of all others — is the highest-impact single control against GS7's persistence mechanism. Document which RMM tools your IT operations team actually uses and enforce that list at the endpoint level through application control policy. Pay particular attention to RMM binaries appearing in non-standard installation paths: %TEMP%, %USERPROFILE%\Downloads, and %APPDATA% are common staging locations for malicious MSI installations. If your organization has no operational requirement for AnyDesk, ScreenConnect, or Atera, block their executables entirely.
# Paths to monitor for unauthorized RMM MSI staging
%TEMP%\*.msi
%USERPROFILE%\Downloads\*.msi
%APPDATA%\*.msi
%LOCALAPPDATA%\Temp\*.msi
# Flag or block if not IT-approved:
LogMeIn*.exe | AnyDesk*.exe | ScreenConnect*.exe | Atera*.exe
# VBS loader activity — high-confidence indicator of compromise
wscript.exe launching msiexec.exe from user-writable paths
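The path and process indicators above can be applied directly to process-creation telemetry. The following is an added example, not vendor code: it flags RMM binaries that are not on the organisation's approved list or that run from a user-writable staging path, and it flags the loader pattern of a script host spawning msiexec.exe with a package from one of those paths. The event shape (parent image, image, command line), the sample events and the approved-tool policy are constructed; the approved list assumes, hypothetically, that only ScreenConnect is sanctioned.

```python
"""Detect unapproved or staged RMM execution and the VBS-to-MSI loader pattern.

Added example, not vendor code.  Events and policy are constructed.
"""
import re
from fnmatch import fnmatch

# Hypothetical org policy: only ScreenConnect is sanctioned.
APPROVED_RMM = {"screenconnect"}
RMM_PATTERNS = {
    "logmein": "logmein*.exe", "anydesk": "anydesk*.exe",
    "screenconnect": "screenconnect*.exe", "atera": "atera*.exe",
}
# %TEMP% / %LOCALAPPDATA%\Temp, %USERPROFILE%\Downloads and %APPDATA% as on-disk paths.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads|appdata\\roaming)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return bool(USER_WRITABLE.search(path))


def classify(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image, parent, cmd = event["image"], event["parent_image"], event["command_line"]
    name = basename(image)

    # Rule 1: script host launching msiexec with a package from a staging directory.
    if basename(parent) in SCRIPT_HOSTS and name == "msiexec.exe":
        msi = re.search(r'[A-Za-z]:\\[^\s"]+\.msi', cmd, re.I)
        if msi and user_writable(msi.group(0)):
            findings.append(("vbs_msi_loader", f"{basename(parent)} -> msiexec {msi.group(0)}"))

    # Rule 2: RMM binary that is unapproved, or approved but running from a staging path.
    for vendor, pattern in RMM_PATTERNS.items():
        if fnmatch(name, pattern):
            if vendor not in APPROVED_RMM:
                findings.append(("unapproved_rmm", f"{vendor} at {image}"))
            elif user_writable(image):
                findings.append(("rmm_in_staging_path", f"{vendor} at {image}"))
    return findings


# Constructed events in timeline order.
EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\SecurityUpdate.msi" /qn'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "command_line": "AnyDesk.exe --silent"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe",
     "command_line": "ScreenConnect.ClientService.exe"},
    {"parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\jdoe\AppData\Roaming\Atera\AteraAgent.exe",
     "command_line": "AteraAgent.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def run(events):
    """Return (event_index, rule, detail) for every finding across the events."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in classify(ev)]


if __name__ == "__main__":
    for idx, rule, detail in run(EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The sanctioned ScreenConnect service running from Program Files produces no finding, which is the property an allowlist needs to have: the same binary name in a Downloads or AppData path would still be flagged.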
Block Telegram at the network layer
If your organization does not have a documented business need for Telegram, block outbound access to Telegram's API infrastructure at the DNS resolver or web proxy layer. Note that port-based firewall rules are insufficient — Telegram's MTProto protocol can traverse non-standard ports, so effective blocking requires domain-level controls. Disrupting the Telegram exfiltration channel does not prevent credential capture, but it delays GS7's ability to act on stolen credentials in real time, which reduces the window in which harvested credentials are useful before victims or organizations detect the compromise.
Monitor for unauthorized RMM connections
Threat hunting for unauthorized remote access tool activity should be part of any environment that cannot enforce strict application allowlisting. Alert on outbound connections to known RMM service infrastructure (LogMeIn, AnyDesk, ScreenConnect, Atera cloud relay endpoints) from endpoints that are not managed by the IT operations team. Cross-reference against your IT ticketing system: if a remote access session is not correlated to an open helpdesk ticket, it warrants immediate investigation.
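The ticket cross-reference described above can be expressed as a small correlation job. This is an added example, not from the article: outbound connections to RMM relay infrastructure are matched against helpdesk tickets for the same host and time window, and a session with no covering ticket on a non-IT host is escalated. The connection and ticket records are constructed, and the relay domain suffixes are `.example` placeholders to be replaced with each vendor's documented relay hostnames.

```python
"""Correlate RMM relay connections with helpdesk tickets.

Added example, not from the article.  Records are constructed and the relay
suffixes are placeholders.
"""
from datetime import datetime, timedelta

# Placeholder vendor -> relay domain suffixes; populate from vendor documentation.
RMM_RELAY_SUFFIXES = {
    "logmein": ("logmein.example",), "anydesk": ("anydesk.example",),
    "screenconnect": ("screenconnect.example",), "atera": ("atera.example",),
}
IT_MANAGED_HOSTS = {"it-jump-01"}      # endpoints the ops team supports from (constructed)
TICKET_GRACE = timedelta(minutes=30)   # a session may start a little before/after the ticket


def rmm_vendor(dest):
    """Return the vendor whose relay suffix matches the destination, or None."""
    d = dest.lower()
    for vendor, suffixes in RMM_RELAY_SUFFIXES.items():
        if any(d == s or d.endswith("." + s) for s in suffixes):
            return vendor
    return None


def ticket_covers(ticket, host, when):
    """True if the ticket is for this host and its window (plus grace) includes `when`."""
    if ticket["host"].lower() != host.lower():
        return False
    if when < ticket["opened"] - TICKET_GRACE:
        return False
    return ticket["closed"] is None or when <= ticket["closed"] + TICKET_GRACE


def triage(connections, tickets):
    """Return (severity, connection, ticket_id_or_None) for every RMM connection."""
    results = []
    for c in connections:
        vendor = rmm_vendor(c["dest"])
        if vendor is None:
            continue                                  # not RMM traffic
        if c["host"].lower() in IT_MANAGED_HOSTS:
            results.append(("info", c, None))         # expected from ops endpoints
            continue
        match = next((t for t in tickets if ticket_covers(t, c["host"], c["time"])), None)
        results.append(("info" if match else "high", c, match["id"] if match else None))
    return results


# Constructed telemetry: one ops host, one ticketed session, one 02:40 session with no ticket.
CONNECTIONS = [
    {"host": "it-jump-01", "dest": "relay.anydesk.example", "time": datetime(2026, 2, 3, 9, 5)},
    {"host": "fin-ws-17", "dest": "control.screenconnect.example", "time": datetime(2026, 2, 3, 10, 12)},
    {"host": "hr-ws-04", "dest": "agent.atera.example", "time": datetime(2026, 2, 3, 2, 40)},
    {"host": "hr-ws-04", "dest": "updates.example.net", "time": datetime(2026, 2, 3, 2, 41)},
]
TICKETS = [
    {"id": "HD-1042", "host": "fin-ws-17",
     "opened": datetime(2026, 2, 3, 10, 0), "closed": datetime(2026, 2, 3, 10, 45)},
]

if __name__ == "__main__":
    for severity, conn, ticket in triage(CONNECTIONS, TICKETS):
        print(severity, conn["host"], conn["dest"], conn["time"].isoformat(), ticket)
```

The high-severity result is the one the section is after: an Atera relay connection from a workstation in the middle of the night with no helpdesk ticket to explain it. The grace window avoids false escalations when a technician connects a few minutes before the ticket is formally opened.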
Watch underground channels for access listings
GS7 sells harvested credentials and RMM-enabled access through Brazilian underground markets and Telegram channels. Organizations with threat intelligence capabilities should monitor these channels for mentions of their domains, employee credential fragments, or access listings that reference their infrastructure. Early detection of an access listing in an underground market is one of the few opportunities to contain a compromise before a ransomware operator activates the foothold.
Key Takeaways
- Operational sophistication, not technical sophistication, is the threat: GS7 does not use custom exploits or novel malware. The danger is in the automation, the infrastructure scale, and the systematic integration of brand impersonation, Telegram exfiltration, and RMM abuse into a repeatable pipeline. This playbook is reproducible by other actors — treating it as a one-off campaign misses the broader pattern.
- The RMM persistence layer converts phishing into an access brokerage: Credential theft is stage one. The installation of LogMeIn, AnyDesk, ScreenConnect, or Atera in unattended mode is what transforms a compromised endpoint into a product for sale. Organizations that do not control RMM tool execution are leaving this attack stage entirely unaddressed by conventional malware detection.
- Telegram exfiltration demands a network-layer response: Real-time credential forwarding to Telegram bots is the mechanism that makes harvested credentials immediately actionable. Blocking Telegram at the domain level — not just the port level — disrupts this exfiltration channel and narrows the window between capture and exploitation.
- Brand monitoring is a defensive control, not a marketing function: Organizations that are plausible impersonation targets — financial institutions, technology companies, healthcare providers, insurers — need proactive certificate transparency monitoring and domain surveillance as part of their security program. Waiting for victim reports to discover an active brand impersonation campaign means responding after the damage is already distributed.
- The campaign is ongoing: SOCRadar identified over 150 active domains in the most recent wave with roughly 200 additional matching-fingerprint domains in parallel. GS7's historical operating pattern suggests recurring waves on a two-to-three month cycle. Defensive measures should be implemented now, not scoped for a future sprint.
Operation DoppelBrand is a reminder that the cybercrime economy does not require cutting-edge technical capability to cause serious organizational harm. GS7 has built a credential-to-access pipeline that generates revenue at each stage: from stolen banking credentials sold in underground markets, to persistent RMM footholds sold to ransomware operators. The individual components — phishing pages, Telegram bots, RMM tools — are all well understood. What GS7 has done is chain them together into a business. Defenders need to address every link in that chain, because disrupting only one of them still leaves the rest of the pipeline intact.
Sources: SOCRadar • Infosecurity Magazine • Dark Reading • National Law Review • Ampcus Cyber • VirusTotal IOC Collection