{"id":214118,"date":"2026-02-16T10:45:00","date_gmt":"2026-02-16T15:45:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/16\/operation-doppelbrand-weaponizes-trusted-brands-for-credential-theft\/"},"modified":"2026-02-16T11:25:09","modified_gmt":"2026-02-16T16:25:09","slug":"operation-doppelbrand-weaponizes-trusted-brands-for-credential-theft","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/16\/operation-doppelbrand-weaponizes-trusted-brands-for-credential-theft\/","title":{"rendered":"Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/operation-doppelbrand-trusted\/\">Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/operation-doppelbrand-trusted\/\">https:\/\/www.infosecurity-magazine.com\/news\/operation-doppelbrand-trusted\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-16 10:45:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A new phishing campaign targeting major financial and technology firms has been uncovered by cybersecurity researchers.<\/p>\n<p>SOCRadar dubbed the campaign\u00a0Operation DoppelBrand\u00a0and said it focused on Fortune 500 companies, including Wells Fargo and USAA, between December 2025 and January 2026, with infrastructure linked to earlier activity dating back to 2022.<\/p>\n<p>The cybersecurity firm\u00a0attributed the activity to a financially motivated threat actor known as GS7.\u00a0<\/p>\n<p>The campaign, described in a new report published on February 16, relies on lookalike domains and cloned login portals that closely imitate legitimate banking, insurance and technology websites.<\/p>\n<p>Victims are lured through phishing emails and redirected to counterfeit pages where credentials are 
harvested and transmitted to Telegram bots controlled by the attacker.<\/p>\n<p>In many cases, the operation goes further, deploying remote management and monitoring tools to gain persistent access to compromised systems.<\/p>\n<h2><strong>Infrastructure Built for Scale<\/strong><\/h2>\n<p>SOCRadar identified more than 150 domains tied to the latest wave of activity, with nearly 200 additional domains showing similar characteristics. The infrastructure is highly automated, using rotating registrars such as Namecheap and OwnRegistrar, Cloudflare hosting and short-lived SSL certificates issued within hours of domain registration.<\/p>\n<p>Common traits include:<\/p>\n<ul>\n<li>\n<p>Recently registered domains with one-year terms<\/p>\n<\/li>\n<li>\n<p>Automated SSL certificates from Let&#8217;s Encrypt or Google Trust Services<\/p>\n<\/li>\n<li>\n<p>Wildcard DNS records enabling rapid subdomain creation<\/p>\n<\/li>\n<li>\n<p>Brand-specific subdomains mimicking banks, insurers and technology providers<\/p>\n<\/li>\n<\/ul>\n<p>The phishing pages replicate visual elements of legitimate sites, including logos, CSS styles and login form layouts. 
Some campaigns route victims through fake OneDrive interfaces before presenting&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/operation-doppelbrand-trusted\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Operation DoppelBrand Weaponizes Trusted Brands For Credential Theft https:\/\/www.infosecurity-magazine.com\/news\/operation-doppelbrand-trusted\/ Publish Date: 2026-02-16 10:45:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":214119,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/b6a66b9c-fa2c-44f0-8c19-db3c57fc79e5.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,25,34],"class_list":["post-214118","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214118"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=214118"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214118\/revisions"}],"predecessor-version":[{"id":214120,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214118\/revisions\/214120"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/214119"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=214118"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=214118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=214118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}