SOCRadar® Cyber Intelligence Inc. | Operation TwinBrand: Massive Fortune 500 Brand Impersonation Campaign Uncovered
Feb 16, 2026
Apr 22, 2026

Operation TwinBrand: Massive Fortune 500 Brand Impersonation Campaign Uncovered

SOCRadar’s Threat Hunting Team has uncovered a sophisticated phishing operation that has been targeting Fortune 500 companies and their customers for years. The campaign, attributed to a financially-motivated threat actor known as GS7, represents a significant evolution in credential theft operations—combining precision brand impersonation, custom phishing infrastructure, and the abuse of legitimate remote management tools to establish persistent access to victim systems.

Between December 2025 and January 2026, extensive campaigns were conducted impersonating major financial institutions and technology companies, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, Microsoft, Citibank, and others. The operation has amassed hundreds of malicious domains, with over 150 identified in recent months alone, all following consistent infrastructure patterns that reveal a highly automated deployment capability.

Who is GS7?

GS7 or GS is a financially-motivated actor that has been allegedly operating for approximately ten years, continuously refining tactics and rotating infrastructure. Through our investigation, we’ve identified the actor’s presence in Brazilian underground markets where they actively trade stolen credentials and corporate information. The threat actor maintains multiple Telegram bots for credential exfiltration and operates across various Dark Web marketplaces offering access to compromised accounts from banks, financial institutions, payment platforms, and streaming services.

SOCRadar Platform, Threat Actor Intelligence


Our analysis reveals that GS7 likely operates as an Initial Access Broker, creating phishing infrastructure and deploying remote management tools on behalf of clients or affiliates. This business model allows the actor to monetize operations through multiple channels: selling harvested credentials, providing access to compromised systems for ransomware operators or other criminal groups, and deploying additional malware through established remote access.

Bitcoin wallet analysis shows approximately $50,000 USD in observable transactions, with activity patterns that correlate directly with campaign timelines. Transaction volumes peaked during mid-April through early July 2025, and again between mid-August and mid-October 2025, revealing a recurring campaign pattern of approximately two to three months between major operations.

How Does the Attack Work?

GS7’s campaigns follow a five-stage modus operandi.

Campaign map


1. Reconnaissance

The actor gathers victim information from underground markets and data leaks, including:

  • Leaked databases with usernames and passwords
  • Corporate directories with employee details
  • Email naming patterns ([email protected])
  • Information about commonly used enterprise software

2. Infrastructure Deployment

Domains are registered in automated batches with remarkable consistency:

  • Naming pattern: brand-action.com (e.g., media-auth.com, wellsfargo-verify.com)
  • Registrars: OwnRegistrar or NameCheap
  • Hosting: Cloudflare CDN (obfuscates origin servers)
  • SSL certificates: Let’s Encrypt or Google Trust Services, issued within 6-24 hours
  • Subdomain structure: Consistent patterns including rss.*, tyd.*, dfr.*, plus brand-specific subdomains like wellsfargo.*, usaa.*

3. Phishing Delivery

Victims receive targeted emails leveraging urgency and legitimacy:

  • “Security update mandatory” or “Account verification needed”
  • HTML emails with official logos, fonts, and branding
  • Personalized references to organizational tools or colleagues
  • Links to domains like wellsfargo.media-auth.com

Some campaigns use fake OneDrive interfaces presenting multiple service provider options before redirecting to the appropriate phishing panel—broadening the victim pool while maintaining legitimacy.
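The hostnames in these lures place a protected brand either as a subdomain of an unrelated registrable domain (wellsfargo.media-auth.com) or inside a hyphenated brand-action label (wellsfargo-verify.com). The classifier below, an added example rather than SOCRadar's code, flags both shapes in URLs taken from mail or proxy logs. The brand allow-list, action-word list and the tiny public-suffix table are constructed assumptions; a production system would load the allow-list from an asset inventory and use a real public-suffix library.

```python
"""Flag URLs whose hostname places a protected brand outside the brand's own
registrable domain. Added example, not SOCRadar's code."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list (assumption): each protected brand and the apex domains it owns.
PROTECTED_BRANDS = {
    "wellsfargo": {"wellsfargo.com"},
    "usaa": {"usaa.com"},
    "navyfederal": {"navyfederal.org"},
    "microsoft": {"microsoft.com", "live.com"},
}

# Action words from the brand-action.com naming pattern described in the post.
ACTION_WORDS = {"auth", "verify", "login", "secure", "update", "validation"}

# Minimal public-suffix handling (assumption: use a PSL library in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> Optional[dict]:
    """Return a finding when a brand appears in a hostname it does not own,
    or None for hosts that are the brand's own or unrelated to any brand."""
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    if any(apex in owned for owned in PROTECTED_BRANDS.values()):
        return None  # legitimate brand-owned domain
    apex_label = apex.split(".")[0]
    sub_labels = host.split(".")[: -len(apex.split("."))]
    for brand in PROTECTED_BRANDS:
        if any(brand in label for label in sub_labels):
            reason = "brand-in-subdomain"            # wellsfargo.media-auth.com
        elif brand in apex_label:
            reason = "brand-in-registrable-domain"   # wellsfargo-verify.com
        else:
            continue
        # Hyphenated action word in the apex label strengthens the match.
        action_hit = bool(ACTION_WORDS & set(apex_label.split("-")))
        return {
            "host": host,
            "brand": brand,
            "registrable_domain": apex,
            "reason": reason,
            "action_word": action_hit,
        }
    return None


def classify_url(url: str) -> Optional[dict]:
    """Convenience wrapper for full URLs as they appear in mail or proxy logs."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    return classify_host(host) if host else None


if __name__ == "__main__":
    for sample in ("https://wellsfargo.media-auth.com/login", "wellsfargo-verify.com",
                   "https://connect.secure.wellsfargo.com/auth/login", "https://example.com"):
        print(sample, "->", classify_url(sample))
```

The `action_word` flag is a secondary signal: a brand in a foreign subdomain is suspicious on its own, while a brand plus an action word in the apex label (the media-auth / wellsfargo-verify pattern) is the shape this campaign registers in bulk.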

4. Credential Harvesting

Landing pages are sophisticated replicas achieving up to 98% similarity with legitimate portals:

  • Identical logos, CSS stylesheets, and form layouts
  • Functional “Forgot Password” and “Remember Me” options
  • Privacy footer links (often non-functional)

When credentials are submitted, the backend PHP scripts:

  • Capture username/password and victim IP address
  • Perform geolocation lookup and log ISP information
  • Format data with emoji indicators and brand identification
  • Exfiltrate to Telegram bots in real-time (groups named “NfResultz by GS”, “WfResultz by GS”)
  • Redirect victim to the legitimate website
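Real-time exfiltration to Telegram bots leaves a distinctive trace: outbound calls to api.telegram.org/bot<id>:<secret>/<method> from a web server that has no reason to talk to Telegram. The detector below, an added example and not SOCRadar's code, scans egress log lines for that URL shape, redacts the secret half of the token so findings can be shared, and groups hits by bot id, which is the same artefact the attribution section pivots on. The key=value log format, host addresses and bot tokens are constructed placeholders.

```python
"""Spot credential exfiltration to the Telegram Bot API in egress logs from
hosts that should never talk to Telegram. Added example, not SOCRadar's code."""
import re
from collections import defaultdict

# Constructed proxy log (assumption: simple key=value format, not a real product's).
# The bot tokens are made-up placeholders, not real credentials.
SAMPLE_LOG = """\
2026-01-12T10:14:03Z src=10.0.5.21 method=POST url=https://api.telegram.org/bot123456789:AAExampleTokenPart_XYZ/sendMessage status=200
2026-01-12T10:14:05Z src=10.0.5.21 method=GET url=https://www.google.com/ status=200
2026-01-12T10:15:41Z src=10.0.5.21 method=POST url=https://api.telegram.org/bot123456789:AAExampleTokenPart_XYZ/sendDocument status=200
2026-01-12T10:16:00Z src=10.0.5.22 method=POST url=https://api.telegram.org/bot987654321:BBOtherTokenPart_abc/sendMessage status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)
# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
TG_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api_method>\w+)"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_telegram_exfil(log_text: str, watched_sources: set) -> list:
    """Return one finding per Telegram Bot API call from a watched source host,
    with the token's secret half redacted."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["src"] not in watched_sources:
            continue
        m = TG_RE.search(entry["url"])
        if not m:
            continue
        findings.append({
            "ts": entry["ts"],
            "src": entry["src"],
            "bot_id": m["bot_id"],
            "api_method": m["api_method"],
            "token_redacted": f"{m['bot_id']}:{m['secret'][:2]}***",
        })
    return findings


def cluster_by_bot(findings: list) -> dict:
    """Group source hosts by bot id: several servers feeding one bot point at one operator."""
    clusters = defaultdict(set)
    for f in findings:
        clusters[f["bot_id"]].add(f["src"])
    return dict(clusters)


if __name__ == "__main__":
    hits = find_telegram_exfil(SAMPLE_LOG, {"10.0.5.21", "10.0.5.22"})
    for h in hits:
        print(h)
    print(cluster_by_bot(hits))
```

The `watched_sources` set is the important knob: Telegram traffic from user workstations is normal, while the same traffic from a web server's address range is worth an alert on its own. The numeric bot id is safe to record and correlate across incidents; the secret half is what the redaction drops.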

5. RMM Tool Deployment

After credential theft, many campaigns deploy legitimate Remote Monitoring and Management tools:

Delivery methods:

  • Fake “security update” or “certificate installation” prompts
  • Fraudulent Comodo/Itarian security validation pages
  • VBS loader scripts (3-6KB) that download MSI installers (21-25MB)

Installation process:

  • VBS script checks for administrator privileges
  • Performs persistent UAC elevation loops if needed
  • Downloads legitimate LogMeIn/AnyDesk/ScreenConnect installer
  • Executes silent installation via msiexec.exe
  • Deletes installation files to hide evidence

Result: The attacker gains full remote access with capabilities including:

  • Real-time screen viewing and mouse/keyboard control
  • File upload/download and execution
  • Credential dumping and lateral movement
  • Deployment of additional malware (ransomware, stealers)
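The installation chain above (script host launches msiexec silently, then the MSI is deleted) is visible in endpoint telemetry even though the installer itself is a legitimate product. The detector below is an added example, not SOCRadar's code: it replays constructed Sysmon-style process-creation and file-deletion events, raises an alert whenever msiexec.exe runs under wscript.exe or cscript.exe, and rates it higher when the install was silent and the MSI was removed afterwards. Hostnames, paths and timestamps are constructed, and the event shape is an assumption modelled on Sysmon event ids 1 and 23.

```python
"""Detect the VBS-loader -> silent msiexec -> installer-deletion chain from
Windows endpoint telemetry. Added example, not SOCRadar's code."""
import json
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MSI_PATH_RE = re.compile(r'/i\s+"?([^"\s]+\.msi)"?', re.I)   # path after msiexec /i
SILENT_RE = re.compile(r"/q[nb]?\b|/quiet", re.I)               # quiet-install switches

# Constructed telemetry (assumption): Sysmon-like event id 1 (process create)
# and 23 (file delete), one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "WS-042", "event_id": 1, "time": "2026-01-14T09:02:11Z", "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "command_line": "wscript.exe \"C:\\Users\\jdoe\\Downloads\\SecurityUpdate.vbs\""}
{"host": "WS-042", "event_id": 1, "time": "2026-01-14T09:02:40Z", "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "msiexec.exe /i \"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.msi\" /qn"}
{"host": "WS-042", "event_id": 23, "time": "2026-01-14T09:03:05Z", "image": "C:\\Windows\\System32\\wscript.exe", "target_filename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.msi"}
{"host": "WS-077", "event_id": 1, "time": "2026-01-14T11:30:00Z", "image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "msiexec.exe /i \"C:\\Users\\asmith\\Downloads\\7z.msi\""}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rmm_chain(events_text: str) -> list:
    """Return one alert per msiexec launch whose parent is a script host.
    Each alert lists the chain stages observed on that host."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])

    # Index deleted files per host so the msiexec event can be checked against them.
    deleted = defaultdict(set)
    for e in events:
        if e["event_id"] == 23:
            deleted[e["host"]].add(e["target_filename"].lower())

    alerts = []
    for e in events:
        if e["event_id"] != 1 or basename(e["image"]) != "msiexec.exe":
            continue
        if basename(e["parent_image"]) not in SCRIPT_HOSTS:
            continue  # user- or SCCM-driven installs are not this chain
        stages = ["script-host-spawned-msiexec"]
        if SILENT_RE.search(e["command_line"]):
            stages.append("silent-install")
        m = MSI_PATH_RE.search(e["command_line"])
        msi = m.group(1).lower() if m else None
        if msi and msi in deleted[e["host"]]:
            stages.append("installer-deleted")
        alerts.append({
            "host": e["host"],
            "time": e["time"],
            "msi": msi,
            "stages": stages,
            "severity": "high" if len(stages) == 3 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on parentage rather than on the installer's vendor, because the post's point is that the MSI is a genuine LogMeIn, AnyDesk or ScreenConnect package; what separates the attack from an ordinary install is that a script host started it silently and then cleaned up.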

Who Is Being Targeted?

Targeting is financially driven and strategically focused on high-value sectors. Financial institutions represent the primary objective, followed by technology, healthcare, and consumer services.

Phishing login page for Wells Fargo


Primary Target Sector: Financial Services

  • Wells Fargo
  • USAA
  • Navy Federal Credit Union
  • Fidelity
  • Citibank
  • Santander
  • MetroBank

Why financial institutions? Because stolen banking credentials have immediate resale value. In addition, compromised systems within financial organizations can be resold to ransomware operators.

Other Targeted Sectors

  • Technology and Cloud Services: Microsoft, Apple, Yahoo
  • Healthcare and Pharma: AstraZeneca, GE Healthcare, Boston Scientific
  • Consumer and Media: Procter & Gamble, Pandora, Booking.com

Geographic emphasis centers on the United States and Western Europe. English-language phishing templates dominate recent campaigns, indicating priority targeting of high-value Western markets.

How Was GS7 Attributed?

Attribution resulted from correlation across phishing panel code, embedded Telegram bot tokens, domain naming conventions, and underground marketplace activity. Identified Telegram groups and administrative accounts aligned with infrastructure artifacts. Direct interaction with the actor further validated operational claims and confirmed the access-broker model.

Signed screenshots provided by the threat actor


How Has the Infrastructure Evolved Over Time?

Infrastructure analysis showed multi-year operational continuity with phased evolution. Earlier campaigns relied on .online domains and Namecheap, while recent large-scale operations shifted to .com domains, OwnRegistrar, and Google Trust Services certificates. Despite registrar and TLD changes, consistent subdomain structures, TLS fingerprints, and automated certificate issuance patterns enabled large-scale pivoting across nearly 200 related domains.

Phase 1

  • .online TLD preference
  • Registrar: Namecheap
  • SSL: Let’s Encrypt

Phase 2

  • Continued .online use
  • Infrastructure scaling
  • Increased domain volume

Phase 3 (Dec 2025 – Jan 2026)

  • Shift to .com domains for higher legitimacy
  • Registrar: OwnRegistrar
  • SSL issuer: Google Trust Services
  • Heavy Cloudflare CDN use

Despite these changes, consistent fingerprints remain:

  • Same JARM TLS patterns
  • Identical subdomain structures such as rss.*, tyd.*, dfr.*
  • 365-day registrations
  • SSL certificates issued within hours of domain creation
  • 90-day certificate validity cycles

By pivoting on these patterns, nearly 200 related domains were identified, with 40 high-confidence matches sharing infrastructure and creation timing.
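The infrastructure attributes listed under stage 2 and in the "consistent fingerprints" list above are exactly what a hunter scores when pivoting from one confirmed domain to candidates pulled from certificate-transparency logs, passive DNS and WHOIS. The scorer below is an added example, not SOCRadar's code: it checks each attribute the post names (registrar, certificate issuer, issuance within 24 hours of registration, 90-day certificate validity, 365-day registration, the rss/tyd/dfr subdomain prefixes, the hyphenated brand-action naming on .com/.online, and a shared JARM) and maps the hit count to a confidence band. The two records and the confidence thresholds are constructed, and the JARM constant is a placeholder because the post does not publish the value.

```python
"""Score candidate domains against the infrastructure fingerprint described in
the post. Added example, not SOCRadar's code; records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

KNOWN_REGISTRARS = {"ownregistrar", "namecheap"}
KNOWN_CAS = {"let's encrypt", "google trust services"}
KNOWN_SUBDOMAIN_PREFIXES = {"rss", "tyd", "dfr"}
KNOWN_TLDS = {"com", "online"}
# Placeholder: the post reports a shared JARM fingerprint but does not print it.
CLUSTER_JARM = "JARM-VALUE-PLACEHOLDER"


@dataclass
class DomainRecord:
    domain: str
    registrar: str
    cert_issuer: str
    domain_created: datetime
    cert_not_before: datetime
    cert_not_after: datetime
    registration_days: int
    subdomains: List[str]
    jarm: str


def fingerprint_hits(rec: DomainRecord) -> List[str]:
    """Return the names of the fingerprint attributes the record matches."""
    hits = []
    label, _, tld = rec.domain.lower().rpartition(".")
    if rec.registrar.lower() in KNOWN_REGISTRARS:
        hits.append("registrar")
    if rec.cert_issuer.lower() in KNOWN_CAS:
        hits.append("cert-issuer")
    lag = rec.cert_not_before - rec.domain_created
    if timedelta(0) <= lag <= timedelta(hours=24):
        hits.append("cert-within-24h-of-registration")
    if 89 <= (rec.cert_not_after - rec.cert_not_before).days <= 90:
        hits.append("90-day-cert")
    if rec.registration_days == 365:
        hits.append("365-day-registration")
    if {s.split(".")[0].lower() for s in rec.subdomains} & KNOWN_SUBDOMAIN_PREFIXES:
        hits.append("known-subdomain-prefix")
    # Weak on its own (many legitimate domains are hyphenated), so it only adds to the count.
    if tld in KNOWN_TLDS and "-" in label:
        hits.append("brand-action-naming")
    if rec.jarm == CLUSTER_JARM:
        hits.append("jarm")
    return hits


def triage(rec: DomainRecord) -> Tuple[str, List[str]]:
    """Map the hit count to a confidence band (thresholds are an assumption)."""
    hits = fingerprint_hits(rec)
    band = "high" if len(hits) >= 6 else "medium" if len(hits) >= 3 else "low"
    return band, hits


# Constructed records: one matching the cluster, one ordinary corporate domain.
SUSPECT = DomainRecord(
    "media-auth.com", "OwnRegistrar", "Google Trust Services",
    datetime(2026, 1, 5, 9, 0), datetime(2026, 1, 5, 21, 0), datetime(2026, 4, 5, 21, 0),
    365, ["rss.media-auth.com", "wellsfargo.media-auth.com"], CLUSTER_JARM,
)
BENIGN = DomainRecord(
    "example-corp.com", "GoDaddy", "DigiCert",
    datetime(2015, 3, 1), datetime(2025, 6, 1), datetime(2026, 6, 1),
    730, ["www.example-corp.com"], "some-other-jarm",
)

if __name__ == "__main__":
    for rec in (SUSPECT, BENIGN):
        print(rec.domain, triage(rec))
```

Registrar and CA choices are shared with millions of benign domains, so the scorer never alerts on them alone; the discriminating combination is a fresh registration with a certificate issued within hours, the known subdomain prefixes, and a matching JARM.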

Conclusion

Operation TwinBrand demonstrates how modern phishing campaigns have evolved into structured access-broker ecosystems. GS7 combines automated infrastructure deployment, high-fidelity brand impersonation, real-time Telegram-based credential exfiltration, and the abuse of legitimate RMM tools to achieve persistent remote access.

The operation is not limited to credential theft. It enables long-term system control, access resale, and follow-on attacks, including ransomware and data exfiltration. The consistent infrastructure patterns, multi-year activity timeline, and monetization strategy confirm a mature and financially driven threat model.

Initial IoCs are provided in the whitepaper. For the complete and continuously updated indicator set, refer to the SOCRadar Platform, which offers free access. For full technical analysis, infrastructure breakdown, attribution details, TTP mapping, and comprehensive IoCs, please refer to the whitepaper.