Operation HookedWing

Tags: Phishing, Credential Harvesting, Aviation, HookedWing
A persistent phishing operation active since 2022, leveraging a custom kit deployed on github.io, vercel.app and on-fleek.app to harvest corporate credentials. Lures impersonate HR, Microsoft, Outlook and Google Drive notifications, redirecting victims to landing pages that dynamically inject PHP forms from compromised C2 servers. The campaign targets aviation operators, civil aviation authorities, ground handling, ministries and energy infrastructure across air corridors linking West and East Africa with the Persian Gulf, South Asia and Southeast Asia. Over 2,500 victims and 500 organizations identified across 22 C2 servers and 100 distribution domains.

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTION

Technique ID | Technique Name | Tactic | Detection Method | Log Sources

T1566.002 | Spearphishing Link | Initial Access
Detection Method: Monitor inbound emails containing links to *.github.io, *.vercel.app, *.on-fleek.app, or *.netlify.app with URL fragments matching the #[email]@[domain] pattern. Alert on lures referencing "OPEN IN PDF", "Sign in", "Please find below in Pdf", or French equivalents (restriction-de-compte).
Log Sources: Email gateway logs, Proofpoint/Mimecast URL rewriting telemetry, M365 Defender for Office 365, Sysmon EID 1, EDR browser process telemetry

T1583.001 | Acquire Infrastructure: Domains | Resource Development
Detection Method: Detect newly observed domains with Let's Encrypt certificates valid ~3 months, names mimicking DocuSign/Newmax/Microsoft, or hosting /genl/ directories with list.txt, error_log, and pseudo-random PHP filenames (e.g., djjejjeennemme.php, hfhfjmreneeeneneme.php).
Log Sources: Passive DNS, Certificate Transparency logs, urlscan.io, SOCRadar threat intelligence, web crawler / asset discovery tools

T1584.006 | Compromise Infrastructure: Web Services | Resource Development
Detection Method: Hunt for github.io repositories containing index.html with the preloader_container_stef identifier, srv.js files exposing window.stef.srv_loc, and Google-color preloader SVGs (Pulse-1s-200px.svg). Alert on subdomains containing microsoft, office365, pdf, document, excel, onedrive, drive, or mail with year suffixes.
Log Sources: GitHub API monitoring, Public Code Repos search (SOCRadar), web reputation services, threat intel feeds
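As an added illustration of the link and subdomain heuristics in the T1566.002 and T1584.006 rows (example code written for this page, not tooling from the report or from SOCRadar): a Python checker that flags links to the abused free-hosting platforms, lure keywords and year suffixes in the attacker-chosen subdomain, the lure phrases, and a victim address carried in the URL fragment. The sample message, domain names and addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# Free hosting platforms and lure vocabulary taken from the rows above.
ABUSED_SUFFIXES = ("github.io", "vercel.app", "on-fleek.app", "netlify.app")
LURE_WORDS = ("microsoft", "office365", "pdf", "document", "excel", "onedrive", "drive", "mail")
LURE_PHRASES = ("open in pdf", "sign in", "please find below in pdf", "restriction-de-compte")
EMAIL_FRAGMENT = re.compile(r"^#?[^@\s#]+@[^@\s#]+\.[a-z]{2,}$", re.IGNORECASE)
YEAR_SUFFIX = re.compile(r"(?:19|20)\d{2}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def assess_lure_url(url):
    """Return the HookedWing-style indicators found in one URL (empty list = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    suffix = next((s for s in ABUSED_SUFFIXES if host == s or host.endswith("." + s)), None)
    if suffix:
        hits.append("abused free hosting: " + suffix)
        label = host[: -len(suffix) - 1]  # attacker-chosen subdomain, e.g. microsoft-file-2025
        words = [w for w in LURE_WORDS if w in label]
        if words:
            hits.append("lure keyword in subdomain: " + ",".join(words))
        if YEAR_SUFFIX.search(label):
            hits.append("year suffix in subdomain")
    # The kit reads the victim's address from the URL fragment (#user@domain).
    if parts.fragment and EMAIL_FRAGMENT.match(parts.fragment):
        hits.append("victim email in URL fragment")
    return hits

def scan_message(text):
    """Scan an email body: (lure phrases found, {url: indicators} for URLs with hits)."""
    lower = text.lower()
    phrases = [p for p in LURE_PHRASES if p in lower]
    url_hits = {u: assess_lure_url(u) for u in URL_RE.findall(text)}
    return phrases, {u: h for u, h in url_hits.items() if h}

# Constructed sample lure, not taken from the original report.
SAMPLE_MAIL = ("Please find below in Pdf the updated roster. OPEN IN PDF: "
               "https://pdf-report-2024.vercel.app/view#bob@corp.example")
```

A single hit on the hosting suffix alone is weak on its own (many legitimate projects live on github.io); the fragment and keyword hits are what make a link worth blocking or sandboxing.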

T1059.007 | Command and Scripting Interpreter: JavaScript | Execution
Detection Method: Detect JavaScript executing window.location.href.split to parse URL fragments for # and @ symbols, fetch calls with Base64-encoded paths starting with L2dlbm (decoded: /genl), and DOM injection via getEl__("#docBody").innerHTML.
Log Sources: Browser EDR telemetry, JavaScript runtime monitoring, browser isolation logs, network proxy logs with TLS inspection

T1546 | Event Triggered Execution | Persistence
Detection Method: Identify github.io repositories that have been dormant but show recent commits to srv.js only (without HTML/asset changes), indicating C2 reactivation. Monitor for repository name patterns matching prior Operation HookedWing waves.
Log Sources: GitHub commit history monitoring, OSINT pivoting, threat intelligence platforms

T1027 | Obfuscated Files or Information | Defense Evasion
Detection Method: Detect Base64 strings decoding to /genl/ paths, the stef namespace, and PHP filenames following pseudo-random consonant-vowel patterns. Alert on atob() calls combined with fetch() to externally loaded srv_loc variables.
Log Sources: Web proxy logs, EDR JavaScript inspection, YARA rules on web responses, SSL/TLS inspection

T1036 | Masquerading | Defense Evasion
Detection Method: Alert on landing pages displaying organization names dynamically via <p id='child_preloader'> elements, fake Microsoft Outlook preloaders, or Microsoft AAD clones loading CSS from aadcdn.msauth.net while hosted on non-Microsoft domains.
Log Sources: Web proxy logs, browser DOM inspection, phishing detection sandboxes (urlscan.io, ANY.RUN)

T1556 | Modify Authentication Process | Defense Evasion
Detection Method: Detect web pages presenting "Account does not exist. Email is invalid" or similar error messages prior to user input, and forms containing the hidden field auth_status_ or counter logic incrementing on submit.
Log Sources: DOM analysis tools, browser EDR, phishing analysis sandboxes

T1056.003 | Input Capture: Web Portal Capture | Credential Access
Detection Method: Monitor outbound POST requests with form fields em-field, em-field2, pwd-field, pidt-field, ocdt-field, icdt-field, oldt-field, aldt-field, auth_status_, __winHref, UrlDom_main to non-allowlisted domains.
Log Sources: Web proxy logs (decrypted), DLP solutions, SWG/CASB form-data inspection, EDR network telemetry

T1598 | Phishing for Information | Credential Access
Detection Method: Detect submissions of corporate credentials to external *.php endpoints under /genl/, /hl/, /zm/ paths. Correlate browser sessions visiting github.io with subsequent POSTs to compromised legitimate domains (e.g., HostGator-hosted sites in Pakistan, Brazil, Chile, Senegal).
Log Sources: DLP logs, secure web gateway, browser EDR, network flow analysis

T1185 | Browser Session Hijacking | Collection
Detection Method: Monitor for browser-side requests to api.ipdata.co?api-key= from sessions that did not originate from legitimate geolocation-dependent applications, particularly when followed by POSTs containing IP/lat/long hidden fields.
Log Sources: Web proxy logs, DNS query logs, EDR network telemetry, browser isolation logs

T1041 | Exfiltration Over C2 Channel | Exfiltration
Detection Method: Alert on HTTP POST requests to URIs containing /genl/, /hl/, /zm/, /inde-s.php, /result.php, /New.php, or /login.php?[long_token]. Detect outbound traffic patterns where a single submission contains both email and password fields plus geolocation metadata.
Log Sources: Web proxy logs, NetFlow/Zeek, EDR network monitoring, TLS inspection logs
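An added example, not code from the report, that puts the T1059.007/T1027 Base64 check and the T1056.003/T1598/T1041 outbound-POST indicators into one Python script: it finds Base64 literals that decode to a /genl path and scans a constructed key=value proxy log for the kit's C2 paths and form field names, correlating a POST with an earlier github.io visit from the same source address. The log format, hostnames and addresses are constructed; the field names and paths are the ones listed in the rows above.

```python
import base64
import binascii
import re

# Server-side paths and credential-form field names listed in the rows above.
C2_PATHS = ("/genl/", "/hl/", "/zm/", "/inde-s.php", "/result.php", "/New.php", "/login.php?")
KIT_FIELDS = {"em-field", "em-field2", "pwd-field", "pidt-field", "ocdt-field", "icdt-field",
              "oldt-field", "aldt-field", "auth_status_", "__winHref", "UrlDom_main"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def find_genl_tokens(js_text):
    """Base64 literals in a script that decode to a /genl path (the L2dlbm prefix)."""
    found = []
    for tok in B64_TOKEN.findall(js_text):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, skip
        if raw.startswith(b"/genl"):
            found.append(tok)
    return found

def scan_proxy_log(lines):
    """(src, reason) alerts for POSTs that look like kit credential submissions."""
    seen_github, alerts = set(), []
    for line in lines:
        ev = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)  # constructed key=value format
        src, host, path = ev.get("src"), ev.get("host", ""), ev.get("path", "")
        if host.endswith("github.io"):
            seen_github.add(src)  # remember who loaded a github.io landing page
            continue
        reasons = []
        if any(p in path for p in C2_PATHS):
            reasons.append("kit C2 path")
        fields = set(ev.get("fields", "").split(",")) & KIT_FIELDS
        if ev.get("method") == "POST" and fields:
            reasons.append("kit form fields: " + ",".join(sorted(fields)))
        if reasons and src in seen_github:
            reasons.append("follows github.io visit from same source")
        alerts.extend((src, r) for r in reasons)
    return alerts

# Constructed sample data, not taken from the original report.
SAMPLE_JS = 'fetch(atob("L2dlbmwvaW5kZS1zLnBocA==") + window.stef.srv_loc)'
SAMPLE_LOG = [
    "t=1 src=10.0.0.5 method=GET host=pdf-document-2024.github.io path=/srv.js",
    "t=2 src=10.0.0.5 method=POST host=c2.example path=/genl/djjejjeennemme.php fields=em-field,pwd-field,__winHref",
    "t=3 src=10.0.0.9 method=POST host=intranet.example path=/login fields=username,password",
]
```

The correlation reason is the one to escalate on: a kit path or field name alone can be tuned out, but a POST of those fields from a source that just loaded a github.io page is the full lure-to-harvest chain.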

T1102 | Web Service | Command and Control
Detection Method: Detect anomalous GET requests to *.github.io/*/srv.js followed by fetch chains to third-party domains, and traffic to known Operation HookedWing C2 domains (more than 22 distinct C2 servers identified). Alert on requests retrieving list.txt from publicly indexed directory listings.
Log Sources: Proxy logs, DNS logs, threat intel-enriched SIEM rules, IOC feeds (SOCRadar)

T1071.001 | Application Layer Protocol: Web Protocols | Command and Control
Detection Method: Detect HTTPS sessions where the Host header is a github.io subdomain but where JavaScript subsequently initiates POSTs to unrelated, low-reputation domains hosting /genl/ or similar paths. Hunt for User-Agent strings paired with a geoiptool.com referrer in collected logs.
Log Sources: TLS inspection logs, web proxy, EDR network telemetry, JA3/JA4 fingerprinting

Observed Countries (11)

DE (366)
FR (681)
GB (724)
IN (6)
NG (53)
NP (942)
PK (306)
SN (264)
UG (737)
US (629)
VN (19)