Operation TwinBrand: How Fortune 500 Brands Are Weaponized for Credential Theft

When trusted brands become the attack surface.

Operation TwinBrand exposes a financially motivated campaign run by the threat actor known as GS7, targeting major organizations including Wells Fargo, USAA, Navy Federal, Fidelity, Microsoft, Apple, and more. Between December 2025 and January 2026, the actor deployed highly convincing phishing portals, harvested credentials via Telegram bots, and leveraged legitimate remote management tools such as LogMeIn to establish persistent access.

This whitepaper delivers a full technical breakdown of the campaign’s lifecycle — from reconnaissance and domain registration to credential exfiltration and post-exploitation. It details how wildcard DNS, Cloudflare fronting, automated SSL issuance, and rotating registrars were used to evade detection. It also analyzes the VBS loader scripts, MSI deployment patterns, CompanyID pivoting techniques, and Telegram bot infrastructure that enabled scalable operations.

Key Highlights:

  • More than 150 domains linked to GS7 campaigns across multiple TLDs

  • Brand impersonation targeting Fortune 500 financial and technology firms

  • Credential exfiltration through Telegram bots with structured victim profiling

  • Use of legitimate RMM tools (LogMeIn, AnyDesk, Atera) for stealthy persistence

  • Infrastructure pivoting via JARM fingerprints, SSL timing, and naming conventions

  • Bitcoin wallet tracing revealing campaign monetization patterns

This report is essential for threat hunters, SOC teams, fraud analysts, and brand protection professionals seeking to understand how credential theft operations evolve into remote access footholds inside enterprise environments.

➡️ Download the full whitepaper to explore the infrastructure, tooling, attribution evidence, and detection strategies behind Operation TwinBrand.