The GS7 cyber-threat group targets US financial institutions with near-perfect imitations of corporate portals to steal credentials and gain remote access.

DR (DZone Research) offers insights into software development trends, industry surveys, and technology adoption patterns, providing reports, whitepapers, and analyst insights to help businesses make informed decisions and stay competitive in the ever-evolving tech landscape. By exploring DR's curated content, developers can gain insights into emerging technologies, developer preferences, and industry best practices for building innovative and market-leading software solutions. Whether you're a startup founder, product manager, or tech executive, DR offers resources to guide your strategic planning and drive business success.

Dark Reading

SOCRadar has published a white paper exposing Operation DoppelBrand, an ongoing phishing campaign by the financially motivated threat group GS7. Active since at least 2022, GS7 targets Fortune 500 companies — particularly US financial institutions like Wells Fargo, USAA, Fidelity, and Citibank — using near-perfect imitations of corporate login portals. The group registered over 150 malicious domains, routes traffic through Cloudflare to hide back-end servers, and exfiltrates stolen credentials (including device fingerprints and geolocation data) to Telegram bots. Beyond credential harvesting, GS7 deploys remote management tools on victim systems and may operate as an initial access broker selling access to ransomware groups. Links to Brazilian cybercrime forums were also uncovered. SOCRadar has released TTPs and IoCs to help defenders track the campaign.

Operation DoppelBrand: Weaponizing Fortune 500 Brands

Targeting English Speakers for Credential Theft