Operation DoppelBrand: Sophisticated Phishing Campaign Targets Fortune 500 Firms An elusive cyberthreat group known as GS7 has been running Operation DoppelBrand, a large-scale phishing campaign targeting Fortune 500 companies, financial institutions, and high-value entities worldwide. First observed between December 2025 and January 2026, the operation leverages near-perfect replicas of corporate login portals to steal credentials and deploy remote management and monitoring (RMM) tools for further exploitation. ### Key Details of the Campaign - Targets: Primarily U.S.-based financial institutions including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank alongside technology, healthcare, and telecommunications firms in Europe and other regions. - Tactics: GS7 registers over 150 malicious domains via registrars like NameCheap and OwnRegistrar, routing traffic through Cloudflare to evade detection. Attackers exfiltrate stolen data usernames, passwords, IP addresses, geolocation, device fingerprints, and timestamps to Telegram bots controlled by the group. - Infrastructure: The group has operated since at least 2022, with claims of activity dating back nearly a decade. Researchers linked GS7 to Brazilian cybercrime forums, where stolen credentials and financial data are traded. - Impact: Beyond credential theft, GS7 installs RMM tools on victim systems, enabling remote access or malware deployment. The campaign’s sophistication including rotating infrastructure and meticulous branding mimicry has allowed it to evade detection until now. ### Researcher Findings Security firm SOCRadar uncovered the operation, identifying a Telegram group ("NfResultz by GS") tied to the threat actor. A self-proclaimed GS7 member provided screenshots of past campaigns, including a Fidelity Investments phishing demo that triggered RMM tool downloads upon login. SOCRadar released TTPs (tactics, techniques, and procedures) and IoCs (indicators of compromise) to help defenders track the group’s activities. With English-speaking markets as the primary focus, GS7’s DoppelBrand campaign remains active, underscoring the growing threat of highly organized, financially motivated phishing operations.

The Vermont Office of the Attorney General disclosed a data breach at Wells Fargo Bank on September 19, 2024, stemming from unauthorized access to customer personal information by a former employee between May 2022 and March 2023. The breach involved the misuse of internal systems to exfiltrate sensitive data, though the exact number of affected individuals remains undisclosed. The compromised information may include personally identifiable details, exposing customers to potential identity theft, financial fraud, or phishing attacks. The prolonged duration of the breach—nearly a year—suggests systemic vulnerabilities in access controls and post-employment monitoring. While Wells Fargo has not confirmed the scope of the stolen data, the incident underscores risks associated with insider threats and delayed detection. Regulatory scrutiny and customer notifications are expected, with potential reputational damage and legal repercussions for the bank.

The California Office of the Attorney General reported a data breach involving Wells Fargo Bank, N.A. on May 5, 2022. The breach occurred on December 31, 2021, when a Wells Fargo employee emailed an encrypted file containing personal information to their personal email address, affecting an unspecified number of individuals. Types of personal information impacted may include names, addresses, phone numbers, email addresses, dates of birth, and social security numbers.

On November 6, 2019, Wells Fargo Bank, N.A. discovered a data breach linked to KDW Automotive, where an employee mistakenly sent an email containing sensitive personal information to an unintended financial institution. The exposed data included names and Social Security numbers of affected individuals, potentially putting them at risk of identity theft or fraud. The breach was reported to the California Office of the Attorney General in April 2020, highlighting a lapse in data handling protocols. While the incident did not involve malicious cyber activity, the unauthorized disclosure of personally identifiable information (PII) posed significant privacy concerns. The breach underscored the need for stricter email security measures and employee training to prevent similar errors in the future. No evidence suggested the data was misused, but the exposure alone created reputational and compliance risks for Wells Fargo.