GS7
GS7 is an elusive, financially motivated threat actor assessed to operate a long-running phishing and brand-impersonation operation dubbed “Operation DoppelBrand,” observed prominently from December 2025 through January 2026 (with reporting indicating activity history stretching back to at least 2022). The actor targets Fortune 500 and other high-value organizations, especially U.S. financial services (e.g., Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, Citibank) but also technology, healthcare, telecommunications, insurance, and investment firms, using high-fidelity cloned login portals and large-scale lookalike domain infrastructure.

Operation DoppelBrand tradecraft includes registering and rotating hundreds of impersonation domains (over 150 identified in recent months, with ~200 additional related domains reported) and proxying traffic through Cloudflare to obscure origin infrastructure. Reported infrastructure patterns include one-year domain registrations, automated SSL issuance (e.g., Let’s Encrypt / Google Trust Services shortly after domain creation), wildcard DNS, and consistent subdomain/TLS fingerprinting patterns.

Phishing pages capture credentials and victim telemetry (e.g., IP address, geolocation, device/browser fingerprinting, timestamps) and exfiltrate results in near real time via attacker-controlled Telegram bots/groups (e.g., “NfResultz by GS,” “WfResultz by GS”).

Beyond credential theft, GS7 commonly abuses legitimate remote monitoring and management (RMM) tools (reported examples include LogMeIn/LogMeIn Resolve, AnyDesk, and ScreenConnect) delivered via MSI installers and VBS loader scripts that may attempt privilege elevation (UAC loops), perform silent installation (msiexec), and remove artifacts.
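The registration, certificate, DNS and proxy patterns above are individually very common (one-year registrations and Let’s Encrypt certificates describe much of the internet), so they only become useful when gated on a brand-lookalike name. The Python below, added here as an example and not taken from the page or from Mallory, triages constructed domain records against the protected brands named above: a domain is reported only if its registrable label imitates a brand (substring or one-edit window), and the reported infrastructure signals then add weight. The sample records, the known-good allowlist, and the thresholds (30-day age, 48-hour certificate lag) are assumptions for illustration.

```python
"""Added example, not from the page or from Mallory: triage candidate
domains against the Operation DoppelBrand infrastructure pattern.
All records, thresholds and the allowlist below are constructed."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Brand tokens named in the reporting; extend with your own protected brands.
PROTECTED_BRANDS = ["wellsfargo", "navyfederal", "fidelity", "citibank", "usaa"]
# Legitimate domains for those brands (assumed allowlist; maintain it from your own inventory).
KNOWN_GOOD = {"wellsfargo.com", "navyfederal.org", "fidelity.com", "citibank.com", "usaa.com"}
AUTOMATED_CAS = ("Let's Encrypt", "Google Trust Services")
NEW_DOMAIN_DAYS = 30   # assumed "recently registered" threshold
CERT_LAG_DAYS = 2      # assumed: certificate issued within 48h of registration


@dataclass
class DomainRecord:
    domain: str
    registered: date             # WHOIS/RDAP creation date
    expires: date                # WHOIS/RDAP expiry date
    cert_issued: Optional[date]  # earliest CT log entry for the name, if any
    cert_issuer: str             # issuing CA as recorded in CT
    wildcard_dns: bool           # does a random subdomain resolve?
    cloudflare_proxied: bool     # nameservers / edge IPs belong to Cloudflare


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str) -> Optional[str]:
    """Return the protected brand the registrable label imitates, or None.
    Matches the brand as a substring, or any same-length window within one
    edit of it (catches 'navyfedera1', 'we11sfargo')."""
    label = domain.lower().split(".")[0]
    squashed = re.sub(r"[^a-z0-9]", "", label)  # drop hyphens used as padding
    for brand in PROTECTED_BRANDS:
        if brand in squashed:
            return brand
        n = len(brand)
        for i in range(len(squashed) - n + 1):
            if _levenshtein(squashed[i:i + n], brand) <= 1:
                return brand
    return None


def infra_signals(rec: DomainRecord, today: date) -> List[str]:
    """Weak signals from the reported pattern; only meaningful on a lookalike."""
    signals = []
    if (today - rec.registered).days <= NEW_DOMAIN_DAYS:
        signals.append("registered within %d days" % NEW_DOMAIN_DAYS)
    if 360 <= (rec.expires - rec.registered).days <= 370:
        signals.append("one-year registration")
    if rec.cert_issued is not None and (rec.cert_issued - rec.registered).days <= CERT_LAG_DAYS:
        signals.append("certificate issued within %dd of registration" % CERT_LAG_DAYS)
    if any(ca in rec.cert_issuer for ca in AUTOMATED_CAS):
        signals.append("automated CA")
    if rec.wildcard_dns:
        signals.append("wildcard DNS")
    if rec.cloudflare_proxied:
        signals.append("Cloudflare-proxied")
    return signals


def triage(records: List[DomainRecord], today: date) -> Dict[str, dict]:
    """Report lookalike domains (not on the allowlist) with their signal score."""
    findings = {}
    for rec in records:
        if rec.domain.lower() in KNOWN_GOOD:
            continue
        brand = lookalike_brand(rec.domain)
        if brand is None:
            continue
        signals = infra_signals(rec, today)
        findings[rec.domain] = {"brand": brand, "score": len(signals), "signals": signals}
    return findings


# Constructed sample records (placeholder names under .example; dates are made up).
SAMPLE_RECORDS = [
    DomainRecord("wellsfargo-secure-login.example", date(2026, 1, 3), date(2027, 1, 3),
                 date(2026, 1, 3), "Let's Encrypt", True, True),
    DomainRecord("navyfedera1-online.example", date(2024, 5, 1), date(2025, 5, 1),
                 None, "", False, False),
    DomainRecord("wellsfargo.com", date(2000, 1, 1), date(2030, 1, 1),
                 date(2025, 6, 1), "ExampleCA", False, False),
    DomainRecord("example-hardware.example", date(2026, 1, 4), date(2027, 1, 4),
                 date(2026, 1, 4), "Let's Encrypt", True, True),
]

if __name__ == "__main__":
    for dom, f in triage(SAMPLE_RECORDS, date(2026, 1, 15)).items():
        print(dom, "imitates", f["brand"], "score", f["score"], f["signals"])
```

Feed it the daily output of a certificate-transparency or new-domain feed and alert on high scores; the fourth sample record shows why the brand gate matters, since a fresh Cloudflare-fronted domain with a Let’s Encrypt certificate and wildcard DNS is unremarkable on its own. Short brand tokens such as "usaa" are prone to one-edit false positives, so consider requiring an exact substring match for tokens under six characters.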
Reporting assesses GS7 likely functions as an Initial Access Broker (IAB), monetizing via sale of harvested credentials and resale of compromised access on Telegram channels/underground markets, potentially enabling follow-on activity by other criminal groups including ransomware affiliates. The actor has been linked in reporting to underground Telegram channels and Brazilian cybercrime forums used for trading stolen credentials and financial data. No geographic attribution for GS7’s operators is provided in the content.
Tradecraft
18 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Financially motivated phishing/credential-harvesting actor using brand impersonation, lookalike domains, and Telegram bots; may function as an initial access broker and/or deploy RMM tooling for persistence/remote access.
Financially motivated initial access broker running large-scale phishing with cloned portals to steal credentials, then monetizing access by selling credentials; also drives victims to install legitimate RMM tools for persistent remote access.
Financially motivated phishing and initial-access-broker activity targeting major brands: clones banking/tech portals to steal credentials, then pushes victims to install legitimate remote access/RMM tools for persistence; monetizes by selling credentials on Telegram/underground markets.
Financially motivated phishing/impersonation operation leveraging large-scale domain spoofing to harvest credentials and exfiltrate data via Telegram bots; also delivers legitimate RMM tooling (e.g., LogMeIn Resolve) plus MSI installers and VBS loaders to enable stealthy installation, privilege escalation, and artifact removal.
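The loader behaviour described in the summaries above (VBS script, silent msiexec install of an RMM package, repeated elevation attempts, artifact removal) shows up on an endpoint as a short chain of process-creation events. The Python below, added here as an example and not code from the page or from Mallory, runs three checks over constructed Sysmon-style process events: a script host spawning msiexec with a quiet switch (tagging any RMM product name in the command line), the same script being relaunched several times in a short window (a proxy for the reported UAC loop), and a script host spawning cmd to delete script or MSI files. Event fields, paths, PIDs, thresholds and the RMM name list are assumptions.

```python
"""Added example, not from the page or from Mallory: flag the VBS loader ->
msiexec -> RMM install chain and the artifact clean-up described above.
All events, paths and thresholds below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# msiexec quiet/no-UI switches (/qn, /qb, /quiet, /q)
QUIET_MSI = re.compile(r"(?:^|\s)/(?:qn|qb|quiet|q)\b", re.IGNORECASE)
SCRIPT_PATH = re.compile(r'([^\s"]+\.(?:vbs|vbe|js|wsf))', re.IGNORECASE)
DELETE_ARTIFACT = re.compile(r"\bdel\b.*\.(?:vbs|vbe|js|wsf|msi)\b", re.IGNORECASE)
# Product names of the RMM tools named in the reporting (lower-case substrings).
RMM_MARKERS = ("logmein", "resolve", "anydesk", "screenconnect")
RELAUNCH_THRESHOLD = 3  # assumed: launches of the same script ...
RELAUNCH_WINDOW_S = 60  # ... within this many seconds


def _base(path: str) -> str:
    """Basename of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: List[dict]) -> List[dict]:
    findings: List[dict] = []
    launches: Dict[str, List[int]] = defaultdict(list)
    for ev in events:
        image, parent = _base(ev["image"]), _base(ev["parent_image"])
        cmd = ev["command_line"]
        # Track every script-host launch by script path for the relaunch check.
        if image in SCRIPT_HOSTS:
            m = SCRIPT_PATH.search(cmd)
            if m:
                launches[m.group(1).lower()].append(ev["ts"])
        # The remaining checks only look at children of a script host.
        if parent not in SCRIPT_HOSTS:
            continue
        if image == "msiexec.exe" and QUIET_MSI.search(cmd):
            low = cmd.lower()
            findings.append({"rule": "silent_msi_from_script_host", "pid": ev["pid"],
                             "rmm": [k for k in RMM_MARKERS if k in low]})
        if image == "cmd.exe" and DELETE_ARTIFACT.search(cmd):
            findings.append({"rule": "script_host_deletes_artifacts", "pid": ev["pid"]})
    # The same script relaunched repeatedly in a short window is the visible
    # trace of a loader that keeps re-prompting for elevation.
    for script, times in launches.items():
        times.sort()
        for i in range(len(times) - RELAUNCH_THRESHOLD + 1):
            if times[i + RELAUNCH_THRESHOLD - 1] - times[i] <= RELAUNCH_WINDOW_S:
                findings.append({"rule": "script_relaunch_loop", "script": script,
                                 "launches": len(times)})
                break
    return findings


# Constructed Sysmon-style process-creation events (ts = seconds, relative).
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EVENTS = [
    {"ts": 0, "pid": 4100, "image": WSCRIPT, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\victim\Downloads\Invoice.vbs"'},
    {"ts": 2, "pid": 4101, "image": WSCRIPT, "parent_image": WSCRIPT,
     "command_line": r'wscript.exe "C:\Users\victim\Downloads\Invoice.vbs"'},
    {"ts": 4, "pid": 4102, "image": WSCRIPT, "parent_image": WSCRIPT,
     "command_line": r'wscript.exe "C:\Users\victim\Downloads\Invoice.vbs"'},
    {"ts": 5, "pid": 4104, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": WSCRIPT,
     "command_line": r'msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\LogMeIn-Resolve-placeholder.msi" /qn'},
    {"ts": 6, "pid": 4105, "image": r"C:\Windows\System32\cmd.exe", "parent_image": WSCRIPT,
     "command_line": r'cmd.exe /c del /f /q "C:\Users\victim\Downloads\Invoice.vbs"'},
    # Benign control: interactive install started from Explorer with the full UI.
    {"ts": 90, "pid": 5200, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\victim\Downloads\app.msi"'},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The parent-process gate is what keeps the silent-install rule quiet in an enterprise that deploys MSI packages through its own tooling; extend SCRIPT_HOSTS with mshta.exe or powershell.exe if your telemetry shows those as loader parents, and tune the relaunch threshold against your own baseline of legitimate script-host activity.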