VYPR
Breach · Published May 11, 2026 · Updated May 17, 2026 · 1 source

Operation HookedWing Phishing Campaign Compromises Over 500 Organizations

A persistent, multi-year phishing campaign known as Operation HookedWing has compromised over 500 organizations across critical global sectors, resulting in the theft of thousands of sensitive credentials.

A persistent, multi-year phishing campaign dubbed "Operation HookedWing" has successfully compromised over 500 organizations across critical sectors, according to research from SOCRadar (SecurityWeek). Active for more than four years, the campaign has resulted in the theft of over 2,000 user credentials, targeting industries including aviation, energy, government, finance, and logistics (SecurityWeek).

The campaign utilizes a sophisticated, evolving infrastructure that has adapted significantly since its initial documentation in 2022. Early iterations relied heavily on GitHub domains and compromised servers to host phishing content themed around Microsoft and Outlook services. By 2025, the threat actors expanded their operations by obfuscating GitHub domain naming conventions, introducing new themes, and deploying additional landing pages to increase their reach (SecurityWeek).

Technically, the attack relies on emails designed to impersonate human resources or colleagues, leveraging a sense of urgency to trick victims into clicking malicious links. These links often lead to intermediary pages that eventually direct users to a convincing Microsoft Outlook simulation. A key feature of these landing pages is a full-screen pre-loader that dynamically displays the victim's organization name, a psychological tactic intended to build trust before the credential-harvesting form appears (SecurityWeek).

Once a user interacts with the page, a background script performs real-time validation of the email and URL. The script then injects a PHP form to capture credentials while simultaneously collecting the victim's IP address, full geolocation data, and source URL. This data is bundled into a single record and transmitted to the attacker, providing them with high-privilege access that can be sold or utilized for further intrusion (SecurityWeek).
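As an added illustration from the defender's side (not code from the SecurityWeek article or from SOCRadar's research), the following Python script turns the chain described in the last three paragraphs into detection logic over web-proxy log lines: an intermediary page that bounces the user onward, a Microsoft/Outlook-themed page hosted on a GitHub domain, and a form submission from that page to a separate collector host. The log lines and host names are constructed for the example, and the assumption that the GitHub-hosted pages sit under the GitHub Pages suffix `.github.io` is the example's own; the report names no specific domains, so no real indicators appear here.

```python
"""Flag proxy-log events that match the HookedWing pattern described above.

Added example; not code from the SecurityWeek/SOCRadar reporting. The sample
log lines, host names and keyword list are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <method> <url> <referer|-> <status>"
# The .example hosts and the GitHub Pages name are placeholders, not real IoCs.
SAMPLE_LOG = """\
2026-05-11T09:12:01Z GET https://mail.example.com/owa/ - 200
2026-05-11T09:14:22Z GET https://redirect-host.example/go?id=77 - 302
2026-05-11T09:14:23Z GET https://some-random-name.github.io/outlook/login.html https://redirect-host.example/go?id=77 200
2026-05-11T09:14:40Z POST https://collector.example/submit.php https://some-random-name.github.io/outlook/login.html 200
2026-05-11T09:20:05Z GET https://docs.github.com/en/pages - 200
"""

# Lure vocabulary for Microsoft/Outlook-themed pages (constructed, tune to your environment).
LURE_KEYWORDS = ("outlook", "microsoft", "office365", "o365", "owa", "login", "signin")
# Assumption: the campaign's GitHub-hosted pages live under GitHub Pages.
GITHUB_PAGES_SUFFIX = ".github.io"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<referer>\S+) (?P<status>\d{3})$"
)


@dataclass
class Event:
    ts: str
    method: str
    url: str
    referer: str  # empty string when the log shows "-"
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ref = m.group("referer")
    return Event(m.group("ts"), m.group("method"), m.group("url"),
                 "" if ref == "-" else ref, int(m.group("status")))


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def looks_like_lure(url: str) -> bool:
    """True for a Microsoft/Outlook-themed path or host on a GitHub Pages domain.

    Both conditions are required: an internal OWA host is not a lure, and a
    GitHub-hosted page without lure vocabulary is not flagged either.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    haystack = (host + p.path + "?" + p.query).lower()
    return host.endswith(GITHUB_PAGES_SUFFIX) and any(k in haystack for k in LURE_KEYWORDS)


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reason, url) findings for the three stages of the chain."""
    findings: List[Tuple[str, str, str]] = []
    for ev in parse_log(log_text):
        if looks_like_lure(ev.url):
            findings.append((ev.ts, "ms_themed_page_on_github_pages", ev.url))
            # The page that sent the user to the lure is the campaign's intermediary.
            if ev.referer and host_of(ev.referer) != host_of(ev.url):
                findings.append((ev.ts, "intermediary_redirector", ev.referer))
        # A form POST from the lure page to a different host is the credential
        # record (email, password, IP, geolocation, source URL) leaving the browser.
        if (ev.method == "POST" and ev.referer and looks_like_lure(ev.referer)
                and host_of(ev.url) != host_of(ev.referer)):
            findings.append((ev.ts, "credential_post_from_lure_page", ev.url))
    return findings


if __name__ == "__main__":
    for ts, reason, url in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {reason:32} {url}")
```

Run against the constructed log, the script reports the GitHub-hosted landing page, the `redirect-host.example` intermediary that referred to it, and the POST to `collector.example`, while leaving the legitimate internal OWA request and the ordinary GitHub documentation visit alone. In practice the `credential_post_from_lure_page` finding is the one worth alerting on immediately, because it means a user has already submitted something; the other two feed a block list.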

SOCRadar's investigation identified over 100 GitHub domains, two dozen command-and-control (C&C) servers, and more than a dozen distribution domains used to facilitate these attacks (SecurityWeek). The researchers noted that the targeting is not random, but rather focused on organizations of high geopolitical relevance, suggesting the threat actors are specifically seeking access to sensitive information or critical operational environments (SecurityWeek).

The longevity and evolution of Operation HookedWing highlight a growing trend of persistent, low-and-slow phishing campaigns that prioritize high-value targets. By continuously refining their lures and infrastructure, these actors maintain a steady stream of compromised credentials. Organizations are advised to remain vigilant against emails that leverage organizational branding and to implement robust authentication measures to mitigate the risk of credential theft (SecurityWeek).

Synthesized by Vypr AI