Over 500 Organizations Hit in Years-Long Phishing Campaign
Operation HookedWing is a prolonged phishing campaign active for over four years, targeting more than 500 organizations across multiple critical sectors including aviation, energy, logistics, and public administration. The campaign uses phishing emails impersonating trusted sources and leverages GitHub and compromised servers to host phishing infrastructure. Victims are lured to fake Microsoft Outlook login pages that personalize content to increase credibility and steal credentials along with geolocation data. The threat actor focuses on high-value targets with access to sensitive information and high-privilege credentials. The campaign has evolved over time, expanding its infrastructure, languages, and phishing themes to maintain effectiveness.
AI Analysis
Technical Summary
Operation HookedWing is a multi-year phishing campaign documented since 2022, targeting over 500 organizations and stealing more than 2,000 user credentials. It primarily targets sectors with high geopolitical relevance such as aviation, critical infrastructure, energy, financial, government, logistics, and technology. The campaign uses phishing emails that impersonate human resources or colleagues and contain links to GitHub-hosted repositories or intermediary platforms. The phishing landing pages simulate Microsoft Outlook login screens with personalized elements to enhance credibility. When victims submit credentials, attackers receive email, password, IP address, geolocation, source URL, and victim organization domain in a single record. The infrastructure includes two dozen command-and-control servers, over 100 GitHub domains, and multiple distribution domains. The campaign has adapted its tactics over time, including obfuscating domain names and expanding phishing themes and landing pages.
Potential Impact
The campaign has compromised credentials from over 2,000 users across more than 500 organizations in critical sectors, potentially exposing sensitive information and access to high-privilege environments. This can facilitate further unauthorized access, espionage, or credential resale. The targeted sectors include aviation, critical infrastructure, energy, financial, government, logistics, public administration, and technology, indicating a broad and high-impact threat landscape.
Mitigation Recommendations
Patch status is not applicable as this is a phishing campaign rather than a software vulnerability. Organizations should focus on user awareness training to recognize phishing attempts, implement multi-factor authentication to reduce the impact of credential theft, and monitor for suspicious login activity. Since the campaign uses GitHub and compromised servers for hosting phishing infrastructure, organizations should consider blocking or monitoring access to suspicious domains and URLs. Vendor advisories or specific mitigations were not provided; therefore, check relevant security advisories for updates. No official fix exists as this is a social engineering attack vector.
Technical Details
- Article Source: https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/ (fetched 2026-05-11T03:51:23.152Z; word count 1079)
Threat ID: 6a01523bcbff5d86106bb8a1
Added to database: 5/11/2026, 3:51:23 AM
Last enriched: 5/11/2026, 3:51:30 AM
Last updated: 5/12/2026, 3:51:33 AM