Over 500 organizations. That’s the toll of a relentless, four-year phishing campaign dubbed Operation HookedWing. This isn’t some fly-by-night operation; it’s a sustained effort, meticulously documented since 2022, yet its roots run deeper, adapting its infrastructure and tactics while maintaining its core, insidious patterns.
Here’s the raw data: in its multi-year run, HookedWing has pilfered more than 2,000 user credentials. These weren’t snatched from random individuals; they came from over 500 distinct organizations spanning critical sectors like aviation and travel, energy, finance, government, logistics, public administration, and, of course, technology. Think about that for a second: 500 organizations, each a potential foothold for corporate espionage, further credential theft, and downstream attacks, all enabled by this single, persistent threat actor.
From 2022 through 2024, the campaign’s digital breadcrumbs led to GitHub-hosted domains serving English-language content, alongside compromised servers. The lures? Predictably, they leaned heavily on Microsoft and Outlook themes. But this actor isn’t static. Across 2024 and into 2025 they expanded their reach, adding French-language content while sticking to their trusted infrastructure: GitHub, compromised servers, and the same familiar phishing themes. This adaptability, this refusal to stand still, is what separates a mere nuisance from a genuine long-term threat.
And it doesn’t stop there. As of 2025, the expansion accelerated. Active infrastructure ballooned, lures became more varied, GitHub domain naming grew more obscure, and additional landing pages sprung up. SOCRadar’s deep dive uncovered over two dozen command-and-control (C&C) servers, more than 100 GitHub domains, and a dozen other distribution domains. This isn’t a hobby project; it’s a well-resourced operation.
Analysis of recovered logs and identified infrastructure reveals a targeting pattern that is not random, as it focuses on infrastructure of high geopolitical relevance.
This observation from SOCRadar is key. It’s not just about collecting credentials for resale on the dark web, though that’s undoubtedly part of it. Victim selection points to a strategic interest in entities that hold sensitive information, control critical operations, or possess high-privilege credentials that can be weaponized further. That profile is consistent with state-aligned actors, or at least with a well-resourced actor whose motives go beyond quick profit, playing the long game.
The Deceptive Dance of the Landing Page
The mechanics of Operation HookedWing are deceptively simple, and therein lies their effectiveness. The phishing emails impersonate HR departments, colleagues, or seemingly innocuous system notifications, and they are short and direct. Authority and urgency are the watchwords, crafted to get the recipient clicking before their internal threat radar engages.
Many of these emails contain links to GitHub-hosted pages that act as a first hop, redirecting to content hosted elsewhere. The landing pages themselves are a masterclass in social engineering. They meticulously mimic Microsoft Outlook, complete with a full-screen pre-loader. And here’s the really clever bit: they personalize the displayed text with the victim’s own organization name. A user who is already looking at a loading screen and sees their company’s name, or something contextually tied to the email they just received, is far more inclined to trust the login page that appears next. It’s a behavioral nudge, a psychological amplifier, applied before the credential-harvesting form is even shown. For defenders it is also a tell: the page can only know the organization if the victim’s identity, typically the email address, was handed to it, often by encoding it in the link itself, so links that carry an address deserve scrutiny.
Meanwhile, a silent background script validates the email address and URL it was handed, injects the credential-harvesting form (an HTML login form that posts to a PHP harvester script on the attacker’s side; PHP runs on the server, not in the victim’s browser), and, crucially, collects geolocation data about the victim. The payoff for the attacker is swift and comprehensive: the moment the victim hits the sign-in button, the attacker receives not just an email and password but also the victim’s IP address, full geolocation, the source URL, and the victim organization’s domain, all in a single, neatly packaged record. That context matters: a credential that arrives with the victim’s location and organization can be used or resold immediately, and a later login staged from a matching region is less likely to trip location-based anomaly checks.
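The personalization trick described above gives defenders something concrete to look for. The Python below is an added example, not SOCRadar’s analysis code and not anything recovered from the campaign. It scans constructed mail-gateway click records for links that carry the recipient’s e-mail address to a page the organization does not own. It assumes (the article does not say this) that the address rides in the URL fragment, path or a query value, in clear or base64, and that the “GitHub domains” the article mentions are GitHub Pages hosts (*.github.io); the host names, addresses and log lines are all constructed for the example.

```python
"""Added example (not SOCRadar's or the campaign's code).

Flag link clicks that fit the landing-page pattern: a URL that carries the
recipient's e-mail address, which is how a phishing page can greet the victim
with their own organisation name before the login form appears.
Assumptions: address in fragment/path/query, clear or base64; kit hosting is
*.github.io. Hosts, addresses and log lines below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
KIT_HOST_SUFFIXES = (".github.io",)  # hosting the article reports the campaign using


@dataclass
class Finding:
    url: str
    host: str
    email: str
    org_domain: str  # what the fake page would display as "your organisation"
    where: str       # where in the URL the address was carried
    severity: str    # "high" on known kit hosting, "medium" elsewhere


def _carriers(url):
    """Yield (location, text) pairs a kit script could read the address from."""
    p = urlsplit(url)
    yield "fragment", unquote(p.fragment)
    for key, values in parse_qs(p.query).items():
        for v in values:
            yield f"query:{key}", v
    for seg in p.path.split("/"):  # segment-wise, so base64 stays aligned
        if seg:
            yield "path", unquote(seg)


def _b64_text(s):
    """Best-effort base64/base64url decode to text; '' if it is not base64."""
    try:
        raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return ""
    return raw.decode("utf-8", "ignore")


def find_embedded_email(url):
    """Return (email, where) if the URL carries an e-mail address, else None."""
    for where, text in _carriers(url):
        m = EMAIL_RE.search(text)
        if m:
            return m.group(0), where
        m = EMAIL_RE.search(_b64_text(text))
        if m:
            return m.group(0), f"{where} (base64)"
    return None


def analyse_url(url, trusted_suffixes=()):
    """Score one URL; links to the organisation's own hosts are ignored."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in trusted_suffixes):
        return None
    hit = find_embedded_email(url)
    if hit is None:
        return None
    email, where = hit
    on_kit_hosting = any(host.endswith(suf) for suf in KIT_HOST_SUFFIXES)
    return Finding(url, host, email.lower(), email.split("@", 1)[1].lower(),
                   where, "high" if on_kit_hosting else "medium")


def scan_log(lines, trusted_suffixes=()):
    """Run analyse_url over every URL found in the given log lines."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            f = analyse_url(url, trusted_suffixes)
            if f is not None:
                findings.append(f)
    return findings


SAMPLE_LOG = [  # constructed mail-gateway click records
    "2025-03-04T09:12:31Z click user=a.martin@example-energy.com "
    "url=https://docs-verify-3fa9.github.io/auth/#YS5tYXJ0aW5AZXhhbXBsZS1lbmVyZ3kuY29t",
    "2025-03-04T09:14:02Z click user=j.doe@airline.example "
    "url=https://hr-portal-update.github.io/?e=j.doe%40airline.example",
    "2025-03-04T09:15:40Z click user=j.doe@airline.example url=https://pages.github.io/docs/",
    "2025-03-04T09:16:00Z click user=a.martin@example-energy.com "
    "url=https://intranet.example-energy.com/reset?e=a.martin%40example-energy.com",
    "2025-03-04T09:17:12Z click user=j.doe@airline.example "
    "url=https://cdn-share.example.net/view/ai5kb2VAYWlybGluZS5leGFtcGxl",
]
TRUSTED = ("example-energy.com", "airline.example")  # the organisation's own domains

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, TRUSTED):
        print(f.severity, f.host, f.email, f.org_domain, f.where)
```

Running it yields two high-severity hits (the GitHub Pages links, one with the address base64-encoded in the fragment, one with it in clear in a query parameter) and one medium hit for the address hidden base64-encoded in a path on an unrelated host; the benign github.io visit and the link to the organization’s own intranet are ignored. Tune TRUSTED and KIT_HOST_SUFFIXES to your environment, and treat the org_domain field as the string the fake page would have greeted the victim with.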
Is This Just Another Phishing Campaign?
What makes Operation HookedWing stand out in the crowded landscape of cyber threats? It’s the sheer persistence and strategic evolution. While many phishing campaigns burn bright and fade fast, HookedWing has maintained sustained activity for years. It’s not just about the volume of victims; it’s about the quality of targets and the demonstrable intent behind the attacks. The focus on “infrastructure of high geopolitical relevance” isn’t accidental. This suggests a level of strategic planning and patience rarely seen in commodity cybercrime. It’s the digital equivalent of a seasoned spy, patiently observing, gathering intelligence, and waiting for the opportune moment.
The adaptability is also a key differentiator. The shift from English to French content, the obfuscation of GitHub domains, and the deployment of more varied lures demonstrate a proactive threat actor constantly refining their methods to circumvent defenses and exploit human psychology. In an era where many organizations update their security protocols quarterly, an attacker who can adapt over years is a significant problem.
My critique? The reliance on GitHub cuts both ways. It gives the actor free, reputable, TLS-enabled hosting that slips past domain-reputation filters, but it is also a potential choke point if actively monitored: email links to GitHub-hosted pages and first-time browser navigations to such hosts can be alerted on, and the pages can be reported for takedown. The actor’s increasingly obscure domain naming suggests they’re aware of this and are actively working around it. The broader implication is clear: if your organization operates in any of the targeted sectors, and frankly, who doesn’t have some connection to them, then you’re likely on HookedWing’s radar, whether you know it or not.
This isn’t just about stolen login details; it’s about the erosion of trust and the potential for cascading failures across critical infrastructure. SOCRadar’s assessment that the harvested credentials can be “sold or used by other adversaries” implies an ecosystem in which initial access brokers feed larger, more damaging operations. The long tail of Operation HookedWing is likely still being written, and the next chapter could be far more disruptive than the last.
Frequently Asked Questions
What is Operation HookedWing? Operation HookedWing is a phishing campaign that has been active for at least four years, targeting over 500 organizations across various sectors by stealing user credentials.
How does Operation HookedWing steal credentials? It uses phishing emails that impersonate colleagues or HR, leading victims to fake login pages that mimic Microsoft Outlook. A background script collects credentials, IP addresses, geolocation, and organization details when victims attempt to log in.
Which industries are most affected by Operation HookedWing? The campaign has targeted aviation and travel, critical infrastructure, energy, financial, government, logistics, public administration, and technology sectors.