258/69 Tuesday, May 12, 2026

SOCRadar has disclosed details of a long-running phishing campaign known as “Operation HookedWing,” which has reportedly operated continuously for more than four years and impacted over 500 organizations worldwide. The campaign is believed to have stolen more than 2,000 sets of user credentials from victims across critical sectors including aviation, critical infrastructure, energy, finance, government, logistics, public administration, and technology. Researchers noted that the campaign demonstrates deliberate target selection rather than indiscriminate mass phishing activity.
The operation primarily relied on phishing emails impersonating human resources departments, coworkers, or notifications from popular online services to lure victims into visiting fraudulent websites. Most of the phishing infrastructure was reportedly hosted on GitHub, alongside other platforms such as Vercel and compromised corporate servers. These phishing pages were carefully designed to imitate legitimate Microsoft and Outlook login portals, often displaying full-screen loading interfaces and customized messages tailored to the victim organization’s branding in order to increase credibility and persuade users to submit their credentials.
Once victims entered their login information, attackers could obtain sensitive data including email addresses, passwords, IP addresses, geolocation information, referrer URLs, and organizational domain details. SOCRadar reported identifying infrastructure linked to the campaign, including more than 20 command-and-control (C2) servers, over 100 GitHub-hosted distribution domains, and at least 12 additional domains hosted across other platforms. Due to the campaign’s long operational duration and its focus on strategically important organizations, researchers assess Operation HookedWing as a highly organized threat operation supported by substantial planning and resources.
Source: https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/
