Operation HookedWing: 500+ Orgs Hit in 4-Year Phishing Campaign
A sophisticated phishing operation dubbed "Operation HookedWing" has been systematically targeting organizations across critical sectors for over four years, according to threat intelligence firm SOCRadar. The campaign, first documented in 2022, has successfully compromised more than 2,000 user credentials from over 500 organizations spanning aviation, travel, critical infrastructure, energy, financial, government, logistics, public administration, and technology sectors. Researchers have identified 24 command-and-control (C&C) servers, more than 100 GitHub domains, and over a dozen distribution domains associated with the threat actor's infrastructure.
The threat actor initially leveraged GitHub domains with English content and compromised servers between 2022 and 2024, primarily deploying Microsoft and Outlook-themed phishing lures. Starting in 2024, the operation expanded its targeting to include French content, and by 2025, the attackers began obfuscating GitHub domain naming conventions, introducing additional phishing themes, and deploying new landing pages. Analysis of recovered logs reveals a deliberate targeting pattern focused on infrastructure of high geopolitical relevance, suggesting the campaign prioritizes environments with access to sensitive information, critical operations, or high-privilege credentials.
The phishing emails impersonate human resources departments or colleagues, or pose as notifications, and are designed to convey authority and urgency without raising suspicion. The sophisticated landing pages simulate Microsoft Outlook behavior through a full-screen pre-loader that personalizes the displayed text based on the victim's organization. In the background, a script performs email and URL validation before injecting a PHP form that collects victims' credentials along with geolocation data, IP addresses, and organizational domain information.