May 28, 2026 · 8 min read
SOCRadar Just Exposed Operation HookedWing—a Quiet Four Year Phishing Campaign That Pulled More Than 2,000 Credentials From 500 Organizations in Aviation, Energy, Government, and Finance Across Eight Sectors and Two Languages, Routed Through Two Dozen C2 Servers, Over 100 GitHub Domains, and a Custom Outlook Clone Nobody Has Attributed to a Known Threat Actor
No malware. No exploit. Just an Outlook lookalike hosted on GitHub Pages, an HR themed lure, and a year over year discipline most groups don't have.
For four years, somebody has been quietly running a single phishing kit. They picked sectors carefully. They rotated infrastructure. They built a fake Outlook login that looked exactly like the real one. And until SOCRadar published its analysis this month, the campaign sat outside every public threat intelligence catalog. The total cost so far: at least 2,000 credentials lifted from more than 500 organizations across eight industries.
Key Takeaways
- Operation HookedWing has been active since 2022 and is still running in 2026, according to SOCRadar's May 2026 analysis—four years of continuous credential theft against the same target profile.
- The campaign has stolen more than 2,000 user credentials from over 500 organizations spanning aviation, travel, critical infrastructure, energy, financial services, government, logistics, and technology.
- The phishing infrastructure includes two dozen command and control servers, more than 100 GitHub hosted phishing domains, and over a dozen distribution domains on third party platforms.
- Between 2022 and 2024 the lures were English and Microsoft Outlook themed; starting in 2024 the operator added French language content and additional themes, suggesting a deliberate expansion of target geography.
- No public threat intelligence service has attributed the campaign to a named actor; SOCRadar is publishing the report partly to seed attribution work across the industry.
What Is Operation HookedWing?
Operation HookedWing is the name SOCRadar assigned to a credential theft campaign that operates a custom phishing kit, has not been attributed to any known threat actor, and has been continuously active since at least 2022. The structure of the campaign is unusual for two reasons: it is run by what appears to be a single small team, and it has maintained the same core architecture across four full years without significant change.
According to SecurityWeek's coverage of the SOCRadar report, the operator runs its infrastructure as a slow, steady drip rather than a burst campaign. Lures go out in small volumes, the GitHub domains rotate every few weeks, and the C2 servers are quietly reconstituted when one is taken down. That cadence is what kept HookedWing under most defenders' radar for four years.
How Does the Phishing Kit Work?
The kit is a credible Outlook login replica backed by scripts that run against any victim who lands on the page. SOCRadar's analysis describes the kit's working chain:
- Lure delivery. An email arrives impersonating either a colleague (HR, IT, finance) or an automated notification. Most of the emails contain a link to a GitHub Pages domain. The structure is simple and conveys authority and urgency without obvious red flags.
- Landing page rendering. The GitHub Pages domain renders a full screen Outlook clone, often with personalized organizational details (logo, color scheme, "powered by" line) injected from a backend lookup table.
- Credential capture. When the victim enters credentials, background scripts collect email, password, IP address, full geolocation, source URL, and victim organization domain in a single POST request.
- Validation. The kit then attempts to validate the credentials against the real Microsoft endpoint before storing them. Failed credentials are discarded; successful ones are queued for the operator's downstream pipeline.
- Redirect. The victim is forwarded to a benign Outlook URL, leaving the impression that a transient glitch caused the failed login.
The use of GitHub Pages is what makes the kit hard to block. GitHub is a trusted domain, GitHub Pages URLs pass most email filters' reputation checks, and even when one domain is reported and taken down, the operator just spins up another inside the same GitHub organization.
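The capture step above gives defenders a concrete signal to hunt for: a credential-shaped POST (an email field plus a password field) leaving the network for a host that is not one of the organization's real identity providers, with a GitHub Pages host as the strongest indicator. The following detection sketch is an added example, not SOCRadar's analysis code or anything from the kit. The proxy log format, the sample lines and the hostnames in them are constructed for illustration; the identity-provider allowlist assumes a plain Microsoft 365 tenant, and `github.io` is assumed as the GitHub Pages host (custom Pages domains would need a separate lookup).

```python
"""
Flag credential-shaped POSTs to hosts that should never receive our users'
Microsoft credentials. Added example; log format and samples are constructed.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts allowed to receive Microsoft credentials (assumption: plain M365 tenant).
LEGITIMATE_IDP_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Assumption: github.io is the default GitHub Pages host.
GITHUB_PAGES_SUFFIXES = (".github.io",)

# Field names a credential harvester typically posts. The kit also sends IP,
# geolocation, source URL and org domain, but email + password is enough to
# call a POST "credential-shaped".
EMAIL_FIELDS = {"email", "username", "login", "user", "loginfmt"}
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed log format: "<ts> <client_ip> <method> <url> <status> [body=<urlencoded>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>\S*))?$"
)


def classify(line: str) -> Optional[dict]:
    """Return a finding if the line is a suspicious credential POST, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("method") != "POST":
        return None
    host = (urlsplit(m.group("url")).hostname or "").lower()
    fields = {k.lower() for k in parse_qs(m.group("body") or "", keep_blank_values=True)}
    if not (fields & EMAIL_FIELDS and fields & PASSWORD_FIELDS):
        return None  # not credential-shaped
    if host in LEGITIMATE_IDP_HOSTS:
        return None  # the real login endpoint
    on_github_pages = host.endswith(GITHUB_PAGES_SUFFIXES)
    return {
        "client": m.group("client"),
        "host": host,
        "severity": "high" if on_github_pages else "medium",
        "reason": ("credential POST to GitHub Pages host" if on_github_pages
                   else "credential POST to non-IdP host"),
    }


def scan(lines) -> List[dict]:
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines; hostnames and values are not real indicators.
SAMPLE_LOG = [
    "2026-05-01T09:12:03Z 10.0.0.12 GET https://example-hr-notice.github.io/outlook/ 200",
    "2026-05-01T09:12:41Z 10.0.0.12 POST https://example-hr-notice.github.io/api/login 302 "
    "body=loginfmt=a.user%40corp.example&passwd=Spring2026%21&ip=203.0.113.5",
    "2026-05-01T09:15:10Z 10.0.0.33 POST https://login.microsoftonline.com/common/login 200 "
    "body=loginfmt=b.user%40corp.example&passwd=x",
    "2026-05-01T09:16:55Z 10.0.0.40 POST https://intranet.corp.example/search 200 body=q=expenses",
    "2026-05-01T09:18:02Z 10.0.0.51 POST https://cdn-notify.example.net/collect 200 "
    "body=email=c.user%40corp.example&password=Hunter2",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the second line (credential POST to a GitHub Pages host) comes back as a high-severity finding and the last line (credential POST to an unrelated host) as medium; the real Microsoft login and the intranet search are ignored. The allowlist is the part to maintain: any SSO or federation host your tenant legitimately uses must be in it, or the rule will page on every normal login.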
Which Sectors Are Targeted?
SOCRadar groups HookedWing victims into eight sectors:
- Aviation and travel
- Critical infrastructure
- Energy
- Financial services
- Government
- Logistics
- Public administration
- Technology
The pattern is not random. Every sector in that list has high concentrations of users with access to sensitive operational systems or high privilege credentials worth selling. The operator does not appear to be running a smash and grab on consumer banking; the target list reads like a wholesale access broker's intake form.
How Big Is the Infrastructure?
SOCRadar's enumeration of HookedWing infrastructure surfaces:
- Two dozen command and control servers active across the campaign window
- More than 100 GitHub domains serving the phishing kit
- Over a dozen distribution domains on other platforms used as additional landing points
For a four year campaign, that is a small footprint. Most phishing operations of comparable scale use thousands of throwaway domains. HookedWing's discipline—use a domain quietly, rotate before detection, keep total infrastructure under 200 domains—is part of why it took until 2026 for the campaign to receive a public name.
When Did the Operator Add French Language Lures?
Sometime in 2024. Between 2022 and 2024, the operator stuck to English content and Microsoft and Outlook themes. From 2024 onward, the kit acquired French language landing pages and a second set of lures aimed at French speaking corporate environments. The expansion was timed with broader theme diversification: additional HR notification templates, more impersonation of internal IT helpdesks, and obfuscation of the GitHub domain naming so the URLs would no longer cluster around a single recognizable pattern.
The targeting change implies a market shift—the operator either sold to a customer that needed French language access, or shifted to direct exploitation of a francophone target list. Either way, the operational rhythm of the campaign barely changed; only the language and the themes rotated.
What Should You Do About It?
HookedWing is exactly the kind of campaign that no individual user can recognize from the email alone. The lures are not the cartoonish "your account has been suspended" templates that public phishing awareness training is built around—they are accurate HR and IT impersonations, on credible GitHub domains, with personalized organization details. The defense has to happen earlier in the pipeline.
- Enforce phishing resistant MFA. WebAuthn or FIDO2 keys defeat HookedWing's real time validation flow because an assertion is bound to the origin that requested it; a hardware backed assertion captured on the phishing page cannot be replayed against the real Microsoft endpoint.
- Block GitHub Pages domains in your email gateway unless your organization has a documented reason to allow them. The legitimate use cases are narrow; the malicious use cases are growing.
- Audit credential reuse. Any credential lifted by HookedWing is presumed in circulation. If your users authenticate to Microsoft, GitHub, and a dozen SaaS products with the same password, the breach is wider than the Outlook account.
- Cut the reconnaissance pixel. HookedWing's lures, like every modern phishing kit, embed tracking pixels that confirm a victim opened the email. Blocking those pixels denies the operator the signal that tells them which user to target next.
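Two of the four mitigations above (blocking GitHub Pages links at the mail gateway and cutting tracking pixels) can be expressed as a single inbound check on the HTML body of a message. The code below is an added example written for this article; it is not Gblock's product code or any mail gateway's built-in rule. The sample message is constructed, and `github.io` is assumed to be the GitHub Pages host.

```python
"""
Inbound mail check: flag links to GitHub Pages hosts and remote images that
look like tracking pixels. Added example; the sample message is constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption: github.io is the default GitHub Pages host.
GITHUB_PAGES_SUFFIXES = (".github.io",)


class _Extractor(HTMLParser):
    """Collect <a href> targets and <img> attribute sets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[str] = []
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)


def _is_tiny(value: str) -> bool:
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    return value.strip().lower().rstrip("px") in {"0", "1"}


def looks_like_tracking_pixel(img: Dict[str, str]) -> bool:
    """Remote image that is 1x1/0x0 or hidden by inline style."""
    src = img.get("src", "")
    if not src.lower().startswith(("http://", "https://")):
        return False  # inline (cid:) or data: images do not call home
    style = img.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    tiny = _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))
    tiny_style = "width:1px" in style and "height:1px" in style
    return hidden or tiny or tiny_style


def analyze_message(raw: bytes) -> Dict[str, List[str]]:
    """Return GitHub Pages links and tracking-pixel URLs found in the HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result: Dict[str, List[str]] = {"github_pages_links": [], "tracking_pixels": []}
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return result
    ex = _Extractor()
    ex.feed(body.get_content())
    for href in ex.links:
        host = (urlsplit(href).hostname or "").lower()
        if host.endswith(GITHUB_PAGES_SUFFIXES):
            result["github_pages_links"].append(href)
    for img in ex.images:
        if looks_like_tracking_pixel(img):
            result["tracking_pixels"].append(img["src"])
    return result


def verdict(result: Dict[str, List[str]]) -> str:
    """Gateway action: quarantine on a Pages link, strip remote images on a pixel."""
    if result["github_pages_links"]:
        return "quarantine"
    if result["tracking_pixels"]:
        return "strip-remote-images"
    return "deliver"


# Constructed sample message (hostnames are not real indicators).
SAMPLE_EMAIL = b"""From: HR Team <hr@corp-example.test>
To: a.user@corp.example
Subject: Updated leave policy - action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the updated policy by signing in:</p>
<a href="https://example-policy-update.github.io/owa/">Review policy</a>
<img src="https://tracker.example.net/o.gif?id=abc123" width="1" height="1" style="display:none">
<img src="https://cdn.corp-example.test/logo.png" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    findings = analyze_message(SAMPLE_EMAIL)
    print(findings, verdict(findings))
```

On the constructed message the check returns one GitHub Pages link and one tracking pixel, and the verdict is to quarantine. The pixel heuristic is deliberately conservative (remote, and either hidden or 1x1); a production gateway would normally go further and proxy or strip all remote images, which removes the operator's read receipt regardless of how the pixel is styled.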
The same pattern recurs everywhere: the Microsoft 365 Code of Conduct AiTM campaign that hit 35,000 users in 72 hours, the Kali365 phishing kit the FBI warned about, the ConsentFix v3 OAuth abuse. The lure starts in the inbox. So does the defense. Gblock blocks the invisible pixels phishing kits use to confirm which targets read which lures, denying operators the telemetry that lets them tune the next round of attacks.