PROBABLYPWNED
Threat Intelligence | May 11, 2026 | 3 min read

Operation HookedWing: 4-Year Phishing Campaign Hit 500+ Organizations

SOCRadar documents a persistent phishing operation that stole 2,000+ credentials from aviation, energy, and government sectors over four years using GitHub-hosted infrastructure.

Alex Kowalski

Security firm SOCRadar has published a detailed analysis of Operation HookedWing, a phishing campaign that has quietly compromised over 500 organizations across eight sectors over four years. First documented in 2022, the operation has continuously adapted its infrastructure while maintaining core attack patterns that enabled researchers to track it.

The scale is notable: more than 2,000 user credentials stolen from aviation, critical infrastructure, energy, financial services, government, logistics, public administration, and technology organizations. This wasn't a spray-and-pray operation—it was targeted and persistent.

Campaign Evolution

The threat actor demonstrated operational discipline across three distinct phases:

2022-2024: GitHub domains with English content and compromised servers served as primary infrastructure. Phishing lures focused on Microsoft and Outlook themes.

2024-2025: French-language content was added while maintaining previous infrastructure. The actor expanded lure diversity.

2025 onwards: Infrastructure escalated with obfuscated GitHub domain naming, additional themes, and deployment of more landing pages.

The consistent use of GitHub infrastructure is worth noting. Unlike traditional phishing campaigns that rely on lookalike or typosquatted domains, HookedWing hosted its landing pages on a platform that users, URL-reputation services, and mail filters tend to trust by default, so the hostnames themselves raised few alarms.

Attack Methodology

Phishing emails impersonated HR departments, colleagues, or system notifications. Landing pages simulated Microsoft Outlook login portals with full-screen preloaders and personalized organizational text to enhance credibility.

Each successful compromise yielded:

  • Email address and password
  • IP address and full geolocation
  • Source URL
  • Victim organization domain

This intelligence-gathering approach suggests the operation served as an initial access broker or fed into larger espionage campaigns.

Infrastructure at Scale

SOCRadar identified substantial infrastructure supporting the campaign:

  • 24 command-and-control servers
  • 100+ GitHub domains
  • 12+ distribution domains on other platforms

The most affected sectors were aviation, public administration, energy, and critical infrastructure—sectors frequently targeted by nation-state threat actors.

Why This Matters

Four years of sustained activity against 500+ organizations without being disrupted, despite the campaign having been documented as early as 2022, suggests either a well-resourced operator or one that deliberately stayed below the detection thresholds of individual victims.

The targeting profile—aviation, energy, government—aligns with strategic intelligence collection rather than financial crime. While SOCRadar hasn't attributed the campaign to a specific nation-state, the victim selection pattern is consistent with APT operations we've tracked previously.

Detection Guidance

Organizations should search email logs for:

  • Messages containing GitHub links to unfamiliar repositories
  • HR or IT-themed notifications with external authentication links
  • Microsoft/Outlook login prompts hosted on non-Microsoft domains

Security teams can also monitor for:

  • Outbound connections to GitHub domains not associated with known development activity
  • Authentication attempts from unusual geographic locations following phishing email receipt
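As an added example (mine, not tooling from SOCRadar or from the report), the three email-log checks and the sign-in correlation above, run over constructed log records in Python. It assumes the campaign's "GitHub domains" are GitHub Pages hosts (*.github.io) and github.com links, which the article does not state; a hypothetical allowlist of repositories the organization actually uses; and a short list of first-party Microsoft sign-in hosts. The keyword lists are heuristics and will need tuning against real mail.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption (not stated on the page): the campaign's "GitHub domains" are GitHub
# Pages hosts (*.github.io) and github.com links.
GITHUB_HOST_RE = re.compile(r"(^|\.)github\.(io|com)$", re.I)
# Assumption: first-party Microsoft sign-in hosts that must never be flagged.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
    "outlook.office.com", "outlook.office365.com",
}
# Constructed allowlist: repositories/Pages sites a hypothetical dev team really uses.
KNOWN_GITHUB_PREFIXES = ("github.com/example-org/", "example-org.github.io")

# Heuristic keyword lists for the lure themes the report describes.
HR_IT_RE = re.compile(r"\b(hr|human resources|it support|it department|helpdesk|payroll|password|mailbox)\b", re.I)
MS_THEME_RE = re.compile(r"\b(outlook|office ?365|microsoft|onedrive|sharepoint)\b", re.I)
LOGIN_RE = re.compile(r"\b(log[- ]?in|sign[- ]?in|auth\w*|verify)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def _is_internal(host, internal_domain):
    return host == internal_domain or host.endswith("." + internal_domain)


def classify_message(msg, internal_domain):
    """Return the sorted list of detection names one email record trips."""
    flags = set()
    text = f"{msg['subject']}\n{msg['body']}"
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")                      # drop trailing sentence punctuation
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        host_path = (host + parsed.path).rstrip("/")
        external = not _is_internal(host, internal_domain)
        # (1) GitHub link to a repository or Pages site the organization does not use.
        if GITHUB_HOST_RE.search(host) and not host_path.startswith(KNOWN_GITHUB_PREFIXES):
            flags.add("unknown_github_link")
        # (2) HR/IT-themed subject whose link points at an external authentication page.
        if HR_IT_RE.search(msg["subject"]) and external and LOGIN_RE.search(url):
            flags.add("hr_it_external_auth_link")
        # (3) Microsoft/Outlook sign-in theme with a link hosted off Microsoft infrastructure.
        if (MS_THEME_RE.search(text) and LOGIN_RE.search(text) and external
                and host not in MICROSOFT_LOGIN_HOSTS
                and not host.endswith((".microsoft.com", ".office.com"))):
            flags.add("ms_login_on_non_ms_host")
    return sorted(flags)


def triage(messages, internal_domain):
    """Map message id -> tripped detections for every record in an email-log export."""
    return {m["id"]: classify_message(m, internal_domain) for m in messages}


def correlate_signins(messages, signins, expected_countries, internal_domain, window_hours=72):
    """Sign-ins from a country not expected for that user, by a recipient of a flagged
    message, within window_hours after the message arrived."""
    hits = []
    for msg in messages:
        if not classify_message(msg, internal_domain):
            continue
        received = datetime.fromisoformat(msg["received"])
        deadline = received + timedelta(hours=window_hours)
        for ev in signins:
            when = datetime.fromisoformat(ev["time"])
            if (ev["user"] == msg["to"] and received <= when <= deadline
                    and ev["country"] not in expected_countries.get(ev["user"], set())):
                hits.append((msg["id"], ev["user"], ev["country"], ev["time"]))
    return hits


# Constructed sample records (not real telemetry); hostnames are placeholders.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "j.doe@example.com", "received": "2026-05-11T09:00:00",
     "subject": "HR: Action required - password policy update",
     "body": "Your Outlook mailbox will be suspended. Sign in to confirm: "
             "https://hr-portal-example.github.io/login/"},
    {"id": "m2", "to": "j.doe@example.com", "received": "2026-05-11T09:30:00",
     "subject": "[example-org/infra] Pull request #12: rotate CI token",
     "body": "Review at https://github.com/example-org/infra/pull/12"},
    {"id": "m3", "to": "a.smith@example.com", "received": "2026-05-11T10:00:00",
     "subject": "Payroll schedule update",
     "body": "The new schedule is posted at https://intranet.example.com/payroll"},
]
SAMPLE_SIGNINS = [
    {"user": "j.doe@example.com", "time": "2026-05-11T09:05:00", "country": "US"},
    {"user": "j.doe@example.com", "time": "2026-05-11T13:05:00", "country": "ZZ"},
    {"user": "a.smith@example.com", "time": "2026-05-11T11:00:00", "country": "ZZ"},
]
EXPECTED_COUNTRIES = {"j.doe@example.com": {"US"}, "a.smith@example.com": {"US", "ZZ"}}

if __name__ == "__main__":
    for msg_id, flags in triage(SAMPLE_MESSAGES, "example.com").items():
        print(msg_id, flags)
    print(correlate_signins(SAMPLE_MESSAGES, SAMPLE_SIGNINS, EXPECTED_COUNTRIES, "example.com"))
```

Only m1 trips anything here: the legitimate pull-request notification (m2) is cleared by the repository allowlist, and the internal payroll notice (m3) is cleared because its link stays on the organization's own domain. The correlation step then surfaces j.doe's sign-in from an unexpected country four hours after m1 arrived, which is the signal to pull that account's session history and reset credentials.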

For broader context on phishing defense, review our guide to recognizing phishing emails and consider simulation exercises targeting the specific lures documented in this campaign.
