A phishing campaign tracked as Operation HookedWing has stolen credentials from more than 2,500 individual accounts across over 500 organizations in the aviation, critical infrastructure, energy, financial, logistics, public administration, and technology sectors over four years. SOCRadar's threat research team published its analysis this week, exposing a campaign that began in 2022, has never been attributed to a known threat actor, and continues to operate as of 2026 — sustained by infrastructure specifically designed to evade reputation-based and signature-based detection by abusing GitHub's free static hosting platform.
Operation HookedWing: Technical Details
Operation HookedWing is a credential-harvesting operation — a class of attack in which the goal is capturing usernames and passwords rather than deploying malware or ransomware directly. The phishing kit at its core is custom-built and previously undocumented, with no overlap to known threat actor tooling in public repositories.
The attack chain works in four stages:
Stage 1 — Lure delivery. Victims receive phishing emails (T1566.002 — Spearphishing Link) impersonating human resources departments, colleagues, or automated system notifications. Messages are engineered to project authority and urgency without triggering suspicion, a social-engineering technique known as pretexting.
Stage 2 — GitHub-hosted pre-loader. Email links direct victims to pages hosted on github.io — GitHub's free static site hosting. These pages contain no visible forms, no credentials, and no direct references to the attackers' command-and-control (C2) servers. Because they sit under a GitHub-owned domain, they inherit GitHub's domain reputation, bypassing domain-reputation blockers and many secure email gateways. GitHub Pages sites with valid SSL certificates and multi-year-old domain histories generate significantly fewer security alerts than freshly registered phishing domains.
Stage 3 — Dynamic C2 injection. The pre-loader runs a background JavaScript file (srv.js) that fetches the real phishing payload at runtime from a separate C2 server (T1102 — Web Service). This two-layer design means that even if the C2 IP is blocked, attackers can update srv.js to point to a new server without changing the landing-page URL. The GitHub page can remain active indefinitely — GitHub does not scan static repository content for phishing infrastructure at runtime.
Stage 4 — Credential capture. Victims are shown a fake Microsoft Outlook login page, personalized with their organization's branding. A pre-loader script injects a credential capture form (T1056.003 — Web Portal Capture) that collects the username and password along with the victim's IP address, full geolocation data, source URL, and the organization domain — logging everything in a single structured record per victim.
SOCRadar identified 24 C2 servers, more than 100 GitHub domains, and approximately a dozen distribution domains in the Operation HookedWing infrastructure. The C2 logs recovered during the investigation contained 2,500+ unique victim entries across 500+ organizations. Investigators note this is a lower bound — the data reflects only what was accessible in exposed .txt log files on reachable servers at the time of analysis.
The campaign shifted its targeting language between 2024 and 2025, moving from English-only lures to French-language content, indicating a deliberate geographic expansion toward Francophone organizations.
Exploitation Status and Threat Landscape
Operation HookedWing is not attributed to a nation-state or any known criminal group. The campaign uses a bespoke phishing kit with no publicly documented prior use, which limits the utility of existing threat-actor playbooks for defenders.
Three factors explain the campaign's four-year persistence without public exposure:
No malware on disk. There is nothing for endpoint detection and response (EDR) products to scan. The attack is entirely browser-based credential theft with no file artifacts, no process execution, and no network connections to known-malicious IPs.
Legitimate hosting infrastructure. Abusing GitHub Pages — a platform used legitimately by millions of developers — means security teams face the impossible choice of blocking a trusted platform or tolerating its abuse.
Dynamic payload staging. The srv.js indirection ensures static GitHub pages are "clean" at rest, containing no phishing content until a victim actually loads them with the correct parameters.
The 2024–2025 expansion to French-language lures is particularly notable, as it suggests the operator is resourced enough to invest in new language targeting — likely motivated by access to high-value Francophone critical infrastructure targets in Europe and West Africa.
Who Is Affected
Sectors confirmed compromised:
- Aviation and travel operators
- Critical infrastructure organizations
- Energy companies
- Financial institutions
- Government and public administration agencies
- Logistics and transportation companies
- Technology sector companies
Geographic exposure: Victim data shows the highest concentration of individual affected users in Sub-Saharan Africa and South Asia, with Nigeria, Nepal, Uganda, Sri Lanka, and Senegal leading by victim count. The English-phase targeting reached organizations globally; the French-phase expansion added European and West African targets.
The sector profile matters. Aviation and logistics organizations hold flight schedules, cargo manifests, and supply-chain routing data. Energy companies control operational technology (OT) environments where credential access can translate into physical disruption. Government and public administration agencies hold citizen data and internal policy documents. Credential access to any of these environments can serve as a springboard for espionage, lateral movement, or follow-on intrusion campaigns.
What You Should Do Right Now
- Search email gateway logs for messages originating from or linking to github.io domains from unexpected external senders. Legitimate internal communications rarely link to GitHub Pages static sites.
- Block outbound workstation connections to github.io if your organization does not use GitHub Pages for legitimate business purposes. This eliminates the pre-loader delivery stage entirely.
- Enforce phishing-resistant MFA — FIDO2 passkeys or hardware security keys (YubiKey or equivalent) — on all email and Microsoft 365 accounts. Captured credentials are useless to an attacker who cannot also provide a physical token.
- Run a targeted phishing-awareness exercise focused on personalized fake Outlook login pages. Teach users that the URL bar — not the page's visual appearance or branding — is the authoritative indicator of legitimacy.
- Check your domain exposure using SOCRadar's free campaign tracking tools to see whether your organization's domain appears in Operation HookedWing victim data.
- Proactively rotate credentials for employees in aviation, logistics, energy, or government roles who clicked on unfamiliar email links during the past 12–18 months, particularly if those links led to Microsoft login-style pages.
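The first recommendation above, hunting email-gateway logs for github.io links from external senders, as an added example that is not part of the SOCRadar report or this article. The `key=value|...` record format, the internal domain and the allow-listed GitHub Pages site are all constructed assumptions; the point it makes beyond the text is to match on the parsed hostname rather than a substring, so look-alike hosts are not flagged and a `notgithub.io` style domain is not missed as a false negative either.

```python
"""Hunt for GitHub Pages (github.io) links from external senders in
email-gateway logs. The 'key=value|...' record format is constructed
for this example; adapt the parser to your gateway's export format."""
import re
from urllib.parse import urlparse

# Assumed values: domains your organisation sends mail from, and the
# GitHub Pages sites your own teams legitimately publish.
INTERNAL_DOMAINS = {"example-corp.com"}
ALLOWED_PAGES = {"example-corp.github.io"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_github_pages_host(host: str) -> bool:
    """True for github.io or a *.github.io subdomain only. Matching on the
    parsed hostname (not a substring of the URL) rejects look-alikes such
    as github.io.attacker.example or notgithub.io."""
    host = host.lower().rstrip(".")
    return host == "github.io" or host.endswith(".github.io")


def sender_is_external(sender: str) -> bool:
    return sender.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_github_pages_lures(log_lines):
    """Return (sender, recipient, url) for every external message that links
    to a github.io host not on the allow-list."""
    hits = []
    for line in log_lines:
        rec = dict(kv.split("=", 1) for kv in line.strip().split("|"))
        if not sender_is_external(rec.get("from", "")):
            continue  # internal mail linking to GitHub Pages is expected
        for url in URL_RE.findall(rec.get("urls", "")):
            host = urlparse(url).hostname or ""
            if is_github_pages_host(host) and host not in ALLOWED_PAGES:
                hits.append((rec["from"], rec["to"], url))
    return hits


# Constructed sample records, not real campaign data.
SAMPLE_LOG = [
    "ts=2025-03-04T09:12:01Z|from=hr-notices@payroll-update.example|to=a.lee@example-corp.com|urls=https://benefits-portal.github.io/review/",
    "ts=2025-03-04T09:15:44Z|from=it@example-corp.com|to=b.kim@example-corp.com|urls=https://example-corp.github.io/handbook/",
    "ts=2025-03-04T09:20:10Z|from=news@vendor.example|to=c.ng@example-corp.com|urls=https://github.io.attacker.example/login",
    "ts=2025-03-04T09:25:33Z|from=noreply@docs.example|to=d.roy@example-corp.com|urls=https://www.example.org/ https://team-updates.github.io/",
]
```

Running `find_github_pages_lures(SAMPLE_LOG)` flags the first and last records only: the internal handbook link and the `github.io.attacker.example` look-alike are correctly left alone.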
Background: Understanding the Risk
Credential-phishing against cloud identity providers has become the dominant initial-access vector across industries precisely because it is harder to detect than malware. Traditional security products excel at scanning files, processes, and known-malicious network indicators. A credential-capture form on a GitHub-hosted page generates none of those artifacts.
The abuse of legitimate hosting platforms — GitHub Pages, Microsoft OneDrive, Google Sites, Notion — to stage phishing infrastructure is well-documented in academic and threat-intelligence literature, but Operation HookedWing demonstrates how effective it remains in practice at scale. The 24 C2 servers and 100+ GitHub domains represent a well-managed infrastructure with a deliberate operational security (OPSEC) posture: the operator apparently never made the kind of infrastructure mistake — reusing IPs, leaking attribution data, or deploying known tools — that would have allowed attribution.
The choice to target aviation, energy, and logistics is consistent with the objective profile of nation-state intelligence collection or strategic pre-positioning. These sectors are interconnected: a logistics company credential can provide insight into supply chains; an energy company credential can provide access to billing systems and, in weakly-segmented environments, OT networks. The campaign does not appear to be financially motivated in the conventional sense — there is no ransomware deployment, no extortion — which further suggests intelligence or access-brokering as the end goal.
The four-year timeline without disruption is itself an intelligence indicator. Well-resourced operators with clear collection objectives do not burn campaigns unnecessarily. The transition from English to French lures indicates ongoing investment and adaptation, not a campaign that has peaked and is winding down.
Conclusion
Operation HookedWing is an active, unattributed credential-theft campaign that has quietly compromised over 500 organizations across critical sectors for four years. Organizations in aviation, energy, logistics, and government should immediately audit GitHub Pages exposure in email traffic, enforce FIDO2-based MFA on cloud accounts, and treat any Microsoft Outlook login page reached via email link as suspect until the URL is verified. The absence of malware in this campaign is not a sign of lower risk — it is a sign of a more sophisticated operator.
For any query contact us at contact@cipherssecurity.com

