Operation HookedWing: 4-Year Multi-Sector Attack Analysis

Operation HookedWing is a long-running, multi-variant phishing campaign that leverages legitimate static hosting (primarily GitHub Pages) to present benign-looking loaders which dynamically inject credential-harvesting forms from attacker-controlled PHP backends hosted on compromised or adversary-registered servers; the kit extracts victim emails via URL fragments, collects geolocation via ipdata.co, forces retry cycles to improve credential capture, and has impacted over 2,500 unique victims across 500+ organizations with clear targeting of aviation, government, and energy sectors.