Researchers at Netcraft have identified a phishing kit named “Xiū gǒu,” active since at least September 2024 and aimed at users in several countries, including the UK, the US, Spain, Australia and Japan. The kit impersonates public- and private-sector services, among them government agencies, postal operators and banks, serving convincing copies of their online platforms in order to harvest personal and payment data from the people who land on them.
Xiū gǒu is recognisable by its distinctive branding and interactive design; Netcraft has found more than 2,000 phishing websites built with it. The name is a Mandarin term roughly equivalent to “doggo,” and the kit carries the joke through with a cartoon dog mascot in its interface. The lures it ships are mostly built around motor-vehicle services, government benefits and postal notifications, pretexts that give the victim a plausible reason to enter personal details or pay a small fee.
Technically, the kit’s front end (both the phishing pages and the operator’s administration panel) is written in Vue.js, and the back end is a Golang server the authors call SynPhishServer. A client-side-rendered front end has a side effect worth noting for defenders: the HTML that a crawler which does not execute JavaScript receives is nearly empty, with the lure content assembled in the browser, so static signature-based scanners have little to match on. The infrastructure is large, spanning more than 1,500 IP addresses, and the domains are registered largely under the “.top” top-level domain with names built from scam-related keywords. The keywords make the URL look plausible to the recipient rather than hiding it from security tools; what defeats blocklists is the volume of cheap, disposable domains the operators can rotate through.
Engagement typically starts with a Rich Communication Services (RCS) message carrying a shortened link, which hides the destination domain until the recipient taps it. The link lands on a closely imitated government or service portal, such as a gov.uk lookalike. The kit also cloaks itself: requests that appear to come from automated bots or security scanners are redirected to benign sites, so URL-scanning services and takedown teams see harmless content while real phone users see the phishing form. Personal information and payment details entered into that form are harvested and forwarded to a Telegram account under the fraudster’s control.
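The traits described in the two paragraphs above (keyword-rich domains under .top, brand names abused as subdomains, shortened links in message bodies) are the kind of thing a message-security team turns into triage rules. The following Go program is an added example written for this page, not code from Netcraft or from the kit; the shortener hosts are well-known public services, while the TLD list, keyword list, allowlist and the sample lure texts are constructed assumptions chosen to match the traits described, not data from the campaign.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Indicator names one heuristic hit on a URL.
type Indicator string

// Constructed lists for this example (assumptions, not data from the kit).
var (
	shortenerHosts = map[string]bool{"bit.ly": true, "t.co": true, "tinyurl.com": true, "is.gd": true, "cutt.ly": true}
	suspiciousTLDs = map[string]bool{"top": true}
	lureKeywords   = []string{"gov", "dvla", "post", "parcel", "delivery", "toll", "fine", "refund", "benefit", "bank", "tax"}
	knownGood      = map[string]bool{"gov.uk": true} // true domains of the brands being impersonated
)

var urlRe = regexp.MustCompile(`https?://[^\s<>"']+`)

// ExtractURLs pulls http(s) links out of a message body, dropping trailing
// punctuation that belongs to the sentence rather than the link.
func ExtractURLs(message string) []string {
	var out []string
	for _, m := range urlRe.FindAllString(message, -1) {
		out = append(out, strings.TrimRight(m, ".,;:!?)"))
	}
	return out
}

// registeredLabels returns the second-level label and TLD of a hostname
// ("parcel-refund-gov.top" -> "parcel-refund-gov", "top"). It ignores
// multi-part public suffixes such as co.uk, which is acceptable for a triage
// heuristic but would not be for an allowlist decision on its own.
func registeredLabels(host string) (sld, tld string) {
	parts := strings.Split(strings.ToLower(host), ".")
	if len(parts) < 2 {
		return parts[0], ""
	}
	return parts[len(parts)-2], parts[len(parts)-1]
}

// TriageURL returns the indicators found in raw, in a stable order, or nil
// when the host is a known legitimate domain of an impersonated brand.
func TriageURL(raw string) ([]Indicator, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("no host in %q", raw)
	}
	sld, tld := registeredLabels(host)
	if knownGood[sld+"."+tld] {
		return nil, nil
	}
	var hits []Indicator
	if shortenerHosts[host] {
		hits = append(hits, "shortened-link")
	}
	if suspiciousTLDs[tld] {
		hits = append(hits, Indicator("tld-"+tld))
	}
	for _, kw := range lureKeywords {
		if strings.Contains(sld, kw) {
			hits = append(hits, Indicator("lure-keyword-"+kw))
		}
	}
	// A real brand domain appearing as a subdomain of something else is the
	// classic lookalike trick: gov.uk.parcel-fee.top is not gov.uk.
	for brand := range knownGood {
		if strings.HasPrefix(host, brand+".") || strings.Contains(host, "."+brand+".") {
			hits = append(hits, "brand-in-subdomain")
		}
	}
	return hits, nil
}

func main() {
	// Constructed lure texts in the style of the postal and vehicle scams described above.
	msgs := []string{
		"Royal Mail: your parcel could not be delivered. Reschedule at https://bit.ly/3abcDEF today.",
		"DVLA: an unpaid fine is registered to your vehicle. Pay now: https://dvla-fine-payment.top/pay",
		"Track your item: https://gov.uk.parcel-fee.top/track",
		"Check your vehicle tax at https://www.gov.uk/vehicle-tax",
	}
	for _, m := range msgs {
		for _, link := range ExtractURLs(m) {
			hits, err := TriageURL(link)
			fmt.Printf("%-45s %v %v\n", link, hits, err)
		}
	}
}
```

The shortened link scores only one indicator by itself; in practice the triage step should be followed by a controlled expansion of the short URL (a HEAD request that does not follow redirects) so the real landing domain can be scored too. The allowlist check runs first so that the true gov.uk site is never flagged for containing the word “gov”.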
For organisations, the point is less that they will be attacked directly than that they will be impersonated: any body that interacts with the public or takes payments online is a candidate brand for a Xiū gǒu lure, and its customers are the victims. Mapped to MITRE ATT&CK®, the activity corresponds to Phishing (T1566), delivered here as a link in a message (T1566.002, Spearphishing Link), and to Phishing for Information (T1598) where the aim is to harvest credentials and personal data rather than to gain a foothold; the disposable keyword-rich .top domains fall under Acquire Infrastructure: Domains (T1583.001). The bot cloaking and redirection are defensive measures on the attacker’s side, there to frustrate scanners and analysts rather than to deceive the victim.
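The bot redirection mentioned above is also something a takedown or threat-intelligence team can test for directly: fetch the suspect URL under several User-Agent strings and see whether the responses diverge. The Go program below is an added example for this page, not Netcraft’s tooling or the kit’s code. The cloaking handler it spins up in-process is a constructed stand-in for the behaviour described (bots bounced to a harmless site, browsers served the form), and the User-Agent markers, the decoy redirect target and the probe agents are assumptions chosen for the demonstration; the detector itself works unchanged against a live URL.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-in for the cloaking behaviour described above (constructed for this
// example, not the kit's code): clients whose User-Agent looks like a crawler
// or scanner are bounced to a harmless site, browsers get the phishing form.
func cloakingHandler(w http.ResponseWriter, r *http.Request) {
	ua := strings.ToLower(r.UserAgent())
	for _, marker := range []string{"bot", "crawler", "spider", "curl", "python-requests"} {
		if strings.Contains(ua, marker) {
			http.Redirect(w, r, "https://www.gov.uk/", http.StatusFound)
			return
		}
	}
	w.Header().Set("Content-Type", "text/html")
	fmt.Fprint(w, `<html><body><form method="post"><input name="card"></form></body></html>`)
}

// Probe records what one User-Agent received from the suspect URL.
type Probe struct {
	UserAgent string
	Status    int
	Location  string   // redirect target, if the response was a redirect
	BodyHash  [32]byte // sha256 of the body so responses compare without being stored
}

// fetch requests url once as the given User-Agent without following redirects,
// so a bounce to a decoy site is observed rather than silently followed.
func fetch(url, ua string) (Probe, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return Probe{}, err
	}
	req.Header.Set("User-Agent", ua)
	resp, err := client.Do(req)
	if err != nil {
		return Probe{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Probe{}, err
	}
	return Probe{ua, resp.StatusCode, resp.Header.Get("Location"), sha256.Sum256(body)}, nil
}

// DetectCloaking fetches url under each User-Agent and reports whether any
// response differs from the first (status, redirect target or body). A phone
// browser and a scanner seeing different things is the signature of cloaking.
func DetectCloaking(url string, agents []string) (bool, []Probe, error) {
	var probes []Probe
	for _, ua := range agents {
		p, err := fetch(url, ua)
		if err != nil {
			return false, probes, err
		}
		probes = append(probes, p)
	}
	for _, p := range probes {
		if p.Status != probes[0].Status || p.Location != probes[0].Location || p.BodyHash != probes[0].BodyHash {
			return true, probes, nil
		}
	}
	return false, probes, nil
}

// DefaultAgents: a phone browser (what an RCS recipient uses), a search crawler, a bare curl.
var DefaultAgents = []string{
	"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
	"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
	"curl/8.4.0",
}

// NewCloakedServer runs the stand-in handler in-process so the check works offline.
func NewCloakedServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(cloakingHandler))
}

func main() {
	srv := NewCloakedServer()
	defer srv.Close()
	cloaked, probes, err := DetectCloaking(srv.URL+"/pay", DefaultAgents)
	if err != nil {
		panic(err)
	}
	for _, p := range probes {
		fmt.Printf("status=%d location=%-22q ua=%.40s\n", p.Status, p.Location, p.UserAgent)
	}
	fmt.Println("cloaking detected:", cloaked)
}
```

Against a real kit the comparison should also vary what the User-Agent alone cannot: source IP (residential mobile versus a cloud range), Accept-Language and the presence of a Referer, since cloaking logic frequently keys on those as well. Divergence is evidence, not proof; a site that serves a consent banner to EU addresses will also differ between probes, which is why the probes are kept and reviewed rather than reduced to a single boolean.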
Netcraft’s research also says something about the mindset of the kit’s authors. The combination of a polished operator panel, built-in analytics on victim engagement, and a deliberate brand identity (the name, the mascot) points to developers who treat the kit as a product for other criminals, where ease of use and operator engagement matter as much as the lures themselves.
As the Xiū gǒu campaign continues to expand, individuals and businesses alike need to raise their guard. Treat unsolicited messages about fines, deliveries or benefits with suspicion, reach the relevant service by typing its known address rather than following a link, and never enter card details on a page reached from a message. Multi-factor authentication limits what a stolen password is worth, but it does nothing for payment-card details typed into a fake checkout, so organisations that are likely to be impersonated should also watch for lookalike domains registered against their brand and pursue takedowns quickly. Staying informed about phishing tactics and using capable security tooling remains the best defence against kits like Xiū gǒu.