New Xiu Gou Phishing Kit Targets US, Other Countries with Mascot
A new phishing kit dubbed “Xiu Gou” (修狗), developed to deploy phishing attacks globally, has been targeting users across the US, UK, Spain, Australia and Japan since at least September 2024.

Uncovered by cybersecurity firm Netcraft, the kit features a unique “doggo” mascot and includes over 2000 phishing websites that target individuals in the public sector, postal services, digital services and banking.

Advanced Technology Makes Xiu Gou Hard to Detect

Distinctive aspects of the Xiu Gou kit include its interactive cartoon mascot and “easter egg” features, where users can transform the avatar by clicking it. It also incorporates advanced software, such as a Vue.js frontend and Golang backend, distinguishing it from typical PHP-based phishing kits.

To stay under the radar, attackers use Cloudflare’s anti-bot services and domain obfuscation, deploying phishing sites on domains like “.top” that include keywords linked to scam types.

Key Features and Technical Specifications

Key technical features of the kit include:

  • A custom admin panel exposed at the /admin path for easy campaign management

  • Use of Rich Communications Services (RCS) instead of SMS to send phishing lures

  • Integration with Telegram bots for data exfiltration, ensuring continued access to stolen information even if sites are shut down


The Xiu Gou kit has primarily targeted well-known organizations such as USPS, gov.uk, Lloyds Bank and New Zealand Post. Attackers use fake notices related to fines, parcel releases or government payments to lure victims into providing sensitive information.

For example, one of the campaigns impersonates the UK government site gov.uk to mimic penalty charge notices, leading victims to phishing sites styled identically to official pages.

Netcraft’s researchers also identified numerous subdomains linked to Xiu Gou, such as “usps0007[.]xiugou[.]icu” and “ai[.]xiugou[.]icu,” suggesting that the kit’s creators operate across multiple fronts. The kit’s creator, thought to own “xiugou.icu,” monitors kit installations through referrer headers.
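The indicators the article describes (lookalike ".top" domains carrying brand or lure keywords, an exposed /admin path, phishing pages that call back to xiugou.icu with the phishing site as the referrer, and Telegram bots used for exfiltration) can be turned into a simple log-triage rule set. The script below is an added example written for this article, not Netcraft's tooling or the kit's code; the log format, the client addresses and every log line are constructed, the keyword list is an assumption drawn from the brands and lures the article names, and the Telegram bot token is a placeholder.

```python
"""Triage proxy / egress log lines for the Xiu Gou tradecraft described in the
article. Added example, not Netcraft's tooling. All log lines are constructed."""
import re
from urllib.parse import urlparse

# Assumed indicator sets, taken from the article's text rather than an IoC feed.
LURE_KEYWORDS = ("usps", "govuk", "gov-uk", "lloyds", "nzpost",
                 "parcel", "penalty", "fine", "payment")
SUSPECT_TLDS = (".top",)            # TLD the article says the operators favour
KIT_DOMAIN = "xiugou.icu"           # domain the article ties to the kit's creator
TELEGRAM_API_HOST = "api.telegram.org"  # Bot API host used for exfiltration

# Constructed log format: '<client> <METHOD> <url> referer="<referer>"'
LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+referer="(?P<ref>[^"]*)"\s*$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_lookalike_host(host):
    """A '.top' host whose name carries one of the brand or lure keywords."""
    return host.endswith(SUSPECT_TLDS) and any(k in host for k in LURE_KEYWORDS)


def score_entry(entry):
    """Return the list of indicator names that match one parsed log entry."""
    reasons = []
    url, ref = entry["url"], entry["ref"]
    host, path = host_of(url), urlparse(url).path
    if is_lookalike_host(host):
        reasons.append("lookalike-top-domain")
        if path.startswith("/admin"):        # panel the article says sits at /admin
            reasons.append("admin-panel-path")
    if host == KIT_DOMAIN or host.endswith("." + KIT_DOMAIN):
        # The kit phones home to xiugou.icu; the referrer then names the phishing site.
        reasons.append("kit-infrastructure-contact")
        if ref:
            reasons.append("candidate-phish-site:" + host_of(ref))
    if host == TELEGRAM_API_HOST and re.match(r"^/bot[^/]+/send", path):
        # Only meaningful in server-side egress logs (the kit's host, not the victim's).
        reasons.append("telegram-bot-api")
    return reasons


def triage(lines):
    """Map each flagged URL to its de-duplicated list of indicator names."""
    flagged = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        bucket = flagged.setdefault(entry["url"], [])
        for reason in score_entry(entry):
            if reason not in bucket:
                bucket.append(reason)
        if not bucket:
            del flagged[entry["url"]]
    return flagged


# Constructed sample log; the token after "/bot" is a placeholder, not a real secret.
SAMPLE_LOG = [
    '10.0.0.5 GET https://usps-parcel-release.top/ referer=""',
    '10.0.0.5 POST https://usps-parcel-release.top/api/submit referer="https://usps-parcel-release.top/"',
    '10.0.0.9 GET https://govuk-penalty-notice.top/admin referer=""',
    '10.0.0.9 GET https://www.usps.com/ referer=""',
    '10.0.0.5 GET https://ai.xiugou.icu/ping referer="https://usps-parcel-release.top/"',
    '192.0.2.20 POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage referer=""',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LOG).items():
        print(url, "->", ", ".join(reasons))
```

The legitimate `www.usps.com` request is not flagged because the rule requires both the suspect TLD and a keyword; a keyword alone would generate noise on real traffic. The referrer-based rule is the most useful one from a victim network's viewpoint, since a single request to the kit's domain names the phishing site that loaded it.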

By gaining access to a tutorial on Xiu Gou, Netcraft observed how fraudsters set up Telegram bots for data exfiltration, with step-by-step instructions included in the kit.

“Understanding how phishing tradecraft is developed is essential to preventing phishing attacks,” the firm explained. “By analyzing phishing kits in-depth, it’s possible to improve the speed and accuracy with which threats can be detected, classified and taken down.”