Key data
This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September 2024 to deploy phishing campaigns targeting the US, UK, Spain, Australia, and Japan. Insights include:
- A branded mascot and interactive features added for entertainment
- Over 2,000 phishing websites identified using the kit
- Campaigns targeting countries around the globe
- Organizations being targeted across the public sector, postal, digital services, and banking sectors
Doggo Background
Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel.
“Doggo”
The kit, which uses Mandarin Chinese throughout, provides users with an admin panel (exposed at the /admin path) to configure and manage phishing campaigns. The word “xiū gǒu”, which is referenced in the kit source code, is derived from the admin panel title “xiū gǒu yuánmǎ” (修狗源码). Xiū gǒu roughly translates from Mandarin Chinese internet slang as “doggo” (small dog) and xiū gǒu yuánmǎ as “doggo source code”. This “doggo” concept comes to life as the avatar for the kit’s admin panel and Telegram account—a cartoon dog holding a bottle of soda. “Easter egg” functionality has been developed in the admin panel, allowing users to transform this mascot into a “thug life” version by clicking the avatar.
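The admin panel path and title described above can serve as a fingerprint when triaging HTTP responses that have already been collected (crawler output, proxy captures). The following is an added example, not code from Netcraft or from the kit; it assumes the title is served in the page's `<title>` element, and the function names and sample responses are constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Admin panel title and path reported in the article. That the title is
# served in the page's <title> element is an assumption of this example.
KIT_TITLE = "修狗源码"
ADMIN_PATH = "/admin"

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title = False
        self.done = False
        self.parts = []
    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True
    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)

def page_title(body: bytes) -> str:
    parser = TitleParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    parser.close()
    # NFKC folds full-width and compatibility forms before matching.
    return unicodedata.normalize("NFKC", "".join(parser.parts)).strip()

def is_xiugou_admin(url: str, body: bytes) -> bool:
    path = urlsplit(url).path.rstrip("/").lower()
    return path == ADMIN_PATH and KIT_TITLE in page_title(body)

def scan(responses):
    return [url for url, body in responses if is_xiugou_admin(url, body)]

# Constructed sample responses (not real captures).
SAMPLES = [
    # Title partly entity-encoded: a raw substring search would miss it.
    ("https://phish.example/admin/",
     "<html><head><title>&#20462;&#29399;源码</title></head></html>".encode()),
    ("https://shop.example/admin", b"<title>Admin login</title>"),
    # Kit title text outside <title> and off the admin path: not flagged.
    ("https://blog.example/post", "<p>修狗源码</p>".encode()),
]

if __name__ == "__main__":
    print(scan(SAMPLES))
```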