Introduction
The “Xiu Gou” (修狗) phishing kit has emerged as a significant threat, actively targeting users in several countries, including the United States, the United Kingdom [1], Spain [1][2][3], Australia [1][2][3], and Japan, since at least September 2024 [2]. This sophisticated tool, developed by cybercriminals [2], is designed to facilitate large-scale phishing attacks, particularly against individuals in the public sector, postal services [1][2][3], digital services [1][2][3], and banking [1][2][3].
Description
A phishing kit named “Xiu Gou” (修狗) has been actively targeting users in the US [2], UK [1][2][3], Spain [1][2][3], Australia [1][2][3], and Japan since at least September 2024 [2]. Developed by cybercriminals [2], the kit is associated with over 1,500 IP addresses and phishing domains [1], which have been used to stand up more than 2,000 phishing websites aimed at individuals in the public sector, postal services [1][2][3], digital services [1][2][3], and banking [1][2][3].
Xiu Gou features a distinctive “doggo” mascot and employs a more modern stack than most kits [2]: a Vue.js frontend and a Golang backend [2], which sets it apart from traditional PHP-based phishing kits [2]. To evade detection [1][2][3], attackers use Cloudflare’s anti-bot services and domain obfuscation [2], often deploying phishing sites on “.top” domains that contain scam-related keywords [2]. Specific targeting of UK victims has been observed [1]: at least eight variations of the domain “yingguo[.]top” have been recorded [1], where “Yingguo” translates to “United Kingdom,” along with over 18 variations of the domain “f^¢kgb[.]top” [1][2][3].
The kit includes a custom admin panel for campaign management [2], allowing operators to configure and manage their phishing operations [3]. It sends phishing lures over Rich Communication Services (RCS) rather than SMS, and it integrates with Telegram bots for data exfiltration [2], so that attackers retain access to stolen information even after the phishing sites are taken down [2]. The kit’s creators have provided tutorials, complete with step-by-step instructions, on setting up these Telegram bots for data exfiltration [2].
Notable targets of the Xiu Gou kit include organizations such as USPS [2], gov.uk [1][2], DVSA [1], Services Australia [1], Evri [1], Lloyds Bank [2], New Zealand Post [1], and Linkt [1]. Attackers often use fake notices about fines [2], government payments [1][2][3], or parcel releases to trick victims into revealing sensitive information [2]. For instance, one campaign impersonates the UK government site gov.uk to mimic penalty charge notices, directing victims to phishing sites that closely resemble the official pages [2].
Research has identified numerous subdomains associated with Xiu Gou [2], indicating that its creators operate on multiple fronts [2]. The kit’s creator is believed to monitor installations through referrer headers [2], which helps them adapt their tactics in response to ongoing investigations. The phishing kit is primarily presented in Mandarin Chinese [3], reflecting its origins and its intended operator base.
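As an added defender-side example (not code from the report, the cited researchers, or the kit itself), the Python script below triages constructed web-proxy log lines for two of the indicators described above: lookalike “.top” hostnames built on a known stem such as “yingguo”, and outbound calls to the Telegram Bot API, which the reporting identifies as the kit’s exfiltration channel. The log format, the stem list, the refang patterns, and the bot token in the sample are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Keyword stems seen in the kit's lookalike ".top" domains. "yingguo" comes from
# the reporting; extend the tuple from your own intelligence (assumption).
SUSPICIOUS_STEMS = ("yingguo",)

# Common defanging conventions in published indicators (assumption).
DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]|\{\.\}")

# Telegram Bot API paths look like /bot<numeric-id>:<secret>/<method>.
TELEGRAM_BOT = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)$")

# Constructed sample log: "<timestamp> <client-ip> <method> <url>" (format is an assumption).
SAMPLE_LOG = """\
2024-10-15T10:01:02Z 10.0.0.5 GET https://yingguo6.top/penalty-charge
2024-10-15T10:01:09Z 10.0.0.5 GET https://www.gov.uk/vehicle-tax
2024-10-15T10:02:30Z 10.0.0.7 POST https://api.telegram.org/bot123456789:AAHexampleTokenValue/sendMessage
2024-10-15T10:03:11Z 10.0.0.9 GET https://shop.top/
"""

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'yingguo[.]top' into 'yingguo.top'."""
    return DEFANG.sub(".", domain.strip().lower().rstrip("."))

def is_kit_style_domain(domain: str) -> bool:
    """Flag .top hostnames whose registrable label carries a known scam stem."""
    labels = refang(domain).split(".")
    if len(labels) < 2 or labels[-1] != "top":
        return False
    return any(stem in labels[-2] for stem in SUSPICIOUS_STEMS)

def is_telegram_bot_call(url: str) -> bool:
    """True for an outbound call to api.telegram.org/bot<token>/<method>."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname == "api.telegram.org" and bool(TELEGRAM_BOT.match(parsed.path))

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, reason) for each log line matching an indicator."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, _method, url = parts
        host = urlparse(url).hostname or ""
        if is_kit_style_domain(host):
            findings.append((ts, client, f"kit-style lookalike domain {host}"))
        elif is_telegram_bot_call(url):
            findings.append((ts, client, "outbound Telegram Bot API call (possible exfiltration)"))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

A Telegram Bot API call from a host that should only serve web traffic is the higher-confidence signal of the two; the domain check is a starting point that needs a maintained stem list.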
Conclusion
The Xiu Gou phishing kit represents a sophisticated and evolving threat to global cybersecurity, with its advanced features and strategic targeting posing significant risks to individuals and organizations. Mitigation efforts must focus on enhancing detection capabilities, increasing public awareness, and fostering international collaboration to combat such threats. As cybercriminals continue to innovate, it is imperative for security professionals to remain vigilant and proactive in developing countermeasures to protect sensitive information and maintain digital trust.
References
[1] https://www.netcraft.com/blog/doggo-threat-actor-analysis/
[2] https://www.infosecurity-magazine.com/news/new-xiugou-phishing-kit-targets-us/
[3] https://itnerd.blog/2024/10/31/new-mandarin-chinese-phishing-kit-uk-us-es-au-jpn-victims-across-public-postal-banking-sectors/