Key data 
This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September 2024 to deploy phishing campaigns targeting the US, UK, Spain, Australia, and Japan. Insights include:
A branded mascot and interactive features added for entertainment
Over 2,000 phishing websites identified using the kit
Campaigns targeting countries around the globe
Organizations being targeted across the public sector, postal, digital services, and banking sectors
Doggo Background 
Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel.
“Doggo” 
The kit, which uses Mandarin Chinese throughout, provides users with an admin panel (exposed at the /admin path) to configure and manage phishing campaigns. The word “xiū gǒu”, which is referenced in the kit source code, is derived from the admin panel title “xiū gǒu yuánmǎ” (修狗源码). Xiū gǒu roughly translates from Mandarin Chinese internet slang as “doggo” (small dog) and xiū gǒu yuánmǎ as “doggo source code”. This “doggo” concept comes to life as the avatar for the kit’s admin panel and Telegram account: a cartoon dog holding a bottle of soda. “Easter egg” functionality has been developed in the admin panel, allowing users to transform this mascot into a “thug life” version by clicking the avatar.
Figure 1. Admin Panel Login with “Doggo” mascot
Figure 2. Admin panel with alternative easter egg “doggo”
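For defenders triaging crawler output, the admin panel title described above can serve as a fingerprint. The Python below is an added example, not code from Netcraft or from the kit; the record schema, hosts and sample pages are constructed, and it assumes the panel's title element contains the string 修狗源码.

```python
import unicodedata
from html.parser import HTMLParser

KIT_TITLE = "修狗源码"  # admin panel title reported in the article

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element only."""
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.parts = False, False, []
    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True
    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)

def extract_title(body: bytes) -> str:
    """Decode a captured response body and return its normalized title."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        # Assumption: non-UTF-8 Chinese-language pages are GB18030/GBK.
        text = body.decode("gb18030", errors="replace")
    parser = TitleParser()
    parser.feed(text)
    parser.close()
    return unicodedata.normalize("NFKC", "".join(parser.parts)).strip()

def triage(records):
    """Return hosts whose captured /admin page carries the kit title."""
    return [r["host"] for r in records
            if r["path"].rstrip("/") == "/admin"
            and KIT_TITLE in extract_title(r["body"])]

def page(title, body=""):
    return f"<html><head><title>{title}</title></head><body>{body}</body></html>"

# Constructed crawl records (hypothetical schema: host, path, body bytes).
SAMPLE = [
    {"host": "a.example", "path": "/admin", "body": page("修狗源码").encode("utf-8")},
    {"host": "b.example", "path": "/admin/", "body": page("修狗源码 - 登录").encode("gb18030")},
    {"host": "c.example", "path": "/admin", "body": page("Site admin", "修狗源码").encode("utf-8")},
    {"host": "d.example", "path": "/", "body": page("修狗源码").encode("utf-8")},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on the parsed title rather than the raw body keeps pages that merely mention the string (such as write-ups about the kit) out of the results, and the GB18030 fallback covers captures that were not served as UTF-8.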
Key Characteristics
Netcraft observed the following characteristics:
They also ...
Netcraft is an England-based security platform that offers solutions such as cybercrime detection and threat intelligence for industries including retail and healthcare.