Xiū Gǒu Phishing Kit Targets the U.S., U.K., Spain, Australia and Japan

Netcraft’s investigation reveals that the Xiū gǒu (“doggo”) phishing kit has powered global scams since at least September 2024, with over 2,000 phishing sites and more than 1,500 related IP addresses and domains identified. The kit uses a modern Vue.js/Golang stack, Telegram bots for data exfiltration, RCS lures, and a distinctive dog mascot while impersonating organizations such as USPS and gov.uk.

Keypoints

  • Xiū gǒu is a modern phishing kit (Vue.js front end, Golang back end via SynPhishServer) rather than a traditional PHP kit.
  • The kit integrates Telegram bots to exfiltrate stolen credentials and victim metadata to threat actors.
  • Attackers send RCS lure messages with shortened tracking links that lead users to realistic spoofed sites for payments or personal-data capture.
  • Netcraft found over 2,000 phishing websites and linked more than 1,500 IP addresses/domains to the kit, indicating wide geographic reach (US, UK, Spain, Australia, Japan).
  • Targets span public sector, postal, banking, and digital services, including USPS, UK Government (gov.uk/DVSA), Evri, Lloyds Bank, New Zealand Post, and Linkt.
  • The kit’s author appears to operate xiugou.icu and several subdomains (e.g., test1234.xiugou.icu, usps0007.xiugou.icu), and uses Cloudflare to hinder detection.
  • The admin panel (exposed at /admin) includes a playful “doggo” mascot and Easter-egg features, plus user tutorials for setting up Telegram exfiltration bots.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – RCS lure messages deliver shortened links that direct victims to spoofed sites (‘RCS message is sent to the victim containing a shortened link; this link often includes a tracking parameter’)
  • [T1041] Exfiltration Over Command and Control Channel – Stolen credentials and victim metadata are sent to attackers via Telegram bots (‘Victim’s details (including their IP address and browser characteristics) are exfiltrated to Telegram via a bot set up by the fraudster running the phishing website’)
  • [T1583.001] Acquire Infrastructure: Domain Registration – Actors register deceptive domains (commonly using the .top TLD) that reference the scam or target name (‘They also often use the “.top” top-level domain (TLD) and typically register domains related to the nature of their scam’)
  • [T1102] Use of Web Service – The kit relies on messaging/web services (RCS and Telegram) to deliver lures and receive exfiltrated data (‘Threat actors using the kit use Rich Communications Services (RCS) rather than SMS to send lure messages’)

Indicators of Compromise

  • [Domain] Kit author infrastructure and phishing hosts – xiugou.icu, ai.xiugou.icu (and subdomains like usps0007.xiugou.icu), plus multiple scam domains using the .top TLD (e.g., yingguo[.]top)
  • [IP addresses] Network infrastructure tied to campaigns – over 1,500 IP addresses linked to Xiū gǒu activity (no single IP listed in the article)
  • [Telegram bot] Data exfiltration channel – example bot name shown in the tutorial: xiugou_example_bot
  • [Phishing page examples] Spoofed brand pages used in attacks – fake USPS package release pages, fake gov.uk payment/PCN pages, fake Lloyds Bank login forms

Netcraft’s research traces a phishing kit known as Xiū gǒu (literally “doggo” in Mandarin internet slang) to widespread campaigns active since at least September 2024. The kit departs from older, PHP-based phishing frameworks by employing a modern stack: Vue.js for the front end and a Golang back end exposed via an executable named SynPhishServer. Operators deploy the kit to create convincing spoof sites that mimic government, postal, banking, and public-sector services, tricking victims into sharing personal information or making payments to release parcels or pay bogus fines.

A distinctive part of Xiū gǒu’s presentation is its “doggo” branding: the admin panel (commonly reachable at an /admin path) uses a cartoon dog mascot with an Easter egg that toggles a “thug life” avatar. The kit’s admin features also include tutorials and setup instructions for integrating Telegram bots, enabling fraudsters to receive stolen credentials and victim metadata (IP address, browser characteristics) in real time. Netcraft even obtained a tutorial showing a step-by-step configuration of a bot (e.g., xiugou_example_bot) used for data exfiltration.

Attackers typically initiate campaigns by sending Rich Communications Services (RCS) messages—rather than plain SMS—that contain shortened links with tracking parameters. When recipients click those links, they are routed to phishing pages crafted to look like legitimate services such as gov.uk, USPS, Evri, Lloyds Bank, Linkt, Services Australia, and New Zealand Post. To frustrate automated detection, the kit serves benign content to bots and uses Cloudflare’s anti-bot and hosting obfuscation features, so that security tools see legitimate pages while human victims encounter the fraudulent forms.

Netcraft identified more than 2,000 phishing websites running Xiū gǒu and linked upwards of 1,500 IP addresses and domains to the kit’s infrastructure. The kit’s author appears to operate xiugou.icu, which hosts images and resources used by deployed kits and helps the author track installations via referrer headers. Several subdomains—such as test1234.xiugou.icu, usps0007.xiugou.icu, store.xiugou.icu, and ai.xiugou.icu—suggest the author segments functionality across sites; ai.xiugou.icu, for example, hosts an open-source AI chat framework (LobeChat).

The campaign flow documented by Netcraft shows the full attack sequence: an RCS lure with a shortened link, a click that lands the victim on a tailored phishing page, collection of personal and payment details, and automated transmission of those details (and supporting metadata) to the attacker via Telegram. The kit’s operators often register domains that include words tied to the lure—such as “parking” or parts of the targeted organization’s name—and frequently use the .top top-level domain for scam sites. Netcraft also notes clusters of domains aimed at UK victims, including several variations of yingguo[.]top (yingguo meaning “United Kingdom”) and many instances of similarly themed domains.
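As an added defender-side example (not Netcraft’s code), the following Python scans constructed proxy-log lines for the infrastructure traits described above: resource fetches from xiugou.icu whose Referer names the deployed phishing site, lure-themed .top domains, and the /admin panel path. The log format and every hostname other than xiugou.icu and yingguo.top are assumptions.

```python
"""Flag proxy-log requests consistent with Xiu gou kit infrastructure.
Added example, not Netcraft's code; the log lines below are constructed.
Indicators come from the write-up: resources fetched from xiugou.icu (the
phishing domain appears in the Referer), lure-themed .top domains, /admin."""
import re
from urllib.parse import urlparse
KIT_RESOURCE_HOST = "xiugou.icu"
LURE_WORDS = ("parking", "usps", "gov", "evri", "lloyds", "linkt", "yingguo", "pcn")
# Constructed log format: ts client METHOD url status "referer"
LOG_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) "([^"]*)"$')

def host_of(url):
    """Lower-cased hostname, ignoring userinfo and port."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.split("@")[-1].split(":")[0].lower()

def is_kit_host(host):
    return host == KIT_RESOURCE_HOST or host.endswith("." + KIT_RESOURCE_HOST)

def classify(line):
    """Return a list of reasons the request looks kit-related (empty if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url, referer = m.group(4), m.group(6)
    host, path = host_of(url), urlparse(url).path
    ref_host = host_of(referer) if referer not in ("", "-") else ""
    reasons = []
    if is_kit_host(host):
        reasons.append("kit-author-resource-host")
        if ref_host and not is_kit_host(ref_host):
            # The kit author tracks installs via Referer; for us it names the scam site.
            reasons.append("phishing-site-referer:" + ref_host)
    if host.endswith(".top") and any(w in host for w in LURE_WORDS):
        reasons.append("lure-themed-.top-domain")
    if path.rstrip("/") == "/admin" and (is_kit_host(host) or host.endswith(".top")):
        reasons.append("admin-panel-path")
    return reasons

LOG_LINES = [  # constructed sample; parking-fine.top is a made-up hostname
    '2024-10-01T09:12:03Z 10.0.0.7 GET http://yingguo.top/pay/pcn 200 "-"',
    '2024-10-01T09:12:04Z 10.0.0.7 GET https://xiugou.icu/img/dog.png 200 "http://yingguo.top/pay/pcn"',
    '2024-10-01T09:20:11Z 10.0.0.8 GET https://www.gov.uk/vehicle-tax 200 "-"',
    '2024-10-01T09:31:44Z 10.0.0.9 GET http://parking-fine.top/admin 200 "-"',
]

def suspicious(lines=LOG_LINES):
    """Map each flagged log line to its reasons."""
    return {line: r for line in lines if (r := classify(line))}
```

The Referer rule is the most reliable of the three: a legitimate client has no reason to load assets from the kit author’s host, and the referring domain is exactly the phishing site to report and block.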

Beyond technical tradecraft, Xiū gǒu demonstrates attention to user experience: the modern tech choices, the interactive admin UI, and the inclusion of tutorials all make the kit easier for fraudsters to deploy and maintain. The author’s tracking of kit installations and the playful doggo persona suggest an operator focused both on usability and iterative improvement to remain competitive. Understanding these choices helps defenders prioritize detection and takedown efforts, accelerate classification of phishing infrastructure, and refine countermeasures against rapidly evolving kit-based scams.

For more details and visual examples from Netcraft’s analysis, see the original post linked below.

Read more: https://www.netcraft.com/blog/doggo-threat-actor-analysis