Keypoints
- Xiū gǒu is a modern phishing kit in use since September 2024, with >2,000 phishing sites and 1,500+ related IPs identified.
- Architecture: Vue.js front end for phishing pages and admin panel; Golang back end delivered as the SynPhishServer executable (based on go-gin-api).
- Delivery uses Rich Communications Services (RCS) messages containing shortened links with tracking parameters to lure victims.
- Data exfiltration is implemented via Telegram bots; a tutorial exists showing setup and use of a bot (e.g., xiugou_example_bot) to receive stolen data.
- Evasion techniques include redirecting detection bots and scanners to legitimate pages, fronting sites with Cloudflare (which filters automated clients and hides the origin host), and using cheap, easy-to-register TLDs (notably “.top”).
- Operators register scam-relevant domains and subdomains (e.g., xiugou.icu and test1234.xiugou.icu) and host assets centrally to track installations via referrer headers.
- Common impersonation targets include government and postal services and banks; landing pages collect personal, payment, and browser telemetry before exfiltration.
MITRE Techniques
- [T1566] Phishing – Used to deliver lures: [‘Sending RCS messages with links to phishing websites.’]
- [T1567] Exfiltration Over Web Service – Stolen form data is posted to operator-controlled Telegram bots: [‘Using Telegram bots to exfiltrate credentials.’]
- [T1583.001] Acquire Infrastructure: Domains – Operators register scam-themed domains, frequently on the cheap “.top” TLD, rather than generating them algorithmically: [‘Registering domains related to scams, often using the “.top” TLD.’]
Indicators of Compromise
- [Domain] kit hosting and assets – xiugou[.]icu, yingguo[.]top (and other .top registrations)
- [Subdomain] function-specific hosts – test1234[.]xiugou[.]icu, usps0007[.]xiugou[.]icu
- [Telegram bot] exfiltration endpoint – xiugou_example_bot (the bot used in the kit's setup tutorial), plus other bot names visible in screenshots
- [TLD/Domain pattern] abuse of “.top” – examples include yingguo[.]top and f^¢kgb[.]top (obfuscated), plus many scam-themed domain registrations
- [Network] related infrastructure count – 1,500+ related IP addresses observed hosting the >2,000 phishing sites
- [Admin path] exposed admin interface – admin panel reachable at the /admin path on kit installations (used to configure and manage campaigns)
Xiū gǒu is built as a modern, modular phishing platform: Vue.js renders both phishing pages and the admin UI, while a Golang backend (distributed as the SynPhishServer executable, apparently based on go-gin-api) handles server logic. The kit exposes an admin panel at /admin for campaign configuration and bundles assets hosted on an author-controlled domain (xiugou.icu) so the operator can track installations via referrer headers; multiple subdomains (e.g., test1234.xiugou.icu, usps0007.xiugou.icu, ai.xiugou.icu) are used for separate functions and tooling.
For delivery and evasion, operators send RCS messages containing shortened links with tracking parameters; victims who click land on phishing pages styled to mimic legitimate services. The kit implements detection-evasion measures: automated or suspicious clients are redirected to legitimate, non-malicious pages, and sites are frequently fronted by Cloudflare, which filters automated scanners and masks the hosting origin. Operators preferentially register easily obtainable domains (notably on the .top TLD) with scam-relevant names and have deployed over 2,000 phishing sites across 1,500+ IPs.
Captured data flows directly to Telegram: the kit includes a documented tutorial and scripts to configure a Telegram bot (examples: xiugou_example_bot) that receives submitted personal details, payment information, IP addresses, and browser telemetry. This exfiltration channel preserves stolen credentials even if individual phishing pages are taken down; the backend executable (SynPhishServer) and the Telegram integration form the core tooling for data collection and operator monitoring.
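The three behaviours described above (central asset hosting that leaks each installation through the Referer header, an admin panel at /admin on cheap scam-themed domains, and exfiltration through Telegram bots) can all be hunted for in ordinary egress-proxy logs. The script below is an added example written for this summary; it is not code from Netcraft or from the kit. The log format is a constructed proxy-style access log, the sample lines and the bot token are made up, the brand keyword list is an assumption, and it assumes the kit talks to the public Telegram Bot API (api.telegram.org/bot<id>:<token>/<method>), which the source does not state explicitly.

```python
"""Hunting for Xiū gǒu-style phishing activity in proxy logs.

Added example (not code from Netcraft or from the kit). Log lines are
constructed; the Telegram bot token is fake; the egress-proxy log format
is an assumption chosen for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Kit-asset domain the summary names (installations load shared assets
# from it, so the Referer on those fetches reveals each phishing site).
KIT_ASSET_DOMAINS = ("xiugou.icu",)
# Admin panel path named in the summary.
KIT_ADMIN_PATH = "/admin"
# TLD the summary singles out as cheap and abused.
SUSPECT_TLDS = {"top"}
# Impersonated sectors per the summary; the keyword list is an assumption.
BRAND_KEYWORDS = ("usps", "post", "gov", "bank")

# Assumption: exfiltration goes through the public Telegram Bot API
# (api.telegram.org/bot<id>:<token>/<method>); the summary only says
# "Telegram bots". A web server calling this API is the hunt signal.
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot\d+:[\w-]+/(sendMessage|sendDocument|sendPhoto)\b",
    re.I,
)

# Proxy-style access log: client, ident, [timestamp], "METHOD URL HTTP/x",
# status, bytes, "referer". Constructed format for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    url: str
    referer: str


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_kit_domains(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KIT_ASSET_DOMAINS)


def is_lookalike(host: str) -> bool:
    """Brand keyword on a cheap TLD, e.g. usps-redelivery[.]top."""
    tld = host.rsplit(".", 1)[-1]
    return tld in SUSPECT_TLDS and any(k in host for k in BRAND_KEYWORDS)


def hunt(lines) -> list[Hit]:
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        url, ref = m["url"], m["referer"]
        host = host_of(url)
        path = urlsplit(url).path.rstrip("/") or "/"
        if TELEGRAM_BOT_RE.match(url):
            hits.append(Hit(n, "telegram_bot_exfil", url, ref))
        if in_kit_domains(host):
            hits.append(Hit(n, "kit_asset_fetch", url, ref))
        if is_lookalike(host):
            reason = "admin_panel_on_lookalike" if path == KIT_ADMIN_PATH else "lookalike_domain"
            hits.append(Hit(n, reason, url, ref))
    return hits


def phishing_sites_from_referers(hits) -> set[str]:
    """Turn the kit's installation tracking against it: every Referer on a
    fetch from the kit-asset domain names a deployed phishing site."""
    return {host_of(h.referer) for h in hits if h.reason == "kit_asset_fetch" and h.referer != "-"}


# Constructed sample lines (not real traffic). Line 1: the phishing server
# itself pushing a victim's form data to a bot. Line 2: a victim browser
# loading a shared asset, with the phishing site in the Referer. Line 3: the
# real USPS site (keyword match, legitimate TLD). Line 4: the admin panel on
# a lookalike domain. Line 5: unrelated traffic.
SAMPLE_LOG = [
    '10.0.0.5 - [12/Oct/2024:10:01:02 +0000] "POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly/sendMessage HTTP/1.1" 200 71 "-"',
    '198.51.100.7 - [12/Oct/2024:10:01:05 +0000] "GET https://usps0007.xiugou.icu/static/app.js HTTP/1.1" 200 4096 "https://usps-redelivery.top/"',
    '198.51.100.8 - [12/Oct/2024:10:01:09 +0000] "GET https://www.usps.com/ HTTP/1.1" 200 1200 "-"',
    '203.0.113.9 - [12/Oct/2024:10:02:30 +0000] "GET https://usps-redelivery.top/admin HTTP/1.1" 200 900 "-"',
    '198.51.100.8 - [12/Oct/2024:10:03:00 +0000] "GET https://www.example.com/ HTTP/1.1" 200 600 "-"',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.reason}  {h.url}  referer={h.referer}")
    print("phishing sites seen via referer:", phishing_sites_from_referers(found))
```

Two design points: the lookalike check deliberately requires both a brand keyword and a suspect TLD, so the real www.usps.com is not flagged, and the Telegram rule matches the request URL rather than the destination host alone, because legitimate Telegram client traffic to api.telegram.org is common while a web server calling the bot sendMessage method is not.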
Read more: https://www.netcraft.com/blog/doggo-threat-actor-analysis/