Cybersecurity researchers have unveiled a new phishing kit called Xiū gǒu, used in recent campaigns across Australia, Japan, Spain, the United Kingdom, and the United States.
This kit, active since at least September 2024, has enabled cybercriminals to set up more than 2,000 phishing sites, primarily targeting sectors such as government, postal services, digital platforms, and banking.
According to the report, operators of Xiū gǒu routinely put their pages behind Cloudflare's anti-bot protections and use hosting obfuscation, so the phishing pages load for human victims but not for the crawlers and URL scanners that security vendors use to flag them.
The kit, first documented by researchers in September, packages the whole phishing workflow, so that even low-skilled attackers can run campaigns that harvest credentials and other sensitive data.
Xiū gǒu was written by a Chinese-speaking developer and ships with an admin panel for managing campaigns and extracting harvested credentials and personal data.
The kit is built in Go with a Vue.js front end, hosts its phishing pages on ".top" domains, and forwards captured data directly to the operators via Telegram.
The lures are typically delivered as Rich Communication Services (RCS) messages claiming that the recipient owes a parking fine or has missed a package delivery. Each message carries a shortened link that leads to a fake payment page, where the victim is asked to enter personal information to settle the supposed charge.
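To make the lure pattern concrete, here is an added Python example (not part of the report and not code from the Xiū gǒu kit) that triages constructed SMS/RCS messages using the signals the campaign exposes: parking-fine and missed-delivery wording, shortened links, and links to the ".top" TLD. The shortener list, the lure phrases, the home-country prefix and the scoring weights are assumptions to tune against your own telemetry, and the sample messages are constructed for this example.

```python
"""Heuristic triage for smishing/RCS lures (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Assumption: URL shorteners commonly used to hide the landing page; extend from telemetry.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "rb.gy", "cutt.ly"}
# The ".top" TLD is the one the reporting attributes to Xiū gǒu pages.
SUSPICIOUS_TLDS = {"top"}
# Assumption: lure phrases matching the parking-fine / missed-delivery themes.
LURE_PATTERNS = {
    "parking_fine": re.compile(r"\bparking\s+(?:fine|penalty|ticket)\b", re.I),
    "missed_delivery": re.compile(
        r"\b(?:missed|failed|unable to|could not be)\s+(?:deliver\w*|package|parcel)\b", re.I),
    "reschedule": re.compile(r"\b(?:redeliver|reschedule)\w*", re.I),
    "urgency": re.compile(r"\b(?:pay|act|respond)\s+(?:now|immediately|within\s+\d+)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Weights are assumptions; tune them against labelled data before relying on the verdicts.
WEIGHTS = {"lure": 1, "shortener": 2, "suspicious_tld": 3, "international": 1}
PHISHING_THRESHOLD = 3


def extract_urls(text: str) -> list:
    return URL_RE.findall(text)


def host_and_tld(url: str) -> tuple:
    host = (urlparse(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return host, tld


def triage(sender: str, body: str, home_prefix: str = "+44") -> dict:
    """Score one message; home_prefix is the organisation's own country code (assumption)."""
    reasons = []
    for name, pattern in LURE_PATTERNS.items():
        if pattern.search(body):
            reasons.append((f"lure phrase: {name}", WEIGHTS["lure"]))
    for url in extract_urls(body):
        host, tld = host_and_tld(url)
        if host in SHORTENERS:
            reasons.append((f"shortened link: {host}", WEIGHTS["shortener"]))
        if tld in SUSPICIOUS_TLDS:
            reasons.append((f"suspicious TLD .{tld}: {host}", WEIGHTS["suspicious_tld"]))
    # Mirrors the 'unknown international number' filter the messaging apps are adding.
    if sender.startswith("+") and not sender.startswith(home_prefix):
        reasons.append(("international sender", WEIGHTS["international"]))
    score = sum(weight for _, weight in reasons)
    if score >= PHISHING_THRESHOLD:
        verdict = "likely phishing"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"sender": sender, "score": score, "verdict": verdict,
            "reasons": [reason for reason, _ in reasons]}


# Constructed sample messages for this example; not real campaign data.
SAMPLE_MESSAGES = [
    ("+12025550142", "Your package could not be delivered. Reschedule here: https://bit.ly/3xq9Zz"),
    ("+61480012345", "Unpaid parking fine. Pay now to avoid a penalty: https://fine-pay-au.top/notice"),
    ("+447700900123", "Running late, see you at the station. https://maps.google.com/?q=Kings+Cross"),
]


def triage_all(messages=SAMPLE_MESSAGES, home_prefix: str = "+44") -> list:
    return [triage(sender, body, home_prefix) for sender, body in messages]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['sender']}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("   -", reason)
```

Static heuristics like these are a first-pass filter, not a verdict: a shortened link is only suspicious in context, so in production the next step is to resolve the redirect chain in a sandbox and compare the landing domain against the same TLD and lure checks.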
RCS, supported by both Apple Messages and Google Messages, adds features such as file sharing and optional end-to-end encryption (E2EE); E2EE protects the message in transit but does nothing to stop a phishing link from reaching the recipient.
Messaging providers have recently begun adding anti-phishing controls to these platforms, including machine-learning scam filters and pilot programs in regions such as India, Thailand, Malaysia, and Singapore that warn users about messages containing suspicious links. A further feature lets users block messages from unknown international numbers by routing them automatically to a spam folder.
Alongside these findings, other phishing activity has surfaced. One campaign targets Facebook business users in Taiwan with a fake PDF lure that directs victims to download stealer malware hosted on Dropbox or Google services.
Another campaign, impersonating OpenAI, reached more than 1,000 business recipients, urging them to update their payment details through a fraudulent link in the email. The message was built to slip past filters: it used multiple hyperlinks and passed DKIM and SPF checks. Those checks only confirm that the message came from infrastructure authorized for the sending domain and was not altered in transit; an attacker who controls the sending domain passes both while still impersonating a brand in the display name and body.
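The DKIM/SPF point is worth seeing in code. The following added Python example (not from the reported campaign or from any vendor's tooling) parses a constructed email, reads its Authentication-Results header, and shows that spf=pass and dkim=pass together with an aligned From domain still say nothing about whether the display name is honest. The brand allowlist, the reserved `.example` domains and both sample messages are constructed assumptions for this example.

```python
"""Why spf=pass/dkim=pass does not mean 'legitimate sender' (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands you protect and the domains they legitimately send from.
BRAND_DOMAINS = {"openai": {"openai.com"}}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")
HREF_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.I)


def domain_of(value: str) -> str:
    """Return the domain part of an address, or the value itself if it has no '@'."""
    return value.rsplit("@", 1)[-1].strip().lower()


def analyze(raw_email: str) -> dict:
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # Authentication-Results is normally added by the receiving MTA; here it is part of the sample.
    ar = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(AUTH_RE.findall(ar))            # e.g. {'spf': 'pass', 'dkim': 'pass', ...}
    props = {k: domain_of(v) for k, v in PROP_RE.findall(ar)}

    # Domains that the SPF and DKIM checks actually vouched for.
    authenticated = {props.get("smtp.mailfrom"), props.get("header.d")} - {None}
    # Strict DMARC-style alignment: the visible From domain must be one of them.
    aligned = from_domain in authenticated

    # Brand named in the display name while the From domain is not on that brand's allowlist.
    impersonated = None
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in legit_domains:
            impersonated = brand

    body = msg.get_payload() if not msg.is_multipart() else ""
    link_hosts = sorted({(urlparse(u).hostname or "").lower() for u in HREF_RE.findall(body)})
    off_domain_links = [h for h in link_hosts
                        if h != from_domain and not h.endswith("." + from_domain)]

    authenticated_ok = results.get("spf") == "pass" and results.get("dkim") == "pass"
    if impersonated:
        verdict = (f"brand impersonation: '{display_name}' sent from {from_domain}, "
                   f"which is not a {impersonated} domain")
    elif not authenticated_ok or not aligned:
        verdict = "authentication failed or unaligned"
    else:
        verdict = "authenticated and aligned"

    return {
        "spf": results.get("spf"), "dkim": results.get("dkim"), "dmarc": results.get("dmarc"),
        "from_domain": from_domain, "display_name": display_name, "aligned": aligned,
        "brand_impersonation": impersonated, "link_hosts": link_hosts,
        "off_domain_links": off_domain_links, "verdict": verdict,
    }


# Constructed sample: SPF and DKIM pass for the attacker's own (reserved-TLD) domain.
PHISH_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=openai-billing.example; dkim=pass header.d=openai-billing.example; dmarc=pass header.from=openai-billing.example
From: "OpenAI Billing" <billing@openai-billing.example>
To: finance@example.org
Subject: Action required: update your payment details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your last payment failed. <a href="https://billing-update.example/account">Update payment details</a></p>
<p><a href="https://openai-billing.example/help">Help</a> | <a href="https://openai-billing.example/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

# Constructed control: the same checks pass, but the From domain is on the brand allowlist.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=openai.com; dkim=pass header.d=openai.com; dmarc=pass header.from=openai.com
From: "OpenAI" <noreply@openai.com>
To: finance@example.org
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://openai.com/receipt">View receipt</a></p></body></html>
"""

if __name__ == "__main__":
    for sample in (PHISH_EMAIL, LEGIT_EMAIL):
        report = analyze(sample)
        print(report["verdict"], "| off-domain links:", report["off_domain_links"])
```

The lesson for filter rules is that "spf=pass dkim=pass" is a reason to trust the domain that was authenticated, not the name shown to the user; display-name brand matching and off-domain link hosts are the checks that catch this class of mail.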
To counter phishing kits like Xiū gǒu, organizations should enforce multi-factor authentication (MFA), preferring phishing-resistant methods such as FIDO2 security keys or passkeys where possible, since a kit that captures a password on a fake page can just as easily prompt for a one-time code, and should train employees regularly to recognize suspicious messages and URLs.
Organizations should also monitor their communication channels automatically for anomalous activity, such as lure wording, shortened links, and unfamiliar domains, to reduce the risk of credential theft.