What Is Xiū gǒu?
Xiū gǒu (修狗, Mandarin internet slang roughly translating to "doggo") is a Chinese-developed phishing kit that emerged in September 2024, leveraging modern web technologies and Rich Communication Services (RCS) messaging to distribute phishing campaigns impersonating government agencies, postal services, banking institutions, and digital service providers across multiple countries. The kit employs a Vue.js frontend, Golang backend infrastructure, and operates across more than 2,000 known phishing websites with connections to over 1,500 IP addresses, according to Netcraft's November 2024 threat intelligence analysis.
The platform distinguishes itself through its use of RCS messaging rather than traditional SMS for phishing link distribution, enabling richer formatting and improved tracking capabilities that make fraudulent communications appear more legitimate. Named after its Chinese-language admin panel title "xiū gǒu yuánmǎ" (修狗源码, meaning "doggo source code"), the kit demonstrates sophisticated technical implementation while maintaining accessibility for threat actors through its relatively straightforward deployment model.
How Does Xiū gǒu Work?
Xiū gǒu operates through a multi-component architecture that combines modern development frameworks with cloud infrastructure obfuscation to deliver phishing campaigns at scale. The kit's technical implementation reflects professional software engineering practices adapted for malicious purposes.
The attack workflow begins with distribution via Rich Communication Services, the enhanced messaging protocol that major mobile carriers have adopted as an SMS replacement. Unlike traditional SMS, RCS supports rich media, read receipts, typing indicators, and verified sender branding, making phishing messages appear significantly more legitimate. Xiū gǒu operators send messages impersonating government payment notices, postal delivery notifications, banking alerts, or public utility payment demands. These messages include shortened URLs or direct links to phishing pages hosted on Cloudflare's infrastructure.
When victims click these links, they reach phishing landing pages built using Vue.js, a modern JavaScript framework commonly used for legitimate web application development. The choice of Vue.js enables Xiū gǒu to create interactive, responsive phishing pages that closely mimic genuine government and banking portals. These pages include form validation, loading animations, and multi-step workflows that enhance credibility compared to simple static HTML phishing pages common in older kits.
The backend infrastructure utilizes an executable called "SynPhishServer" written in Golang. This server component handles credential capture, session management, and data exfiltration. Golang's efficient performance characteristics and cross-platform compatibility enable Xiū gǒu operators to deploy phishing infrastructure quickly across diverse hosting environments. The server architecture supports concurrent handling of multiple victim sessions, enabling campaigns to scale effectively.
Captured credentials are immediately exfiltrated through Telegram bot integration. When victims submit usernames, passwords, payment card details, or personal information on phishing pages, the SynPhishServer backend forwards this data to Telegram channels controlled by the operators. This approach provides real-time notification of successful compromises and creates a simple management interface for collected data without requiring operators to maintain separate credential storage databases that could be seized in law enforcement actions.
Infrastructure obfuscation represents a critical component of Xiū gǒu's operational security. The kit leverages Cloudflare's content delivery network, DDoS protection, and Turnstile anti-bot services to obscure the true origin of phishing servers. According to Netcraft's analysis, Xiū gǒu campaigns rotate across 1,500+ IP addresses, making network-level blocking difficult and enabling operators to quickly establish new infrastructure when existing servers are detected and blocked. This rotation strategy also complicates forensic investigation and attribution efforts.
The platform's targeting scope spans multiple countries and service categories. In the United States, Xiū gǒu campaigns impersonate the United States Postal Service (USPS) with fake delivery notifications and package tracking lures. UK-focused campaigns clone UK Government (gov.uk) websites, Driver and Vehicle Standards Agency (DVSA) pages, and Services Australia portals. Spanish campaigns target banking institutions, while Australian users encounter fake Services Australia notices. Additional campaigns have targeted Japan, New Zealand Post, and the Australian toll road operator Linkt, according to The Hacker News coverage from November 2024.
The kit's Chinese origins are evident in the admin panel interface, which displays in Mandarin Chinese. While this creates potential barriers for non-Chinese-speaking threat actors, the platform's growing adoption suggests either multilingual documentation exists or the technical simplicity allows deployment without deep understanding of the administrative interface.
How Does Xiū gǒu Differ From Other Phishing Kits?
| Aspect | Xiū gǒu | Sniper Dz | V3B | GhostFrame |
|---|---|---|---|---|
| Country of Origin | China | Unknown | EU/Unknown | Unknown |
| Technology Stack | Vue.js + Golang | Traditional web stack | PHP-based | HTML/JS + iframes |
| Distribution Channel | RCS messaging | SMS/Email | Email/SMS | Email attachments |
| Infrastructure Scale | 2,000+ sites, 1,500+ IPs | 140,000+ sites | Unknown (hundreds estimated) | 1M+ attacks in 3 months |
| Geographic Targeting | US, UK, Spain, Australia, Japan | Primarily US | EU (12 countries) | Global |
| Launch Timeline | September 2024 | Pre-2023 | March 2023 | September 2025 |
| Primary Impersonation | Government/postal/banking | Social platforms | Banking (54 institutions) | Microsoft 365/Google |
| Cloudflare Dependency | Heavy (core infrastructure) | Minimal | Unknown | Not documented |
| Ideal for | Government impersonation | Mass consumer phishing | European banking | Cloud credential theft |
Xiū gǒu's most distinctive characteristic is its embrace of RCS messaging for phishing distribution. While traditional phishing kits rely on SMS or email, Xiū gǒu leverages RCS's enhanced capabilities to create more convincing social engineering lures. RCS messages can include branded sender identification, rich formatting with images and buttons, and delivery confirmation—features that significantly increase perceived legitimacy compared to plain-text SMS. This technical differentiation reflects the kit developers' understanding of emerging communication technologies and willingness to adopt newer platforms before widespread defensive measures exist.
The modern technology stack sets Xiū gǒu apart from older phishing frameworks. Vue.js and Golang represent current professional development tools rather than legacy PHP or basic HTML/JavaScript common in established kits. This choice suggests the kit's developers possess contemporary software engineering skills and prioritized performance and maintainability. Vue.js enables reactive, single-page application experiences that closely mimic legitimate government and banking portals, while Golang's compiled nature provides performance advantages over interpreted languages and complicates reverse engineering efforts compared to PHP source code.
Xiū gǒu's infrastructure rotation strategy operates at exceptional scale compared to many competitors. The documented 1,500+ IP addresses across 2,000+ phishing websites indicates substantial investment in infrastructure diversification. While GhostFrame achieved higher attack volume (1 million+ attacks in three months), its infrastructure approach differs—GhostFrame uses dynamic subdomain generation rather than IP rotation. V3B's infrastructure details remain less documented, but its focused targeting of 54 specific European banks suggests smaller-scale infrastructure than Xiū gǒu's broad geographic and sector targeting.
The kit's geographic scope reflects opportunistic targeting rather than specialization. V3B concentrates exclusively on European banking with deep customization for PhotoTAN and SmartID authentication systems. In contrast, Xiū gǒu spreads across multiple continents and sectors, impersonating whatever institutions provide effective social engineering opportunities in each market. This breadth-over-depth approach enables rapid expansion to new markets but potentially sacrifices the specialized authentication bypass capabilities that make V3B effective against sophisticated banking targets.
Xiū gǒu's Chinese origin and Mandarin admin panel distinguish it from most documented phishing kits. While attribution remains uncertain for many phishing platforms, Xiū gǒu's naming, language, and targeting patterns (including significant focus on Asia-Pacific markets) clearly indicate Chinese development. This geographic origin may explain the kit's RCS adoption, as messaging platforms in China have long offered rich communication features that Western markets are only recently standardizing through RCS.
Why Does Xiū gǒu Matter?
Xiū gǒu demonstrates how phishing kit development has evolved to incorporate modern development practices and emerging communication technologies, creating threats that traditional defensive measures struggle to address. The platform's rapid deployment following its September 2024 emergence—reaching 2,000+ websites within months according to Netcraft's tracking—indicates significant threat actor adoption and operational effectiveness.
The kit's use of RCS messaging exploits a gap in organizational security awareness and defensive posture. Most security training emphasizes email phishing recognition, with growing attention to SMS-based smishing. However, RCS remains unfamiliar to many users and security teams despite carrier-level deployment across major networks. Xiū gǒu's operators leverage this knowledge gap, using RCS's legitimate-appearing features to bypass user skepticism that might detect traditional SMS phishing. As carriers increasingly enable RCS by default on modern smartphones, this attack vector's potential impact expands.
Government and postal service impersonation creates unique victim vulnerability compared to commercial brand phishing. Citizens generally trust communications purporting to come from government agencies, particularly when they involve time-sensitive matters like payment notices, fines, or delivery problems. SC Media's November 2024 coverage noted that Xiū gǒu's lures frequently invoke urgent scenarios requiring immediate action—unpaid toll fees, customs charges on packages, or overdue government payments—that pressure victims into clicking without careful verification. This psychological manipulation proves particularly effective against populations with limited cybersecurity awareness.
The infrastructure scale supported by Xiū gǒu's architecture enables threat actors with modest technical skills to conduct campaigns affecting thousands of potential victims. The kit's Telegram bot integration provides simplified credential management without requiring operators to maintain databases or command-and-control servers that might expose their identity. This ease of use, combined with the modern technology stack's capabilities, lowers barriers to entry for phishing operations while improving success rates through convincing user interfaces.
Xiū gǒu's Cloudflare dependency illustrates both the challenges and opportunities in disrupting phishing infrastructure. The platform's heavy reliance on Cloudflare for hosting, content delivery, and anti-bot protection creates concentration risk—if Cloudflare implements aggressive detection and blocking of Xiū gǒu patterns, the kit's effectiveness could decline substantially. However, CyberStash's 2024 advisory noted that Cloudflare's legitimate services make distinguishing malicious from benign usage difficult, enabling Xiū gǒu to persist by mimicking normal website behavior until reported.
The kit's international scope demonstrates coordination or knowledge sharing among geographically distributed threat actors. With targeting spanning the United States, United Kingdom, Spain, Australia, and Japan, Xiū gǒu either serves multiple distinct operator groups or indicates that a single sophisticated group has developed localized lures for diverse markets. Either scenario suggests organizational maturity beyond individual opportunistic attackers, pointing toward commercialized phishing operations or collaborative cybercriminal networks.
What Are the Limitations of Xiū gǒu?
Despite its sophisticated design, Xiū gǒu faces several operational and technical constraints that limit its effectiveness and sustainability.
RCS adoption dependency creates geographic and demographic limitations. While RCS has achieved significant penetration in the United States, United Kingdom, and Australia—Xiū gǒu's primary target markets—adoption remains incomplete globally. Many users maintain older devices that lack RCS support or use carriers that have not enabled the protocol. When RCS messages reach non-compatible devices, they fall back to traditional SMS, losing the rich formatting and sender verification features that enhance Xiū gǒu's credibility. This technical limitation reduces effectiveness in markets with lower smartphone penetration or among demographic groups that upgrade devices infrequently.
Cloudflare infrastructure visibility creates centralized disruption opportunities. Xiū gǒu's heavy reliance on Cloudflare services means the platform's effectiveness depends partly on this provider's tolerance for abuse. As security researchers identify Xiū gǒu phishing domains and report them to Cloudflare, the provider can terminate accounts and implement pattern-based detection that blocks similar infrastructure before it becomes active. Netcraft's detailed November 2024 analysis provides security vendors with technical indicators that enable proactive identification of Xiū gǒu infrastructure, potentially accelerating this disruption cycle. Unlike fully distributed peer-to-peer phishing infrastructure, this centralization creates a controllable chokepoint.
Mandarin admin panel complicates international adoption. While Xiū gǒu successfully targets multiple countries, its Chinese-language administrative interface creates barriers for non-Mandarin-speaking threat actors who might otherwise adopt the kit. This language limitation may explain why, despite the kit's technical sophistication and documented success, it has not achieved the market penetration of English-language alternatives like GoPhish or multilingual commercial offerings. Translation efforts or simplified control panels could expand adoption, but maintaining an exclusively Chinese interface currently constrains the operator demographic.
IP rotation overhead creates operational costs. Maintaining connections to 1,500+ IP addresses requires either substantial infrastructure investment or reliance on compromised systems and proxy networks. Each IP address represents hosting costs, configuration overhead, and potential forensic exposure. While this rotation complicates defender blocking efforts, it also increases the kit's operational complexity and cost compared to simpler single-server deployments. As law enforcement agencies improve at tracking phishing infrastructure, these numerous IP addresses may become liabilities rather than assets, providing multiple investigation entry points.
Brand-specific targeting enables proactive defense. Xiū gǒu's impersonation of well-known government agencies and postal services means targeted organizations can monitor for fraudulent domains and implement takedown procedures. Organizations like USPS, UK Government Digital Service, and Services Australia maintain cybersecurity teams that track phishing activity impersonating their brands. As Xiū gǒu's tactics become documented through security research, these organizations can develop specific countermeasures including user education, domain monitoring automation, and coordination with registrars for accelerated takedowns. Unlike generic phishing that spreads across countless brands, concentrated impersonation focuses defensive attention.
How Can Organizations Defend Against Xiū gǒu?
Effective defense against Xiū gǒu requires addressing both the RCS distribution channel and the phishing infrastructure itself, combining technical controls with user education.
Implement RCS message filtering and security controls. Organizations should work with mobile device management providers and carriers to implement RCS message filtering comparable to existing SMS and email security controls. This includes blocking messages containing URLs from recently registered domains, flagging messages from senders without verified business credentials, and quarantining messages that match known phishing patterns. Enterprise mobile management platforms should enforce policies that warn users when clicking links in RCS messages, particularly those claiming to come from government or financial institutions. Carrier-level filtering can reduce Xiū gǒu distribution effectiveness before messages reach end users.
Migrate to phishing-resistant authentication methods. Organizations targeted by Xiū gǒu campaigns—particularly government agencies and financial institutions—should implement authentication methods that resist credential harvesting attacks. FIDO2 hardware security keys and WebAuthn browser-based authentication provide cryptographic verification that prevents credential submission to phishing sites. For government services and banking applications, replacing password-based authentication with mobile app-based biometric verification eliminates the username-password credential capture that Xiū gǒu relies upon. Even when users reach phishing pages, phishing-resistant authentication prevents account compromise.
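The reason WebAuthn holds up even when a user lands on a Xiū gǒu page is that the relying party verifies the origin the browser recorded in clientDataJSON and the rpIdHash in authenticatorData, both of which are covered by the authenticator's signature. The following is an added illustration, not code from the page or from any WebAuthn library: it implements just the type, challenge, origin and rpIdHash checks of the relying-party verification procedure. The origin `https://login.example.gov`, the RP ID `login.example.gov`, the lookalike origin and the challenge bytes are all constructed for the example; the signature check over authenticatorData || SHA-256(clientDataJSON) is omitted.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed relying-party configuration (hypothetical official service).
RP_ORIGIN = "https://login.example.gov"
RP_ID = "login.example.gov"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError):
        return b""


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Build the clientDataJSON a browser at `origin` would hand to the authenticator.
    Constructed stand-in for what the browser produces; the origin field is set by
    the browser from the page's actual origin, not by page script."""
    return json.dumps(
        {"type": typ, "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str, expected_type: str = "webauthn.get"):
    """Relying-party checks on clientDataJSON: type, challenge, origin.
    Returns (ok, reason). A lookalike phishing origin fails the origin check."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if data.get("type") != expected_type:
        return False, "unexpected type"
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % data.get("origin")
    return True, "ok"


def rp_id_hash_matches(authenticator_data: bytes, rp_id: str) -> bool:
    """First 32 bytes of authenticatorData must equal SHA-256 of the RP ID."""
    expected = hashlib.sha256(rp_id.encode()).digest()
    return len(authenticator_data) >= 32 and hmac.compare_digest(authenticator_data[:32], expected)


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed challenge; use os.urandom in practice
    genuine = make_client_data(RP_ORIGIN, challenge)
    spoofed = make_client_data("https://login-example-gov.com", challenge)  # constructed lookalike
    print(verify_client_data(genuine, challenge, RP_ORIGIN))
    print(verify_client_data(spoofed, challenge, RP_ORIGIN))
```

The origin check is the step that matters against a credential-harvesting page: a Xiū gǒu clone can copy the login form, but it cannot make the victim's browser write the official origin into clientDataJSON, and the browser will not even expose a credential scoped to `login.example.gov` to a page on another domain. Password fields have no equivalent binding, which is why the text above recommends replacing them.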
Maintain whitelists of verified institutional domains. Security teams should establish and regularly update whitelists of legitimate government, postal, and banking domains for their user populations. Browser extensions, mobile security apps, and network security gateways can reference these whitelists to warn users when navigating to sites that mimic legitimate institutions but use different domains. For frequently targeted institutions like USPS (usps.com) and UK Government (gov.uk), organizations can implement hard-coded domain verification that alerts users whenever they enter credentials on sites that closely resemble but don't exactly match the verified domain.
Monitor and report Xiū gǒu infrastructure to Cloudflare. Security researchers and organizations encountering Xiū gǒu phishing sites should report them to Cloudflare's abuse contact mechanisms. Because the kit depends heavily on Cloudflare infrastructure, coordinated reporting accelerates takedowns and helps Cloudflare develop pattern-based detection for Xiū gǒu campaigns. Organizations should participate in information sharing communities like the Anti-Phishing Working Group to coordinate reporting efforts and track Xiū gǒu's infrastructure evolution, enabling proactive blocking before users encounter active phishing sites.
Educate users on government communication practices. User awareness training should emphasize that legitimate government agencies, postal services, and utilities do not send urgent payment requests or account verification demands via RCS, SMS, or email with embedded links. Instead, these organizations send informational notifications directing users to log into official websites or mobile apps directly. Training should specifically address RCS's enhanced formatting capabilities, explaining that sophisticated appearance does not guarantee legitimacy. Users should be instructed to verify unexpected payment requests by independently navigating to official websites rather than clicking provided links.
Implement URL analysis and link rewriting. Email security gateways and mobile security solutions should implement real-time URL analysis that checks links in RCS and SMS messages against threat intelligence feeds, domain age databases, and phishing indicators before allowing user access. Link rewriting services can interpose warnings when users click URLs from messages, displaying domain information and safety ratings before the destination loads. For Xiū gǒu campaigns, this analysis can identify recently registered domains mimicking government agencies, Cloudflare-hosted sites without business verification, and domains resolving to IP addresses associated with known phishing infrastructure.
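The three controls above (RCS message filtering, allowlists of verified institutional domains, and URL analysis with domain-age and lookalike checks) share one piece of logic: pull the URLs out of a message, compare their hosts against the allowlist, and score what is left. The block below is an added example of that triage, not code from the page or from any vendor product. The allowlisted domains follow the institutions the page names (usps.com, gov.uk, Services Australia, Linkt); the brand keyword list, the shortener list, the two-entry public-suffix stand-in, the registration-date table (standing in for a WHOIS/RDAP lookup, which would need network access) and the four sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Allowlist of official domains; subdomains of each are treated as official.
# Constructed for the example from the institutions named on the page.
OFFICIAL_DOMAINS = ("usps.com", "gov.uk", "servicesaustralia.gov.au", "linkt.com.au")

# Brand tokens that suggest impersonation when they appear in a non-official host.
BRAND_KEYWORDS = ("usps", "gov", "dvsa", "servicesaustralia", "linkt")

# Public URL shorteners (constructed sample list) and a tiny stand-in for the
# Public Suffix List, used only to pick the registrable domain for age lookup.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.au", "gov.au"}

# Constructed registration dates standing in for a WHOIS/RDAP query.
REGISTRATION_DATES = {
    "usps-redelivery-fee.com": date(2024, 10, 28),
    "gov-uk-payment.info": date(2024, 11, 2),
}
RECENT_DAYS = 30

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    host: str
    reasons: list


def is_official(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def registrable_domain(host: str) -> str:
    """Last label plus one, or last two labels plus one for known multi-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_message(text: str, sender_verified: bool, today: date = date(2024, 11, 5)):
    """Return one Finding per URL that is not on the allowlist, with the reasons it was flagged."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if is_official(host):
            continue  # link to an allowlisted institution: nothing to flag
        reasons = []
        if host in SHORTENERS:
            reasons.append("url-shortener")
        if any(k in host for k in BRAND_KEYWORDS):
            reasons.append("brand-lookalike")
        registered = REGISTRATION_DATES.get(registrable_domain(host))
        if registered is not None and (today - registered).days < RECENT_DAYS:
            reasons.append("recently-registered")
        if not sender_verified:
            reasons.append("unverified-sender")
        findings.append(Finding(url, host, reasons))
    return findings


def verdict(findings) -> str:
    """block: lookalike or newly registered domain; warn: anything else flagged; allow: clean."""
    reasons = {r for f in findings for r in f.reasons}
    if reasons & {"brand-lookalike", "recently-registered"}:
        return "block"
    return "warn" if reasons else "allow"


# Constructed sample messages: (text, sender has verified business credentials).
SAMPLE_MESSAGES = [
    ("USPS: your package is held pending a $1.25 redelivery fee. Pay at "
     "https://usps-redelivery-fee.com/track", False),
    ("DVSA: an unpaid vehicle fine is recorded against you. Settle now at "
     "https://pay.gov-uk-payment.info/fine", False),
    ("Your parcel is on its way. Track at https://tools.usps.com/go/TrackConfirmAction", True),
    ("Reminder: your appointment is tomorrow. Details: https://bit.ly/constructed", False),
]


def triage_samples():
    return [verdict(triage_message(text, verified)) for text, verified in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (text, verified), result in zip(SAMPLE_MESSAGES, triage_samples()):
        print(result.upper(), "-", text[:60])
```

The allowlist comparison is deliberately a suffix match rather than a substring match: `tools.usps.com` is official, while `usps-redelivery-fee.com` is not, and the brand keyword check then catches the latter as a lookalike. The domain-age table is where a real gateway would call out to RDAP or a threat-intelligence feed; the rest of the logic does not change.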
Coordinate with postal and government agencies. Organizations should establish reporting channels with frequently impersonated institutions like USPS, Royal Mail, and Australia Post. These agencies maintain fraud reporting systems and often coordinate with law enforcement for large-scale phishing investigations. Rapid reporting enables agencies to issue public warnings, update their own anti-fraud communications, and potentially pursue legal action against domain registrars and hosting providers enabling Xiū gǒu campaigns. This coordination creates feedback loops that accelerate defensive response times.
FAQs
What does "Xiū gǒu" actually mean and why was this name chosen?
"Xiū gǒu" (修狗) is Mandarin Chinese internet slang that roughly translates to "doggo," the English internet slang term for a small or cute dog. The name comes from the phishing kit's administrative panel, which displays the title "xiū gǒu yuánmǎ" (修狗源码), meaning "doggo source code." Netcraft's researchers, who discovered and analyzed the kit in late 2024, adopted this self-identified name from the admin interface. The choice of a playful, informal name is not unusual in cybercriminal communities, where threat actors often use humor, pop culture references, or deliberately non-threatening names for malicious tools. This naming pattern may serve to make malicious tools feel less serious or to create distinct brand identity in crowded underground markets. The Chinese-language name and admin interface clearly indicate the kit's Chinese origin, though the developers' specific identity and whether they operate as individuals or an organized group remains unknown.
Why does Xiū gǒu use RCS instead of traditional SMS for phishing distribution?
RCS (Rich Communication Services) provides several technical and social engineering advantages over traditional SMS that make phishing campaigns more effective. RCS supports rich formatting including images, buttons, carousels, and branded sender identification that make messages appear more legitimate and professional. Messages can include read receipts and typing indicators similar to messaging apps like WhatsApp, creating the appearance of interactive communication with real organizations. RCS also enables verified sender badges for businesses, and while legitimate verification is required, the presence of rich formatting alone increases user trust compared to plain-text SMS. From a tracking perspective, RCS provides operators with confirmation when messages are delivered and read, enabling them to gauge campaign effectiveness. Additionally, defensive measures for RCS remain less mature than email and SMS security controls because the protocol is newer and less widely understood by security teams. Users who recognize email phishing and increasingly identify SMS smishing may not yet apply the same skepticism to rich-formatted RCS messages that closely resemble legitimate mobile app notifications.
Which organizations and countries are most frequently targeted by Xiū gǒu campaigns?
According to Netcraft's November 2024 analysis and subsequent security research coverage, Xiū gǒu campaigns primarily target government agencies, postal services, and financial institutions across five main countries. In the United States, the most common impersonation targets the United States Postal Service (USPS) with fake delivery notifications, package tracking updates, and customs payment requests. UK-focused campaigns clone UK Government (gov.uk) websites for fake payment notices, Driver and Vehicle Standards Agency (DVSA) pages for vehicle-related fines, and Services Australia portals. Spain experiences campaigns targeting banking institutions with payment verification requests. Australian users encounter impersonations of Services Australia and the toll road operator Linkt requesting payment for overdue fees. Japan has also been targeted, though specific impersonated brands were not detailed in available research. Additional documented targets include Evri (UK parcel delivery), Lloyds Bank, and New Zealand Post. The common pattern across all these targets involves trusted institutions where users expect to receive notifications about payments, deliveries, or government services—scenarios that create urgency and reduce skepticism about unexpected messages.
How many phishing websites are currently using the Xiū gǒu kit?
Netcraft's threat intelligence analysis documented over 2,000 known phishing websites using the Xiū gǒu kit as of their November 2024 publication, with infrastructure spanning more than 1,500 IP addresses. This represents identified sites through Netcraft's monitoring capabilities, meaning the actual total may be higher as some phishing infrastructure may remain undetected or have rotated before discovery. The 2,000+ figure emerged within approximately two months of the kit's initial observation in September 2024, indicating rapid adoption by multiple threat actor groups. For context, while 2,000 sites is substantial, it remains smaller than some long-running phishing platforms—Sniper Dz reportedly powered over 140,000 phishing sites at peak activity. However, Xiū gǒu's growth velocity (achieving 2,000+ sites within months rather than years) suggests strong market adoption. The 1,500+ IP address count indicates sophisticated infrastructure distribution, as this represents either substantial hosting investment or use of compromised systems and proxy networks. Security researchers continue tracking Xiū gǒu infrastructure, so these numbers likely continue evolving as new phishing sites launch and existing ones are detected and taken down.
How can individuals protect themselves from Xiū gǒu phishing attacks?
Individuals should implement several defensive practices to reduce risk from Xiū gǒu and similar phishing campaigns. First, treat all unsolicited RCS or SMS messages requesting urgent payment or account action with extreme skepticism, regardless of how professional or legitimate they appear. Government agencies, postal services, and banks do not send payment links or account verification requests via messaging—they send informational notifications directing you to log into official apps or websites independently. Before clicking any link in a message, verify its legitimacy by calling the organization using an official phone number (not one provided in the suspicious message) or by navigating directly to their website through a web search or bookmarked link. Be particularly suspicious of shortened URLs or unfamiliar domains even if they contain keywords related to the impersonated organization. For sensitive accounts like banking and government services, enable multi-factor authentication using authenticator apps rather than SMS codes, as app-based authentication is more resistant to phishing. Consider using hardware security keys for your most critical accounts, as these provide phishing-resistant protection that prevents credentials from working on fraudulent sites. Keep your mobile device and apps updated, as newer versions may include improved phishing detection. Finally, if you receive a suspicious message, report it to the impersonated organization and delete it rather than simply ignoring it—reporting helps organizations track phishing campaigns and warn other potential victims.