GitBait Campaign

Tags: GitBait, Phishing, PhaaS, Credential Harvesting, GitHub Pages Abuse, SheetBest API
GitBait is an active, large-scale phishing operation that has targeted at least 12 banking and financial institutions in Mexico for approximately three years using a fully serverless architecture. The operation abuses GitHub Pages to host a modular, multi-brand phishing kit across more than 100 distributed domains and exfiltrates harvested credentials, client identifiers, and payment-card data through the SheetBest API into attacker-controlled Google Sheets, with a Telegram bot used as an alternative exfiltration channel for one target. Commit history reveals multiple collaborating operator accounts and continuous maintenance, including periodic rotation of the credential-collection endpoint.

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation / Detection

| Detection Signal | Description |
| --- | --- |
| SheetBest Exfiltration | Alert on outbound HTTPS POST requests to api.sheetbest.com (or resolving to 159.89.254.93) sourced from user browser sessions on banking-related pages. |
| GitHub Pages Brand Abuse | Hunt *.github.io repositories and Pages impersonating institution brands using naming patterns such as [brand]-soporte, soporte-cancelacion, and respaldo. |
| Phishing Kit Fingerprint | Detect cloned pages carrying form id="contact-form" with toggling element IDs id="registro" and id="exito", combined with the Kanit+Play Google Fonts and the campaign's Bootstrap SRI hashes. |
| Obfuscated Script Loading | Flag phishing pages that load external JavaScript from long, randomized, non-semantic paths instead of embedding logic inline. |
| Telegram Exfiltration | Detect hardcoded Telegram bot tokens / chat IDs in page source and outbound requests to api.telegram.org from web sessions not expected to use Telegram. |
| Direct-Link Delivery Marker | Treat pages carrying <meta name="robots" content="noindex, nofollow"> alongside full Open Graph banking-brand metadata as likely messaging-delivered phishing lures. |
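The page-source signals above (kit form and element IDs, Kanit+Play fonts, the noindex marker with Open Graph metadata, hardcoded Telegram tokens) can be checked together over fetched HTML. The following is an added example, not code from this report or from the kit: the signal labels, the `MIN_OG_TAGS` threshold and the sample page are assumptions, and the Bootstrap SRI check is left out because the hashes are not listed here.

```python
import re
from html.parser import HTMLParser

# Telegram bot tokens look like <numeric bot id>:<35-character secret>.
TELEGRAM_TOKEN = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
MIN_OG_TAGS = 3  # assumption: what counts as "full" Open Graph metadata

class KitParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.ids, self.form_ids, self.og = set(), set(), set()
        self.fonts, self.robots = set(), ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if "id" in a:
            self.ids.add(a["id"])
            if tag == "form":
                self.form_ids.add(a["id"])
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.robots = a.get("content", "").lower()
        if tag == "meta" and a.get("property", "").startswith("og:"):
            self.og.add(a["property"])
        if tag == "link" and "fonts.googleapis.com" in a.get("href", ""):
            # Handles both css?family=A|B and css2?family=A&family=B forms.
            self.fonts |= set(re.findall(r"(?:family=|\|)([A-Za-z+]+)", a["href"]))

def fingerprint(html):
    """Return the set of campaign signals present in one page's source."""
    p = KitParser()
    p.feed(html)
    robots = set(re.split(r"[,\s]+", p.robots))
    hits = set()
    if "contact-form" in p.form_ids and {"registro", "exito"} <= p.ids:
        hits.add("kit-form")
    if {"Kanit", "Play"} <= p.fonts:
        hits.add("kit-fonts")
    if {"noindex", "nofollow"} <= robots and len(p.og) >= MIN_OG_TAGS:
        hits.add("direct-link-marker")
    if TELEGRAM_TOKEN.search(html):
        hits.add("telegram-token")
    return hits

# Constructed sample page (not taken from a real lure).
SAMPLE = """<head><meta name="robots" content="noindex, nofollow">
<meta property="og:title" content="Banco Ejemplo"><meta property="og:image" content="x.png">
<meta property="og:description" content="Soporte">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Kanit&amp;family=Play">
</head><form id="contact-form"><div id="registro"></div><div id="exito"></div></form>"""
```

Any single hit is weak on its own; the form, font and marker signals appearing together on one page is the combination the guidance describes.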
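For the network-side signals (SheetBest and Telegram exfiltration, GitHub Pages naming patterns), the sketch below triages web-proxy records. It is an added example, not tooling from this report: the record fields (`method`, `host`, `dst_ip`, `path`, `referer`), the severity labels and the sample records are assumptions.

```python
import re
from urllib.parse import urlsplit

SHEETBEST_IPS = {"159.89.254.93"}  # address given in the guidance above
# Naming patterns from the guidance: [brand]-soporte, soporte-cancelacion, respaldo.
LURE_NAME = re.compile(r"^[a-z0-9-]*(soporte|respaldo)[a-z0-9-]*\.github\.io$")

def is_lure_host(host):
    """True when a *.github.io host name follows the campaign's naming habit."""
    return bool(LURE_NAME.match(host.lower().rstrip(".")))

def triage(rec):
    """Classify one proxy record as 'high', 'medium', 'hunt' or None."""
    host = rec["host"].lower()
    ref_host = urlsplit(rec.get("referer") or "").hostname or ""
    from_pages = ref_host.endswith(".github.io")
    sheetbest = rec["method"] == "POST" and (
        host == "api.sheetbest.com" or rec.get("dst_ip") in SHEETBEST_IPS)
    # Bot API calls use /bot<token>/<method> and may be GET or POST.
    telegram = host == "api.telegram.org" and rec.get("path", "").startswith("/bot")
    if sheetbest or telegram:
        return "high" if from_pages else "medium"
    if is_lure_host(host):
        return "hunt"
    return None

# Constructed proxy records; hosts, paths and addresses are placeholders.
RECORDS = [
    {"method": "POST", "host": "api.sheetbest.com", "dst_ip": "159.89.254.93",
     "path": "/PLACEHOLDER", "referer": "https://banco-ejemplo-soporte.github.io/"},
    {"method": "GET", "host": "api.telegram.org", "dst_ip": "203.0.113.7",
     "path": "/botEXAMPLE/sendMessage", "referer": ""},
    {"method": "GET", "host": "respaldo-ejemplo.github.io", "dst_ip": "203.0.113.8",
     "path": "/", "referer": ""},
    {"method": "GET", "host": "octocat.github.io", "dst_ip": "203.0.113.8",
     "path": "/", "referer": ""},
]

def run(records):
    return [triage(r) for r in records]
```

The `hunt` tier is a lead for review rather than an alert, since ordinary projects can also use these words in a Pages host name.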

Observed Countries: 250
