
GitBait Campaign
Remediation / Detection
| Detection Signal | Description |
|---|---|
| SheetBest Exfiltration | Alert on outbound HTTPS POST requests to `api.sheetbest.com` (or resolving to `159.89.254.93`) sourced from user browser sessions on banking-related pages. |
| GitHub Pages Brand Abuse | Hunt `*.github.io` repositories and Pages impersonating institution brands using naming patterns such as `[brand]-soporte`, `soporte-cancelacion`, and `respaldo`. |
| Phishing Kit Fingerprint | Detect cloned pages carrying a form with `id="contact-form"` and toggling element IDs `id="registro"` and `id="exito"`, combined with the Kanit+Play Google Fonts and the campaign's Bootstrap SRI hashes. |
| Obfuscated Script Loading | Flag phishing pages that load external JavaScript from long, randomized, non-semantic paths instead of embedding logic inline. |
| Telegram Exfiltration | Detect hardcoded Telegram bot tokens / chat IDs in page source and outbound requests to `api.telegram.org` from web sessions not expected to use Telegram. |
| Direct-Link Delivery Marker | Treat pages carrying `<meta name="robots" content="noindex, nofollow">` alongside full Open Graph banking-brand metadata as likely messaging-delivered phishing lures. |
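The signals in the table, turned into runnable detection logic as an added example (not part of the original guidance): one function scores constructed proxy log lines for the two network signals, the other fingerprints a constructed page excerpt for the four content signals. The log format, the sample IPs other than `159.89.254.93`, the hostnames, the bot-token regex and the 24-character threshold for "randomized" script paths are assumptions; the campaign's Bootstrap SRI hashes are not on the page, so that check is omitted.

```python
import re

# Constructed sample proxy log lines (method, host, resolved IP, referer); illustrative only.
SAMPLE_PROXY_LOG = [
    "POST api.sheetbest.com 159.89.254.93 https://bancoejemplo-soporte.github.io/",
    "GET cdn.jsdelivr.net 203.0.113.10 https://bancoejemplo-soporte.github.io/",
    "POST api.telegram.org 203.0.113.20 https://soporte-cancelacion.github.io/",
    "POST www.example.com 203.0.113.30 https://intranet.example.com/",
]
EXFIL_HOSTS = {"api.sheetbest.com": "sheetbest_exfiltration",
               "api.telegram.org": "telegram_exfiltration"}
EXFIL_IPS = {"159.89.254.93": "sheetbest_exfiltration"}
BRAND_ABUSE = re.compile(
    r"https?://[^/]*(?:-soporte|soporte-cancelacion|respaldo)[^/]*\.github\.io", re.I)

def flag_proxy_lines(lines):
    """Return (signal, host, referer) hits for the table's two network signals."""
    hits = []
    for line in lines:
        method, host, ip, referer = line.split()
        signal = EXFIL_HOSTS.get(host) or EXFIL_IPS.get(ip)
        if method == "POST" and signal:          # outbound POST to an exfiltration endpoint
            hits.append((signal, host, referer))
        if BRAND_ABUSE.match(referer):            # brand-style github.io naming in referer
            hits.append(("github_pages_brand_abuse", host, referer))
    return hits

# Constructed page excerpt carrying the kit markers from the table; not a captured lure.
SAMPLE_PAGE = """<html><head>
<meta name="robots" content="noindex, nofollow">
<meta property="og:title" content="Banco Ejemplo - Soporte">
<link href="https://fonts.googleapis.com/css2?family=Kanit&family=Play" rel="stylesheet">
<script src="/h7k2m9x4q8w1e5r3t6y0u2i4o6p8a1s3/app.js"></script>
</head><body>
<form id="contact-form"><div id="registro"></div><div id="exito"></div></form>
<script>var token="123456789:ABCdefGHIjklMNOpqrSTUvwxYZ012345678";</script>
</body></html>"""
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")      # assumed bot-token shape
RANDOM_PATH_RE = re.compile(r'<script[^>]+src="[^"]*/[A-Za-z0-9]{24,}/[^"]*"')
KIT_MARKERS = ('id="contact-form"', 'id="registro"', 'id="exito"', "family=Kanit", "family=Play")

def fingerprint_page(html):
    """Return the page-content signals from the table that this HTML triggers."""
    signals = []
    if all(m in html for m in KIT_MARKERS):
        signals.append("phishing_kit_fingerprint")   # SRI hash check omitted: hashes not on page
    if RANDOM_PATH_RE.search(html):
        signals.append("obfuscated_script_loading")
    if TOKEN_RE.search(html) or "api.telegram.org" in html:
        signals.append("telegram_exfiltration")
    if re.search(r'<meta name="robots" content="noindex,\s*nofollow"', html) and 'property="og:' in html:
        signals.append("direct_link_delivery_marker")
    return signals
```

Both functions return structured hits rather than printing, so they can feed a SIEM rule or a unit test directly.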