
GitBait Campaign
GitBait is an active, large-scale phishing operation that has targeted at least 12 banking and financial institutions in Mexico for approximately three years using a fully serverless architecture. The operation abuses GitHub Pages to host a modular, multi-brand phishing kit across more than 100 distributed domains and exfiltrates harvested credentials, client identifiers, and payment-card data through the SheetBest API into attacker-controlled Google Sheets, with a Telegram bot used as an alternative exfiltration channel for one target. Commit history reveals multiple collaborating operator accounts and continuous maintenance, including periodic rotation of the credential-collection endpoint
Indicators of Compromise
Domains (36)
support-vh.github.iosoporte-y-atencion.github.io0725-soporte.github.iosoporte2650.github.iosoporte-index09.github.ioapi.sheetbest.comsoporte74.github.iosoporte-c1.github.iosoporteyatencionf.github.iosoporte0725-3.github.iosoporte0625.github.iosoporte-0725.github.iosoporte-index05.github.iosoporte-bn1.github.iosoporte-07-25.github.iosoporte160625.github.iosoporte250324.github.iosoporte2507.github.iosoporter03.github.iosoporte-b2.github.io+16 moreIPv4 (1)
159.89.254.93Notes
CONCLUSION<br><span id="docs-internal-guid-708b7ced-7fff-f394-fb31-2b1789c9bbe8"><p style="line-height:1.2;margin-top:0pt;margin-bottom:6pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">GitBait demonstrates how a financially motivated actor can run a large-scale, persistent phishing operation against the Mexican financial sector without owning any traditional attack infrastructure. By hosting cloned banking pages on GitHub Pages, the operator inherits the platform's trusted reputation and default HTTPS coverage, which makes the fraudulent URLs appear legitimate to both victims and automated security tooling. By routing harvested credentials through the SheetBest API into attacker-controlled Google Sheets instead of a dedicated command-and-control server, the actor removes a critical point of exposure and operates entirely within the boundaries of legitimate cloud services. This serverless model significantly reduces the infrastructure footprint, enables rapid redeployment after individual repositories are taken down, and complicates attribution.</span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:6pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">The operation also reflects a broader shift in the threat landscape: attackers no longer need sophisticated malware or complex infrastructure to conduct credential theft at scale. The abuse of everyday cloud platforms lowers the barrier to entry while increasing operational effectiveness, and the modular kit design, multi-path deployment across more than 100 domains, collaborative operator activity, and periodic rotation of the SheetBest exfiltration endpoint all point to a well-maintained, long-lived campaign rather than a one-off effort. For the financial sector, this means defenses that rely solely on blocklists of known malicious domains will struggle against infrastructure built on reputable services. Effective mitigation requires behavioral detection rather than signature matching alone, continuous monitoring for brand-impersonation activity across hosting platforms such as GitHub Pages, layered customer-side controls including phishing-resistant multi-factor authentication and real-time transaction alerts, and proactive intelligence and indicator sharing with peers, CERTs, and regulators to accelerate coordinated takedown and response.</span></p><div><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></div></span>
Mitigation
<span id="docs-internal-guid-3fb90083-7fff-12a5-53f5-e28822664cc8"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(31, 56, 100); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">ATT&CK Mapping</span></p><br><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col><col></colgroup><thead><tr style="height:0pt;"><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 8pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 8pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique ID</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 8pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique Name</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 8pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Procedure</span></p></th></tr></thead><tbody><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0042 Resource Dev.</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1583/006/">T1583.006</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Acquire Infrastructure: Web Services</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">GitHub Pages repositories and the SheetBest API are abused as hosting and exfiltration infrastructure, removing the need for any dedicated backend server.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0042 Resource Dev.</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1585/002/">T1585.002</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Establish Accounts: Email Accounts</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Multiple Gmail addresses are registered and tied to operator GitHub accounts used to build and maintain the phishing repositories.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0042 Resource Dev.</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1587/001/">T1587.001</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Develop Capabilities: Malware</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">A modular phishing kit with an internal campaign selector, brand-specific templates, and obfuscated credential-harvesting scripts is developed and reused across targets.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0042 Resource Dev.</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1608/005/">T1608.005</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Stage Capabilities: Link Target</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Brand-specific phishing pages are staged on GitHub Pages under randomized directory paths to act as link targets delivered to victims.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0001 Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1566/002/">T1566.002</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Phishing: Spearphishing Link</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Fraudulent github.io URLs are delivered to victims via messaging apps and SMS, using crafted Open Graph previews to render trusted brand link cards.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0005 Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1656/">T1656</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Impersonation</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Landing and login pages clone the branding, layout, and authentication workflows of at least 12 Mexican financial institutions.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0005 Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1027/">T1027</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Obfuscated Files or Information</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Credential-harvesting logic is loaded as externally hosted, heavily obfuscated JavaScript via randomized paths to defeat static analysis and enable payload rotation.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0006 Credential Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1056/003/">T1056.003</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Input Capture: Web Portal Capture</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">A client-side script attaches a submit listener and calls e.preventDefault(), capturing usernames, client IDs, passwords, and card data before the legitimate request fires.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0010 Exfiltration</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1567/">T1567</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exfiltration Over Web Service</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Captured credentials are serialized to JSON and sent via POST to the SheetBest API, which writes the data directly into attacker-controlled Google Sheets in real time.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0011 C2</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1102/">T1102</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Web Service</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">For one targeted institution, credentials are relayed in real time to a Telegram bot using a hardcoded token and chat ID embedded in the phishing JavaScript.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">TA0040 Impact</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1657/">T1657</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Financial Theft</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:3pt 5.5pt 3pt 5.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Harvested banking credentials and card data enable account takeover, fraudulent transactions, and resale, directly impacting Mexican financial-sector customers. </span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></p></td></tr></tbody></table></div></span>