GitBait: Phishing targeting the Mexican financial sector
GitBait is a modular phishing campaign targeting at least 12 Mexican financial institutions over three years. It abuses GitHub Pages for hosting phishing sites and uses the SheetBest API to exfiltrate stolen credentials to attacker-controlled Google Sheets. The infrastructure includes over 100 domains with multiple phishing pages, employing obfuscated JavaScript, randomized URLs, and dynamic brand selection to mimic legitimate banking portals. Credentials are harvested through multi-stage forms resembling authentic banking authentication flows. An alternative exfiltration method via a Telegram bot has also been observed. The campaign shows operational persistence with multiple operator accounts maintaining and updating the infrastructure continuously.
AI Analysis
Technical Summary
This threat involves a sophisticated phishing infrastructure named GitBait that targets Mexican financial institutions. It leverages serverless hosting on GitHub Pages and the SheetBest API for credential exfiltration, avoiding the need for dedicated backend servers. Attackers use obfuscated JavaScript, randomized paths, and dynamic brand selection panels to convincingly impersonate legitimate banking portals. The campaign operates over 100 domains, each hosting multiple phishing pages, and collects credentials via multi-stage forms that mimic real banking authentication processes. Stolen credentials are exfiltrated in real-time to attacker-controlled Google Sheets, with an alternative exfiltration channel via a Telegram bot. The operation has persisted for at least three years, maintained by multiple operator accounts through continuous commits and updates.
Potential Impact
The campaign enables attackers to harvest credentials from customers of targeted Mexican financial institutions, potentially leading to unauthorized access to banking accounts and financial fraud. The use of legitimate hosting (GitHub Pages) and real-time exfiltration to Google Sheets complicates detection and takedown efforts. The persistence and modularity of the infrastructure increase the operational resilience of the phishing campaign.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Defenders should focus on user awareness training to recognize phishing attempts, implement multi-factor authentication to reduce the impact of credential theft, and monitor for suspicious domains and URLs related to this campaign. Blocking known phishing domains and URLs identified in threat intelligence feeds can help reduce exposure. Since the campaign abuses GitHub Pages and SheetBest API, monitoring for abuse of these services may assist in early detection. There is no vendor patch; mitigation relies on detection and user protection measures.
Affected Countries
Mexico
Indicators of Compromise
- url: https://api.sheetbest.com/sheets/0e2a1336-e971-496f-9eb2-cd8dcd25565c
- url: https://api.sheetbest.com/sheets/47edba58-31f7-41e6-af18-31c77046dee1
- url: https://api.sheetbest.com/sheets/578ad828-fc67-4447-9182-197f92c1f302
- url: https://api.sheetbest.com/sheets/db4a7782-bc66-4a99-875b-ede99744f3fe
- url: https://api.sheetbest.com/sheets/f2958fbe-cdd7-4796-a4e4-19539d759a9f
- url: https://api.sheetbest.com/sheets/fe9f1e2d-16c9-4d92-9bdf-8425921ac073
GitBait: Phishing targeting the Mexican financial sector
Description
GitBait is a modular phishing campaign targeting at least 12 Mexican financial institutions over three years. It abuses GitHub Pages for hosting phishing sites and uses the SheetBest API to exfiltrate stolen credentials to attacker-controlled Google Sheets. The infrastructure includes over 100 domains with multiple phishing pages, employing obfuscated JavaScript, randomized URLs, and dynamic brand selection to mimic legitimate banking portals. Credentials are harvested through multi-stage forms resembling authentic banking authentication flows. An alternative exfiltration method via a Telegram bot has also been observed. The campaign shows operational persistence with multiple operator accounts maintaining and updating the infrastructure continuously.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a sophisticated phishing infrastructure named GitBait that targets Mexican financial institutions. It leverages serverless hosting on GitHub Pages and the SheetBest API for credential exfiltration, avoiding the need for dedicated backend servers. Attackers use obfuscated JavaScript, randomized paths, and dynamic brand selection panels to convincingly impersonate legitimate banking portals. The campaign operates over 100 domains, each hosting multiple phishing pages, and collects credentials via multi-stage forms that mimic real banking authentication processes. Stolen credentials are exfiltrated in real-time to attacker-controlled Google Sheets, with an alternative exfiltration channel via a Telegram bot. The operation has persisted for at least three years, maintained by multiple operator accounts through continuous commits and updates.
Potential Impact
The campaign enables attackers to harvest credentials from customers of targeted Mexican financial institutions, potentially leading to unauthorized access to banking accounts and financial fraud. The use of legitimate hosting (GitHub Pages) and real-time exfiltration to Google Sheets complicates detection and takedown efforts. The persistence and modularity of the infrastructure increase the operational resilience of the phishing campaign.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign rather than a software vulnerability. Defenders should focus on user awareness training to recognize phishing attempts, implement multi-factor authentication to reduce the impact of credential theft, and monitor for suspicious domains and URLs related to this campaign. Blocking known phishing domains and URLs identified in threat intelligence feeds can help reduce exposure. Since the campaign abuses GitHub Pages and SheetBest API, monitoring for abuse of these services may assist in early detection. There is no vendor patch; mitigation relies on detection and user protection measures.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/gitbait-phishing-mexico-banking-finance-es/"]
- Adversary
- null
- Pulse Id
- 6a33c3f0081d62e3b09eaf65
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://api.sheetbest.com/sheets/0e2a1336-e971-496f-9eb2-cd8dcd25565c | — | |
urlhttps://api.sheetbest.com/sheets/47edba58-31f7-41e6-af18-31c77046dee1 | — | |
urlhttps://api.sheetbest.com/sheets/578ad828-fc67-4447-9182-197f92c1f302 | — | |
urlhttps://api.sheetbest.com/sheets/db4a7782-bc66-4a99-875b-ede99744f3fe | — | |
urlhttps://api.sheetbest.com/sheets/f2958fbe-cdd7-4796-a4e4-19539d759a9f | — | |
urlhttps://api.sheetbest.com/sheets/fe9f1e2d-16c9-4d92-9bdf-8425921ac073 | — |
Threat ID: 6a345308f198dc38c17d1137
Added to database: 6/18/2026, 8:20:24 PM
Last enriched: 6/18/2026, 8:35:14 PM
Last updated: 6/18/2026, 11:56:52 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.