GitBait: Phishing targeting the Mexican financial sector
June 18, 2026, 8:05 p.m.
Description
A sophisticated, modular phishing infrastructure has been identified targeting at least 12 Mexican financial institutions over a three-year period. The operation uses GitHub Pages for hosting and the SheetBest API for credential exfiltration, which removes the need for dedicated backend infrastructure. The attackers employ obfuscated JavaScript, randomized paths, and dynamic brand selection panels to impersonate legitimate banking portals. Over 100 associated domains were identified, each hosting multiple phishing pages across different paths. Credentials are collected through multi-stage forms that mimic authentic banking authentication flows and are exfiltrated in real time to attacker-controlled Google Sheets. An alternative exfiltration method via a Telegram bot was also observed. The campaign demonstrates operational persistence, with multiple operator accounts maintaining the infrastructure through continuous commits and updates.
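A detection sketch for the exfiltration pattern described above, added here as an example and not taken from the original report: it flags browser POSTs to a SheetBest sheet endpoint, or to a Telegram bot send call, that originate from a page outside an allowlist. The log format, the allowlist, all hostnames and sheet IDs in the sample, and the Telegram host and path are assumptions; full URLs are only visible to a proxy that inspects TLS.

```python
import re
from urllib.parse import urlsplit

# SheetBest write endpoint as described on the page. The Telegram host/path is
# an assumption: the page only says "Telegram bot", not which API call is used.
SHEETBEST = re.compile(r"^/sheets/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/?$", re.I)
TELEGRAM = re.compile(r"^/bot[^/]+/send\w+$", re.I)

# Constructed proxy log lines: time, client, method, url, referer ("-" = none).
SAMPLE_LOG = """\
2026-06-18T10:01:02Z 10.0.0.5 GET https://example-portal.github.io/a9f3k/index.html -
2026-06-18T10:01:40Z 10.0.0.5 POST https://api.sheetbest.com/sheets/00000000-0000-4000-8000-000000000000 https://example-portal.github.io/a9f3k/index.html
2026-06-18T10:02:10Z 10.0.0.7 POST https://api.sheetbest.com/sheets/11111111-1111-4111-8111-111111111111 https://intranet.example.com/forms/survey
2026-06-18T10:03:00Z 10.0.0.9 POST https://api.telegram.org/botPLACEHOLDER/sendMessage https://login.example-bank.test/x7/
2026-06-18T10:04:00Z 10.0.0.9 GET https://api.sheetbest.com/sheets/00000000-0000-4000-8000-000000000000 -
"""

ALLOWED_REFERER_HOSTS = {"intranet.example.com"}  # hypothetical sanctioned users

def classify(method, url, referer):
    """Return a finding dict for a suspicious form submission, else None."""
    if method != "POST":
        return None
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host == "api.sheetbest.com" and SHEETBEST.match(u.path):
        kind = "sheetbest-write"
    elif host == "api.telegram.org" and TELEGRAM.match(u.path):
        kind = "telegram-bot-send"
    else:
        return None
    ref_host = (urlsplit(referer).hostname or "").lower() if referer != "-" else ""
    if ref_host in ALLOWED_REFERER_HOSTS:
        return None  # known internal form that legitimately uses the API
    hosting = "github-pages" if ref_host.endswith(".github.io") else "other"
    return {"kind": kind, "referer_host": ref_host, "hosting": hosting}

def scan(log_text):
    """Apply classify() to every well-formed line and collect the findings."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, referer = parts
        verdict = classify(method, url, referer)
        if verdict:
            hits.append({"time": ts, "client": client, **verdict})
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because the report lists over 100 associated domains, the referer is not required to be a `github.io` host; the `hosting` field only records whether it was.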
Date
- Created: June 18, 2026, 10:09 a.m.
- Published: June 18, 2026, 10:09 a.m.
- Modified: June 18, 2026, 8:05 p.m.
Indicators
Additional Information
- Finance
- Mexico