Sailor Framework
Chinese backed phishing services
– urlscan Threat Research Team
urlscan Pro Report
This is a public version of a report first published as an Intel Report on the urlscan Pro platform. The urlscan Pro version contains a more detailed look into the activity as well as more complex searches to cluster the activity. The urlscan Pro report also benefits from added visibility of Unlisted scans.
The Sailor Framework has emerged as a highly specialized Chinese-backed phishing ecosystem, moving away from broad industry attacks to dominate a specific vertical: U.S. state government and tolling infrastructure. By using AES-encrypted WebSockets and modular “branches” such as Sailors and globalConfig, the platform evades traditional detection while harvesting sensitive payment and identity data through urgency-based lures. Below we analyse this modular architecture and explain why browser storage keys, rather than URLs, have become the new frontline for tracking these campaigns.
Intel card
- Primary Name: “Sailor Framework”
Targeting
Regions: North America (Dominant) · Europe · Asia-Pacific (APAC) · Latin America · Middle East
| Industries |
|---|
| Government & Public Sector (Dominant) |
| Transportation & Tolling Services |
| Financial Services & Banking |
| Telecommunications |
| Postal & Logistics |
| E-commerce & Consumer Services |
| Payments & Fintech |
| Retail & Consumer Brands |
Key findings
- Overwhelming concentration of US state and local government entities, indicating highly targeted and localized phishing campaigns within the United States
- Strong focus on tolling and transport infrastructure, suggesting widespread use of road charge and fine-related phishing lures
- Government impersonation is the primary theme, often combined with urgency-based pretexts such as fines, violations, or unpaid tolls
- Supporting use of telecom providers to reinforce identity verification or billing-related phishing flows
- Inclusion of financial and payment brands to facilitate credential harvesting and fraudulent transactions
- Continued use of postal/logistics providers as secondary or fallback phishing themes
- Use of infrastructure masking to evade detection and improve campaign longevity
- This cluster represents a highly specialised vertical focusing on government and civic infrastructure rather than broad multi-industry targeting
The Sailor Framework is a modular phishing platform composed of multiple branches that share a common architectural foundation but differ in implementation details.
Rather than distinct “variants”, analysis indicates that only minor components are modified between branches, which suggests the controlling threat actor is capable of updating specific parts of the framework without redeploying the entire codebase.
The urlscan Threat Research Team are currently tracking multiple branches within this cluster, with the expectation that additional branches may emerge over time.
Across all observed Sailor branches, several core characteristics remain consistent. All branches rely on encrypted local storage, AES-encrypted WebSocket communications, and heavily obfuscated JavaScript to manage victim interaction flows and exfiltrate data. While the front-end templates frequently impersonate U.S. toll providers (for example Florida, Texas, and Arizona), the underlying architecture appears brand-agnostic and designed to support multiple payment-themed phishing scenarios.
Sensitive values, including configuration, session state, and victim data, are encrypted client-side. The encryption keys and IVs are embedded in the obfuscated JavaScript and are sometimes unique to a branch.
Because of this design, traditional clustering using URLs, cookies, or API paths is ineffective. Instead, the browser storage key names, which stay the same for a branch regardless of the domain it is deployed on, remain the most reliable detection mechanism.

Branch: Sailors
This is the most extensively observed branch and forms the baseline for the Sailor Framework.
Primary storage key:
ab331e7aeff3e8576b9d74971ab1a023 = sailors_config
Several additional MD5-hashed storage keys are used to manage victim sessions.
| Storage Key | Plaintext | Purpose |
|---|---|---|
| ab331e7aeff3e8576b9d74971ab1a023 | sailors_config | Encrypted configuration object |
| f3395cd54cf857ddf8f2056768ff49ae | router | Tracks the current page state |
| 721ceb620f946e89400945d36d204114 | sailors_form_data | Stores submitted victim information |
| ddafc76f38596c8b6769b63034d43f1d | VERIFICATION_STATE | Tracks secondary verification flows |
The router key only appears once victims progress past the landing page, which explains why it is absent in many automated scans.
The verification state is rarely observed but suggests operators can enable additional verification stages such as phone verification.
All Sailors storage values are encrypted using AES.
WebSocket Communications
The Sailors branch communicates with its backend over WebSockets rather than traditional HTTP API requests.
Connection format: wss://<domain>/console/?uuid=<uuid>&EIO=4&transport=websocket
The EIO=4&transport=websocket query string is the standard Engine.IO v4 handshake sent by Socket.IO clients, so the path (/console/) and the uuid parameter are the parts of the URL that actually distinguish this kit.
Messages exchanged over this channel are also AES encrypted.
Example message structure: ["message","<encrypted_payload>"]
The payload content appears to be binary structured data rather than plain text or JSON.
Language Indicators
Numerous Chinese strings embedded in the JavaScript name the kit's internal pages.
Examples include:
| Chinese | Translation |
|---|---|
| 手机验证页 | Mobile verification page |
| 邮箱验证页 | Email verification page |
| APP验证页 | App verification page |
| PIN验证页 | PIN verification page |
| 运通CVV验证页 | Amex CVV verification page |
| 首页 | Home page |
| 资料页 | Information page |
| 支付页 | Payment page |
| 完成页 | Completion page |
These strongly suggest the framework supports multi-stage verification flows beyond simple payment harvesting.
Branch: t_config
This newly identified branch is closely aligned with the Sailors implementation but introduces updated storage naming conventions and encryption material.
Primary storage key:
2e14a1ac17c37597f4579a51c5f26330 = t_config
Associated storage keys:
| Storage Key | Plaintext | Purpose |
|---|---|---|
| 2e14a1ac17c37597f4579a51c5f26330 | t_config | Encrypted configuration object |
| f3395cd54cf857ddf8f2056768ff49ae | router | Tracks page state (shared with Sailors) |
| 6677b6f7dd5ca11774f0f0e484baa3c0 | t_form_data | Stores submitted victim information |
The router key is only set after initial page interaction, consistent with Sailors behavior.
The WebSocket connection format is unchanged: wss://<domain>/console/?uuid=<uuid>&EIO=4&transport=websocket
The encryption methodology is the same as Sailors.
This branch appears to represent an iterative update of the Sailors branch, rather than a separate framework.
Branch: globalConfig
This branch diverges more significantly in implementation but retains core architectural patterns.
Primary storage key:
9908c873b133dbae6d4a5bf8af4184c8 = globalConfig
Associated storage keys:
| Storage Key | Plaintext | Purpose |
|---|---|---|
| 9908c873b133dbae6d4a5bf8af4184c8 | globalConfig | Encrypted configuration object |
| 9aee50191bbed6b0890f8e94a389a3ce | routerPath | Tracks current page state |
| 578c995a9c239e1039801db76acd1981 | syncConfig | Stores session identifier |
| d98a07f84921b24ee30f86fd8cd85c3c | from | Stores submitted victim information |
Notable differences:
- Router key present from initial page load
- Modified storage naming conventions
- Altered WebSocket endpoint (/logger/ vs /console/)
Despite these differences, the similarities strongly suggest shared development origin.
WebSocket Communications
Across all branches, the framework relies on WebSockets for backend communication.
The globalConfig branch also uses a different WebSocket path from the other branches.
Connection format: wss://<domain>/logger/?EIO=4&transport=websocket
Notably:
- No UUID parameter is used
- Messages remain AES encrypted
Example payload: ["message","<encrypted_payload>"]
As with the other branches, the content appears to contain binary data.
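Recognising the endpoints and unwrapping the frames on the wire, as an added example that is not from the report and not the kit's code. It covers both connection formats in this report (/console/ with a uuid for Sailors and t_config, /logger/ without one for globalConfig) and the binary-looking payload the report describes. The Socket.IO framing it parses (the 42 prefix in front of the ["message", ...] array) is an assumption about the transport layer, since the report shows only the decoded array; the URLs, the uuid value and the frame contents are constructed. It runs under Node.js.

```javascript
// Added example (not from the urlscan report, not the kit's code): recognise
// the Sailor Framework WebSocket endpoints and unwrap the frames that carry
// the AES-encrypted payloads. Every URL and frame below is constructed.

// Endpoint shapes from the report. EIO=4&transport=websocket is the Engine.IO
// v4 handshake that Socket.IO clients send; the path and the uuid parameter
// are what separate the branches.
function classifyWebSocketUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== 'wss:' && url.protocol !== 'ws:') return null;
  const q = url.searchParams;
  if (q.get('EIO') !== '4' || q.get('transport') !== 'websocket') return null;
  if (url.pathname === '/console/' && q.has('uuid')) return 'sailors-or-t_config';
  if (url.pathname === '/logger/' && !q.has('uuid')) return 'globalConfig';
  return 'engineio-other'; // Socket.IO is everywhere; path + uuid are the discriminators
}

// Socket.IO wire framing (ASSUMED; the report shows only the decoded array):
// Engine.IO packet type "4" (message) + Socket.IO packet type "2" (EVENT),
// an optional "/namespace," prefix, an optional ack id, then the JSON array.
const EVENT_FRAME = /^42(?:(\/[^,]*),)?(\d+)?(\[[\s\S]*\])$/;

function parseEventFrame(frame) {
  const m = EVENT_FRAME.exec(frame);
  if (!m) return null;
  let args;
  try { args = JSON.parse(m[3]); } catch { return null; }
  if (!Array.isArray(args) || typeof args[0] !== 'string') return null;
  return {
    namespace: m[1] || '/',
    ackId: m[2] ? Number(m[2]) : null,
    event: args[0],
    args: args.slice(1),
  };
}

// The report notes the payloads look like binary data rather than JSON. Cheap
// triage: base64-decode and count bytes outside printable ASCII.
function looksLikeCiphertext(payload) {
  if (typeof payload !== 'string' || !/^[A-Za-z0-9+\/]+={0,2}$/.test(payload)) return false;
  const bytes = Buffer.from(payload, 'base64');
  if (bytes.length < 16) return false; // shorter than one AES block
  let nonPrintable = 0;
  for (const b of bytes) {
    const textControl = b === 0x09 || b === 0x0a || b === 0x0d;
    if ((b < 0x20 && !textControl) || b > 0x7e) nonPrintable++;
  }
  return nonPrintable / bytes.length > 0.1;
}

// One frame in, one triage record out.
function triageFrame(frame) {
  const ev = parseEventFrame(frame);
  if (!ev) return null;
  return { event: ev.event, encrypted: ev.args.length === 1 && looksLikeCiphertext(ev.args[0]) };
}

// Constructed samples (uuid value and hostnames are placeholders).
const SAMPLE_URLS = [
  'wss://example.invalid/console/?uuid=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0&EIO=4&transport=websocket',
  'wss://example.invalid/logger/?EIO=4&transport=websocket',
  'wss://example.invalid/socket.io/?EIO=4&transport=websocket',
  'https://example.invalid/console/?uuid=abc',
];
const SAMPLE_CIPHERTEXT = Buffer.from(
  '8f3a00c7e2b19d4f6a5e0b7cd83192fe01a6b7c8d9e0f1a2b3c4d5e6f7081920', 'hex').toString('base64');
const SAMPLE_PLAINTEXT = Buffer.from('{"page":"home","step":1}', 'utf8').toString('base64');
const SAMPLE_FRAME = '42' + JSON.stringify(['message', SAMPLE_CIPHERTEXT]);

for (const u of SAMPLE_URLS) console.log(classifyWebSocketUrl(u), u);
console.log(triageFrame(SAMPLE_FRAME));
```

The classifier deliberately returns a distinct label for generic Engine.IO traffic rather than null, so that a scan's WebSocket URLs can be bucketed as "this kit", "some other Socket.IO app" or "not Socket.IO" in one pass.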
The Sailor Framework represents an evolution in phishing kit design toward:
- Modular architecture
- Encrypted client-side state
- WebSocket-based exfiltration
- Minimal observable indicators
Rather than discrete variants, the framework is best understood as a branching ecosystem where components are continuously modified and redeployed.
The introduction of new branches demonstrates active development and iterative refinement, reinforcing the likelihood of a centrally maintained platform.
This model enables operators to rapidly adapt infrastructure while maintaining a consistent underlying architecture, significantly complicating detection and clustering efforts.
Future tracking should assume continued branch proliferation and focus on invariant behaviors such as storage patterns and encryption workflows.
Below is a list of brands which have been detected and linked to the Sailor Framework:
- Transport & Toll Roads
  - Texas Department of Motor Vehicles - https://urlscan.io/result/019d7072-653b-76ea-9096-40eda7ee612d
  - Commonwealth of Pennsylvania - https://urlscan.io/result/019d7071-ee30-73fa-b0d3-358617781428
  - Oklahoma Department of Public Safety - https://urlscan.io/result/019d7071-d142-71cd-93e4-a6b82adfc17a
- Postal & Courier Services
More on urlscan Pro
If you want to learn about the urlscan Pro platform and how it might be valuable for your organization feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.