Phishing Kits & PhaaS
What Is CoGUI?
CoGUI is a Chinese-language phishing kit that sends high-volume email phishing campaigns targeting Japanese organizations with particular focus on stealing credentials and payment data. Between January and April 2025, CoGUI sent over 580 million malicious emails, according to Proofpoint's reporting, making it the highest-volume phishing threat tracked by the security firm at the time. The kit has been observed since at least October 2024 and was actively tracked by Proofpoint starting December 2024. Operated by Chinese-speaking threat actors with infrastructure similarities to the Darcula platform, according to Bleeping Computer's reporting from April 2025, CoGUI represents a significant escalation in phishing campaign volume compared to other contemporary PhaaS platforms.
How Does CoGUI Work?
CoGUI operates through email-based delivery of phishing messages sent via compromised or attacker-controlled mail servers. The platform achieved peak monthly volume of 172 million emails in January 2025, averaging approximately 50 campaigns per month with individual campaigns ranging from hundreds of thousands to tens of millions of messages, according to Proofpoint's analysis. Email spoofing techniques impersonate well-known brands to increase click rates and credential submission.
The platform implements sophisticated victim profiling to ensure phishing pages only display for intended targets. According to Dark Reading's April 2025 reporting, URLs only resolve if targets meet pre-defined criteria including IP address geolocation, browser type and version, browser language settings, operating system, screen resolution, and device type (desktop versus mobile). This filtering prevents security researchers using non-target devices or locations from analyzing phishing pages and reduces the risk of automated security tools detecting the malicious content.
When victims matching the required profile access phishing links, adaptive content serves different phishing pages based on victim characteristics. According to Proofpoint, the platform captures usernames, passwords, and payment card information through multi-step flows that may request additional data after initial credentials are submitted. An administrative panel shows victim interactions and stolen data in real-time, enabling operators to monitor campaign effectiveness and validate captured information.
Campaign infrastructure is likely distributed across compromised servers and legitimate hosting providers, according to analysis by The Record. Redirect chains use open redirects and intermediate links to obscure the origin point, and rotation across many domains evades blocklist-based detection. The centralized campaign coordination with distributed execution resembles a botnet-like architecture, according to eSecurity Planet's analysis.
The platform's primary brand impersonation targets include Amazon (the plurality of campaigns), Apple, Rakuten (a major Japanese e-commerce platform), the Japan national tax agency, and various Japanese financial institutions, according to Proofpoint. Sector targeting focuses on consumer and retail (Amazon, Apple), e-commerce (Rakuten), financial services, and government organizations (tax agency). The geographic specialization means Japan represents over 90% of message volume, with secondary markets including the United States, Canada, Australia, and New Zealand receiving significantly lower volumes that suggest testing or expansion phases.
How Does CoGUI Differ From Other Phishing Platforms?
| Feature | CoGUI | Lucid | Darcula | Morphing Meerkat |
|---|---|---|---|---|
| Primary Channel | Email + redirects | iMessage/RCS | iMessage/RCS | |
| Monthly Volume Peak | 172M emails (Jan 2025) | ~3M (100K/day × 30) | Not specified | Thousands (lower) |
| 4-Month Total Volume | 580M emails | ~12M estimated | Not specified | Not comparable |
| Primary Target Geography | Japan (90%+); US, CA, AU, NZ | Global (88 countries) | Global (100+ countries) | Global |
| Brand Impersonation Focus | Amazon, Apple, Rakuten, tax agency | 169 entities | Postal services, brands | 114+ email providers |
| Device Fingerprinting | Yes (IP, browser, OS, screen, language) | Yes (advanced) | Limited | IP blocking |
| Operator Origin | Chinese-speaking | XinXin group (China) | Yucheng C. (China) | Unknown |
| Operational Start | October 2024 | Mid-2023 | 2023 | 2020 |
| Infrastructure Similarity | Shared with Darcula | Independent | Shared with CoGUI | Independent |
| Campaign Frequency | ~50/month | Continuous | Continuous | Consistent |
| Ideal for | High-volume email targeting Japan | iMessage/RCS smishing globally | iMessage/RCS smishing globally | DNS-based targeted phishing |
CoGUI's primary distinguishing feature is its extraordinary email volume. According to Proofpoint, the 580 million emails in four months represent an average of 145 million per month, with the January 2025 peak of 172 million substantially exceeding other documented email-based PhaaS platforms. This volume-focused approach contrasts with platforms like Lucid, which emphasize device-farm infrastructure and messaging-protocol exploitation, or Morphing Meerkat, which emphasizes technical sophistication through DNS-based dynamic targeting.
The geographic concentration on Japan creates specialization distinct from most PhaaS platforms. According to The Record, while other platforms target broadly across Western markets, CoGUI's Japan focus suggests either operator language capabilities (Chinese operators often target other Asian markets), less competitive market conditions in Japan compared to heavily-targeted US and European organizations, or specific monetization channels for Japanese credentials and payment cards.
Why Does CoGUI Matter?
CoGUI demonstrates that volume-based strategies remain effective despite advances in email security. The 580 million emails in four months, according to Proofpoint's analysis, represents successful distribution at scale that overwhelms some traditional email filtering systems. The ability to maintain approximately 50 campaigns per month indicates operational infrastructure capable of rapid campaign deployment, domain rotation, and adaptation to defensive measures.
The geographic targeting of Japan highlights underappreciated phishing risks in non-English-speaking markets. According to TechRadar's reporting, Japanese organizations face concentrated phishing pressure from CoGUI's campaigns while much Western cybersecurity media attention focuses on threats targeting US and European organizations. The targeting may reflect sophisticated market analysis by operators identifying lucrative targets (wealthy consumer base, high-value financial services, large retailers) in markets with potentially less mature anti-phishing awareness compared to heavily-targeted Western organizations.
The platform's identification as Proofpoint's highest-volume phishing threat establishes CoGUI's significance in the threat landscape. According to Proofpoint, this designation means CoGUI surpassed all other phishing operations tracked by the security firm during the January-April 2025 period, including established PhaaS platforms, nation-state operations, and traditional cybercriminal campaigns. This volume leadership indicates substantial operational capacity, financial resources for infrastructure, and market success attracting either paying customers or collaborating threat actors.
The shared infrastructure with Darcula suggests possible organizational connections or copied codebases. According to Bleeping Computer, similarities between CoGUI and Darcula platforms indicate either common development teams, deliberate code sharing within Chinese cybercriminal communities, or one platform copying successful techniques from the other. This infrastructure sharing has implications for defense—signatures and indicators developed for one platform may be partially effective against the other.
The rapid emergence timeline matters for threat intelligence. CoGUI was first observed in October 2024 and by January 2025 had become Proofpoint's highest-volume tracked threat, according to the timeline documented by Proofpoint. This three-month acceleration from emergence to market dominance suggests either rapid customer acquisition if operating as PhaaS, or substantial pre-existing infrastructure and capability that was redirected to CoGUI operations. The speed challenges threat intelligence processes that typically require longer observation periods to characterize new threats.
What Are CoGUI's Limitations?
Email-Based Delivery Exposes Campaigns to Authentication Checks
CoGUI's reliance on email delivery subjects campaigns to DMARC, SPF, and DKIM authentication checks that can identify spoofed messages. According to Proofpoint, organizations enforcing strict DMARC policies with "p=reject" settings will block many CoGUI messages impersonating protected domains. Email security gateways implementing machine learning-based phishing detection can identify lookalike domains, suspicious sending patterns, and message content characteristic of CoGUI campaigns. The volume concentration (172 million emails in January 2025) creates statistical signatures that anomaly detection systems can identify, flagging unusual spikes in messages from particular sending infrastructure or targeting particular geographic regions.
Profiling Logic Requires JavaScript Execution
The device fingerprinting that filters victims based on IP, browser, OS, screen resolution, and language requires JavaScript execution in victim browsers. According to Dark Reading, this creates detectable patterns and can be circumvented by security researchers using residential proxies, modified user agents, or JavaScript analysis tools that extract profiling logic without triggering filtering. Organizations implementing JavaScript restrictions or email clients that don't execute JavaScript will prevent the profiling from functioning, potentially exposing the underlying phishing infrastructure without the intended filtering protections.
Campaign Coordination Creates Centralized Vulnerability
Maintaining approximately 50 campaigns per month requires centralized coordination infrastructure for scheduling, domain management, template deployment, and credential collection. According to eSecurity Planet, this centralization creates single points of failure—if law enforcement identifies and seizes core coordination servers, the entire operation could be disrupted. The scheduling patterns and campaign timing may create behavioral fingerprints identifiable through analysis of email receipt timestamps, campaign deployment sequences, and domain registration patterns.
Geographic Concentration Creates Obvious Targeting Footprint
The heavy focus on Japanese organizations (over 90% of volume) creates concentrated visibility for Japanese authorities and security researchers. According to The Record, Japanese law enforcement and the Japan National Police Agency have strong incentives to investigate and disrupt operations specifically targeting Japanese victims. The concentration also enables Japanese organizations to share threat intelligence more effectively, as most victims are in similar geographic and regulatory contexts. Brand impersonation of major Japanese services like Rakuten and Japanese tax agencies may trigger stronger enforcement responses than targeting dispersed international organizations.
Shared Infrastructure with Darcula Multiplies Attribution Risk
The infrastructure similarities to Darcula, according to Bleeping Computer, mean that research and law enforcement investigation into either platform may yield intelligence applicable to the other. If Darcula's infrastructure is disrupted or operators identified, CoGUI operations may be affected. The shared codebase or infrastructure patterns create correlated vulnerabilities—security improvements effective against one platform likely transfer to the other, reducing the operational isolation that might otherwise protect separate operations.
How Can Organizations Defend Against CoGUI-Style Attacks?
Email Authentication and Gateway Security
Organizations should implement DMARC with the policy set to "p=reject" so that unauthenticated messages impersonating organizational domains are rejected. According to CISA best practices, configure SPF records to limit sending IPs to authorized mail servers only, preventing attackers from sending spoofed emails that appear to originate from organizational domains. Implement DKIM to digitally sign all outgoing mail, enabling recipients to verify message authenticity and detect forgeries. Email gateway protection should include advanced phishing filters that use machine learning to detect the lookalike domains characteristic of brand impersonation; URL sandboxing that follows links in an isolated environment before allowing message delivery; attachment sandboxing that executes files in isolation to detect malware; and header analysis that detects spoofed domains and unusual originating IP addresses.
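The DMARC and SPF settings above are easy to get subtly wrong (a monitoring-only policy, a softfail, too many lookups). The following evaluator, added here as an illustration and not code from the page or any vendor, parses a weak record next to a hardened one for a hypothetical domain and reports why each is or is not strict; all records are constructed.

```python
"""Evaluate DMARC and SPF TXT records for the weak settings the text warns about.
Added example, not from the page or any vendor; all records below are constructed."""
import re

# Constructed records for a hypothetical domain: a weak pair next to a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.jp"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.jp"
WEAK_SPF = "v=spf1 include:_spf.example.jp ~all"
STRICT_SPF = "v=spf1 ip4:203.0.113.25 include:_spf.example.jp -all"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_dmarc_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings explaining why a DMARC record is weak; an empty list means strict."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is monitored or quarantined, not rejected")
    subpolicy = tags.get("sp", policy).lower()  # sp inherits p unless set explicitly
    if subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains of the organization can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so spoofing goes unseen")
    return findings


def assess_spf(record: str) -> list:
    """Return findings for an SPF record: weak 'all' qualifier or too many lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_qualifier = None
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if match:
            all_qualifier = match.group(1) or "+"  # a bare 'all' means pass
    messages = {
        None: "no 'all' term: unlisted senders get a neutral result",
        "+": "+all: every host on the internet is an authorized sender",
        "~": "~all: softfail only; unauthorized senders are tagged, not rejected",
        "?": "?all: neutral; unauthorized senders are not penalized",
    }
    if all_qualifier in messages:
        findings.append(messages[all_qualifier])
    lookups = sum(1 for term in terms[1:] if LOOKUP_TERM.match(term))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the RFC 7208 limit, record evaluates as permerror")
    return findings
```

In production the records would come from a DNS TXT query of `_dmarc.<domain>` and `<domain>`; the checks themselves are unchanged.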
User warning systems should add banners to external mail stating "This email originated outside your organization," highlight domain mismatches where claimed sender differs from actual sending domain, and warn on unusual sender behavior including first-time senders requesting sensitive actions. According to Microsoft Security guidance, these visual cues help users apply appropriate skepticism to external messages.
User Training for Brand Impersonation Recognition
Training programs should teach users to verify sender domains (not just display names) by examining the actual email address rather than the friendly name shown in email clients. According to Proofpoint, users should recognize urgent language ("Act now," "Verify immediately," "Account suspended") as common phishing indicators designed to bypass rational evaluation. URL inspection training should emphasize hovering over links to see actual destinations before clicking. Domain verification requires exact matching only—typosquatting awareness should highlight common substitutions like amazon.con, amaz0n.com, or character substitutions using visually similar letters from different alphabets.
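The domain-mismatch banners and the typosquatting patterns (amazon.con, amaz0n.com, look-alike letters from other alphabets) described above can be checked mechanically on the raw headers. This example is added here, not taken from the page or from a vendor's filter; the brand-to-domain list, the homoglyph table, and both sample messages are constructed for illustration.

```python
"""Flag brand-impersonating senders in raw mail headers: a display name claiming a brand
whose sending domain is not the brand's, a Reply-To pointing elsewhere, and typosquat or
homoglyph lookalikes of protected domains. Added example; brand list and messages are
constructed, not a vendor's rules or data from the page."""
from email import message_from_string
from email.utils import parseaddr

# Assumed brand-to-domain mapping for the brands the page names (illustrative only).
PROTECTED = {
    "amazon": ["amazon.co.jp", "amazon.com"],
    "apple": ["apple.com"],
    "rakuten": ["rakuten.co.jp"],
}

# Digits and Cyrillic letters commonly substituted for Latin ones; folded back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u043e": "o", "\u0435": "e"})  # Cyrillic а, о, е


def normalize(domain: str) -> str:
    """Fold look-alike characters and the 'rn' -> 'm' trick so lookalikes compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit covers amazon.con, amazon.cm and similar typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_genuine(domain: str, legit: str) -> bool:
    return domain == legit or domain.endswith("." + legit)


def lookalike_of(domain: str):
    """Return the protected domain this one mimics, or None if genuine or unrelated."""
    domain = domain.lower()
    for legit in (d for ds in PROTECTED.values() for d in ds):
        if is_genuine(domain, legit):
            return None
        if normalize(domain) == legit or levenshtein(normalize(domain), legit) <= 1:
            return legit
    return None


def analyze(raw: str) -> list:
    """Return a list of findings for one raw RFC 5322 message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    mimicked = lookalike_of(from_domain)
    if mimicked:
        findings.append(f"From domain {from_domain} is a lookalike of {mimicked}")
    for brand, legit in PROTECTED.items():  # friendly name vs. real sending domain
        if brand in name.lower() and not any(is_genuine(from_domain, d) for d in legit):
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample messages (only the headers matter here).
PHISH = ("From: Amazon.co.jp <support@amazon.con>\r\n"
         "Reply-To: verify@mail-check.example\r\n"
         "Subject: Account suspended - verify immediately\r\n\r\nbody")
LEGIT = ("From: Amazon.co.jp <no-reply@amazon.co.jp>\r\n"
         "Subject: Your order has shipped\r\n\r\nbody")
```

A gateway would run `analyze` on each inbound message and turn a non-empty result into the external-sender or domain-mismatch banner; Japanese display names would need the brand table extended with their local spellings.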
For organizations with Japanese operations or employees, provide Japanese-language training to recognize local phishing campaigns. According to TechRadar, CoGUI's focus on Japanese targets means Japan-specific examples and training materials are more relevant than generic Western-focused phishing education.
Multi-Factor Authentication and Access Controls
Implement multi-factor authentication to reduce the impact of password compromise. According to The Hacker News, hardware security keys are preferred because they resist phishing by verifying the authentication domain, so credentials are never released to a fraudulent site even when the phishing page looks identical to the real one. App-based TOTP (Time-based One-Time Password) is acceptable for lower-risk accounts, though SMS- and email-based MFA are vulnerable to interception. Conditional access policies should flag logins from unusual locations or devices, require additional verification for new-device logins, enforce device health requirements before granting access, and block impossible-travel scenarios in which authentication attempts occur from two distant locations within an implausible timeframe.
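The impossible-travel rule in the conditional-access list above is straightforward to implement over a sign-in log. The detector below is an added example, not a product's logic or code from the page; the sign-in events, GeoIP coordinates, and the 1,000 km/h threshold are constructed assumptions.

```python
"""Detect 'impossible travel': consecutive sign-ins for one account whose implied ground
speed exceeds anything a traveler could achieve. Added example for this page, not a
product's logic; sign-in events, coordinates and the speed threshold are constructed."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000  # assumed threshold, above commercial airliner cruising speed
IGNORE_BELOW_KM = 50      # GeoIP jitter inside one metro area is not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Constructed sign-in log: (user, ISO-8601 UTC timestamp, GeoIP city, lat, lon)
EVENTS = [
    ("t.sato", "2025-01-14T09:02:00", "Tokyo", 35.68, 139.69),
    ("t.sato", "2025-01-14T09:47:00", "Osaka", 34.69, 135.50),    # ~400 km in 45 min: plausible
    ("t.sato", "2025-01-14T10:15:00", "Frankfurt", 50.11, 8.68),  # ~9200 km in 28 min: impossible
    ("m.chen", "2025-01-14T08:00:00", "Singapore", 1.35, 103.82),
    ("m.chen", "2025-01-15T08:00:00", "Singapore", 1.35, 103.82),
]


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alerts (user, from_city, to_city, km, minutes, kmh) for each implausible hop."""
    by_user = {}
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, seq in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(seq, seq[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < IGNORE_BELOW_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            if hours > 0:
                kmh = round(km / hours)
            else:
                kmh = float("inf")  # two distant locations in the same second
            if kmh > max_kmh:
                alerts.append((user, c1, c2, round(km), round(hours * 60), kmh))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("impossible travel:", alert)
```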
Passwordless authentication using Windows Hello, FIDO2, or biometric methods eliminates the password as an attack vector. According to Microsoft Security, passwordless approaches prevent credential phishing because there are no passwords to steal.
Financial Institution Transaction Monitoring
Financial institutions should implement real-time fraud scoring for anomalous purchases, identifying transaction patterns inconsistent with normal customer behavior. According to Proofpoint, velocity checks flag rapid multi-transaction patterns characteristic of bulk fraud using stolen credentials. Geolocation analysis should flag transactions from impossible locations: purchases from geographic areas inconsistent with the customer's location or pattern, or multiple transactions from widely separated locations within implausible timeframes. New-merchant flagging identifies first purchases from merchant categories in which the customer has no transaction history, which may indicate testing of stolen payment cards.
Payment method protection should include virtual card numbers (single-use or merchant-specific tokens), card-not-present (CNP) transaction restrictions for high-risk contexts, 3D Secure enforcement requiring additional authentication for high-risk transactions, and rapid card replacement procedures to minimize vulnerability windows after compromise detection. Account recovery monitoring should alert on password changes, email forwarding rule creation, and recovery email updates, as these may indicate account takeover attempts.
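The three scoring rules just described (velocity, geolocation inconsistent with the cardholder, first purchase in an unfamiliar merchant category) combine into a simple additive score whose threshold decides whether a transaction proceeds or is held for the step-up authentication mentioned above. The example is added here and is not an issuer's engine; the weights, thresholds, cardholder profile and transaction stream are constructed, while the MCC values are standard merchant category codes.

```python
"""Score card transactions with the rules the text lists: velocity (a burst of purchases),
geolocation inconsistent with the cardholder, and a first purchase in an unfamiliar merchant
category. Added example, not an issuer's engine; thresholds, weights, profile and
transactions are constructed; MCC values are standard merchant category codes."""
from datetime import datetime, timedelta

# Assumed rule weights and thresholds.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3     # three or more transactions inside the window is a burst
HOLD_THRESHOLD = 60    # scores at or above this are held for review or step-up (3-D Secure)

# Constructed cardholder profile: home country and merchant categories seen before.
PROFILE = {"home_country": "JP", "known_mcc": {"5411", "5812", "4111"}}  # grocery, restaurant, transit

# Constructed transaction stream: a normal purchase, then a burst of foreign card-not-present buys.
TXNS = [
    {"id": "t1", "ts": "2025-01-20T12:05:00", "country": "JP", "mcc": "5812", "amount": 1800, "cnp": False},
    {"id": "t2", "ts": "2025-01-20T18:40:00", "country": "US", "mcc": "5732", "amount": 49900, "cnp": True},
    {"id": "t3", "ts": "2025-01-20T18:42:00", "country": "US", "mcc": "5732", "amount": 52000, "cnp": True},
    {"id": "t4", "ts": "2025-01-20T18:45:00", "country": "US", "mcc": "5944", "amount": 88000, "cnp": True},
]


def score_transaction(txn, prior, profile):
    """Score one transaction against the cardholder's prior transactions; returns (score, reasons)."""
    t = datetime.fromisoformat(txn["ts"])
    score, reasons = 0, []
    burst = [p for p in prior if t - VELOCITY_WINDOW <= datetime.fromisoformat(p["ts"]) <= t]
    if len(burst) + 1 >= VELOCITY_LIMIT:
        score += 40
        reasons.append(f"velocity: {len(burst) + 1} transactions within {VELOCITY_WINDOW}")
    if txn["country"] != profile["home_country"]:
        score += 30
        reasons.append(f"geolocation: {txn['country']} differs from home country {profile['home_country']}")
    if txn["mcc"] not in profile["known_mcc"]:
        score += 20
        reasons.append(f"new merchant category: MCC {txn['mcc']} never seen for this cardholder")
    if txn["cnp"] and score:
        score += 10  # card-not-present adds weight only when another signal already fired
        reasons.append("card-not-present compounding an existing signal")
    return score, reasons


def review_stream(txns, profile, hold_at=HOLD_THRESHOLD):
    """Process transactions in time order; held transactions still count toward velocity."""
    prior, decisions = [], []
    for txn in sorted(txns, key=lambda x: x["ts"]):
        score, reasons = score_transaction(txn, prior, profile)
        decisions.append((txn["id"], "HOLD" if score >= hold_at else "ALLOW", score, reasons))
        prior.append(txn)
    return decisions


if __name__ == "__main__":
    for txn_id, decision, score, reasons in review_stream(TXNS, PROFILE):
        print(txn_id, decision, score, "; ".join(reasons))
```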
Threat Intelligence Integration and Reporting
Organizations should subscribe to threat intelligence feeds tracking CoGUI domains, IP addresses, and email sending patterns. According to Dark Reading, indicators of compromise should be integrated into email gateways, web proxies, and DNS filtering solutions for automated blocking. Brand monitoring services track use of organizational brands in phishing campaigns, enabling rapid detection and takedown requests. Card monitoring examines dark web marketplaces for sales of stolen cards that might originate from CoGUI campaigns. Credential monitoring tools like Have I Been Pwned track compromised credentials appearing in breach databases.
Report phishing attempts to the FBI Internet Crime Complaint Center (IC3), Japanese National Police Agency (for Japan-focused incidents), and Interpol for international coordination. According to CISA, payment processors including Visa and Mastercard can block stolen card testing through network-level controls. Email providers including Gmail, Outlook, and Yahoo should receive abuse reports for credential theft to enable provider-level countermeasures. Brand protection teams at Amazon, Apple, and Rakuten can issue takedown notices to hosting providers. ISP cooperation enables reporting of spoofing and phishing to internet service providers hosting malicious infrastructure.
FAQs
Why is CoGUI targeting Japan so heavily?
Japanese organizations represent lucrative targets with wealthy consumer bases, high-value financial services, and large retailers like Rakuten and Amazon Japan, according to Proofpoint's analysis. Japan's digital-first society means more online transactions and banking activity, creating more opportunities for credential and payment card theft. According to The Record, Japanese markets may be less heavily targeted than US and European organizations, giving CoGUI operators higher success rates due to potentially lower victim awareness of phishing tactics compared to populations that have faced intensive phishing campaigns for longer periods. The targeting may also reflect operator group characteristics—Chinese-speaking operators often target other Asian markets due to geographic proximity, cultural familiarity, and language capabilities. According to Dark Reading, Japanese credentials and payment cards may have specific monetization channels through Asian cybercriminal marketplaces where Chinese operators have established relationships and trust. The operators may also exploit timing and regulatory differences, as Japanese organizations may be slower to implement some Western-developed security controls due to localization requirements or different regulatory priorities.
What makes CoGUI different from other phishing kits if it's just email-based?
While email-based like traditional phishing, CoGUI's sophistication comes from victim profiling (filtering based on IP, browser, OS, screen size, language) and extraordinary scale (580 million emails in four months), according to Bleeping Computer. The geofencing and device fingerprinting ensure phishing pages are customized and more convincing, reducing security researcher visibility while improving victim conversion rates. According to Proofpoint, the massive volume overwhelms traditional email filters through sheer quantity, statistical variation in sending infrastructure, and rapid domain rotation. The approximately 50 campaigns per month allow operators to adapt quickly to takedown efforts, deploying new domains and templates to replace blocked infrastructure within days rather than weeks. The platform's integration of real-time victim data validation enables operators to verify captured credentials immediately, according to eSecurity Planet, distinguishing valid from invalid submissions and prioritizing high-value targets. The infrastructure similarities to Darcula suggest possible code sharing or common development, potentially providing access to sophisticated techniques developed for messaging-based phishing adapted for email delivery.
If CoGUI is the highest-volume phishing threat, why haven't we heard more about it?
CoGUI's primary targeting is Japan, so Western media coverage is limited to cybersecurity trade publications rather than mainstream news, according to TechRadar. Japanese news outlets reported extensively on CoGUI in early 2025 when the threat became apparent to Japanese organizations. Proofpoint's tracking data is shared with enterprise customers and threat intelligence subscribers but not mass-market consumer audiences. According to Bleeping Computer, highly sophisticated phishing prevention deployed by enterprise email security systems means most users never see CoGUI emails—they're filtered before delivery—so media attention concentrates in the cybersecurity industry rather than generating mainstream news coverage. The platform's relatively recent emergence (October 2024) means it hasn't accumulated the multi-year operational history of platforms like LabHost or Darcula that generated more sustained media attention. According to The Record, Japanese organizations may be less likely to publicly disclose phishing incidents due to cultural factors around public acknowledgment of security incidents, reducing visible reporting compared to Western organizations that face regulatory disclosure requirements under laws like GDPR or US state breach notification statutes.
How can I tell if an email is from CoGUI vs. a legitimate brand?
Check the sender's email domain carefully for exact matches—typosquatting attempts are common, with domains differing by single characters or character substitutions, according to Proofpoint guidance. Verify links by hovering before clicking to see actual destinations rather than displayed text. Look for urgency language ("Act now," "Verify immediately," "Account will be suspended") designed to bypass rational evaluation. According to Dark Reading, CoGUI-impersonated brands include Amazon, Apple, Rakuten, and Japanese tax agencies—if receiving unsolicited credential requests claiming to be from these organizations, verify directly through official channels. Examine email headers to check sending infrastructure—CoGUI messages may originate from unexpected mail servers or geographic locations inconsistent with the claimed sender. If unsure, contact the brand via official phone numbers listed on their website (not numbers in the suspicious email) or navigate directly to known websites by typing URLs manually. According to CISA guidance, legitimate organizations will not send unsolicited emails requesting credential verification, password resets, or payment information updates with urgent deadlines. Organizations with Japanese employees should provide specific training on recognizing Japanese-language CoGUI campaigns, as translation quality and cultural context may differ from English-language phishing.
What should I do if I think I clicked a CoGUI phishing link?
Take immediate action from a clean device not involved in the phishing incident. According to CISA guidance, change passwords for critical accounts including email, banking, and work accounts immediately, using strong unique passwords for each account. Enable hardware-security-key two-factor authentication if available, as it resists phishing, unlike SMS or app-based codes, which can be intercepted. Contact financial institutions immediately to monitor accounts for fraud and request new card numbers with different account numbers if payment cards were compromised. According to Proofpoint, file a report with the FBI Internet Crime Complaint Center (IC3) at ic3.gov for US victims, or the Japanese National Police Agency (www.npa.go.jp) for Japanese victims, providing email headers, suspicious URLs, and information entered. If employed, notify your IT security team immediately, as they may need to investigate broader organizational compromise, reset additional accounts, or implement additional monitoring. According to The Hacker News, freeze credit with bureaus (Experian, Equifax, TransUnion in the US; Japan Credit Information Center, Credit Information Center, Japan Credit Bureau in Japan) if payment cards were compromised, preventing fraudulent account openings. Monitor credit reports monthly for at least 12 months to detect fraudulent activity. Watch for follow-up attacks: CoGUI operators may attempt additional phishing or vishing (voice phishing) attacks after initial compromise, so maintain heightened vigilance for suspicious communications claiming to be from financial institutions or IT support.