A sophisticated phishing framework called CoGUI has emerged as a significant threat, targeting organizations in Japan. The attacks began in October 2024 and have since escalated, with millions of phishing messages sent. The CoGUI phishing kit impersonates well-known brands like Amazon, PayPay, Rakuten, and various financial institutions. Its goal is to trick users into divulging sensitive information such as credentials and payment details.
The phishing messages often create a sense of urgency, prompting recipients to click on embedded URLs that lead to fake login pages.
Once on these pages, victims are asked to enter their usernames, passwords, and payment card information, all of which are harvested by the attackers. The scale of the campaign has been massive, with volumes ranging from hundreds of thousands to tens of millions of phishing emails. CoGUI’s success has made Japan one of the most targeted countries.
CoGUI’s sophistication lies in its advanced evasion techniques, making it difficult to detect. It employs browser profiling to assess the victim’s characteristics, including geographic location, browser type, and operating system. If the victim’s profile meets the attackers’ criteria, they are shown the phishing page. Otherwise, they are redirected to a legitimate site, leaving no trace of the attack attempt.
This strategy makes detection by automated systems challenging and allows the attackers to target specific victims effectively.
Researchers at Proofpoint first identified the CoGUI phishing kit in December 2024 and have tracked its evolution since then. The volume of phishing messages peaked in January 2025, with over 172 million messages sent. While Japan remains the primary target, the CoGUI kit has also been used in campaigns targeting users in Australia, New Zealand, Canada, and the U.S. This campaign’s sophistication and scale suggest it is likely run by Chinese-speaking threat actors targeting Japanese-language speakers.
Reference:
