
Threat actors using a sophisticated phishing kit called CoGUI have launched a torrent of Japanese-language credential theft campaigns, flooding inboxes with millions of phishing emails each month, according to a new report from Proofpoint. The kit—first observed in late 2024—leverages brand impersonation, advanced evasion, and browser fingerprinting to target users in Japan, making the country one of the most phished regions in the world in early 2025.
“Japan has become one of the most targeted countries in Proofpoint data based on campaign volume,” the report states, noting over 172 million CoGUI messages were observed in January 2025 alone.
CoGUI is a modular phishing framework that integrates several evasive technologies:
- Geofencing to avoid non-target countries
- Header filtering to block automated scanners
- Browser fingerprinting to screen for real users
These methods allow the kit to selectively target specific geographic regions, primarily Japan, while evading security measures. While some campaigns targeted users in other countries, the volume and frequency were significantly lower compared to those directed at Japan.
The scale of these CoGUI campaigns is substantial. “Most of the observed campaigns abuse popular consumer or payment brands in phishing lures,” including well-known names like Amazon, PayPay, Rakuten, and others. The high volume of messages associated with these campaigns has made Japan “one of the most targeted countries in Proofpoint data based on campaign volume.” Individual campaigns can involve “hundreds of thousands to tens of millions” of messages.
Proofpoint’s analysis reveals that CoGUI campaigns typically occur over a short timeframe, usually spanning three to five days. The threat actors behind these campaigns use URLs in their messages to direct victims to credential phishing websites. Notably, the observed CoGUI campaigns do not include capabilities to collect multifactor authentication (MFA) credentials, which is unusual for frequently observed email credential phishing services.
The report provides specific examples of brands impersonated in CoGUI campaigns:

- Amazon: One campaign used the subject line “To protect your account, please update your account” and directed users to a counterfeit Amazon authentication page designed to steal user credentials and payment information.
- PayPay: Another campaign used an email with the subject “[Spring Thanksgiving] Get an Amazon gift certificate & 100,000 PayPay points with entry!” and led to a fake PayPay authentication page to harvest user credentials and payment information.
- Rakuten: Some Rakuten-themed campaigns even included mentions of tariffs in their lures, such as one with the subject line “【Emergency Response】 AI Investment Strategy for Tariff Crisis: Limited Release of Tools Supervised by Top Analyst Eiji Kinouchi”.
CoGUI employs victim profiling techniques to evade detection and target specific users. This profiling includes collecting information such as GeoIP, browser type and version, and operating system. Proofpoint’s analysis suggests that the CoGUI phishing kit is used by multiple Chinese-speaking threat actors primarily targeting Japanese-language speakers in Japan. While there are similarities to another phishing kit called Darcula, Proofpoint’s research indicates that CoGUI is a separate entity.