
耗子系统 (Hàozǐ xìtǒng, "Haozi system") phishing administration panel screenshot | Image: Netcraft
A new report from Netcraft has exposed the alarming return of Haozi, a Chinese-language Phishing-as-a-Service (PhaaS) platform that combines sleek design, full customer support, and a deceptively friendly cartoon mouse mascot. Designed to lower the barrier to entry for cybercriminals, Haozi has transformed phishing into a no-code, subscription-based criminal service, enabling nearly anyone to launch advanced credential theft campaigns.
“Haozi epitomizes this trend,” says Netcraft. “Virtually no technical skills required.”
The standout feature of Haozi is its fully automated, web-based control panel. Unlike traditional phishing kits that require command-line setup and server configuration, Haozi operates as a “plug-and-play” platform. Attackers simply enter their server credentials into a hosted installation page, and the system automatically deploys a phishing site and admin dashboard — all without needing to run a single command.
“This frictionless setup contrasts with other PhaaS tools like the AI-enabled Darcula suite… Haozi eliminates even that,” the report notes.
The resulting dashboard allows users to manage multiple phishing campaigns, filter traffic, view stolen credentials, and fine-tune attack behavior, making sophisticated phishing campaigns accessible to novices.
Haozi is more than just a kit; it is a criminal enterprise with a structured business model. It offers a subscription plan of $2,000 per year alongside à la carte sales of individual components. Transactions are settled in Tether (USDT), and the associated wallet has received over $280,000 to date.
“The Tether (USDT) wallet used for these advertisements and intermediary services has received more than $280,000, with recent withdrawals frequently amounting to several thousand dollars each.”
Moreover, Haozi sells advertising space that connects buyers to third-party services such as SMS gateways. Here, Haozi acts as a middleman, monetizing not just the phishing kits but the entire attack ecosystem.
Haozi's kits don't just harvest credentials; they simulate a real verification flow with a human operator in the loop. Its phishing templates mimic bank verification and credit card prompts with operator-driven response logic. For example, after capturing card details, the operator can attempt a transaction with the stolen card and, depending on whether the issuer challenges it, choose to prompt the victim for a 2FA code.
“The phishing kit displays a loading screen while the kit operator decides whether to prompt for a two-factor authentication (2FA) code.”
Operators can also simulate mobile prompts or reject invalid cards, giving attackers a powerful set of tools to maximize success.
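The adaptive flow described above, as an added example that is not from the Netcraft report or the Haozi kit: a minimal model of a kit backend whose victim-facing page sits on a loading screen and polls until the operator picks the next step (request an OTP, show a mobile approval prompt, or reject the card). The state names, method names, the polling mechanism and the sample card data are assumptions made for illustration; the point it shows is that the kit itself needs no knowledge of the issuer's behaviour, because a human supplies the branching decision in real time.

```python
"""Operator-in-the-loop phishing flow, modelled from the article's description.

Illustrative reconstruction written for this write-up; it is not Haozi's code.
State names, method names and the "poll until decided" mechanism are assumptions
about how a loading screen can wait for a human operator's decision.
"""
from dataclasses import dataclass, field
from enum import Enum


class Step(str, Enum):
    CARD_FORM = "card_form"          # fake bank/card verification page
    LOADING = "loading"              # shown while the operator decides
    OTP_PROMPT = "otp_prompt"        # ask the victim for the 2FA/OTP code
    MOBILE_PROMPT = "mobile_prompt"  # "approve the request in your banking app"
    CARD_REJECTED = "card_rejected"  # "card invalid, please re-enter"
    DONE = "done"


# Decisions the operator panel may take while the victim is on the loading screen.
OPERATOR_DECISIONS = {Step.OTP_PROMPT, Step.MOBILE_PROMPT, Step.CARD_REJECTED}


@dataclass
class Session:
    session_id: str
    step: Step = Step.CARD_FORM
    captured: dict = field(default_factory=dict)
    polls_while_loading: int = 0   # how long the victim waited on a human


class KitBackend:
    """Server side of the kit: stores captured data and the operator's decision."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def submit_card(self, sid: str, card: dict) -> Step:
        s = self.sessions.setdefault(sid, Session(sid))
        s.captured["card"] = card
        s.step = Step.LOADING            # victim now sees a spinner
        return s.step

    def poll(self, sid: str) -> Step:
        """Called repeatedly by the victim's page until the step changes."""
        s = self.sessions[sid]
        if s.step is Step.LOADING:
            s.polls_while_loading += 1
        return s.step

    def operator_decide(self, sid: str, decision: Step) -> None:
        """Operator panel action, e.g. after trying the card on a real merchant."""
        s = self.sessions[sid]
        if s.step is not Step.LOADING or decision not in OPERATOR_DECISIONS:
            raise ValueError(f"illegal transition {s.step.value} -> {decision.value}")
        s.step = decision

    def submit_otp(self, sid: str, code: str) -> Step:
        s = self.sessions[sid]
        if s.step is not Step.OTP_PROMPT:
            raise ValueError("OTP submitted without an OTP prompt")
        s.captured["otp"] = code
        s.step = Step.DONE
        return s.step


def run_scenario(decision: Step, operator_delay_polls: int) -> tuple[Session, list[Step]]:
    """Play one victim session end to end.

    The victim's browser polls; the operator acts only after
    `operator_delay_polls` polls, standing in for human think time.
    Returns the backend session and the ordered steps the victim saw.
    """
    if operator_delay_polls < 1:
        raise ValueError("operator must decide after at least one poll")
    backend = KitBackend()
    sid = "sess-001"
    card = {"pan": "4111111111111111", "exp": "12/29", "cvv": "123"}  # constructed test data
    seen = [backend.submit_card(sid, card)]

    while True:
        step = backend.poll(sid)
        if step is not Step.LOADING:
            seen.append(step)
            break
        if backend.sessions[sid].polls_while_loading == operator_delay_polls:
            backend.operator_decide(sid, decision)

    if step is Step.OTP_PROMPT:
        seen.append(backend.submit_otp(sid, "482913"))  # constructed OTP
    return backend.sessions[sid], seen


if __name__ == "__main__":
    for decision in (Step.OTP_PROMPT, Step.MOBILE_PROMPT, Step.CARD_REJECTED):
        session, seen = run_scenario(decision, operator_delay_polls=4)
        print(decision.value, [s.value for s in seen], "polls:", session.polls_while_loading)
```

From the defender's side, the observable consequence of this design is an artificially long "processing" delay after a card or credential POST, bounded only by how quickly the operator responds, rather than the sub-second turnaround of a real issuer check.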
Haozi markets itself like a SaaS company, complete with dedicated Telegram support channels. These include after-sales troubleshooting, FAQs, resource sharing, and even custom page design services.
This level of polish and accessibility is a major reason behind Haozi’s growing popularity. Since relaunching in April 2025, the platform has attracted over 1,700 new followers, signaling a rapid re-engagement of its user base.
Netcraft has observed Haozi administration panels installed on thousands of phishing hostnames, underscoring the kit’s widespread deployment. These panels — labeled “Hàozǐ xìtǒng” — offer familiar interfaces and features borrowed from legitimate development tools, lowering suspicion and increasing ease-of-use.