A new sophisticated phishing kit named ‘CoGUI’ has been actively sending over 580 million emails from January to April 2025, primarily targeting Japanese users but also impacting other countries. The campaign involves impersonation of major brands and employs advanced targeting techniques, including URL filtering based on user criteria. (Affected: Targeted organizations and systems)
Keypoints:
- CoGUI is a high-volume phishing kit responsible for over 580 million emails within a four-month period in 2025.
- The campaign impersonates major brands such as Amazon, PayPal, Apple, banks, and tax agencies to deceive victims.
- The attack chain involves personalized phishing links that redirect targets based on specific device and location criteria.
- Most activity is concentrated in Japan, with smaller campaigns in the US, Canada, Australia, and New Zealand.
- CoGUI campaigns initially mimicked the Darcula phishing kit but are now considered unrelated despite similarities.
- The kit is believed to be operated mainly by Chinese threat actors, but could be adopted by others for different targets.
- Mitigation advice emphasizes cautious handling of urgent emails, avoiding clicking embedded links, and independently verifying platform URLs.
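The last point, independently verifying where a link actually goes rather than trusting the brand name shown in the message, is easy to get wrong by eye when a kit uses hosts that embed the brand's real domain as a subdomain. The following helper is an added example written for this summary, not code from the article or from any vendor: it pulls the URLs out of an e-mail body, reduces each host to its registrable domain, and compares that against a constructed allow-list of domains the claimed brand legitimately uses. The brand-to-domain mapping, the short public-suffix table and the sample e-mail are all constructed for illustration.

```python
"""Check whether the links in an e-mail point at the brand it claims to be from.

Added example for this summary; the brand/domain mapping, suffix table and
sample message below are constructed, not taken from the article.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: registrable domains a brand legitimately uses.
# A real deployment would maintain a much fuller, curated list.
LEGIT_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.jp"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Minimal set of two-label public suffixes so that e.g. www.amazon.co.jp
# reduces to amazon.co.jp rather than co.jp. Approximation for the example;
# production code should use a full public-suffix list.
PUBLIC_SUFFIXES_2 = {"co.jp", "ne.jp", "co.uk", "com.au", "co.nz"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (approximate, see above)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES_2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def check_links(text: str, claimed_brand: str) -> list[dict]:
    """Classify each link as 'ok' or 'mismatch' against the claimed brand.

    A link is flagged as a lookalike when the brand name appears somewhere in
    the host (e.g. as a leading subdomain) but the registrable domain is not
    one the brand actually owns.
    """
    brand = claimed_brand.lower()
    allowed = LEGIT_DOMAINS[brand]
    findings = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        rd = registrable_domain(host)
        verdict = "ok" if rd in allowed else "mismatch"
        lookalike = verdict == "mismatch" and brand in host
        findings.append({
            "url": url,
            "host": host,
            "registrable": rd,
            "verdict": verdict,
            "lookalike": lookalike,
        })
    return findings


def has_suspicious_link(text: str, claimed_brand: str) -> bool:
    """True if any link in the message does not resolve to the claimed brand."""
    return any(f["verdict"] == "mismatch" for f in check_links(text, claimed_brand))


# Constructed sample: an "urgent" message whose first link only looks like the
# brand's domain; the real registrable domain is account-verify.example.
SAMPLE_EMAIL = """Subject: Your Amazon account has been suspended
Please verify within 24 hours: https://amazon.co.jp.account-verify.example/login?id=123
Help: https://www.amazon.co.jp/help
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, "Amazon"):
        print(finding["verdict"], finding["registrable"], finding["url"])
```

Running the block prints one `mismatch` line for the lookalike host and one `ok` line for the genuine help link. The design point is that the comparison is done on the registrable domain, not on whether a familiar brand string appears anywhere in the URL; that is exactly the distinction a reader skimming an urgent message tends to miss.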