Massive Phishing Campaign Unleashed by CoGUI Kit: Over 580 Million Emails Sent Worldwide

Listen to this Post

Featured Image

CoGUI Phishing Campaign Exposed: A Threat Spanning Continents

A sophisticated phishing campaign utilizing a new kit dubbed ‘CoGUI’ has emerged as a massive cybersecurity threat in early 2025. Between January and April alone, this campaign dispatched more than 580 million phishing emails, primarily impersonating trusted global brands such as Amazon, PayPal, Apple, Rakuten, and several financial institutions.

The purpose? Stealing login credentials and payment data through highly targeted deception. With operations peaking in January 2025—when 172 million messages were sent through 170 unique campaigns—the campaign maintained steady volume and reach in the following months, making it the largest phishing operation currently monitored by cybersecurity firm Proofpoint.

While Japan has borne the brunt of these attacks, smaller-scale operations have reached users in the United States, Canada, Australia, and New Zealand. Originating sometime around October 2024, CoGUI’s full scale became evident when Proofpoint began closely tracking the campaign from December onward.

Interestingly, analysts initially speculated a connection between CoGUI and Darcula, another phishing kit linked to Chinese cybercriminals. However, deeper investigation revealed that although both are operated by Chinese threat actors, the two kits are not technically related.

The CoGUI attack chain follows a familiar yet refined structure: phishing emails mimic trusted brands with urgent messages, containing links that only activate if certain conditions are met. These include geolocation, browser language, operating system, device type, and even screen resolution. If the criteria don’t match, users are safely redirected to legitimate websites. However, if matched, the link redirects to a cloned phishing site built to harvest login and payment data.

In addition to emails, CoGUI has powered smishing (SMS phishing) attacks in the U.S., using lures like fake toll payment notices. While such mobile campaigns are now reportedly shifting to Darcula, CoGUI still presents a major ongoing threat, especially due to its modular design, which allows different threat actors to adopt and deploy it with ease.

Experts emphasize the need for cautious user behavior, advising recipients to avoid clicking on embedded links in urgent-sounding messages and to access official sites directly through their browser instead.

CoGUI Phishing Operation Breakdown (30-Line Digest)

A new phishing kit named CoGUI has launched the largest email phishing campaign of 2025.
Over 580 million phishing emails were sent globally from January to April.
170 phishing campaigns peaked in January 2025 with 172 million emails.
Messages impersonate well-known entities: Amazon, Apple, PayPal, Rakuten, banks, and tax agencies.
Campaigns mainly targeted Japan, but also hit the U.S., Canada, Australia, and New Zealand.
Proofpoint researchers uncovered and began tracking CoGUI in December 2024.
CoGUI was initially confused with the Darcula phishing kit, also linked to Chinese actors.
Deeper analysis confirmed that CoGUI and Darcula are unrelated, though both are exploited by Chinese hackers.
CoGUI emails contain malicious links that activate only under specific victim conditions.
Criteria include IP location, language settings, OS, browser type, and screen resolution.
If criteria are not met, users are redirected to real brand websites—a clever cloaking tactic.
When conditions are met, users land on phishing pages mimicking login forms of trusted brands.

These pages steal usernames, passwords, and payment credentials.

CoGUI also launched SMS-based phishing in the U.S. (smishing), using fake toll fee alerts.
Most smishing activity has since shifted to Darcula, but CoGUI remains active.
The phishing kit supports multiple threat groups, making it scalable and modular.
CoGUI is believed to be China-based, but attribution is difficult due to kit sharing.
Future campaigns using CoGUI could target different countries depending on the operator.
Proofpoint calls CoGUI the largest volume campaign currently tracked.
Researchers warn of a rising trend in precision phishing, using behavioral targeting.
The campaign is part of a broader surge in global phishing threats in 2025.
Defensive measures include independent login practices and ignoring urgent links in messages.
Cyber hygiene awareness is essential to mitigate risk from evolving phishing kits.

CoGUI represents a shift toward adaptive phishing infrastructure.

Detection evasion is built into CoGUI via device fingerprinting.
Victims who match the phishing profile are more likely to be successfully compromised.
Many phishing sites use HTTPS and professional designs to appear authentic.
Even tech-savvy users are falling prey to targeted, brand-impostor phishing pages.
Law enforcement faces challenges as phishing kits are easily sold or rented on the dark web.
Cybersecurity vendors must rapidly adapt to new phishing platforms like CoGUI.

What Undercode Say:

The emergence of CoGUI signals a troubling evolution in the phishing landscape. What sets this phishing kit apart is not only the sheer scale of the campaigns—over half a billion emails in just four months—but also the technical sophistication in target selection and delivery tactics. The phishing emails don’t merely blast indiscriminately; they use contextual filters to ensure that only “high-value” or “authentic-looking” targets reach the phishing site. This increases the campaign’s effectiveness and lowers the risk of exposure.

From a strategic viewpoint, CoGUI represents a shift from simple phishing to precision cyber fraud, and this modular approach enables different cybercriminal groups to deploy customized attacks with little technical expertise required. Its infrastructure offers cloaking capabilities that mask malicious intent from both security systems and victims—a method similar to advanced malvertising.

The technical overlap in tactics with Darcula but not in code shows the rapid diversification of cybercrime tools, often developed by different groups but inspired by each other’s successes. CoGUI’s ability to adapt across vectors (email, SMS) and regions shows how threat actors are moving toward agile, adaptable malware-as-a-service ecosystems.

Its highly tailored criteria for link redirection (IP address, screen size, language) is a clear indication of the rising use of device fingerprinting in phishing—a technique traditionally used in ad tech and now repurposed by threat actors. It reduces false positives and increases victim conversion rates significantly.

More worryingly, the operational simplicity of CoGUI—coupled with the fact it’s used by multiple operators simultaneously—means this platform can spread virally among criminal networks. It’s likely being rented or sold on dark web forums, and with minimal setup, attackers can launch full-scale campaigns from anywhere.

Japan remains the primary testing ground for many phishing campaigns due to high digital adoption and frequent online transactions, but the real risk is global expansion. As geopolitical tensions rise and cyber espionage becomes more intertwined with commercial data theft, phishing campaigns like those powered by CoGUI could also serve intelligence-gathering or nation-state interests.

Finally, CoGUI underscores a vital truth in modern cybersecurity: no brand is immune to impersonation, and no user is safe without skepticism and awareness. As phishing kits become more sophisticated, traditional indicators of fraud—like misspellings, poor design, or HTTP-only pages—are no longer reliable. Security awareness training must evolve just as quickly as these kits do.

Fact Checker Results:

CoGUI’s link to Chinese operators is probable but not conclusively proven.
Over 580 million phishing messages were confirmed by Proofpoint data.
CoGUI and Darcula are technically distinct despite similar threat actor origins.

Prediction:

As 2025 progresses, CoGUI will likely be adopted by broader cybercriminal networks, expanding beyond Japan into more Western markets. Expect future waves to integrate AI-generated phishing pages, more realistic fake apps, and multi-channel deception combining email, SMS, and even phone calls. Without rapid detection improvements and user awareness, the next CoGUI campaign could dwarf even this record-setting wave.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram