Chinese ‘CoGUI’ Phishing Kit Bombards Japan With Over 100 Million Malicious Emails Monthly

A new and increasingly dominant phishing-as-a-service (PhaaS) platform has emerged from China, flooding Japan with malicious spam emails at unprecedented volume. Known as “CoGUI,” this phishing kit has rapidly become a massive cyber threat in the Asia Pacific region — especially for Japanese users.

Japan Under Siege: The Surge of the CoGUI Phishing Campaign

Chinese cybercriminals are leveraging CoGUI to distribute phishing emails on a scale unmatched by other platforms. Research from Proofpoint reveals that in January 2025 alone, CoGUI was used to execute over 50 campaigns, pushing out 172 million phishing emails. Although activity dipped slightly in April — with 40 campaigns delivering over 100 million emails — the impact remains staggering.

CoGUI is a cornerstone of a broader trend in phishing-as-a-service platforms that are flourishing across China. While other kits like Lucid and Darcula are also gaining traction, CoGUI stands out for its email-based approach, massive scale, and Japanese focus.

Unlike Darcula, which often targets the US through smishing and mobile scams, CoGUI is mainly focused on Japanese citizens and businesses, impersonating brands such as Amazon, Apple, Rakuten, and the Japan National Tax Agency. These scams lure users into credential-phishing sites that mimic legitimate services with near-perfect detail.

Launched sometime around October 2024, CoGUI saw relatively modest activity until December, when its usage dramatically escalated. By early 2025, it had matured into one of the most high-volume phishing tools on the planet.

CoGUI cleverly evades spam filters by constantly rotating email addresses across campaigns, making it nearly impossible for automatic systems to detect and block its emails efficiently. The URLs embedded in these emails lead to phishing websites that first profile the user’s system — examining device type, language, operating system, browser, and even screen size — before either displaying a fake login page or redirecting the user to the legitimate website if their system doesn’t fit the attack criteria.
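One check a defender's URL-analysis pipeline can run against the profile-gating behaviour described above, added here as an illustrative example and not code from Proofpoint or from the kit itself: fetch the same link under several client profiles and compare the outcomes. The probe profiles and the brand domain are assumptions, and `fake_site` is a constructed stand-in for the gating logic the article describes.

```python
"""Probe a suspicious URL under several client profiles to detect profile-gated phishing pages."""
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

@dataclass(frozen=True)
class Profile:
    user_agent: str
    accept_language: str

@dataclass
class Response:
    status: int
    location: str = ""              # redirect target, if any
    has_password_field: bool = False

# Constructed probe set (assumption): the client attributes the article says the kit inspects.
PROBES = {
    "ja-mobile": Profile("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "ja-JP,ja;q=0.9"),
    "ja-desktop": Profile("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ja-JP,ja;q=0.9"),
    "en-desktop": Profile("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "en-US,en;q=0.9"),
    "crawler": Profile("python-requests/2.31", "en-US"),
}

def classify(fetch: Callable[[Profile], Response]) -> dict:
    """Fetch one URL under every probe and compare outcomes.

    A page that serves a credential form to some profiles and bounces the rest to
    another domain is gating on client attributes, which is the cloaking signature."""
    outcomes = {name: fetch(p) for name, p in PROBES.items()}
    served = {n for n, r in outcomes.items() if r.status == 200 and r.has_password_field}
    bounced = {n: urlparse(r.location).hostname for n, r in outcomes.items()
               if 300 <= r.status < 400 and r.location}
    return {"cloaked": bool(served) and bool(bounced),
            "served_to": sorted(served), "bounced_to": bounced}

# Constructed stand-in for the gating behaviour described in the article (not kit code):
# Japanese-language clients get the fake login, everyone else is sent to the real brand site.
def fake_site(p: Profile) -> Response:
    if p.accept_language.startswith("ja"):
        return Response(200, has_password_field=True)
    return Response(302, location="https://www.example-brand.invalid/login")

if __name__ == "__main__":
    print(classify(fake_site))
```

Screen size and some browser attributes are read by page JavaScript rather than from HTTP headers, so a header-only probe like this catches header-based gating only; a headless browser with varied navigator and screen values is needed to cover the rest.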

The impersonation strategies are sophisticated, targeting users with convincing fake sites that blend seamlessly with well-known brands. Proofpoint noted that while most attacks are on Japanese soil, occasional spillovers into Australia, Canada, the US, and New Zealand have occurred — mostly where ties to Japanese institutions or users are evident.

Proofpoint researchers are still uncertain why Japan is the central focus, but its role as a technological powerhouse and economic hub could be contributing factors. The Japanese government has taken note, with its Financial Services Agency recently issuing warnings about escalating phishing attempts tied to brokerage accounts — some possibly linked to CoGUI operations.

What Undercode Says:

CoGUI represents a critical inflection point in the evolution of phishing-as-a-service operations, and the trends emerging from its activity are worth unpacking with deeper cybersecurity analysis:

  1. Localized Precision: CoGUI breaks from the traditional global spray-and-pray tactic. Instead, it’s laser-focused on Japan, suggesting either a state-backed initiative, a highly organized crime ring, or a criminal enterprise with financial interests tied to Japanese institutions.

  2. Scalability Without Sophistication: Despite lacking Darcula’s advanced features (such as 2FA code interception), CoGUI’s sheer scale compensates for its technical limitations. It’s an industrialized phishing machine relying on brute volume, not complexity.

  3. Infrastructure Evasion Mastery: Constantly changing sender emails and using different services allow CoGUI to stay ahead of spam filters. This is a playbook more commonly seen in advanced persistent threat (APT) groups than traditional phishing gangs.

  4. Brand Masquerading: Amazon and Apple are global brands, but when they’re weaponized in Japanese campaigns — especially in the local language and format — it shows how attackers are doing their homework to build region-specific lures.

  5. User Profiling Before Attack: The profiling feature embedded in CoGUI’s phishing process is alarmingly effective. It ensures only the most likely victims are shown phishing pages, lowering exposure to cybersecurity researchers and sandboxes.

  6. Why Japan?: Japan’s mature digital infrastructure, large aging population with varying cyber literacy, and dense concentration of financial activity might make it an appealing, high-yield target.

  7. Lack of Attribution: That no specific actor has been tied to CoGUI — despite the campaign size — raises questions about the nature of its operators. Is this an emerging cybercrime syndicate? A shadowy PhaaS marketplace? Or something state-aligned?

  8. Potential Cross-Campaign Overlap: CoGUI’s partial overlap with Darcula indicates these kits may share infrastructure or developers. That suggests a growing ecosystem rather than isolated tools.

  9. A Blind Spot for Defenders: The success of CoGUI’s campaigns underscores a significant weakness in current spam filtering and detection systems. Email-based attacks, once considered a legacy threat, are clearly back in force.

  10. Future Threats Are Modular: CoGUI might be just one of many evolving kits. The modular nature of these platforms means new versions with enhanced capabilities — like 2FA bypass or session hijacking — are likely on the horizon.
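A defender-side heuristic for the sender-rotation point above (Infrastructure Evasion Mastery) and the filtering blind spot it exploits, added here as an illustrative example and not Proofpoint's or any vendor's detection logic: cluster messages by their normalized lure subject and flag clusters whose senders almost never repeat. The log format, thresholds and sample lines are constructed assumptions.

```python
"""Flag lure clusters whose messages come from ever-changing sender addresses (constructed sample)."""
import re
from collections import defaultdict

# Constructed mail-log sample in a simple "sender | subject" form; not real campaign data.
MAIL_LOG = """\
a8f3k@mail-one.example | 【Amazon】お支払い方法の更新が必要です
q77zd@mail-two.example | 【Amazon】お支払い方法の更新が必要です
zz01m@mail-three.example | 【Amazon】お支払い方法の更新が必要です
b0x9r@mail-four.example | 【Amazon】お支払い方法の更新が必要です
newsletter@shop.example | 今週のおすすめ商品 (第12週)
newsletter@shop.example | 今週のおすすめ商品 (第13週)
newsletter@shop.example | 今週のおすすめ商品 (第14週)
"""

def normalize_subject(subject: str) -> str:
    """Collapse digits and whitespace so per-message variants map to one lure template."""
    return re.sub(r"\d+", "#", re.sub(r"\s+", " ", subject.strip()))

def rotating_sender_clusters(log: str, min_messages: int = 3, min_ratio: float = 0.75) -> list:
    """Group messages by lure template and flag groups where almost every
    message has a distinct sender address; unique domains are reported too."""
    by_template = defaultdict(list)
    for line in log.splitlines():
        sender, _, subject = line.partition("|")
        by_template[normalize_subject(subject)].append(sender.strip().lower())
    flagged = []
    for template, addrs in by_template.items():
        if len(addrs) < min_messages:
            continue
        domains = {a.rsplit("@", 1)[-1] for a in addrs}
        ratio = len(set(addrs)) / len(addrs)
        if ratio >= min_ratio:
            flagged.append({"template": template, "messages": len(addrs),
                            "unique_senders": len(set(addrs)),
                            "unique_domains": len(domains)})
    return flagged

if __name__ == "__main__":
    for hit in rotating_sender_clusters(MAIL_LOG):
        print(hit)
```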

Fact Checker Results:

CoGUI campaigns have been confirmed by Proofpoint as highly active since late 2024.
Japan is the primary target, with impersonation of major Japanese and international brands.
No direct ties to a specific threat actor group have been publicly attributed as of May 2025.

Prediction:

CoGUI is likely the precursor to a new generation of phishing tools that balance scale with geographic targeting. If trends continue, Japan could soon face PhaaS threats that integrate AI-driven lures, real-time credential harvesting, and even biometric data theft. Meanwhile, neighboring countries may see spillover attacks as these platforms seek new markets. Expect global cybersecurity vendors to rush patches and detection updates in the coming months — but the underlying arms race is just beginning.

References:

Reported By: www.darkreading.com