CoGUI
CoGUI is a phishing kit / phishing-as-a-service (PhaaS) platform used by multiple Chinese-speaking threat actors. Proofpoint described it as one of the highest-volume threats in its campaign data, with activity observed since at least October 2024 and tracked from December 2024. Campaigns primarily target Japanese organizations and Japanese-language speakers in Japan using Japanese-language phishing lures, although some activity has also been observed targeting users in Australia, New Zealand, Canada, and the United States.
CoGUI is used to steal usernames, passwords, and payment card data. Observed campaigns commonly impersonate major consumer, retail, payment, banking, and government brands including Amazon, PayPay, Rakuten, Apple, and Japan’s national tax agency. In observed workflows, phishing pages collected credentials and in some cases subsequently collected payment card details. Proofpoint reported that observed CoGUI campaigns did not include the capability to capture multifactor authentication credentials.
A defining characteristic of CoGUI is its advanced evasion and anti-analysis behavior. Reported techniques include geofencing, header fencing, browser or device fingerprinting, and selective delivery of phishing content based on victim profiling. The kit profiles targets using data such as GeoIP, browser language, browser type and version, screen dimensions, operating system platform, and whether the device is mobile. Victims whose profiles do not match targeting criteria may be redirected to legitimate websites such as Amazon.co.jp, helping the kit evade automated analysis and reduce exposure to non-targets.
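Because the kit serves its credential form only to visitors whose profile matches (and redirects everyone else to a legitimate site), a single automated fetch of a suspicious URL can miss the phishing content entirely. The following is an added analyst-side illustration, not CoGUI code or anything from Proofpoint or Mallory: it probes one URL under several visitor profiles that vary the attributes the text says the kit inspects (browser language, browser type, mobile vs. desktop, and the egress GeoIP) and flags selective delivery when some profiles receive a credential form while others are redirected or refused. The remote server is replaced by a constructed `simulated_fetch` so the script runs offline; the profile names, the `example.invalid` placeholder URL, and the verdict labels are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Profile:
    """One synthetic visitor profile used for a probe (all values constructed)."""
    name: str
    accept_language: str
    user_agent: str
    egress_country: str  # country the probe's source IP geolocates to


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]  # Location header for 3xx responses
    body: str


# Profiles chosen to span the attributes the kit is reported to profile:
# language, browser type, mobile vs. desktop, and GeoIP of the visitor.
PROFILES: List[Profile] = [
    Profile("ja-mobile-jp", "ja-JP,ja;q=0.9",
            "Mozilla/5.0 (Linux; Android 13) Chrome/124 Mobile Safari/537.36", "JP"),
    Profile("ja-desktop-jp", "ja-JP,ja;q=0.9",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124 Safari/537.36", "JP"),
    Profile("en-desktop-us", "en-US,en;q=0.9",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124 Safari/537.36", "US"),
    Profile("headless-us", "en-US,en;q=0.9",
            "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124", "US"),
]

# Constructed stand-in for the remote server so the script runs offline.
# It mimics the behaviour described in the text: a credential form for the
# intended profile, a redirect to a legitimate site for everyone else.
_CONSTRUCTED_FORM = ('<html><form action="/login" method="post">'
                     '<input name="email"><input type="password" name="pw">'
                     '</form></html>')


def simulated_fetch(url: str, profile: Profile) -> Response:
    """Hypothetical fencing behaviour; replace with a real HTTP fetch in use."""
    if (profile.accept_language.startswith("ja") and profile.egress_country == "JP"
            and "Headless" not in profile.user_agent):
        return Response(200, None, _CONSTRUCTED_FORM)
    return Response(302, "https://www.amazon.co.jp/", "")


def classify(resp: Response) -> str:
    """Reduce a response to a coarse kind so profiles can be compared."""
    if 300 <= resp.status < 400 and resp.location:
        return "redirect:" + (urlparse(resp.location).hostname or "?")
    if resp.status >= 400:
        return f"error:{resp.status}"
    if re.search(r'<input[^>]+type=["\']?password', resp.body, re.I):
        return "credential_form"
    return "other"


def probe(url: str, fetch: Callable[[str, Profile], Response],
          profiles: List[Profile] = PROFILES) -> Dict[str, str]:
    """Fetch the URL once per profile and record the response kind for each."""
    return {p.name: classify(fetch(url, p)) for p in profiles}


def assess(results: Dict[str, str]) -> Dict[str, object]:
    """Flag selective delivery: a credential form served to some profiles while
    others are redirected or refused. One probe profile can never see this;
    the signal is the difference between profiles."""
    kinds = set(results.values())
    served = sorted(n for n, k in results.items() if k == "credential_form")
    fenced = sorted(n for n, k in results.items()
                    if k.startswith(("redirect:", "error:")))
    if served and fenced:
        verdict = "selective_delivery"
    elif kinds == {"credential_form"}:
        verdict = "credential_form_all"
    else:
        verdict = "no_form_seen"
    return {"verdict": verdict, "served_to": served, "fenced_from": fenced,
            "kinds": sorted(kinds)}


if __name__ == "__main__":
    res = probe("https://example.invalid/", simulated_fetch)  # placeholder URL
    for name, kind in res.items():
        print(f"{name:>14}: {kind}")
    print(assess(res))
```

In practice the `fetch` callable would issue the request with the profile's `Accept-Language` and `User-Agent` headers from an egress that geolocates to `egress_country`; the harness only needs the status, `Location` header, and body back. The useful signal for a sandbox or URL-scanning pipeline is the verdict `selective_delivery`, which says the page behaves differently for a Japanese-language, non-headless visitor in Japan than for anyone else, exactly the pattern the text describes.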
Proofpoint reported that CoGUI campaigns typically involve hundreds of thousands to tens of millions of messages, average roughly 50 campaigns per month, usually run for three to five days, and peaked at more than 172 million messages in January 2025. Researchers also noted technical similarities with the Darcula phishing kit, including minimal initial HTML, randomized asset filenames, browser profiling, Chinese-language code elements, and short URI paths, but assessed that Darcula is ultimately unrelated to CoGUI.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Information that CoGUI collects as part of its victim profiling includes:
GeoIP (geographical location of the IP address)
Language configuration of the browser
Browser type (e.g. Chrome)
Browser version
Monitor screen height and width
OS platform (e.g. win32)
Whether the victim’s browser is running on a mobile device
Initial Access
2 techniques
The highest volume threat in current Proofpoint campaign data is a phishing kit named CoGUI, which is actively targeting Japanese organizations. CoGUI campaigns impersonate well-known companies, mainly consumer and finance brands. The objective of the campaigns is to steal usernames, passwords, and payment data.
Stealth
2 techniques
Credential Access
1 technique
The emails contained URLs leading to a credential capture webpage impersonating Rakuten, which was designed to collect user credentials.
In this campaign, a user was first directed to enter their username and password for their Amazon account. Then, the user was directed to enter their payment details, leading to theft of usernames and passwords as well as credit card information.
Discovery
3 techniques
CoGUI is a sophisticated kit that employs advanced evasion techniques, including geofencing, header fencing, and fingerprinting to avoid detection by automated browsing systems and sandboxes.
Collection
1 technique
The emails contained URLs leading to a credential capture webpage impersonating Rakuten, which was designed to collect user credentials.
In this campaign, a user was first directed to enter their username and password for their Amazon account. Then, the user was directed to enter their payment details, leading to theft of usernames and passwords as well as credit card information.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A phishing kit with advanced evasion and anti-detection features, used by Chinese-speaking threat actors, impersonating major platforms but not capturing MFA credentials.
A highly evasive phishing framework primarily targeting users in Japan. It impersonates major consumer, payment, retail, banking, and tax brands to steal usernames, passwords, and payment card data. It uses geofencing, header fencing, browser fingerprinting, and victim profiling to evade automated analysis and selectively serve phishing pages.
A phishing kit offered as a phishing-as-a-service platform, described as being used to target Japan.
A phishing kit offered as a service (PhaaS) used to conduct credential-harvesting phishing campaigns, reported as targeting Japan.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.