CoGUI Phishing Kit Targets Global Users by Impersonating Renowned Brands

A sophisticated phishing framework known as CoGUI has emerged as a significant threat, primarily targeting organizations in Japan with millions of phishing messages since October 2024. This kit impersonates popular consumer and finance brands, including Amazon, PayPay, Rakuten, and various financial institutions, to deceive users into divulging sensitive information.

The phishing campaigns employ meticulously crafted emails that mimic legitimate communications from trusted brands. These messages often create a sense of urgency, prompting recipients to click embedded URLs leading to counterfeit authentication pages. Once directed to these pages, victims are asked to enter their credentials and payment information, which are then harvested by the attackers.

In recent months, threat actors have exploited current events, with some campaigns using tariff-themed lures following reciprocal tariff announcements by the U.S. government. Proofpoint researchers identified the CoGUI phishing kit in December 2024 and have been tracking its evolution and deployment since then. The researchers noted that the total message volume peaked in January 2025, with over 172 million messages observed that month alone.

While Japanese organizations remain the primary target, several campaigns have also been observed targeting users in Australia, New Zealand, Canada, and the United States. This activity aligns with recent reporting from Japan’s Financial Services Agency regarding increased phishing campaigns leading to financial theft.

What makes CoGUI particularly dangerous is its sophisticated evasion techniques and the comprehensive nature of the data it steals. Beyond just usernames and passwords, the phishing kit is designed to capture payment card details, creating significant financial risk for victims.

Advanced Evasion Techniques

The CoGUI kit employs multiple layers of defense evasion that make it particularly difficult to detect. Central to its evasion strategy is browser profiling that collects the geographical location of the visitor's IP address, browser language configuration, browser type and version, screen dimensions, operating system platform, and device type.

This profiling serves two purposes: targeting specific victims and evading automated analysis systems. When a potential victim visits a CoGUI phishing page, the kit first evaluates whether the browser meets its targeting criteria. If the profile verification is satisfied, it delivers the phishing page designed to steal credentials. However, if the verification fails, the victim is redirected to a legitimate website matching the impersonated brand, effectively masking the attack attempt.

For instance, if the phish is spoofing "Amazon.co.jp" and the visitor fails verification, the visitor is seamlessly redirected to the legitimate Japanese Amazon website, so an automated scanner or analyst sees nothing but a benign redirect. This approach to victim targeting and sandbox evasion, combined with geofencing and header fencing, demonstrates why CoGUI has been so successful in its campaigns.
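The gating behaviour described above also explains why single-profile URL scanners tend to report these pages as clean. The following Python model is an added example, not CoGUI's code and not Proofpoint's tooling: `kit_gate` and `serve` simulate a fingerprint-gated landing page using the attributes the article lists (IP geolocation, Accept-Language, user agent, screen size, platform), and `scan` probes it with several constructed visitor profiles and flags the page when the responses diverge. The exact thresholds, the probe profiles and the redirect target are assumptions for illustration, not the kit's real rules.

```python
"""Fingerprint-gated phishing page and a multi-profile scanner (added example).

The gate models the behaviour described in the article: serve the credential
form only to visitors matching the targeting criteria, otherwise 302 to the
impersonated brand's real site. Thresholds and profiles are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed targeting criteria (assumptions, not CoGUI's actual rules).
TARGET_COUNTRIES = {"JP"}
TARGET_LANG_PREFIXES = ("ja",)
AUTOMATION_UA_TOKENS = ("headless", "phantom", "curl", "python-requests")
LEGIT_REDIRECT = "https://www.amazon.co.jp/"  # assumed redirect target
PHISH_BODY = "<form action='/login'>username, password, card number</form>"

Response = Tuple[int, Dict[str, str], str]  # status, headers, body


@dataclass(frozen=True)
class Profile:
    """What the kit can observe about a visitor (attributes named on the page)."""
    ip_country: str        # from IP geolocation, decided server-side
    accept_language: str   # e.g. "ja-JP,ja;q=0.9"
    user_agent: str
    screen: Tuple[int, int]
    platform: str


def kit_gate(p: Profile) -> bool:
    """Return True when the visitor matches the (assumed) targeting criteria."""
    if p.ip_country not in TARGET_COUNTRIES:          # geofencing
        return False
    if not p.accept_language.lower().startswith(TARGET_LANG_PREFIXES):
        return False                                   # header fencing
    ua = p.user_agent.lower()
    if any(tok in ua for tok in AUTOMATION_UA_TOKENS):  # sandbox evasion
        return False
    width, height = p.screen
    if width < 320 or height < 320:                    # implausible viewport
        return False
    return True


def serve(p: Profile) -> Response:
    """Simulated kit front door: phish on match, benign redirect otherwise."""
    if kit_gate(p):
        return 200, {"Content-Type": "text/html"}, PHISH_BODY
    return 302, {"Location": LEGIT_REDIRECT}, ""


# Scanner side. Constructed probe profiles: a typical sandbox plus two
# profiles shaped like the campaign's intended victims.
PROBES: Dict[str, Profile] = {
    "default_sandbox": Profile(
        "US", "en-US,en;q=0.9",
        "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0",
        (800, 600), "Linux x86_64"),
    "jp_desktop": Profile(
        "JP", "ja-JP,ja;q=0.9",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
        (1920, 1080), "Win32"),
    "jp_mobile": Profile(
        "JP", "ja-JP,ja;q=0.9",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
        (390, 844), "iPhone"),
}


def scan(fetch: Callable[[Profile], Response]) -> Dict[str, object]:
    """Fetch the page under every probe profile and flag response divergence.

    A page that redirects some profiles but serves a form to others is
    treated as fingerprint-gated (cloaking), even if the sandbox probe
    alone looks clean.
    """
    results = {name: fetch(p) for name, p in PROBES.items()}
    outcomes = {name: (status, headers.get("Location"))
                for name, (status, headers, _) in results.items()}
    return {
        "outcomes": outcomes,
        "cloaking_suspected": len(set(outcomes.values())) > 1,
        "credential_form_seen": any("<form" in body for _, _, body in results.values()),
        "sandbox_only_verdict": "clean" if outcomes["default_sandbox"][0] == 302 else "phish",
    }


if __name__ == "__main__":
    for key, value in scan(serve).items():
        print(f"{key}: {value}")
```

The `sandbox_only_verdict` field shows the failure mode the article describes: a scanner that only ever presents the default sandbox profile follows the 302 to the real brand site and reports the URL as clean, while the divergence across profiles is what actually exposes the gate. In practice, IP country cannot be spoofed from a header, so a real scanner needs egress points in the targeted region (here Japan) to exercise the geofencing branch.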