CoGUI Phishing Scam: 580 Million Emails Flood Inboxes Worldwide

Swagta Nath

In a startling revelation, cybersecurity firm Proofpoint has uncovered a phishing operation of unprecedented scale driven by a new phishing kit known as CoGUI, which sent over 580 million malicious emails between January and April 2025. The campaign, which aimed to steal account credentials and payment data, primarily targeted users in Japan, while smaller attack clusters were observed in the United States, Canada, Australia, and New Zealand.

According to Proofpoint, CoGUI now ranks as the highest-volume phishing operation currently tracked by its researchers. The kit’s operation peaked in January 2025, when over 172 million phishing emails were sent in 170 separate campaigns. These messages impersonated well-known brands such as Amazon, PayPal, Apple, Rakuten, tax authorities, and major financial institutions.

How CoGUI Executes Its Sophisticated Phishing Attacks

The CoGUI phishing campaign relies on deception, scale, and precision targeting. Each attack typically begins with a spoofed email urging the recipient to take immediate action—often involving a fake alert about account issues or unpaid balances.

Embedded within the email is a malicious URL that redirects victims to a phishing page. But CoGUI introduces a unique screening mechanism—the link activates only if the victim meets specific attacker-defined conditions, such as:

  • IP address location

  • Browser language

  • Operating system

  • Screen resolution

  • Device type (mobile/desktop)

If the criteria are not met, the URL redirects users to the legitimate version of the impersonated brand’s website, helping the threat actors avoid detection and reduce suspicion.

Victims who meet the conditions land on a highly convincing fake login page that mirrors the target brand’s interface. Once users input their credentials or financial details, the information is harvested and transmitted to attacker-controlled servers.
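The conditional redirect described above is a form of cloaking, and the same property that hides the phishing page from security tools is what a defender can test for: resolve the lure once per client profile and compare where each one lands. The following is an added example, not Proofpoint's code or anything from the CoGUI kit itself. Everything in it is constructed: the `.invalid` hostnames are placeholders, the profiles are made up, and `simulated_fetch` stands in for a real redirect-following HTTP client and merely imitates the screening behaviour the report describes.

```python
"""Detect a cloaked phishing link by probing it with several client profiles.

Added example, not code from the original article or from Proofpoint.
`simulated_fetch` is a constructed stand-in for an HTTP client that follows
redirects; it mimics the behaviour the report attributes to the kit (only a
visitor matching the attacker's filter reaches the credential page, everyone
else is sent to the brand's real site) so the check can run offline.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ClientProfile:
    name: str
    user_agent: str
    accept_language: str
    country: str  # geolocation of the source IP, as the server would see it


# Constructed profiles spanning the attributes the report says the kit screens on
# (location, browser language, operating system, device type).
PROFILES = [
    ClientProfile("jp-mobile", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "ja-JP", "JP"),
    ClientProfile("jp-desktop", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ja-JP", "JP"),
    ClientProfile("us-desktop", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "en-US", "US"),
    ClientProfile("sandbox", "python-requests/2.31", "en-US", "US"),
]

# Hypothetical hostnames used only in this example.
LURE_URL = "https://example-lure.invalid/r/abc123"
PHISH_HOST = "login-example-brand.invalid"
LEGIT_HOST = "www.example-brand.invalid"


def simulated_fetch(url: str, profile: ClientProfile) -> str:
    """Constructed stand-in for following redirects; returns the final URL.

    Only a Japanese, mobile visitor is sent to the credential-harvesting page;
    every other profile is redirected to the legitimate brand site, which is the
    screening behaviour the report describes.
    """
    is_japanese = profile.accept_language.startswith("ja") and profile.country == "JP"
    is_mobile = "iPhone" in profile.user_agent or "Android" in profile.user_agent
    if is_japanese and is_mobile:
        return f"https://{PHISH_HOST}/signin"
    return f"https://{LEGIT_HOST}/"


def probe(url: str, profiles, fetch=simulated_fetch) -> dict[str, str]:
    """Resolve `url` once per profile and record the final hostname reached."""
    return {p.name: urlparse(fetch(url, p)).hostname for p in profiles}


def is_cloaked(results: dict[str, str]) -> bool:
    """A lure that lands different clients on different hosts is cloaking."""
    return len(set(results.values())) > 1


def suspicious_hosts(results: dict[str, str], legit_host: str) -> list[str]:
    """Hosts that some profiles reached which are not the brand's real host."""
    return sorted({h for h in results.values() if h != legit_host})


if __name__ == "__main__":
    outcome = probe(LURE_URL, PROFILES)
    for name, host in outcome.items():
        print(f"{name:>11}: {host}")
    if is_cloaked(outcome):
        print("cloaking detected; non-brand hosts:", suspicious_hosts(outcome, LEGIT_HOST))
```

The point of the check is that a single fetch from a scanning sandbox would see only the legitimate brand site and pass the link; disagreement between profiles is the signal. In a real deployment `simulated_fetch` would be replaced by an HTTP client that sets the profile's headers and egresses from the matching region, and any host reached that is not the brand's own is the one to block and report.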


Chinese-Origin Threat Actors Suspected, But Not Confirmed

While early similarities to the Darcula phishing kit suggested a shared origin, Proofpoint’s deeper investigation confirmed that CoGUI and Darcula are separate toolkits, despite both being used by China-based cybercriminals.

CoGUI was first identified as active in October 2024, but Proofpoint began tracking its activities more closely from December 2024 onward. Analysts believe that multiple threat actors are now leveraging the CoGUI platform, with its infrastructure facilitating large-scale, automated credential theft. Most operations still focus on Japan, but there are signs that global expansion is possible.

Interestingly, CoGUI has also been linked to smishing campaigns in the U.S., using fake “outstanding toll payment” messages. However, this activity has largely transitioned to Darcula, suggesting operational shifts between phishing-as-a-service providers.

Global Implications and Cyber Hygiene Tips

With over half a billion phishing emails attributed to CoGUI in just four months, cybersecurity experts warn that such platforms could easily be repurposed for global attacks. CoGUI's ability to emulate trusted brands and filter out unqualified traffic makes it a potent weapon for phishing campaigns worldwide.

Recommended countermeasures:

  • Avoid clicking on links in unsolicited emails, even if they appear legitimate.

  • Manually navigate to websites by typing the URL instead of relying on embedded links.

  • Use two-factor authentication (2FA) wherever possible to limit unauthorized access.

  • Report suspicious emails to relevant cybersecurity or IT teams.

As phishing kits like CoGUI evolve in complexity and scale, the onus is on both individuals and organizations to stay vigilant, train users, and implement layered defenses.
