A new phishing kit called CoGUI has been used to send over 580 million emails between January and April 2025 in an attempt to steal account credentials and payment information from users.

Cybersecurity researchers at Proofpoint discovered the campaign, calling it the largest phishing operation they are currently tracking. Most of the phishing messages impersonate well-known brands like Amazon, PayPal, Apple, Rakuten, and various banks and government agencies.

The majority of these attacks targeted users in Japan, although smaller campaigns also reached the United States, Canada, Australia, and New Zealand.

The phishing emails often used urgent language to trick recipients into clicking links that led to fake websites designed to look like legitimate login pages. However, these phishing sites only loaded for users who met certain conditions, such as being in a specific location or using a particular device. If the target didn’t meet the criteria, they were redirected to the real site, making the scam harder to detect. Once on the fake site, users were asked to enter sensitive information, which was then collected by the attackers.
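The conditional loading described above means a link checked from a single vantage point can simply be redirected to the real site and look clean. The following is an added example, not code from Proofpoint or from the kit: a check that compares how one link behaves across several client profiles and flags links that show a credential form to some profiles while sending others elsewhere. The record fields, profile names and hosts are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: each record is one visit to an emailed link from a
# different client profile (region/device). Hosts and field names are made up.
OBSERVATIONS = [
    {"url": "https://login-check.example.net/a", "profile": "JP/mobile",
     "final_url": "https://login-check.example.net/signin", "password_field": True},
    {"url": "https://login-check.example.net/a", "profile": "JP/desktop",
     "final_url": "https://www.brand.example/", "password_field": False},
    {"url": "https://login-check.example.net/a", "profile": "US/desktop",
     "final_url": "https://www.brand.example/", "password_field": False},
    {"url": "https://news.example.org/r/1", "profile": "JP/mobile",
     "final_url": "https://news.example.org/story", "password_field": False},
    {"url": "https://news.example.org/r/1", "profile": "US/desktop",
     "final_url": "https://news.example.org/story", "password_field": False},
    {"url": "https://accounts.shop.example/login", "profile": "JP/mobile",
     "final_url": "https://accounts.shop.example/login", "password_field": True},
    {"url": "https://accounts.shop.example/login", "profile": "US/desktop",
     "final_url": "https://accounts.shop.example/login", "password_field": True},
]


def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def find_gated_links(observations):
    """Flag links that show a credential form to some profiles and send others elsewhere."""
    by_url = defaultdict(list)
    for obs in observations:
        by_url[obs["url"]].append(obs)

    findings = {}
    for url, runs in by_url.items():
        form_hosts = {host(r["final_url"]) for r in runs if r["password_field"]}
        served = sorted(r["profile"] for r in runs if r["password_field"])
        # Profiles that saw no form and ended up on a different host than the form.
        bounced = {r["profile"]: host(r["final_url"]) for r in runs
                   if not r["password_field"] and host(r["final_url"]) not in form_hosts}
        if served and bounced:
            findings[url] = {"served_to": served, "redirected": bounced}
    return findings


if __name__ == "__main__":
    for link, detail in find_gated_links(OBSERVATIONS).items():
        print(link, detail)
```

A link that behaves the same for every profile, whether it always shows a login form or never does, is not flagged here; this check only surfaces the profile-dependent split.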

CoGUI has also been linked to smishing (SMS phishing) attacks in the United States, using fake toll payment messages to lure victims. While these mobile attacks have mostly shifted to another phishing kit called Darcula, CoGUI remains active and may be adopted by more cybercriminals in the future.

Researchers believe the kit is primarily used by Chinese threat actors and is designed to serve multiple criminal groups.
