Full Report
A new phishing kit named 'CoGUI' sent over 580 million emails to targets between January and April 2025, aiming to steal account credentials and payment data. [...]
Analysis Summary
# Tool/Technique: CoGUI Phishing Platform
## Overview
CoGUI is a large-scale phishing platform utilized by threat actors, primarily from China, to conduct credential harvesting operations. It has been responsible for sending an estimated 580 million phishing emails, mainly targeting Japanese users, though it has also been observed in smishing campaigns in the United States. The platform uses sophisticated redirection logic to ensure that only specific, high-value targets see the malicious content.
## Technical Details
- Type: Attack Tool / Phishing Kit
- Platform: Web-based delivery mechanism, targets desktop and mobile users via email and SMS (smishing).
- Capabilities: Advanced link resolution based on victim characteristics, credential harvesting via targeted login pages, high-volume email distribution.
- First Seen: Not explicitly stated, but detailed analysis by Proofpoint suggests recent significant activity.
## MITRE ATT&CK Mapping
Based on its function as a phishing delivery system resulting in credential theft:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Potential for links in emails)
    - T1566.002 - Spearphishing Link
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (If the harvested credentials are used later)
## Functionality
### Core Capabilities
- **Phishing Email Distribution:** Sending massive volumes of emails (580 million observed) impersonating trusted brands with urgent subject lines.
- **Credential Harvesting:** Deploying fake login forms mimicking legitimate brand designs to trick victims into entering sensitive information.
- **Smishing Operations:** Utilized in text message-based phishing ("smishing") campaigns, such as those utilizing "outstanding toll payment" lures in recent US activity.
### Advanced Features
- **Targeted Link Resolution:** Links are resolved against strict criteria, and the malicious payload (the phishing page) is served only when the target meets predefined conditions, including:
  - IP address (location)
  - Browser language
  - Operating system
  - Screen resolution
  - Device type (mobile or desktop)
- **Suspicion Reduction:** If the target criteria are *not* met, victims are redirected to the genuine website of the brand being impersonated, which effectively reduces the suspicion rate among general traffic.
## Indicators of Compromise
*Note: The provided article snippet does not contain specific IOCs like hashes or direct C2 addresses, relying on descriptive context.*
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: Hosting URLs on the CoGUI platform are ephemeral and dynamically changed; no specific defanged domains provided.
- Behavioral Indicators: Emails/SMS containing urgent calls to action; redirection logic based on browser/device fingerprinting.
## Associated Threat Actors
- Primarily utilized by multiple threat actors originating from **China**.
- Predominantly targets **Japanese users**.
## Detection Methods
*Note: Specific technical detection signatures are not detailed in the context.*
- Signature-based detection: Matching known phishing page structures or URL patterns associated with the kit.
- Behavioral detection: Monitoring for suspicious redirection patterns (e.g., device/geo fingerprinting before showing a login form).
- YARA rules: [Not provided in context]
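One way to operationalize the behavioral detection above, and to reconstruct the gating criteria listed under Targeted Link Resolution, is to re-fetch a reported link under several client profiles and compare where each lands. The following is an added example, not code from the article or from Proofpoint's analysis; `Probe`, `conditional_redirect_findings`, `gating_traits`, the `.example` hosts and the sample probes are all constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Probe:
    """One re-fetch of a suspicious link under a chosen client profile."""
    accept_language: str     # Accept-Language header sent
    user_agent_family: str   # OS family implied by the User-Agent
    country: str             # egress country of the probing client
    final_url: str           # URL where the redirect chain ended

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def conditional_redirect_findings(probes, brand_hosts):
    """Probes that did NOT land on a genuine brand host, reported only when at
    least one other profile did: the same link resolving to different hosts
    depending on the client profile is the gating behaviour described above."""
    brand = {h.lower() for h in brand_hosts}
    on_brand = [p for p in probes if host_of(p.final_url) in brand]
    diverged = [p for p in probes if host_of(p.final_url) not in brand]
    if not on_brand or not diverged:
        return []  # uniform behaviour across profiles: no evidence of gating
    return [(p, host_of(p.final_url)) for p in diverged]

def gating_traits(probes, brand_hosts):
    """Attributes shared by every diverged probe and by no brand-landing probe,
    i.e. the analyst's reconstruction of which criteria unlock the page."""
    findings = conditional_redirect_findings(probes, brand_hosts)
    if not findings:
        return {}
    diverged = [p for p, _ in findings]
    legit = [p for p in probes if p not in diverged]
    traits = {}
    for attr in ("accept_language", "user_agent_family", "country"):
        seen = {getattr(p, attr) for p in diverged}
        if len(seen) == 1 and seen.isdisjoint({getattr(p, attr) for p in legit}):
            traits[attr] = seen.pop()
    return traits

# Constructed sample: one link probed four times; all hosts are placeholders.
BRAND_HOSTS = {"www.example-bank.example"}
SAMPLE_PROBES = [
    Probe("en-US", "Windows", "US", "https://www.example-bank.example/"),
    Probe("en-US", "Android", "US", "https://www.example-bank.example/"),
    Probe("ja-JP", "Android", "JP", "https://example-bank.verify-acct.example/login"),
    Probe("ja-JP", "iOS", "JP", "https://example-bank.verify-acct.example/login"),
]
```

On the sample, `gating_traits(SAMPLE_PROBES, BRAND_HOSTS)` returns `{'accept_language': 'ja-JP', 'country': 'JP'}`, which is the kind of profile-dependent divergence worth escalating; a link that lands on the same host for every profile produces no finding.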
## Mitigation Strategies
- **User Training:** Emphasize the danger of acting hastily on emails or texts requesting urgent action.
- **Independent Navigation:** Advise users to always log into claimed platforms independently (by typing the known URL) rather than clicking embedded links in unsolicited messages.
- **Email Filtering:** Deploy advanced email security solutions capable of identifying high-volume phishing campaigns and brand impersonation attempts.
## Related Tools/Techniques
- **Darcula Phishing Kit:** Explicitly mentioned as sharing similar goals (credential theft) but found to be technically unrelated to CoGUI, although both are used by Chinese threat actors. Darcula has recently seen an increase in activity, seemingly absorbing some of CoGUI's former smishing targets (US toll scams).