Chinese Hackers Flood Japan with 580 Million Phishing Emails Using ‘CoGUI’ Kit


A powerful new phishing campaign is flooding Japanese email inboxes.

According to reports by cybersecurity firm Proofpoint, a cybercrime tool known as CoGUI was used to send over 580 million phishing emails between January and April 2025. This wave of scams is designed to steal usernames, passwords, and payment information, mostly by impersonating major companies like Amazon, Rakuten, Apple, and PayPal.

“The highest volume threat in current Proofpoint campaign data is a phishing kit named CoGUI, which is actively targeting Japanese organizations,” said Proofpoint in a newly published report.

How the scam works

CoGUI phishing messages often come with urgent subject lines, pushing victims to act quickly. Some examples include:

  • “To protect your account, please update your account.” (Amazon-themed).
  • “[Spring Thanksgiving] Get an Amazon gift certificate & 100,000 PayPay points with entry!” (PayPay-themed).
  • “【Emergency Response】AI Investment Strategy for Tariff Crisis” (Rakuten-themed).

Once clicked, the links in these emails don’t immediately take all users to fake sites. Instead, CoGUI first checks the victim’s device, including IP location, browser type, screen size, language settings, and whether it’s mobile or desktop. If the system fits a targeted profile, the link loads a convincing fake login page.

If not, users are redirected to the real company website, reducing suspicion and making the scam harder to detect.
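For defenders, this profile-gated redirect means a single sandbox fetch of a link can land on the real site and look clean. The sketch below is an added example, not code from Proofpoint's report or from the kit; it compares constructed crawl results for one link across several client profiles and flags the mismatch. The record fields, function names, and `.example` hosts are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sandbox results: one emailed link fetched under four client
# profiles. Hosts use the reserved .example TLD; nothing here is a real IoC.
BRAND_DOMAINS = {"brand.example"}
CRAWLS = [
    {"profile": {"geo": "JP", "lang": "ja-JP", "device": "mobile"},
     "final_url": "https://login.brand-verify.example/signin", "password_form": True},
    {"profile": {"geo": "JP", "lang": "ja-JP", "device": "desktop"},
     "final_url": "https://login.brand-verify.example/signin", "password_form": True},
    {"profile": {"geo": "US", "lang": "en-US", "device": "desktop"},
     "final_url": "https://www.brand.example/", "password_form": False},
    {"profile": {"geo": "DE", "lang": "ja-JP", "device": "mobile"},
     "final_url": "https://www.brand.example/", "password_form": False},
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_brand_host(host, brand_domains):
    # Exact match or true subdomain; "brand.example.evil.test" must not pass.
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def detect_cloaking(crawls, brand_domains):
    """Flag a link whose landing page depends on the client profile."""
    served, bounced = [], []
    for c in crawls:
        if is_brand_host(host_of(c["final_url"]), brand_domains):
            bounced.append(c)      # redirected to the real company site
        elif c["password_form"]:
            served.append(c)       # credential form on a non-brand host
    cloaked = bool(served) and bool(bounced)
    gate = {}
    if cloaked:
        # Values shared by every served profile and seen in no bounced one
        # are the likely gating conditions.
        for key in served[0]["profile"]:
            vals = {c["profile"].get(key) for c in served}
            seen_bounced = {c["profile"].get(key) for c in bounced}
            if len(vals) == 1 and not (vals & seen_bounced):
                gate[key] = next(iter(vals))
    return {"cloaked": cloaked, "gate": gate,
            "phish_hosts": sorted({host_of(c["final_url"]) for c in served})}

if __name__ == "__main__":
    print(detect_cloaking(CRAWLS, BRAND_DOMAINS))
```

A link that returns only the brand's own site under one profile should not be treated as benign until it has been fetched under profiles matching the targeted population.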

Japan is the main target, but not the only one

Most phishing attempts focus on Japan, where Proofpoint observed millions of messages per campaign. Over 172 million phishing emails were tracked across 170 campaigns in January alone. Other countries like the U.S., Canada, Australia, and New Zealand have also seen activity, though on a much smaller scale.

This pattern of targeting lines up with an alert from Japan’s Financial Services Agency, which recently warned of an increase in phishing aimed at financial institutions.

Who’s behind the CoGUI kit?

Proofpoint believes that Chinese-speaking threat actors are behind CoGUI. While it shares similarities with another phishing kit called Darcula, which is also linked to Chinese hackers, the two platforms are not directly related.

“Interestingly, while investigating CoGUI phish kits, researchers noticed similarities to another type of activity Proofpoint is tracking: Road Toll Smishing, … Since 2025, Road Toll Smishing infrastructure has evolved to use a phish kit called Darcula,” said Selena Larson, a staff threat researcher with Proofpoint. “Ultimately, our analysis found that the Darcula phish kit is unrelated to CoGUI and its presence in Road Toll Smishing is notably different.”

Both CoGUI and Darcula contain Chinese code elements and use the same user-profiling techniques, but their targeting methods differ. Darcula mostly hits mobile users, while CoGUI targets users on mobile or web browsers.

What can you do to stay safe?

Phishing emails often look trustworthy and include logos and branding from familiar companies. Cybersecurity experts advise against clicking links in suspicious emails. Instead, go directly to the official website and log in.

Organizations should also educate employees about phishing scams and implement multifactor authentication (MFA) across services. For protection against more advanced threats, hardware-based security keys built on FIDO standards are recommended.

Aminu Abdullahi
