CoGUI Phish Kit Targets Japan With Millions of Messages

    Date: 05/07/2025

    Severity: Critical

    Summary

    Our team has observed a surge in large-scale phishing campaigns written in Japanese, primarily targeting organizations in Japan using a phishing kit known as CoGUI. These campaigns often impersonate well-known consumer and payment brands like Amazon, PayPay, and Rakuten. CoGUI is a stealthy phishing framework designed to evade detection, with Japan being its main focus. While similar activity has been spotted in countries like Australia, New Zealand, Canada, and the U.S., it remains far less frequent.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://zjkso.cn/QJSmxXOQ/

    https://uhlkg.cn/HJmOkggh

    https://kzongfd.bo5wfb0f9.top/Kfade

    https://evrryday.com/paypay-login-ne-jp

    https://ezdrivema.com-kpy.win/I/

    https://sunpass.com-tyjr.cc/pay/

    https://etcady.xin/pay/

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Domains / URLs:

    domainname like "https://kzongfd.bo5wfb0f9.top/Kfade" or url like "https://kzongfd.bo5wfb0f9.top/Kfade" or siteurl like "https://kzongfd.bo5wfb0f9.top/Kfade" or
    domainname like "https://uhlkg.cn/HJmOkggh" or url like "https://uhlkg.cn/HJmOkggh" or siteurl like "https://uhlkg.cn/HJmOkggh" or
    domainname like "https://ezdrivema.com-kpy.win/I/" or url like "https://ezdrivema.com-kpy.win/I/" or siteurl like "https://ezdrivema.com-kpy.win/I/" or
    domainname like "https://evrryday.com/paypay-login-ne-jp" or url like "https://evrryday.com/paypay-login-ne-jp" or siteurl like "https://evrryday.com/paypay-login-ne-jp" or
    domainname like "https://zjkso.cn/QJSmxXOQ/" or url like "https://zjkso.cn/QJSmxXOQ/" or siteurl like "https://zjkso.cn/QJSmxXOQ/" or
    domainname like "https://sunpass.com-tyjr.cc/pay/" or url like "https://sunpass.com-tyjr.cc/pay/" or siteurl like "https://sunpass.com-tyjr.cc/pay/" or
    domainname like "https://etcady.xin/pay/" or url like "https://etcady.xin/pay/" or siteurl like "https://etcady.xin/pay/"
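    For teams without the Gurucul TDIR console, the same IOC list can be swept against exported web-proxy logs with a short script. The following is an added example written for this advisory, not Gurucul's query engine or code from Proofpoint; the log format and the sample entries are constructed. It keeps the seven IOC URLs above verbatim and matches on two conditions: a visited URL that begins with a listed IOC URL, or a visited host that exactly equals the host of a listed IOC URL. The second condition is deliberately an exact string comparison, so a benign domain that merely resembles the start of an IOC host (for instance a genuine `ezdrivema.com` against the IOC host `ezdrivema.com-kpy.win`) does not produce a false positive.

```python
"""Sweep constructed proxy log lines against the CoGUI IOC URLs from this advisory.

Added illustration only: not Gurucul's TDIR engine and not Proofpoint's code.
The log format and the SAMPLE_LOG entries below are constructed for the example.
"""
from urllib.parse import urlsplit

# IOC URLs exactly as listed in the advisory above
IOC_URLS = [
    "https://zjkso.cn/QJSmxXOQ/",
    "https://uhlkg.cn/HJmOkggh",
    "https://kzongfd.bo5wfb0f9.top/Kfade",
    "https://evrryday.com/paypay-login-ne-jp",
    "https://ezdrivema.com-kpy.win/I/",
    "https://sunpass.com-tyjr.cc/pay/",
    "https://etcady.xin/pay/",
]

# Hosts derived from the IOC URLs, so a request to another path on the same
# host (a script, an image, a second landing page) is still flagged.
IOC_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_URLS}


def url_matches(url):
    """Return the IOC entry that a visited URL matches, or None.

    Check 1: the URL starts with a listed IOC URL (the exact landing page).
    Check 2: the URL's host equals a listed IOC host.  This is an exact
    comparison: 'ezdrivema.com' is NOT matched by 'ezdrivema.com-kpy.win'.
    """
    url = url.strip()
    host = urlsplit(url).hostname
    if host is None:
        return None  # not a URL at all; nothing to match
    for ioc in IOC_URLS:
        if url.startswith(ioc):
            return ioc
    host = host.lower()
    if host in IOC_HOSTS:
        return host
    return None


# Constructed proxy log, one request per line: "<timestamp> <user> <url> <status>"
SAMPLE_LOG = """\
2025-05-07T09:12:01Z alice https://www.amazon.co.jp/gp/css/order-history 200
2025-05-07T09:14:37Z bob https://zjkso.cn/QJSmxXOQ/ 200
2025-05-07T09:15:02Z bob https://zjkso.cn/static/login.js 200
2025-05-07T09:20:45Z carol https://ezdrivema.com/account 200
2025-05-07T09:22:10Z dave https://sunpass.com-tyjr.cc/pay/?u=dave 302
"""


def scan_log(text):
    """Return a list of (timestamp, user, url, matched_ioc) for every line that hits an IOC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the whole sweep
        ts, user, url, _status = fields[:4]
        match = url_matches(url)
        if match is not None:
            hits.append((ts, user, url, match))
    return hits


if __name__ == "__main__":
    for ts, user, url, match in scan_log(SAMPLE_LOG):
        print(f"{ts} {user} {url} -> IOC {match}")
```

    On the constructed sample, the two requests from `bob` (the listed landing page, then another path on the same host) and the `sunpass.com-tyjr.cc` request from `dave` are reported; `alice`'s Amazon visit and `carol`'s visit to the unrelated `ezdrivema.com` are not. Point `scan_log` at a real export by reading the file into `text`, adjusting the field positions to the proxy's own format.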

    Reference: 

    https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages


    Tags

    Malware, Threat Actor, CoGUI, Phishing, Amazon, PayPay, Rakuten, Japan, Australia, New Zealand, Canada, United States

