Japanese businesses are being bombarded with millions of phishing messages

  • Proofpoint observes notable spike in phishing emails targeting Japanese businesses
  • The emails are being sent out via a kit called CoGUI
  • The researchers attributed the attack to a Chinese-speaking threat actor

Threat actors are flooding Japanese businesses with phishing attacks, and are using a unique phishing kit framework called CoGUI to do it.

Cybersecurity researchers at Proofpoint say they observed a “notable increase” in high-volume Japanese-language campaigns using CoGUI in the wild in October 2024, and began tracking the kit in December of the same year.

“The campaigns typically include a high-volume of messages, with counts ranging from hundreds of thousands to tens of millions per campaign, with an average of approximately 50 campaigns per month campaigned by our researchers,” Proofpoint explained.

Millions of messages

The campaign peaked in January 2025, when 172 million messages were sent out.

The attackers were mostly pretending to be Amazon, PayPal, or Rakuten, but other brands were abused, as well. Japan was, by far, the most targeted country, but Proofpoint also said that there were victims in Australia, New Zealand, Canada, and the United States.

The goal of the campaign was to steal people’s login credentials and system information. That data includes the geographical location of the IP address, language configuration of the browser, browser type and version, monitor height and width, OS, and the type of device used (mobile, desktop, laptop).

Proofpoint added that the kit cannot capture 2FA codes, but still described it as “sophisticated”, with advanced evasion techniques such as geofencing, header fencing, and fingerprinting.

These allowed the threat actors to focus on specific geographies, while evading most of today’s security measures.

The researchers attributed the attacks to a Chinese-speaking threat actor that mainly targets Japanese language speakers in Japan.

The best way to defend against these attacks remains the same: use common sense, and slow down when reading and responding to email messages.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
