A new phishing kit called ‘Kugui’ sent more than 580 million emails to the target between January and April 2025, aimed at stealing account credentials and payment data.
Messages implement major brands such as Amazon, Rakutane, PayPal, Apple, Tax Agencies and Banks.
The activity concluded in January 2025, where 170 campaigns sent 172,000,000 fishing messages to the target, but the next months maintained equally impressive versions.
Proofpoint researchers discovered CGUI campaigns, stating that this is the highest volume fishing campaign they currently track. The attacks mainly target Japan, although small -scale campaigns were also directed in the United States, Canada, Australia and New Zealand.
Kagui is active at least from October 2024, but Proofpoint started trekking It further in December.
Source: Proofpoint
Analysts found several similarities for the dark fishing kit, which are associated with the China-based operators, and initially it was believed that the origin of the Kogo attacks is the same.
However, on deep examination, proofpoint concluded that two fishing kits are unrelated, even though they are used by Chinese danger actors.
Kogi attack chain
The attack begins with a fishing email that applies a reliable brand, often requires the action of the recipient.
Messages include an URL that redirects the host on the Kagui Fishing platform, but the link is solved only when the target fulfills pre-defined specific criteria by the assailants.
These criteria include their IP address (location), browser language, operating system, screen resolution and device type (mobile or desktop).
If the criteria is not met, the victims are redirected to the valid site of the brand that was imposed to reduce doubts.
Called goals are redirected to a fishing page, characterized by a fake login form that mimics the design of the real brand, which helps the victims to enter their sensitive information.
Source: Proofpoint
Proofpoint has also found that Kagui was behind the operations targeting the United States with ‘outstanding toll payments’. However, it was noted that most of that activity have now moved to Darula.
Researchers believe that CGUI facilitates operating many danger actors, mainly from China, who mainly target Japanese users.
However, the kit can be adopted by other cyber criminals at any time with a separate targeting scope, resulting in a large -scale attack waves kill other countries.
The best way to reduce fishing risks is never to work with a hurry when receiving emails, which request immediate action, and always log in independently on the claimed platform instead of following embedded links.
Based on the analysis of 14M malicious tasks, search for the top 10 MITERAT & CK techniques behind the 93% attacks and how to defend them against them.
