Japan orgs targeted by CoGUI phishing kit impersonating Amazon, Rakuten
People and organizations across Japan are being inundated with phishing messages from cybercriminals who are using a sophisticated toolkit that lets them avoid detection.
Security firm Proofpoint said the goal of the campaign is to steal usernames, passwords and payment information, and it’s making use of the CoGUI phishing kit that’s primarily associated with Chinese-speaking threat actors.
In January, Proofpoint tracked 172 million messages launched through CoGUI, according to a report published this week. The number may be even higher because some messages may be blocked by already existing detections used by Proofpoint, the researchers added.
Most of the campaigns spoof Amazon, but Proofpoint said it has seen hackers impersonating “payment cards, transport cards, popular banks, retailers like Rakuten and Apple, and Japan’s national tax agency.”
CoGUI allows the hackers to profile the browser a victim is using, tracking information like the IP address location, the language used, the type of browser, the size of the monitor or whether the victim is using a mobile device.
The profile of a victim’s device allows hackers to determine whether to deliver the phishing page or send the user to the legitimate website.
“These methods allow the kit to selectively target specific geographic regions while evading security measures, making it a significant threat to potential victims in the targeted countries,” Proofpoint said.
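For defenders, the gating described above is why a scan of a lure URL from a single location and browser profile can come back clean. The following is an added example, not code from Proofpoint or the original article: it compares where one URL lands across several client profiles and reports which attributes appear to control delivery. All hosts, profiles and function names are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed observations: the same lure URL requested with different client
# profiles, recording where each request finally landed. Hosts are placeholders,
# not indicators from the Proofpoint report.
OBSERVATIONS = [
    {"geo": "JP", "lang": "ja", "mobile": True,  "final_url": "https://login.lure.example/signin"},
    {"geo": "JP", "lang": "ja", "mobile": False, "final_url": "https://login.lure.example/signin"},
    {"geo": "JP", "lang": "en", "mobile": False, "final_url": "https://www.brand.example/"},
    {"geo": "US", "lang": "ja", "mobile": False, "final_url": "https://www.brand.example/"},
    {"geo": "US", "lang": "en", "mobile": False, "final_url": "https://www.brand.example/"},
    {"geo": "US", "lang": "en", "mobile": True,  "final_url": "https://www.brand.example/"},
]
LEGIT_DOMAINS = {"brand.example"}  # domains owned by the impersonated brand (assumed)


def is_legit(url):
    """True when the URL's host is a legitimate brand domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyse(observations):
    """Flag profile-dependent delivery and infer which attributes gate it."""
    served = [o for o in observations if not is_legit(o["final_url"])]
    passed = [o for o in observations if is_legit(o["final_url"])]
    result = {"cloaked": bool(served) and bool(passed), "gates": {}}
    if not result["cloaked"]:
        return result
    for attr in ("geo", "lang", "mobile"):
        values = {o[attr] for o in served}
        # Heuristic: an attribute gates delivery when every profile that got the
        # non-brand page shares one value and a redirected profile differs on it.
        if len(values) == 1 and any(o[attr] not in values for o in passed):
            result["gates"][attr] = values.pop()
    return result


if __name__ == "__main__":
    print(analyse(OBSERVATIONS))
```

A URL that resolves to the real brand site from an analysis sandbox but to another host from a Japanese-language profile in Japan should be treated as suspicious rather than cleared.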
CoGUI has been in use since at least October and Proofpoint began tracking it in December — with some campaigns involving millions of messages.
Proofpoint says it saw about 50 campaigns per month and each is typically conducted over a three- to five-day stretch.
Many of the emails, including one campaign during the week of March 24, claim to be from Amazon and ask victims to update their account for security reasons. The emails contain a URL that takes victims to a fake Amazon site “leveraging the CoGUI phish kit.”
The other phishing emails urge victims to either verify their identity or offer gift certificates and account “points.”
LLMs supercharge Japanese phishing
The Proofpoint report this week said that due to the use of the CoGUI phish kit, Japan “has become one of the most targeted countries in Proofpoint data based on campaign volume.” The researchers noted that several other phishing campaigns used the kit in Australia, New Zealand, Canada and the United States — but all saw fewer incidents than Japan.
At the RSA Conference in San Francisco last week, Proofpoint Chief Strategy Officer Ryan Kalember told Recorded Future News that Japanese phishing was typically rare for many years due to hackers’ inability to speak the language and match the cultural appropriateness.
But now, with large language models like ChatGPT, hackers can craft the type of emails needed to trick Japanese victims.
“Now, you can ask: ‘If I was a Japanese vendor to a school district and I wanted to change the billing details in my contract, how would I ask for that to a complete stranger?’” Kalember explained.
“Large language models have made this all accessible. Language phishing in Asian languages has materially changed. ChatGPT will give you exactly what you want, including the cultural context, including things that are non-obvious. That barrier that Japan used to have is no longer.”
Some of the phishing emails now use recently announced tariffs as a lure. Proofpoint said its research aligned with a recent report released by Japan’s Financial Services Agency that said hundreds of millions of dollars worth of unauthorized trades are being conducted on hacked brokerage accounts in the country.
“While the report does not provide indicators of compromise to compare with known campaigns, this Rakuten themed campaign and others impersonating different finance organizations that Proofpoint observed in April appear to align with the techniques described in the agency’s release,” they said.
Japanese officials said that as of April 16, 12 securities firms reported fraudulent transactions, with sales totaling about $350 million and purchases worth about $315 million.
Proofpoint also said it saw more finance-related CoGUI campaigns in April 2025 following the announcement of new tariffs issued by the U.S. government.
The company said CoGUI is used by a variety of threat actors but explained that it is “likely” Chinese hackers are the people mainly targeting Japanese-speakers in Japan. Even the campaigns used outside of Japan are targeting Japanese speakers and companies operating out of Japan.
“The appearance of CoGUI aligns with an increasing trend in Chinese language cybercrime across the threat landscape since 2023, including phishing kits like Darcula and malware campaigns based off Gh0stRAT variants,” Proofpoint added.
Proofpoint researchers also found similarities between CoGUI phish kits and the tools used for recent SMS-based campaigns targeting Americans with threats of unpaid tolls.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.