
Executive summary
In November 2025, Google filed a federal RICO lawsuit against a China-based cybercriminal network, the first time a tech giant has used organized crime statutes to pursue a PhaaS operator. The complaint pulls back the curtain on an operation that compromised up to 115 million credit cards, operated across 121 countries, and ran with the organizational discipline of a black-market enterprise: dedicated developer teams, bulk-SMS infrastructure providers, data brokers, and a money-laundering division coordinating openly on Telegram. For Japan, the filing is more than headline news. It is a rare court-documented window into the same ecosystem that has been quietly flooding Japanese inboxes and mobile devices for years.
Japan’s inbox threat landscape increasingly looks “coordinated” from the victim’s perspective, even when it is not. In practice, multiple unrelated operators converge on the same target population simultaneously.
- Three distinct clusters are active against Japan in parallel: CoGUI (high-volume email phishing), Smishing Triad (high-volume SMS/iMessage “Lighthouse/Darcula” ecosystem), and MirrorFace / Earth Kasha (targeted espionage via spearphishing and post-exploitation tradecraft).
- Convergence is real, coordination is not required. Japanese victims can encounter multiple campaigns in the same week across email and mobile channels, producing an operational “single campaign” illusion.
- The most consequential open question is whether a localization-as-a-service (LaaS) layer exists inside the broader Chinese eCrime ecosystem—i.e., Japanese-language and Japan-brand expertise being sold or shared to multiple operator buyers.
- Defensive implication: prioritize durable behavioral indicators (TDS behavior, kit fingerprinting, API wrapper patterns, payload structure) over short-lived domains/IPs.
The framing question that drove this analysis is simple: what does the Japanese threat landscape look like from the victim’s side of the inbox?
Not from the perspective of any individual vendor tracking any individual actor, but from the perspective of a ministry official in Kasumigaseki, a Rakuten account holder in Osaka, or a semiconductor engineer at a Tsukuba research park.
What they see is this:
- An Amazon Japan phishing page served by CoGUI landing in corporate email.
- A Japan Post toll-violation SMS pushed by Smishing Triad infrastructure, clicking through to a mobile-only credential harvester.
- If they work in the right sector, a carefully worded Japanese-language spearphish from MirrorFace themed around Japan’s economic security strategy.
Three entirely different operators, three entirely different motivations—but to the target they can look like a single coordinated campaign.
That convergence matters for defense. But the nature of the convergence is not what it might appear. This research attempts to identify what is genuinely shared between the three actor clusters, what is coincidental, and—most speculatively but most interestingly—whether a localization-as-a-service layer inside the Chinese eCrime ecosystem is providing Japanese-language expertise to multiple operator buyers simultaneously.
1.1 Japan as a convergence target
Japan has become one of the most concentrated targets in the global cyber threat landscape. That concentration is driven by structural factors, not random selection.
- Economic profile. Japan has the world’s third-largest economy, a dense concentration of advanced manufacturing and semiconductor IP, and an affluent consumer population accustomed to routine digital transactions across a relatively small number of dominant platforms (Amazon, Rakuten, PayPay, Japan Post, SMBC). That combination creates a high-yield environment for both criminal financial fraud and state-level IP theft.
- The iMessage factor. Japan’s iPhone penetration exceeds 50% of smartphone users. iMessage traffic bypasses carrier-level spam filtering entirely. A criminal operator who has built Japan-targeting SMS infrastructure gains a meaningful delivery advantage versus operating in lower-iOS-penetration markets.
- Policy environment. Since 2022—METI’s economic security legislation, Japan’s revised National Security Strategy, tightening semiconductor export controls, and the publicly elevated Japan–US–Taiwan security alignment—Japan has become a higher-priority intelligence collection target for Chinese state-affiliated actors. The timing of MirrorFace escalation and the introduction of NOOPDOOR as a persistence layer in 2023 aligns with this policy window (per public reporting).
- Defensive maturity vs volume. Japan invests in cybersecurity, but JPCERT/CC and IPA operate with constrained resources relative to threat volume. EDR deployment is uneven, and incident reporting culture—while improving—still produces significant underreporting. That gap between threat density and defensive coverage is where all three actors operate.
The most exploited advantages in Japan are cultural as much as technical.

Japan’s corporate culture operates on the principle of taimen (体面)—face, reputation, the preservation of institutional dignity. Disclosing a major data breach is not merely a regulatory event; it is a reputational catastrophe that reflects poorly on leadership, triggers board-level embarrassment, and risks damaging trust relationships (including keiretsu ties) that underpin business.
This creates a structural incentive to avoid disclosure: remediate quietly, classify internally, and suppress external escalation. Where public reporting has compared dwell time patterns in Japanese victims versus Western victims, longer dwell times have been observed in Japan (per vendor reporting). This is not necessarily because Japanese defenders are less competent—it is because organizational dynamics that normally trigger escalation and external IR engagement can be actively suppressed.
1.2 Three actors, three motivations, one target population
This research covers three distinct threat clusters that share a target country but differ in goals, tactics, and operator profile.
CoGUI is a phishing-as-a-service framework operated by Chinese-speaking threat actors, primarily targeting Japan through high-volume email campaigns (per Proofpoint reporting). Its goal is credential and payment card theft; stolen data is used for financial fraud.

Phishing page from a CoGUI campaign active in April 2026
Smishing Triad is a Chinese-speaking criminal franchise built around the “Lighthouse / Darcula” phishing kit ecosystem (per Silent Push and Unit 42 reporting). It operates primarily through SMS and iMessage delivery and runs a broader marketplace model across Telegram with competing vendors at multiple supply-chain layers.

Smishing Triad kit / infrastructure example
MirrorFace / Earth Kasha is a Chinese state-affiliated espionage actor attributed by Japan’s National Police Agency (January 2024) to Chinese state direction, and assessed by ESET and others as related to (or under) the APT10 umbrella. Its motivation is intelligence collection: defense contractors, ministries, think tanks, and research institutions. It operates at the opposite end of the spectrum from the other two—targeted, low-noise intrusions with longer operational timelines.
1.3 The convergence hypothesis
Two hypotheses about the relationship between these actors are tested:
H1 — Shared infrastructure. Do the three clusters share hosting ASNs, registrars, or certificate infrastructure in ways suggesting common procurement or coordination?
H2 — Localization-as-a-service. Is there evidence of a shared Japanese-language content production layer (vendor or ecosystem service) providing polished Japanese lures and brand templates to multiple operators simultaneously?
2.1 Intelligence baseline construction
The intelligence baseline was built from publicly available reporting across seven primary sources: Proofpoint (CoGUI, May 2025), Silent Push (Smishing Triad, April 2025), Palo Alto Unit 42 (Smishing Triad, October 2025), JPCERT/CC (MirrorFace, July 2024), ESET (Operation AkaiRyū, March 2025), Trend Micro (Earth Kasha, November 2024 and the ANEL return report), and NFLaboratories JSAC2023 (LODEINFO technical deep dive).
Where vendor naming and clustering differed (e.g., MirrorFace vs Earth Kasha; APT10 attribution), the approach was to acknowledge both framings and present the stronger evidentiary case. ESET formally considers MirrorFace a subgroup under APT10, citing ANEL’s reappearance; Trend Micro maintains “potentially related.” This report uses that split to calibrate attribution confidence rather than selecting a single label for convenience.
Sources (public reporting)
The analysis above is based primarily on the following public reports and technical references:
- Proofpoint — CoGUI (May 2025)
- Silent Push — Smishing Triad (April 2025)
- Palo Alto Networks Unit 42 — Smishing Triad (October 2025)
- JPCERT/CC — MirrorFace / NOOPDOOR (July 2024)
- ESET — Operation AkaiRyū / MirrorFace (March 2025)
- Trend Micro — Earth Kasha / MirrorFace-related reporting (2024)
- NFLaboratories — JSAC2023 LODEINFO technical deep dive
2.2 Infrastructure analysis approach
Infrastructure analysis relied on:
- Passive DNS review and ASN-level pattern observation across the three clusters
- WHOIS registration data (notably registrar identification patterns for Smishing Triad in published datasets)
- Hosting pattern analysis from cited reports
Shared infrastructure was treated as a lead for further investigation, not as standalone attribution evidence. This is particularly important for CoGUI vs Smishing Triad comparisons, where full hosting detail is not consistently published.
2.3 Behavioral indicators over short-lived IoCs

This report deprioritizes domain- and IP-level IoCs throughout. Smishing Triad rotates infrastructure aggressively; CoGUI campaigns can run in short windows; and MirrorFace infrastructure changes after exposure/attribution events. The behavioral signatures—geofencing patterns, browser profiling logic, Chinese-language code strings, DLL sideloading chains, and beacon/payload structure—remain useful across versions and are therefore more valuable for detection engineering.

3 Actor profiles with TTPs
3.1 CoGUI (first observed October 2024)

CoGUI is a phishing kit framework targeting Japan at high volume (per Proofpoint). It operates via email, targets consumer and financial brands, and appears to be used by multiple operators sharing the same kit infrastructure.

Phishing email impersonating Rakuten
Scale and tempo (reported). Proofpoint reporting describes very large campaign volumes and high campaign cadence in 2024–2025, with campaigns typically lasting a few days and rotating quickly. Brands targeted include Amazon Japan, PayPay, Rakuten, SBI Securities, Apple, and Japan’s National Tax Agency.

Phishing page impersonating Amazon Japan; the link redirects the victim

After the redirect, the phishing page presents a login page

The user is then directed to enter payment details, leading to theft of usernames and passwords as well as credit card information.
Evasion architecture. CoGUI profiles the client before serving phishing content. Profiling can include GeoIP, browser language, browser type/version, screen characteristics, OS platform, and mobile/desktop flags. If the profile does not match the operator’s targeting criteria, the victim is redirected to the legitimate site. The defensive consequence is that automated scanning from non-Japanese IP space can consistently see legitimate content rather than the phishing page.
Kit signatures (observed / reported).
- HTML <html lang="jp"> appears consistently in samples discussed publicly.
- Randomized JS/CSS filenames.
- Chinese-language internal configuration naming such as "codeName":"日本rakuten乐天证券" / "日亚amazon无账单" / "日本paypay".

CoGUI does not consistently collect MFA credentials in the same way as modern AiTM kits (per Proofpoint). Possible explanations include targeting users without MFA, prioritizing simplicity, or using stolen credentials quickly enough to avoid MFA challenges.

3.2 Smishing Triad

Covered in depth in the companion Smishing Triad Japan report. Key cross-actor points:
- The Lighthouse kit developer (Wang Duo Yu, 王多余) built Japan-specific brand templates into the kit early (per reporting). Japan Post, Yamato, TEPCO, SMBC Card, and E-NEXCO are not incidental—they are first-class targets reflecting Japan-specific consumer touchpoints.
- Smishing Triad advertises extensive “front desk staff” and provides supporting services around delivery and fraud/cash-out workflows (per reporting).
- Infrastructure shift (reported). Public reporting describes a hosting shift from China-based cloud toward US-based cloud/CDN infrastructure over 2025, while registration and DNS-management concentration patterns remain visible in published datasets.
Detection evasion is not a skill requirement in the Lighthouse ecosystem. It is a subscription feature, meaning every operator regardless of expertise gets the same anti-detection capability by default.
— Unit Zero
- Lighthouse's anti-detection capability is built into the platform, not bolted on. It polls transparencyreport.google.com every 15 minutes, meaning the moment Google flags a domain as malicious, the operator knows before most enterprise threat feeds have pushed a block. A separate "anti-red" feature monitors Chrome's browser-level interstitial warnings independently; the instant Chrome marks a domain dangerous, the platform alerts the operator, who rotates to a clean domain within hours. By the time a defender acts on the detection, the infrastructure has already moved.

Lighthouse kit

In the corner, the Lighthouse kit developer Wang Duo Yu is named

Lighthouse developer Telegram ID
Telegram ecosystem. During tracking, Telegram groups have advertised bulk SMS delivery for Japan during the same operational windows as Smishing Triad activity (screenshots included below). These screenshots also illustrate the broader multi-country targeting that extends beyond Japan.

Selling Bulk SMS for Japan

Bulk SMS seller whose actor profile resembles Smishing Triad.

The timeline is important because it aligns with the campaign windows.
3.3 MirrorFace / Earth Kasha

MirrorFace has been continuously active against Japan since at least 2019. For this cross-actor analysis, three 2024 developments are most relevant:
Shift back to spearphishing in 2024. After a 2023 period heavily focused on exploiting internet-facing vulnerabilities, the June 2024 Earth Kasha campaign (Trend Micro) returned to spearphishing as the primary initial access vector. Lure emails used OneDrive links to ZIP files, with Japanese-language subjects aligned to the target population’s professional context.
ANEL’s return and what it implies (reported). ESET’s analysis of Operation AkaiRyū found ANEL at version 5.5.4—an increment from the 5.5.0 version last seen in 2018. This implies development continuity during a long deployment gap and supports the “resources and continuity” conclusion.
ROAMINGMOUSE and the 2024 execution chain (reported). The 2024 spearphishing chain introduced ROAMINGMOUSE as a macro-enabled dropper that extracts and executes ANEL components. Delivery involved OneDrive → ZIP → LNK → SFX/CAB → template document loading.
NOOPDOOR as persistence layer (reported). JPCERT describes NOOPDOOR as a persistence backdoor since 2022, including a DGA-based C2 behavior and a secondary channel on TCP port 47000. Injection targets vary across common Windows processes.
Operation AkaiRyū provides post-attribution behavioral data that is relevant to resilience and adaptation:
- ANEL reintroduction alongside LODEINFO (tooling diversification).
- ROAMINGMOUSE as dropper (delivery-chain complexity consistent with defense evasion).
- Customized AsyncRAT deployment including Windows Sandbox usage (unusual anti-analysis).
- Scope expansion to a Central European diplomatic institute, using Japan-themed lures (Expo 2025 Osaka-Kansai).
- Return to spearphishing after the edge-device exploitation phase.
“Public attribution didn’t slow MirrorFace down. It got a new dropper, a revived backdoor family, a more complex delivery chain, and its first documented operation outside Japan—all within eighteen months of being named. If the goal of attribution was deterrence, the 2024–2025 activity record is the answer.”
— Unit Zero
4 Infrastructure overlap analysis
4.1 The confirmed picture
Confirmed (reported) for MirrorFace: Japan-located VPS usage in providers cited in public reporting; IP-direct C2 in some implant families; infrastructure changes after exposure.
Confirmed (reported) for Smishing Triad: large-scale infrastructure footprint across many ASNs; public reporting describes major hosting and registrar patterns over 2024–2025.
Confirmed (reported) for CoGUI: published sample domains include .cn infrastructure and additional non-.cn infrastructure in reporting and sample collections.

Different file names are used to mimic legitimate content for phishing
Smishing Triad and CoGUI both use HTTPS with automated certificate issuance (common across phishing). MirrorFace has historically used IP-direct communication in some protocols, though certain components communicate on port 443.

Certificates on Japan-related infrastructure domains were updated very recently
4.2 ASN-level observations (assessment)
The three clusters use different primary hosting strategies, which is itself analytically meaningful:
- MirrorFace has used Japan-located VPS infrastructure (blend with local traffic; reduce geopolitical anomaly).
- Smishing Triad shows evidence of hosting diversification and CDN usage over time (operational learning; evasion).
- CoGUI’s use of .cn infrastructure suggests at least partial China-based provider dependency.
What these clusters share is not a single ASN, but a common philosophy: abuse legitimate commercial hosting providers rather than relying exclusively on traditional “bulletproof” hosting. The operational advantages are similar: slower abuse response, reduced blanket blocking, and infrastructure that looks benign to many passive-monitoring systems.

One overlap to flag: Smishing Triad’s early-2025 cloud-provider dependency (reported) and CoGUI’s .cn footprint both suggest China-based provider reliance. If CoGUI hosting pivots are confirmed onto the same large cloud ASNs described in Smishing Triad reporting, that would represent a more concrete infrastructure overlap for future tracking.
The image below highlights geographical convergence in some datasets (US-based IP space usage). This is common across many cybercrime operations and should be treated as context rather than a standalone linkage signal.

TDS architecture comparison
All three actors implement traffic filtering before serving malicious content, but implementations differ in ways that reflect resources and operational constraints.

- MirrorFace does not need a traditional TDS: spearphishing delivers targeted content to pre-identified recipients.
- Smishing Triad uses layered filtering: country whitelist, mobile-only checks, pre-campaign validation of target phone numbers, and scanning/blocklist workflows that trigger domain rotation when flagged.
- CoGUI uses multi-factor profiling (GeoIP + language + browser characteristics + device flags) before deciding whether to serve the phishing page.

Two cross-kit observations drive correlations explored later:
- Proofpoint’s comparison of CoGUI and Darcula described structural similarities (minimal HTML landing page, randomized asset naming conventions, Chinese-language code strings).
- Most significantly, Proofpoint reported that both use the same specific online service to profile the victim’s browser before serving content, but did not name the service publicly.
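As an added example (not code from the report or from any vendor cited in it), the following Python shows how a defender can operationalize the CoGUI kit signatures from section 3.1 together with the profile-dependent serving behaviour compared above: it scores a captured page for lang="jp", randomized asset names and Chinese-language codeName strings, and flags a URL that serves a lure to a Japanese mobile profile while sending control profiles to the legitimate site. The capture step (fetching the URL under each client profile) is assumed to happen elsewhere; the responses, the lure host and the profile names are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Kit signatures from the report's CoGUI description. lang="jp" is not a valid
# language tag (Japanese is "ja"), so legitimate Japanese sites rarely carry it.
LANG_JP_RE = re.compile(r'<html[^>]*\blang=["\']jp["\']', re.I)
ASSET_SRC_RE = re.compile(r'(?:src|href)=["\']([^"\']+\.(?:js|css))["\']', re.I)
# Eight mixed-case chars before the extension (e.g. B1mJW4nA.js). Bundlers such
# as Vite emit similar hashed names, so this signal alone is weak and weighted low.
RANDOM_ASSET_RE = re.compile(r'^(?=.*[A-Z])(?=.*[a-z])[A-Za-z0-9_-]{8}\.(?:js|css)$')
# "codeName" values containing CJK characters (e.g. "日亚amazon无账单").
CODENAME_RE = re.compile(r'"codeName"\s*:\s*"([^"]*[\u3040-\u30ff\u4e00-\u9fff][^"]*)"')

@dataclass
class Fetch:
    """One response captured for the same URL under a given client profile."""
    profile: str    # e.g. "jp-mobile": Japanese IP, ja-JP Accept-Language, iOS UA
    final_url: str  # URL reached after following redirects
    body: str

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    verdict: str = ""

def fingerprint_kit(html: str) -> Verdict:
    """Score static kit signatures in a captured page body."""
    v = Verdict()
    if LANG_JP_RE.search(html):
        v.score += 2
        v.reasons.append('html lang="jp" (legitimate Japanese sites use "ja")')
    assets = [urlparse(u).path.rsplit("/", 1)[-1] for u in ASSET_SRC_RE.findall(html)]
    randomized = [a for a in assets if RANDOM_ASSET_RE.match(a)]
    if assets and len(randomized) / len(assets) >= 0.5:
        v.score += 2
        v.reasons.append(f"randomized asset names: {randomized}")
    names = CODENAME_RE.findall(html)
    if names:
        v.score += 3
        v.reasons.append(f"Chinese-language codeName config: {names}")
    return v

def detect_cloaking(fetches: list, target_profile: str) -> Verdict:
    """Compare what the targeted profile received with what control profiles got.
    Control profiles landing on another host (the real brand site) while the
    target stays on the lure host is the TDS behaviour the report describes."""
    v = Verdict()
    by_profile = {f.profile: f for f in fetches}
    target = by_profile.get(target_profile)
    if target is None:
        v.reasons.append(f"no capture for profile {target_profile}")
        return v
    target_host = urlparse(target.final_url).netloc
    target_digest = hashlib.sha256(target.body.encode()).hexdigest()
    for profile, f in by_profile.items():
        if profile == target_profile:
            continue
        host = urlparse(f.final_url).netloc
        if host != target_host:
            v.score += 3
            v.reasons.append(f"{profile} ended on {host}; {target_profile} stayed on {target_host}")
        elif hashlib.sha256(f.body.encode()).hexdigest() != target_digest:
            v.score += 1  # same host, different content: weaker evidence
            v.reasons.append(f"{profile} received a different body from the same host")
    return v

def assess(fetches: list, target_profile: str) -> Verdict:
    """Combine cloaking evidence with kit signatures in the content served to the target."""
    v = detect_cloaking(fetches, target_profile)
    by_profile = {f.profile: f for f in fetches}
    if target_profile in by_profile:
        kit = fingerprint_kit(by_profile[target_profile].body)
        v.score += kit.score
        v.reasons.extend(kit.reasons)
    v.verdict = "likely cloaked phishing kit" if v.score >= 5 else "no kit signature"
    return v

# Constructed sample captures (not real traffic); the lure host is a placeholder.
# Asset filenames reuse names from the report's IoC listing.
PHISH_BODY = (
    '<!DOCTYPE html><html lang="jp"><head><link rel="stylesheet" href="/assets/CdSVSj1d.css">'
    '<script src="/assets/B1mJW4nA.js"></script><script src="/assets/DhJtZW9o.js"></script>'
    '<script>window.__cfg={"codeName":"日亚amazon无账单","step":1};</script>'
    '</head><body><form id="login"></form></body></html>'
)
LEGIT_BODY = (
    '<!DOCTYPE html><html lang="ja"><head><link rel="stylesheet" href="/static/css/main.css">'
    '<script src="/static/js/jquery.min.js"></script></head><body>サインイン</body></html>'
)
SAMPLE_FETCHES = [
    Fetch("jp-mobile", "https://lure.example.invalid/ap/signin", PHISH_BODY),
    Fetch("jp-desktop", "https://www.amazon.co.jp/", LEGIT_BODY),
    Fetch("us-desktop", "https://www.amazon.co.jp/", LEGIT_BODY),
]

if __name__ == "__main__":
    print(assess(SAMPLE_FETCHES, "jp-mobile"))
```

Scanning from non-Japanese IP space alone would only ever see LEGIT_BODY, which is why the comparison needs at least one capture that matches the operator's targeting criteria.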
5 The CaaS supply chain and the localization-as-a-service hypothesis
5.1 Why the hypothesis matters
The most novel analytical question in this research is also the hardest to answer definitively from OSINT: is there a localization-as-a-service layer within the Chinese eCrime ecosystem providing Japanese-language content (brand templates, lure copy, UI text) to multiple operator buyers?
If multiple operators are independently building Japan-language expertise, Japan’s exposure scales linearly with the number of operators. If a shared service exists, disrupting or identifying that service could degrade multiple campaigns simultaneously.
5.2 Technical evidence for shared ecosystem tooling (reported)
The most concrete cross-kit finding in public reporting is Proofpoint’s observation that CoGUI and Darcula “both use the same specific online service to profile the user’s browser.” Proofpoint did not name this service.
This remains the most important unresolved technical question in CoGUI–Smishing Triad cross-actor analysis because it represents a shared dependency. Two possibilities:
- Scenario A — common commercial tool: both kit developers independently adopted the same third-party fingerprinting/device detection service.
- Scenario B — code lineage / shared supply chain: profiling implementation was developed once and shared, forked, or sold between developers.
5.3 The Japanese brand template layer (assessment)
When Unit Zero pulled apart CoGUI internal configuration naming (e.g., “日本rakuten乐天证券”, “日亚amazon无账单”, “日本paypay”), the taxonomy implied deliberate organization of Japanese consumer brands inside a Chinese-language development environment.
Smishing Triad’s brand selection reads similarly: Japan Post, Yamato, TEPCO, SMBC Card, E-NEXCO. Each is a high-frequency, high-authority brand in a Japanese consumer’s daily life.
A notable pattern is the non-overlap: the two kits largely partition the Japanese consumer landscape—CoGUI emphasizes e-commerce and payments, Smishing Triad emphasizes logistics, utilities, and certain banking workflows. This does not require coordination to occur, but it is consistent with multiple actors drawing from a shared Japan-targeting knowledge base.
“Two kits, different brands, no coordination—and they still carved up the Japanese consumer attack surface between them.”
— Unit Zero
5.4 MirrorFace and LaaS: a different picture
MirrorFace sits largely outside the LaaS hypothesis. The Japanese-language proficiency in MirrorFace spearphishing reflects professional-context understanding consistent with state-resourced tradecraft, not commodity phishing lure localization.
If MirrorFace purchases shared services from the broader cybercrime ecosystem, the most plausible candidates are infrastructure-layer services (VPS procurement, domain registration), not content localization.
5.5 A three-tier economy serving Japan (model)
- Tier 1 — kit development layer. CoGUI developers; Lighthouse/Darcula developer(s); MirrorFace in-house malware development.
- Tier 2 — affiliate/operator layer. multiple operators running CoGUI; affiliates configuring and deploying Lighthouse/Darcula; MirrorFace as dedicated teams.
- Tier 3 — shared services layer. profiling services, hosting providers, registrar/DNS ecosystems, and potentially shared localization resources.

6.1 Multi-channel victim exposure
The key fact in 2025–2026 is that CoGUI, Smishing Triad, and MirrorFace are running simultaneously and independently. A Japanese financial services professional could plausibly encounter all three in one week without any operator awareness of the others.
- From CoGUI: Amazon[.]co[.]jp / Rakuten-themed credential phishing landing in inbox.
- From Smishing Triad: Japan Post failed-delivery SMS on iPhone, followed by TEPCO payment overdue.
- From MirrorFace: OneDrive link to a ZIP file framed as an economic security strategy document.
“This multi-channel convergence is the threat landscape’s real innovation. No single actor planned it. No coordination is required to produce it.”
— Unit Zero
6.2 The FSA connection (reported; medium confidence)
Proofpoint noted a temporal correlation: Japan’s Financial Services Agency published an April 2025 report on phishing impact on securities companies, describing stolen credentials being used for unauthorized trading (including Chinese stock purchases). Proofpoint observed increased finance-themed CoGUI campaigns in the same window. Proofpoint explicitly noted it could not confirm the activity was CoGUI-related due to lack of IoCs in the FSA report.

When Japan’s NPA publicly attributed MirrorFace in January 2024, they described a multi-year operational profile: spearphishing delivery, Japan-based VPS patterns, LODEINFO as core implant, NOOPDOOR persistence, and consistent post-exploitation behaviors. The analytical question is not the profile itself, but how the actor adapted after exposure.

Legal & Industry Response: Google Takes the Gloves Off
Reference: Google LLC v. Does 1–25 (S.D.N.Y.), Case 1:25-cv-09421-LAK — Complaint filed 2025-11-12: https://www.courtlistener.com/docket/71900274/1/google-llc-v-does-1-25/
There was also a lawsuit against Lighthouse. What makes the RICO framing significant is not the lawsuit itself. It is what the statute allows. RICO was built to dismantle organized crime as a system, not chase individual actors. Applied here, it means Google can pursue the developers, operators, and infrastructure simultaneously, and collect treble damages if successful.

The three claims each pull a different lever. RICO targets the enterprise structure. The Lanham Act targets the 116 Google-branded phishing templates, turning trademark law into an infrastructure weapon. The CFAA targets the credential theft and digital wallet fraud directly.

The injunction request is the most operationally consequential piece. A court order compels domain registrars and hosting providers to act not as a courtesy, but as a legal obligation. Takedown requests get ignored. Court orders do not.

Conclusion
Japan’s exposure in 2026 is structurally high. The iMessage delivery advantage is architectural. The taimen dynamic that suppresses disclosure is cultural. The policy environment that elevated Japan as a collection priority remains active.
CoGUI activity in 2026 (as observed in public reporting and sample sets) shows no sign of meaningful degradation. Smishing Triad continues to industrialize and expand. MirrorFace’s continued adaptation post-attribution demonstrates resilience rather than deterrence.
Key defensive takeaways:
- Treat “convergence” as an operating condition: plan for overlapping email + mobile delivery threats simultaneously.
- Prioritize durable behavior-based detection over domain/IP lists.
- Invest in controls that reduce value of credential theft (MFA, token binding where possible, rapid session revocation, anti-AiTM protections).
- For spearphish risk populations, prioritize attachment and link detonation controls, OneDrive/SharePoint telemetry, and endpoint macro/template chain monitoring.
Most important open question: identifying the shared profiling service dependency referenced in Proofpoint reporting would change the disruption calculus for both CoGUI and Lighthouse/Darcula ecosystems.
Indicators of compromise
Note: IoCs are included for operational use, but these ecosystems rotate quickly. Use the behavioral and pattern-based detections below as the primary defensive control surface.
Domains
| Domain | Notes |
|---|---|
| qvrifob[.]cocoifly[.]cn | CoGUI sample (C2 observed: 43[.]165[.]166[.]156) |
| stultiern[.]iceaz[.]cn | CoGUI sample (C2 observed: 165[.]154[.]231[.]146) |
| gmlddrla[.]dwsfipix[.]cn | CoGUI sample (C2 observed: 43[.]165[.]174[.]250) |
| dfumbu[.]fytwfj[.]cn | CoGUI sample (C2 observed: 91[.]195[.]240[.]12) |
| order[.]yodobashi[.]com | Brand-impersonation domain (hashes listed below) |
IPs
| IP | Notes |
|---|---|
| 43[.]165[.]166[.]156 | Associated with qvrifob[.]cocoifly[.]cn |
| 165[.]154[.]231[.]146 | Associated with stultiern[.]iceaz[.]cn |
| 43[.]165[.]174[.]250 | Associated with gmlddrla[.]dwsfipix[.]cn |
| 91[.]195[.]240[.]12 | Associated with dfumbu[.]fytwfj[.]cn |
File hashes (SHA256)
| Artifact | SHA256 | Notes |
|---|---|---|
| B1mJW4nA[.]js | 7de3ca0c09d229344ed792cfe80f2e44c9bee56eaaa83c2b9509c96b8f8b6f68 | Shared backend module (cross-campaign) |
| myfile.exe | 8bc55f760a8ad956e66394c3a32b26711b660c74d20d358b35ec1e3b2ba2c728 | CoGUI related hash |
| getState.json | 8eb434031c800898502e49fa1b85131f3ab143b27d0cfceff7c7f05026f5a823 | CoGUI related hash |
| (unknown) | 59c6cb8863714dd12574b2e5ba7611f24fa9c993e116e3e02b7c1a39db9ff172 | CoGUI related hash |
Notable ASNs - active infrastructure hosting
Live hosting confirmed at time of analysis
| ASN | Name | Location | Status |
|---|---|---|---|
| AS132203 | TENCENT-NET-AP-CN | Tokyo, JP | LIVE (Yodobashi campaign) |
| AS142002 | SCLOUDPTELTD-AS | Singapore | LIVE (DHL campaign) |
| AS132203 | TENCENT-NET-AP-CN | Tokyo, JP | |
Infrastructure
Domain qvrifob[.]cocoifly[.]cn — IP 43[.]165[.]166[.]156
# B1mJW4nA.js 7de3ca0c09d229344ed792cfe80f2e44c9bee56eaaa83c2b9509c96b8f8b6f68Domain stultiern[.]iceaz[.]cn — IP 165[.]154[.]231[.]146
8bc55f760a8ad956e66394c3a32b26711b660c74d20d358b35ec1e3b2ba2c728Domain gmlddrla[.]dwsfipix[.]cn — IP 43[.]165[.]174[.]250
8eb434031c800898502e49fa1b85131f3ab143b27d0cfceff7c7f05026f5a823Domain dfumbu[.]fytwfj[.]cn — IP 91[.]195[.]240[.]12
59c6cb8863714dd12574b2e5ba7611f24fa9c993e116e3e02b7c1a39db9ff172Domain order[.]yodobashi[.]com
# Primary HTML b73d84827251a6622b8e5e5e598bd5e8cb92eb692ae0103c8614177adc3497bb
# DhJtZW9o.js 050f013609fe8a6f9a08f1e39f201b07cdf19ef65da78632e8657e5d39ec06b9
# DtfgGNqk.js aaeabb2b138bbe7a0ac1ad7683b74f03b5952c89795390b1d129f1226c308874
# DQmCohhm.js 74c3b78ec956765c49f81e0438c91ca577b33aa7e04cd14f6a68657c26a96056
# Cuo7p7J1.js e7011110e2b1a9a7e7b6ddf280055c9a2dd0bc0de516e7e56066bfcfbcb15f87
# CmQ0Nhup.js 8ab475996569be0937628c7cd206f13deea0c5a574bf552e84d167c5fd63e2cf
# BlPOdoC7.js 4c295b3379d9ca8840e88280169a8a6d55964b3047081e99ca8b21700d563f85
# /open/ POST 01303ec421edae0954b87795fabea32cb693738cdd04d7a75bcfa5dddda1a71a
# CdSVSj1d.css 3ec8fcf5d6494f9f1fff4d0127a7d18983df20dd6c2acbe6aa9d15a39d546444
# BLoe_qxi.css 8c5c832253e73d7b3d06e17217c9e8e73a73755445543aebcbcc3f0ca0435163
# CARMVZyg.css 1f66eb34d83d5b19be5dca232870c4019027b5f74eb0b52250177cba1b5997e9
# logo_ekinet.png 3f7c549cfacde11c4129c09b1908d106126d823682cc758f70fc046638d7746b
# index_help-icon_red.png 429d816293b8489b7f9e6d422b9396868a7cf67454b9b06c23c2a4c1536726ae
# logo_jreast.png ba4924716ed0580ae30f974eebb97421a2c10c1e2cf61e8ad60fcd39d8fbca30
# favicon.ico 2c48caa63d1daa7b92a064c42c13bcb050e1fbf8fc8f0915fbdb93478528ce56Domain iceaz[.]cn + 80 associated
# Primary HTML 85961fd864c4219694c7a8adf6c5c481490c09aae4cc9bce1bc73b88cc3037e8
# BXSzBRDQ.js fa0c44293f00efdbe8605f10f6a54f52b7462dd0aa942d016210c7cb517c995b
# DkEP9GPr.js fbbe526352a2e52123725803e40d947c9b8a9549f7503d367b381c343b7ca549
# CN8srYxh.js e5ae4b176f853aff8cc8d746c5791c9229f860d92848ba663f07a97c24e82848
# BcYSkvoz.js a6a1df56a61d21b82ef24802912690c7c9117d54d0dad97949a79d57709e6138
# CVBtqhQH.js 50eefce983cec9e4775b3eae2ee3e007c162382eef66cfdbb25458938a6e801a
# GfsYFSNX.js 558f704ec5ada743bb8a29b00268bc62b3bbbc15d86832bbcd929eed2a92cf0e
# CXX97pgS.js 146fed586734f71a435a1248d480f2299f1738918079fd7683ccdf6fb78d9c55
# Bx0SYbZu.js 29921418094503656ad791762eb091575cca1956729b0dbb191762ba0c2b0a5f
# DCHntQxK.js 2ee0c3def7940579ee688fa1a2cf9b9bf49c8623d1e6f97a20822ed3648388eb
# /open/ POST ed5cd66245715e84e5eaa948931025c094917c47d7dd6f1d4fb00706e471b3a3
# DB1jZd4N.css a617fec2db6de950ddea8f25067d742eb021f53d0b68c92fc3ba9cbf672e5bdb
# B_SY1GJM.css 7b97718157fd097200839d87f730f091f2d98f99f828a95e7865c07ae4da9916
# BRjhuBjS.css 6d639bbbae0b70bd27eac14c0c9dee79a7f8094b2790af807024bd4e145b312b
# DjI-1K-R.css 6624e94f6890a8b1bfd26e135805eceebdd6cc5e152b9f5bdcad27e52a4b359f
# BkSnn2Y8.css d93891ccb0802d5e713a331d6b4e7d729e930d97a6ce5cc98c17958bcd91abd7
# favicon.gif 365974fed7f1fa7bb42b2e309fb01e68a1954d479f841a67b4d6081336992899
# dhl-logo.svg 328777be6ed92ae88755009a974a1283abf795957a3df244576ed70f5de4e9c3
# glo-footer-logo.svg eec352f272b13be3883b6b13674898e718d277a690011c4e6eb1e47189656433
# youtube-new.svg 8ab280a31a012ac7c6fb77be3e134d2858d50e3b1d16ffa4b45f35487cadf5bd
# facebook-new.svg 1979d99c5483675a8be762b48f46112909e27301c1f549c8cb35a2be5503f72f
# linkedIn-new.svg 86a4a9a96396b1de82e1616e6c1c62a2185f808328816c40e2abb03c37c4e965
# instagram-new.svg f27026fef42b128c001a2c722d427044a148b50fc90c55f898c4447838580237
Domain btyzywlp[.]top
# Primary HTML 8e8fe07216c77dff80cbadc617eb5e52a271e0a48a84b5879cfa592307b28195
# BOPxjbdB.js f27ea939304e8cad92f2e772b255cdb9d0d2f91f5517521f43752ec0d3ca8446
# CEVJ20c8.js ddc9f500ce17f28b5e95b354dfecec91d3703734fb92aa3d787474e9bca2594c
# D8rtGeP0.js 08205b67149c2fbece8cef23b761e859b95715257cf01771f55dcdfa3b86bf2d
# C0R1Oi0m.js 6af66bd371f5c5edcc61e290e69d200a03ebab9b7322848568c6c5fc1bbc0f43
# wDwuzupP.js 555e0c982b2ea83b0ced8979ae4e2de729dfdce84bbd20e05fab90e0fd6f34fb
# BVsJh5wV.js 87b866be86c74044cb29182a6b40a8c9438fccf192104ad67bd0c8f668b60dd5
# DSMfFn-Z.js f54e05625fd4c0e6f45be778bb583339e834b05c35940d2eedbffa91d9a95d2c
# /open/ POST 40d9091425266f8e648a7c1930d11d7b289e34f2469979c98571ff3718b0f572
# Dwpp8olV.css 23adf0400d282fd0e3bb05a9118d1252cfe11744d4e7c64f65551728f9d5de7a
# 6sX4RC_9.css 7c601f7fdd78e365dcb3ca5bfc644bf941e8458371221439d4c3a07f696f1b94
# DMB4qmk3.css 169d22d6513161cfdb2374c421404a2e974cd6062341603896a9a7855e4443b7
# DBOr6jBE.css fa79c63fbfb0ef50259e36353672b375d1736c1138a2354a6907c3f68d864385
# favicon.ico f378e80809f59162256d1893cc5dd557197f5a956e403a17de552154d6541974
# linkarrow.gif 6744a2726319c32bba421c71be01f818dcd09a2b13cb6520d2fdb8cf434d23d3
# head_etc_logo.gif 7d1c425ab87390fa62f0b924e95453ba0c95e4a40a724eca66a1bca47178680b
# head_title.gif 706aad4ccfa4f04be2b24b09d832c00391612ae50fd44ee76e819b70c9f4d973
# head_listmark.gif e9f21dccc13ca0678430dd66bb38410b00cacfec4fe4de8cdafc0f688906ca2f
Domain dwsfipix[.]cn
# Primary HTML 0d4797171bb3dbba00f4967a89b5c9be9c618f5c6cd0f9a7a2358eb6a64f5f00
# ChcICT9A.js 483e23ccede818e46977b925e9acef6d77e504814ab462dad062a78ae0afe897
# BpV_JH_v.js fde279866de3c353867c4a4bba4592382ccf8184588a0ee9d7797aa17e330919
# IaVDUbAB.js 81ca7efbc0f9cf4902297649af037e5ae7bdefecfa75c424bdd56077792eea27
# CDTsx6dX.js 3527587b8df730e674f6ba1298a5a61c69c185a76210de565e09de5e75ed7ece
# BWr29-G4.js c5b013a635ec8758d618e4e2097a2fc231cc3202037f75ad620e768e7badfbf5
# D3a2imaL.js a0b259e0dd37ee41607210b6669ab30032b8170f1af25d25b9782dbbec27f1f8
# /open/ POST 820be13a3959884851060bb7b453ed24d488c084c8ddfc8850e7cf137614aec1
# HuRoR-B5.css ea5f13daaf2d52d8ea22b6e7ca1c622b01a36f9ac278d832a7215dcbef244c74
# 1PCYLBtc.css 55882fbf8bba4134315f749bcf3d97c85b6db7b70440044e41103aee265684d2
# DhzzI2YW.css a243e514a712a4ba687933c1cb775a39cedec3434687458b509ba06276f28092
# BbJhGhz9.css a6421517ff119f0e7819dc1d0697531cdc33cb24cbde9ce966d365f1f5f81445
# 9zdtWb-X.css 6ae104a3ad079f1f118ef319de901d1e5291c74cbc04c4cb791aeac52e873bbc
# icon64Locked01_bl.webp 330085fc19862069d094b198c8fe0c309eca60771a30780d5ab50df68fee2b0d
# logoYodobashi.png edb194d33c6fe716d47d2bb7ec272942975bda599d1ad5634ce0c4486755de07
# favicon.ico (404) 696bafee5f2b6895736ad2f77ec327cb89d79f88f85dac4fef2e83de6126166f
# inline data URI PNG ab769f9d66223e219c797910706c5ce4672c4e8ef0455f9730711c66ed9ed4b7
Appendix A — Bulk domain lists (operational reference)
Smishing Triad — associated domains (81)
info-trackingcoi[.]cc
evriuk[.]top
estafetau[.]shop
tuyrepost[.]cc
posten[.]top
busine[.]cfd
indiapost[.]top
ewdfb[.]top
canadaapoost[.]com
btyzywlp[.]top
auspoust[.]cc
psocygb[.]xin
post-isl[.]sbs
posteit[.]cfd
chamge-a[.]top
yurticikargoy[.]cyou
smbc-card[.]shop
inposttrack[.]click
cttpacks[.]click
slvpostgob[.]ccsv
aiisoi[.]top
za-post-word[.]top
shant[.]fun
dpd-pack[.]xyz
phlppovd[.]top
post-track[.]help
ceska-post-a[.]blog
address-4-72[.]top
isr-aelpost[.]sbs
wbduvn[.]com
fwedsfg[.]top
whetf[.]xin
fexpres[.]lol
mys-jtexpres[.]cyou
www-claro[.]top
lietuvospost[.]help
singpposts[.]top
serviciopostalgobec[.]pics
mapxis[.]ink
chroonopostfrr[.]click
business-poste[.]top
egiuw[.]top
postah[.]cc
cootrut[.]site
aramexaene[.]com
ukrspack[.]click
spl-express[.]help
posta-romanam[.]cc
unogmu[.]icu
at-post[.]icu
myhermes-at[.]bond
autopistes[.]asia
telkomssel[.]ink
post-word[.]top
tepco-co-jp[.]online
geopostl[.]cfd
eltade[.]cc
thetollroadsll[.]lol
epgovc[.]top
ttspost[.]sbs
coeetrttgroup[.]cfd
smseexpress[.]cfd
posti-fifi[.]top
mxups[.]me
tigo-gtmc[.]top
mondialrellay[.]live
entelclws[.]top
slpostgovls[.]xyz
hketoll-etc-hk[.]top
uypos[.]xyz
globeefd[.]top
thposto[.]vip
belpost-by[.]lol
hanypost[.]top
adffew[.]top
nzposst-co[.]top
iceaz[.]cn
CoGUI — associated .cn domains (220+)
pcn-finesh[.]cn
kzmmluu[.]cn
eenenj[.]cn
mqfans[.]cn
fgwgwf[.]cn
fateam[.]cn
hfltkc[.]cn
zajzt[.]cn
eyeux[.]cn
wodha[.]cn
cjxzo[.]cn
qgxmp[.]cn
xsfys[.]cn
cvequ[.]cn
iqpvj[.]cn
tvsuk[.]cn
qiwfo[.]cn
ezike[.]cn
uuobw[.]cn
hlktsg[.]cn
tpsqi[.]cn
hheix[.]cn
ivgqz[.]cn
fbzdnv[.]cn
fhlhlp[.]cn
favoredu[.]cn
hvuah[.]cn
hgktlr[.]cn
phtej[.]cn
kxdkr[.]cn
zfxem[.]cn
hfytjs[.]cn
hlktsj[.]cn
hfytjr[.]cn
r8n2[.]cn
tmnfn[.]cn
ryoyp[.]cn
usvzw[.]cn
cehxt[.]cn
shuhwkj[.]cn
shaltgs[.]cn
sunjz[.]cn
vekmfq[.]cn
rexmx[.]cn
gmztu[.]cn
shyligs[.]cn
3iiii[.]com[.]cn
opard[.]cn
hdqtnn[.]cn
hgktlm[.]cn
hdqtcy[.]cn
meditco[.]cn
xhskn[.]cn
bwpip[.]cn
rxlev[.]cn
aihix[.]cn
czlhl[.]cn
wesbank[.]cn
gofjp[.]cn
zbdki[.]cn
bngsbk[.]cn
cgyng[.]cn
ltwuv[.]cn
aemlp[.]cn
pzfntn[.]cn
eglsl[.]cn
tkvmz[.]cn
ekjxi[.]cn
oqyyx[.]cn
jlvdr[.]cn
pyore[.]cn
odriq[.]cn
vlggn[.]cn
eylxy[.]cn
ifsmv[.]cn
dkjpu[.]cn
cgeynp[.]cn
ycquo[.]cn
qcjvt[.]cn
hgjtgk[.]cn
hpqvo[.]cn
vkvwv[.]cn
ncnmny[.]cn
abmdz[.]cn
apmuj[.]cn
xrqdf[.]cn
ztlou[.]cn
hcfza[.]cn
chzvg[.]cn
michan[.]com[.]cn
vbwtx[.]cn
vdznr[.]cn
ipoqe[.]cn
hjxujbv[.]cn
xfqju[.]cn
fvafj[.]cn
oqvjk[.]cn
pmoup[.]cn
jocae[.]cn
lzjeh[.]cn
iepxv[.]cn
gmka2o[.]cn
ysybc[.]cn
ioppe[.]cn
xwriq[.]cn
rtmul[.]cn
neenv[.]cn
izqat[.]cn
qeoima[.]cn
lsaqr[.]cn
xcwot[.]cn
aztny[.]cn
xqaxk[.]cn
jnrys[.]cn
wrptm[.]cn
xigar[.]cn
jkfnq[.]cn
pkxqo[.]cn
klkeh[.]cn
kqfij[.]cn
uemiu[.]cn
gmkm3u[.]cn
gbcji[.]cn
znrek[.]cn
fxyat[.]cn
mhudr[.]cn
oanvd[.]cn
xfhgu[.]cn
hgnihe[.]cn
qxcip[.]cn
ezbearlng[.]cn
hfctdd[.]cn
tdyqh[.]cn
hdqtdy[.]cn
gmks5r[.]cn
vdbkh[.]cn
gujyq[.]cn
ssvwm[.]cn
zdxfgyj[.]cn
zxotfgl[.]cn
orbmkkz[.]cn
fmkw3i[.]cn
ltrqu[.]cn
ejwfg[.]cn
rwpbe[.]cn
ngpolp[.]cn
ogchj[.]cn
textindentify[.]cn
zvdei[.]cn
ykeze[.]cn
gxhcn[.]cn
pvpun[.]cn
shlomkj[.]cn
yowdnf[.]cn
fdhhjri[.]cn
lkvya[.]cn
gcxog[.]cn
wzgvz[.]cn
noqfy[.]cn
snwhf[.]cn
losapac[.]cn
gvcbs[.]cn
gxivqm[.]cn
feikp[.]cn
oxnma[.]cn
hmkm2q[.]cn
aznuq[.]cn
ibmym[.]cn
ptfoa[.]cn
uqryn[.]cn
pjjtg[.]cn
lomuy[.]cn
siifq[.]cn
dmknw[.]cn
hgltcb[.]cn
pngonv[.]cn
enugv[.]cn
cnkgy[.]cn
yqbpz[.]cn
imwyv[.]cn
bwdjh[.]cn
gfreg[.]cn
sxivrw[.]cn
vggrt[.]cn
oliqz[.]cn
hfqttx[.]cn
hgntsm[.]cn
hdqtrm[.]cn
ynhuadu[.]cn
huayuhr[.]cn
gjmekp[.]cn
hfntxf[.]cn
zjzzcx[.]cn
hntpsmo[.]cn
imjtmn[.]cn
iiokpv[.]cn
bomwd[.]cn
wwwsei[.]cn
gcqwii[.]cn
kjkjtdwh[.]cn
fuedw[.]cn
ynqxo[.]cn
yerhw[.]cn
atecv[.]cn
bqbjn[.]cn
hgktql[.]cn
qwjaf[.]cn
hfntbq[.]cn
hgktxj[.]cn
hlxtct[.]cn
pigsearch[.]cn
jfsgk[.]cn
xckau[.]cn
uudnq[.]cn
xrbco[.]cn
hfgtky[.]cn
seyif[.]cn
mluzt[.]cn
xccvw[.]cn
vurgc[.]cn
qdfvl[.]cn
wrzsy[.]cn
hlktmx[.]cn
roxiq[.]cn
xgcrm[.]cn
hlktss[.]cn
jdmihxm[.]cn
hbsy7[.]cn
bjyuanlln[.]cn
sckgga[.]cn
wkmiyq[.]cn
uokuge[.]cn
easehr[.]cn
gbxyrq[.]cn
hnttcmh[.]cn
shyljgs[.]cn
bbgwo[.]cn
rwuble[.]cn
slecr[.]cn
hrduw[.]cn
iaxqf[.]cn
xosahp[.]cn
zvwgy[.]cn
tzioz[.]cn
kzonp[.]cn
tytnri[.]cn
hfctny[.]cn
krpnx[.]cn
vhvkdlb[.]cn
wmusbgt[.]cn
mrifm[.]cn
xearvt[.]cn
xzoorbq[.]cn
jwkgg[.]cn
kqffy[.]cn
fazhf[.]cn
zctvb[.]cn
xouwttj[.]cn
ycuhome[.]cn
vgtym[.]cn
fonywo[.]cn
vojfb[.]cn
yqcpd[.]cn
okywa[.]cn
cqjoi[.]cn
hmkm8q[.]cn
kxviy[.]cn
hfxtxg[.]cn
suzhou-pateka[.]cn
hbclcar[.]cn
tiuwt[.]cn
mjnsp[.]cn
evsiz[.]cn
gmka1r[.]cn
onrhis[.]cn
fmkz9k[.]cn
qevwj[.]cn
taawm[.]cn
nvqww[.]cn
gmkv5c[.]cn
gmkt7e[.]cn
qpsjn[.]cn
xgxba[.]cn
wlvvi[.]cn
vkzyr[.]cn
fshuh[.]cn
pzraj[.]cn
uzlmm[.]cn
mmabf[.]cn
gmku8u[.]cn
iigmx[.]cn
nraoj[.]cn
reuom[.]cn
bohxy[.]cn
plexj[.]cn
odvxe[.]cn
yynyww[.]cn
zmvon[.]cn
zhmaz[.]cn
hfctdy[.]cn
zzfgg[.]cn
Detection rules
Suricata / Snort rules
# Network and DNS Signatures
# Japan-specific phishing threat detection
# Deploy at DNS forwarder and corporate proxy
# Ruleset: CoGUI / Smishing Triad Japan brand phishing indicators
# (rules span several lines; the trailing backslash is the Suricata/Snort line continuation)
alert dns $HOME_NET any -> any 53 ( \
    msg:"COGUI Japan: Rakuten phishing domain pattern"; \
    dns.query; \
    pcre:"/(^|\.|-)rakuten[a-z0-9-]{3,}\./i"; \
    classtype:trojan-activity; \
    sid:9002001; \
    rev:1; \
)
alert dns $HOME_NET any -> any 53 ( \
    msg:"COGUI Japan: Amazon JP phishing domain pattern"; \
    dns.query; \
    pcre:"/(^|\.|-)amazon(?:co)?[a-z0-9-]{3,}\./i"; \
    classtype:trojan-activity; \
    sid:9002002; \
    rev:1; \
)
alert dns $HOME_NET any -> any 53 ( \
    msg:"COGUI Japan: PayPay phishing domain pattern"; \
    dns.query; \
    pcre:"/(^|\.|-)paypay[a-z0-9-]{3,}\./i"; \
    classtype:trojan-activity; \
    sid:9002003; \
    rev:1; \
)
alert dns $HOME_NET any -> any 53 ( \
    msg:"SMISHING-TRIAD Japan: E-NEXCO / ETC toll phishing domain"; \
    dns.query; \
    pcre:"/(^|\.|-)(?:nexco|etc(?:-card)?)[a-z0-9-]{3,}\./i"; \
    classtype:trojan-activity; \
    sid:9002010; \
    rev:1; \
)
alert dns $HOME_NET any -> any 53 ( \
    msg:"SMISHING-TRIAD: Gov-prefix Japan government impersonation domain"; \
    dns.query; \
    pcre:"/(^|\.)gov-[a-z0-9]{4,12}\./i"; \
    classtype:trojan-activity; \
    sid:9002011; \
    rev:1; \
)
MirrorFace / NOOPDOOR C2 behavioral indicators
alert tcp $HOME_NET any -> $EXTERNAL_NET 47000 ( \
    msg:"MIRRORFACE: NOOPDOOR secondary C2 channel (TCP 47000)"; \
    flow:established,to_server; \
    classtype:command-and-control; \
    sid:9002020; \
    rev:1; \
)
LODEINFO beacon structural pattern - v0.6.2+ (post substitution cipher)
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MIRRORFACE: Possible LODEINFO beacon - POST with substitution-cipher header pattern"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.request_body; \
    pcre:"/^[A-Za-z0-9._-]{10,18}=[A-Za-z0-9\\-_.]{200,800}/"; \
    http.user_agent; content:"Chrome/"; \
    classtype:trojan-activity; \
    sid:9002021; \
    rev:1; \
)
YARA rules
Cross-campaign backend module (highest confidence)
// hash.sha256() lives in the "hash" module; the import is required for the rule to compile
import "hash"

rule CoGUI_OrientalGudgeon_SharedBackendModule
{
    meta:
        author = "Md. Azim Uddin"
        date = "2026-06-17"
        description = "Detects the shared CoGUI/Oriental Gudgeon core backend JS module (B1mJW4nA.js) present byte-for-byte across all 4 confirmed campaign sites: JR East, DHL, ETC, Yodobashi."
        threat_actor = "Oriental Gudgeon / CoGUI"
        tlp = "WHITE"
        reference = "https://urlscan.io/blog/2026/06/01/oriental-gudgeon/"
        confidence = "HIGH"
        hash_sha256 = "7de3ca0c09d229344ed792cfe80f2e44c9bee56eaaa83c2b9509c96b8f8b6f68"
    condition:
        hash.sha256(0, filesize) == "7de3ca0c09d229344ed792cfe80f2e44c9bee56eaaa83c2b9509c96b8f8b6f68"
}
Phishing HTML landing page (multi-brand)
/*
============================================================
ORIENTAL GUDGEON / CoGUI — YARA Detection Rules
Author : Md. Azim Uddin
Version: 2.0 (corrected)
Date : 2026-06-17
TLP : WHITE
Ref : https://urlscan.io/blog/2026/06/01/oriental-gudgeon/
============================================================
*/
rule CoGUI_OrientalGudgeon_APIWrapper_Pattern
{
    meta:
        author = "Md. Azim Uddin"
        version = "2.0"
        date = "2026-06-17"
        description = "Detects the CoGUI/Oriental Gudgeon encrypted API wrapper pattern in JavaScript bundles. Matches the /open/?apiName= encrypted routing endpoint combined with kit-specific internal API paths and Vue.js runtime globals. Behavioural rule — survives domain/IP rotation and bundle recompile provided string constants remain unchanged. Validated against 4 confirmed campaign samples (JR East, DHL Japan, ETC, Yodobashi Camera)."
        threat_actor = "Oriental Gudgeon / CoGUI"
        tlp = "WHITE"
        confidence = "HIGH"
        mitre_att = "T1566.002, T1071.001, T1041"
        reference = "https://urlscan.io/blog/2026/06/01/oriental-gudgeon/"
    strings:
        $wrapper_endpoint = "/open/?apiName=" ascii wide
        $api_validate = "/open/visitors/info/validateHuman" ascii wide
        $api_cogui = "/visitors/info/coguicogui" ascii wide
        $api_legacy = "/info/createOrGetUserInfo" ascii wide
        $meta_cogui = "coguicogui" ascii wide
        $meta_buttons = "buttons" ascii wide
        $meta_codename = "codeName" ascii wide
        $meta_browserinfo = "browserInfo" ascii wide
        $vue_instance = "__VUE_INSTANCE_SETTERS__" ascii wide
        $vue_ssr = "__VUE_SSR_SETTERS__" ascii wide
        $vue_global = "__VUE__" ascii wide
        $cookie_locale = "locale=en-us" ascii wide
    condition:
        filesize < 500KB
        and $wrapper_endpoint
        and (
            1 of ($api_*)
            or (
                $meta_cogui
                and 2 of ($meta_buttons, $meta_codename, $meta_browserinfo)
            )
            or (
                // any two of the three Vue runtime globals plus the locale cookie;
                // YARA rejects rules with unreferenced strings, so $vue_global is
                // folded in here rather than left dangling
                2 of ($vue_*)
                and $cookie_locale
            )
        )
}
rule CoGUI_OrientalGudgeon_PhishingLandingPage
{
    meta:
        author = "Md. Azim Uddin"
        version = "2.0"
        date = "2026-06-17"
        description = "Detects CoGUI/Oriental Gudgeon phishing HTML landing pages across observed brand templates. Matches shared Vue.js SPA mount structure, hardcoded en-us locale cookie injection, CoGUI API path segments embedded in HTML, and brand-specific copyright strings from cloned pages."
        threat_actor = "Oriental Gudgeon / CoGUI"
        tlp = "WHITE"
        confidence = "MEDIUM"
        mitre_att = "T1566.002"
        reference = "https://urlscan.io/blog/2026/06/01/oriental-gudgeon/"
    strings:
        $vue_attr = /data-v[ue]?-[a-f0-9]{8}/ ascii wide
        $path_open = "/open/" ascii wide
        $path_apiname = "apiName=" ascii wide
        $locale_en_us = "locale=en-us" ascii wide
        $brand_jreast = "JR East Net Station Co.,Ltd" ascii nocase wide
        $brand_dhl = "DHL Group" ascii nocase wide
        // fullwidth "ＥＴＣ" (U+FF25 U+FF34 U+FF23) as UTF-8
        $brand_etc = { EF BC A5 EF BC B4 EF BC A3 }
        $brand_yodobashi = "Yodobashi Camera Co.,Ltd" ascii nocase wide
    condition:
        // file starts with "<!" (0x213C little-endian) or "<htm" (0x6D74683C)
        (uint16(0) == 0x213C or uint32(0) == 0x6D74683C)
        and filesize < 100KB
        and $vue_attr
        and $path_open
        and $path_apiname
        and $locale_en_us
        and 1 of ($brand_*)
}
Specific hash-based detection (all confirmed samples)
// hash.sha256() requires the "hash" module
import "hash"

rule CoGUI_OrientalGudgeon_KnownHash_Critical
{
    meta:
        author = "Md. Azim Uddin"
        date = "2026-06-17"
        description = "Hash-based detection for the two highest-value shared artifacts confirmed across all 4 Oriental Gudgeon sites."
        threat_actor = "Oriental Gudgeon / CoGUI"
        tlp = "WHITE"
        confidence = "CRITICAL"
    condition:
        hash.sha256(0, filesize) == "7de3ca0c09d229344ed792cfe80f2e44c9bee56eaaa83c2b9509c96b8f8b6f68"
        or
        hash.sha256(0, filesize) == "8bc55f760a8ad956e66394c3a32b26711b660c74d20d358b35ec1e3b2ba2c728"
}
rule CoGUI_OrientalGudgeon_KnownHash_SubClusterA
{
    meta:
        author = "Md. Azim Uddin"
        date = "2026-06-17"
        description = "Sub-cluster A panel artifacts — JR East + Yodobashi operator instance."
        threat_actor = "Oriental Gudgeon / CoGUI"
        tlp = "WHITE"
        confidence = "HIGH"
    condition:
        hash.sha256(0, filesize) == "8eb434031c800898502e49fa1b85131f3ab143b27d0cfceff7c7f05026f5a823"
}
rule CoGUI_OrientalGudgeon_KnownHash_SubClusterB
{
    meta:
        author = "Md. Azim Uddin"
        date = "2026-06-17"
        description = "Sub-cluster B panel artifacts — DHL + ETC operator instance."
        threat_actor = "Oriental Gudgeon / CoGUI"
        tlp = "WHITE"
        confidence = "HIGH"
    condition:
        hash.sha256(0, filesize) == "59c6cb8863714dd12574b2e5ba7611f24fa9c993e116e3e02b7c1a39db9ff172"
}
CoGUI decrypted payload metadata (memory / network capture)
rule CoGUI_OrientalGudgeon_DecryptedPayload_Metadata
{
    meta:
        author = "Md. Azim Uddin"
        date = "2026-06-17"
        description = "Detects decrypted CoGUI API payload metadata in memory captures or PCAP-extracted content."
    strings:
        $buttons_skip = "\"buttons\"" ascii wide
        $step_login = "\"2\":" ascii wide
        $step_otp = "\"5\":" ascii wide
        $step_complete = "\"200\":" ascii wide
        $browser_info = "\"browserInfo\"" ascii wide
        $is_mobile = "\"isMobile\"" ascii wide
        $is_ios = "\"isIOS\"" ascii wide
        $cogui_path = "/open/visitors/info/coguicogui" ascii wide
        $domain_key = "\"domain\"" ascii wide
        $code_name = "\"codeName\"" ascii wide
    condition:
        filesize < 10KB
        and $cogui_path
        and $browser_info
        and ($buttons_skip and $step_otp and $step_complete)
        and ($domain_key and $code_name)
        // one corroborating key: YARA refuses to compile a rule whose strings
        // are unreferenced, so $step_login, $is_mobile and $is_ios are used here
        and 1 of ($step_login, $is_mobile, $is_ios)
}
Further Oriental Gudgeon / CoGUI rules
# ==============================================================
# SURICATA RULES — ORIENTAL GUDGEON / CoGUI
# Ruleset version: 1.0 | Date: 2026-06-17
# Category: Phishing / Credential Theft / CnC
# (trailing backslash = Suricata line continuation)
# ==============================================================
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"ET PHISHING CoGUI/OrientalGudgeon Encrypted API Wrapper Request"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/open/"; depth:6; \
    http.uri; content:"apiName="; distance:0; \
    http.header; content:"application/json"; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:trojan-activity; \
    sid:9000001; \
    rev:1; \
)
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"ET PHISHING CoGUI/OrientalGudgeon UUID Session Registration"; \
    flow:established,to_server; \
    http.method; content:"GET"; \
    http.uri; content:"/open/"; depth:6; \
    http.uri; content:"apiName="; distance:0; \
    http.uri; content:"uuid="; distance:0; \
    http.header; content:"application/json"; \
    classtype:trojan-activity; \
    sid:9000002; \
    rev:1; \
)
alert dns $HOME_NET any -> any any ( \
    msg:"ET PHISHING CoGUI/OrientalGudgeon DNS Lookup - cocoifly.cn"; \
    dns.query; content:"cocoifly.cn"; endswith; nocase; \
    classtype:trojan-activity; \
    sid:9000003; \
    rev:1; \
)
alert dns $HOME_NET any -> any any ( \
    msg:"ET PHISHING CoGUI/OrientalGudgeon DNS Lookup - iceaz.cn"; \
    dns.query; content:"iceaz.cn"; endswith; nocase; \
    classtype:trojan-activity; \
    sid:9000004; \
    rev:1; \
)
alert dns $HOME_NET any -> any any ( \
    msg:"ET PHISHING CoGUI/OrientalGudgeon DNS Lookup - dwsfipix.cn"; \
    dns.query; content:"dwsfipix.cn"; endswith; nocase; \
    classtype:trojan-activity; \
    sid:9000005; \
    rev:1; \
)
alert dns $HOME_NET any -> any any ( \
    msg:"ET PHISHING CoGUI/OrientalGudgeon DNS Lookup - fytwfj.cn"; \
    dns.query; content:"fytwfj.cn"; endswith; nocase; \
    classtype:trojan-activity; \
    sid:9000006; \
    rev:1; \
)
Sigma rules (SIEM detection)
Proxy/Web logs — API wrapper URI pattern
title: CoGUI OrientalGudgeon Encrypted API Wrapper URI Pattern
id: a1b2c3d4-0001-4e5f-8a9b-0c1d2e3f4a5b
status: stable
description: >
    Detects outbound HTTP requests matching the Oriental Gudgeon / CoGUI
    phishing kit encrypted API wrapper pattern (/open/?apiName=).
author: Md. Azim Uddin
date: 2026-06-17
references:
    - https://urlscan.io/blog/2026/06/01/oriental-gudgeon/
tags:
    - attack.initial_access
    - attack.t1566.002
    - attack.t1071.001
    - attack.t1041
logsource:
    category: proxy
    product: web_proxy
detection:
    selection:
        cs-method: POST
        # Sigma proxy taxonomy field names: c-uri-stem is the path, c-uri-query the query string
        c-uri-query|contains: 'apiName='
        c-uri-stem|contains: '/open/'
    filter_internal:
        # cidr applies to an IP field; cs-host is a hostname
        dst_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_internal
falsepositives:
    - Legitimate applications using /open/ endpoints with apiName parameters (unlikely in this combination)
level: high
Hunting queries
Splunk
(index=proxy_logs OR index=web_logs)
| where match(url, "/open/\?apiName=")
| where NOT (cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip))
| stats count, values(url) AS urls, values(src_ip) AS sources by dest_ip, dest_host
KQL
DeviceNetworkEvents
| where RemoteUrl contains "/open/?apiName="
| where RemoteIPType != "Private"
| project Timestamp, DeviceName, InitiatingProcessFileName,
RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
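Where neither Suricata nor a SIEM is in front of the logs (exported resolver and proxy logs during an investigation, for instance), the same two detections can be run offline. The script below is an added example, not part of the original report or of any vendor tooling: it transcribes the brand-lookalike qname patterns from the DNS Suricata rules above and the /open/?apiName= API-wrapper check from the Sigma, Splunk and KQL queries, with the same private-range exclusion applied to the destination IP. All log lines are constructed, the .example hostnames are reserved names, and the ALLOWLIST entries are illustrative assumptions to be replaced by your own inventory of the brands' legitimate registered domains. It also shows why that allowlist matters: the Rakuten pattern as written matches a legitimately shaped name such as rakuten-card.co.jp, and the ETC pattern matches any label starting with "etc" followed by three or more characters.

```python
"""Offline hunt over exported resolver and proxy logs (added example).

Re-implements the brand-lookalike DNS patterns from the Suricata rules and the
/open/?apiName= proxy check from the Sigma / Splunk / KQL queries, for logs
that never passed through those engines.  All log lines are constructed.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# qname patterns transcribed from the DNS Suricata rules (pcre bodies, /i flag)
BRAND_PATTERNS = {
    "rakuten": re.compile(r"(^|\.|-)rakuten[a-z0-9-]{3,}\.", re.I),
    "amazon-jp": re.compile(r"(^|\.|-)amazon(?:co)?[a-z0-9-]{3,}\.", re.I),
    "paypay": re.compile(r"(^|\.|-)paypay[a-z0-9-]{3,}\.", re.I),
    "nexco-etc": re.compile(r"(^|\.|-)(?:nexco|etc(?:-card)?)[a-z0-9-]{3,}\.", re.I),
    "gov-prefix": re.compile(r"(^|\.)gov-[a-z0-9]{4,12}\.", re.I),
}

# Registered domains the brands legitimately use.  Illustrative entries
# (assumption): populate from your own brand inventory.  Required because the
# patterns are deliberately broad, e.g. "rakuten-card.co.jp" matches "rakuten".
ALLOWLIST = {"rakuten.co.jp", "rakuten-card.co.jp", "amazon.co.jp", "paypay.ne.jp"}

API_WRAPPER = re.compile(r"/open/\?apiName=")
# the three ranges the Sigma rule's filter_internal excludes
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_allowlisted(qname: str) -> bool:
    """True if qname is an allowlisted registered domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in ALLOWLIST)


def hunt_dns(lines):
    """Constructed line format: '<timestamp> <client-ip> <qname>'.
    Returns (timestamp, client, qname, pattern-name) per suspicious qname."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        qname = qname.rstrip(".").lower()      # drop root dot, normalise case
        if is_allowlisted(qname):
            continue
        for name, pattern in BRAND_PATTERNS.items():
            if pattern.search(qname):
                hits.append((ts, client, qname, name))
                break
    return hits


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def hunt_proxy(lines):
    """Constructed W3C-style format: '<timestamp> <src-ip> <dst-ip> <method> <url>'.
    Flags POSTs to the /open/?apiName= wrapper on non-private destinations."""
    hits = []
    for line in lines:
        if line.startswith("#"):               # W3C header lines
            continue
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src_ip, dst_ip, method, url = fields
        if method != "POST" or not API_WRAPPER.search(url) or is_private(dst_ip):
            continue
        hits.append((ts, src_ip, dst_ip, urlsplit(url).hostname))
    return hits


def summarize(proxy_hits) -> Counter:
    """Wrapper POSTs per destination host (the Splunk/KQL aggregation)."""
    return Counter(hit[3] for hit in proxy_hits)


# Constructed sample logs.  The .cn hosts are those named in the Suricata DNS
# rules above; .example is a reserved TLD and resolves nowhere.
DNS_LOG = """\
2026-06-17T08:01:02Z 10.1.2.3 www.rakuten.co.jp
2026-06-17T08:01:05Z 10.1.2.3 rakuten-card.co.jp
2026-06-17T08:02:10Z 10.1.2.9 rakuten-login-jp.example
2026-06-17T08:03:41Z 10.1.2.9 amazonco-jp-verify.example
2026-06-17T08:04:00Z 10.1.2.7 paypay.ne.jp
2026-06-17T08:04:05Z 10.1.2.7 paypay-secure.example
2026-06-17T08:05:30Z 10.1.2.4 gov-abcd1234.example
2026-06-17T08:06:00Z 10.1.2.4 nexco-etc-refund.example
"""

PROXY_LOG = """\
#Fields: date-time c-ip s-ip cs-method cs-uri
2026-06-17T09:00:01Z 10.1.2.9 203.0.113.10 POST https://iceaz.cn/open/?apiName=PLACEHOLDER
2026-06-17T09:00:02Z 10.1.2.9 203.0.113.10 GET https://iceaz.cn/assets/B1mJW4nA.js
2026-06-17T09:00:07Z 10.1.2.5 10.0.0.20 POST http://intranet.example/open/?apiName=status
2026-06-17T09:01:15Z 10.1.2.9 198.51.100.7 POST https://dwsfipix.cn/open/?apiName=PLACEHOLDER
"""

if __name__ == "__main__":
    for hit in hunt_dns(DNS_LOG.splitlines()):
        print("DNS ", *hit)
    proxy_hits = hunt_proxy(PROXY_LOG.splitlines())
    for hit in proxy_hits:
        print("HTTP", *hit)
    print("per-host:", dict(summarize(proxy_hits)))
```

On the sample data the DNS hunt returns the five .example names and nothing for the allowlisted Rakuten, Rakuten Card and PayPay queries, and the proxy hunt returns the two external wrapper POSTs (iceaz.cn and dwsfipix.cn) while skipping the GET and the POST to the private address. Note that the DNS Suricata rules above only watch port 53, so resolver-side logs such as these are also where DoH/DoT-resolved lookups would have to be hunted.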