Oriental Gudgeon, aka "CoGUI"
Chinese-backed phishing services
– urlscan Threat Research Team
This is a public version of a report first published as an Intel Report on the urlscan Pro platform. The urlscan Pro version contains a more detailed look into the activity as well as more complex searches to cluster the activity. The urlscan Pro report also benefits from added visibility of Unlisted scans.
Oriental Gudgeon, also known as CoGUI, has undergone a major architectural shift toward a centralized encrypted wrapper model to mask its global phishing operations. This latest iteration employs defensive anti-analysis techniques, such as randomized local storage artifacts and encrypted API routing, while maintaining a heavy focus on US government entities and APAC financial institutions. Read our full technical breakdown to see how this mature framework uses multi-stage workflows, from OTP verification to localized UI mapping, to compromise users across the telecommunications, logistics, and retail sectors.
Intel card
- Primary Name: “Oriental Gudgeon”
- Alternative Name: “CoGUI”
Targeting
Regions: Africa · Asia-Pacific (APAC) · Europe · Latin America · Middle East · North America
| Industries |
|---|
| Postal & Logistics (Dominant) |
| Financial Services & Banking |
| Government & Public Sector |
| Telecommunications |
| Transportation & Travel |
| Utilities & Energy |
| E-commerce & Consumer Services |
| Payments & Fintech |
| Courier Aggregators / Regional Logistics Providers |
Key findings
- Very strong concentration of US government entities at both state and city level, indicating highly localized targeting within North America
- Continued heavy focus on Australian and New Zealand financial institutions, reinforcing APAC-specific campaign optimization
- Inclusion of major global logistics providers alongside regional couriers, maintaining postal delivery as a primary lure
- Blending of telecom providers with infrastructure masking, suggesting attempts to evade detection and improve delivery success
- Expansion into e-commerce and trading platforms, indicating diversification beyond traditional banking phishing
- Continued abuse of transport and tolling systems, particularly in APAC and Middle East regions
- Strong mix of global financial brands with regional banks, maximizing both reach and localization
- Consistent use of a global backend with interchangeable frontend templates tailored to specific countries and services
The urlscan Threat Research Team released a public blog in May 2025 on Oriental Gudgeon covering the bulk of the cluster. After publication of our blog, the actors behind Oriental Gudgeon adjusted their kit to avoid detection. The Oriental Gudgeon (also tracked as CoGUI) phishing framework represents a mature and evolving kit that has undergone significant architectural changes to improve operational resilience and hardening against detection. Analysis conducted by the urlscan Threat Research Team indicates that the latest iteration has shifted from a multi-endpoint API structure to a centralized encrypted wrapper model, reducing observable attack surface while maintaining full backend functionality.
Example Oriental Gudgeon site themed for DHL Japan
Analysis indicates the emergence of a parallel variant of the wrapper model, which retains the same backend logic but alters how encryption and routing are implemented.
To read the full public blog on Oriental Gudgeon: https://urlscan.io/blog/2025/05/06/oriental-gudgeon/
Wrapper Architecture Evolution
The modern Oriental Gudgeon framework primarily communicates through a wrapper endpoint: /open/?apiName=
Rather than directly calling internal APIs, requests are proxied through this endpoint, with the intended destination encrypted and passed via the apiName parameter.
However, newer variants deviate slightly from this structure. Observed samples show wrapper-style routing using paths such as: /open/visitors/info/validateHuman
This is notable as:
- /visitors/info/validateHuman was a core endpoint in earlier CoGUI versions
- The /open/ prefix indicates the wrapper layer is still in use
- The internal API path is embedded directly rather than passed as an encrypted parameter
This suggests either a transitional implementation or parallel operator-specific builds of the framework.
Earlier Oriental Gudgeon deployments used multiple exposed API endpoints, most notably: /info/createOrGetUserInfo
This remains a strong pivot point for identifying historic or un-updated deployments.
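The three layouts above (encrypted wrapper, transitional wrapper with the path in clear, and legacy direct API calls) can be told apart from the request path alone. The following is an added example written for this page, not code from the Oriental Gudgeon kit or from urlscan: it sorts a scan's transactions into those layouts. The hostnames, the apiName value and the transaction list are constructed placeholders, not observed indicators.

```javascript
// Added example by the editor, not code from the Oriental Gudgeon kit or from
// urlscan: sorts captured request URLs into the three API layouts described
// above. Hostnames and the apiName value are placeholders, not observed
// indicators; the transaction list is constructed for this example.

// Internal endpoints that legacy (pre-wrapper) deployments expose directly.
const LEGACY_ENDPOINTS = new Set([
  '/info/createOrGetUserInfo',
  '/visitors/info/validateHuman',
]);

function classifyRequest(rawUrl) {
  const url = new URL(rawUrl);
  const path = url.pathname;
  const apiName = url.searchParams.get('apiName');

  // Encrypted wrapper: the real destination travels (encrypted) in apiName.
  if (path.startsWith('/open/') && apiName !== null) {
    return { variant: 'wrapper-encrypted', internalPath: null, apiName };
  }
  // Transitional wrapper: /open/ prefix kept, internal path embedded in clear
  // (e.g. /open/visitors/info/validateHuman).
  if (path.startsWith('/open/') && path.length > '/open/'.length) {
    return { variant: 'wrapper-cleartext', internalPath: path.slice('/open'.length), apiName: null };
  }
  // Legacy: internal API called directly, no wrapper layer.
  if (LEGACY_ENDPOINTS.has(path)) {
    return { variant: 'legacy', internalPath: path, apiName: null };
  }
  return { variant: 'unrelated', internalPath: null, apiName: null };
}

// Aggregate over a scan's transactions; hits keep the method for later pivoting.
function triage(transactions) {
  const summary = { 'wrapper-encrypted': 0, 'wrapper-cleartext': 0, legacy: 0, unrelated: 0 };
  const hits = [];
  for (const t of transactions) {
    const c = classifyRequest(t.url);
    summary[c.variant] += 1;
    if (c.variant !== 'unrelated') hits.push({ method: t.method, url: t.url, ...c });
  }
  return { summary, hits };
}

// Constructed sample transaction list (example.invalid is a reserved test domain).
const SAMPLE_TRANSACTIONS = [
  { method: 'GET',  url: 'https://example.invalid/' },
  { method: 'GET',  url: 'https://example.invalid/static/js/app.js' },
  { method: 'POST', url: 'https://example.invalid/open/?apiName=Zm9vYmFy' },
  { method: 'POST', url: 'https://example.invalid/open/visitors/info/validateHuman' },
  { method: 'POST', url: 'https://example.invalid/open/visitors/info/coguicogui' },
  { method: 'POST', url: 'https://legacy.example.invalid/info/createOrGetUserInfo' },
];

console.log(JSON.stringify(triage(SAMPLE_TRANSACTIONS), null, 2));
```

Run it with Node against the transaction list exported from a scan; a page that produces both wrapper-encrypted and wrapper-cleartext hits is the transitional or parallel build discussed above, while legacy hits point at an un-updated deployment.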
Encryption Model
Two JavaScript functions manage encrypted communication:
| Function | Purpose |
|---|---|
| n7() | Encrypts internal API path passed via apiName |
| o7() | Encrypts POST/PUT/PATCH/DELETE request body |
Historically, both functions used:
- AES-CBC
- PKCS7 padding
- Randomized IV
- Obfuscated key
New Variant Behaviour
Newly observed samples (Example: https://urlscan.io/result/019d35ac-1394-7348-be0b-45f62ade8dcc#transactions) demonstrate a modified encryption model.
Analysis of POST data reveals continued use of internal endpoints such as: /open/visitors/info/coguicogui
Example payload data (excerpt of the captured POST body):
```json
{
  "path": "/open/visitors/info/coguicogui",
  "data": {
    "browserInfo": {
      "version": "604.1",
      "tag": "mobile",
      "prefix": "webkit",
      "isMobile": true,
      "isIOS": true,
      "isAndroid": false
    },
    "domain": "pcn-finesh.cn",
    "codeName": "英国GOVUK罚款",
    "buttons": {
      "skip": {
        "2": "登录页",
        "5": "OTP验证页",
        "6": "APP验证页",
        "9": "电话拨打页",
        "200": "完成"
      }
    }
  }
}
```
The codeName is Chinese for "UK GOV.UK fine", and the skip labels are Chinese page names: login page, OTP verification page, app verification page, phone-call page, and complete. Observed payloads expose structured campaign metadata including:
- Domain targeting
- Multi-stage workflow progression
- Localized UI labels and step mapping
Example workflow states from the ‘buttons.skip’ values:
| State | Meaning |
|---|---|
| 2 | Login page |
| 3 | Address page |
| 4 | Card input |
| 5 | OTP verification |
| 6 | App verification |
| 7 | PIN verification |
| 8 | Email verification |
| 9 | Phone interaction |
| 21 | Payment/fine page |
| 200 | Completion |
This confirms:
- Continued reliance on step-based phishing flows
- Strong support for localization and thematic customization
- Reuse of backend orchestration logic across variants
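The skip map is enough to reconstruct a campaign's flow without ever clicking through it. The block below is an added example written for this page, not code from the kit or from urlscan: it parses a captured wrapper payload and turns buttons.skip into the ordered workflow the table above describes. The sample is the page's payload excerpt completed with closing braces; the state meanings are taken from the table above, and the choice of which states count as credential stages is this example's own.

```javascript
// Added example by the editor, not code from the kit or from urlscan: parses a
// captured wrapper payload and turns its buttons.skip map into the ordered
// workflow the table above describes. The sample is the page's payload excerpt
// completed with closing braces; the state meanings come from the table above.

// Step codes and their meaning, as documented above.
const STATE_MEANING = {
  2: 'Login page', 3: 'Address page', 4: 'Card input', 5: 'OTP verification',
  6: 'App verification', 7: 'PIN verification', 8: 'Email verification',
  9: 'Phone interaction', 21: 'Payment/fine page', 200: 'Completion',
};
// Steps at which the victim hands over a secret or approves something (example's own choice).
const CREDENTIAL_STATES = new Set([2, 4, 5, 6, 7, 8]);

// Constructed sample: the excerpt above, closed so it parses.
const SAMPLE_PAYLOAD = JSON.stringify({
  path: '/open/visitors/info/coguicogui',
  data: {
    browserInfo: { version: '604.1', tag: 'mobile', prefix: 'webkit', isMobile: true, isIOS: true, isAndroid: false },
    domain: 'pcn-finesh.cn',
    codeName: '英国GOVUK罚款',
    buttons: { skip: { '2': '登录页', '5': 'OTP验证页', '6': 'APP验证页', '9': '电话拨打页', '200': '完成' } },
  },
});

function parseCampaignPayload(text) {
  const p = JSON.parse(text);
  const data = p.data || {};
  const skip = (data.buttons && data.buttons.skip) || {};
  const workflow = Object.keys(skip)
    .map(Number)
    .filter(Number.isInteger)
    .sort((a, b) => a - b)                      // walk the flow in step order
    .map((state) => ({ state, label: skip[String(state)], meaning: STATE_MEANING[state] || 'unknown' }));
  return {
    path: p.path,
    viaWrapper: typeof p.path === 'string' && p.path.startsWith('/open/'),
    domain: data.domain,
    codeName: data.codeName,
    platform: data.browserInfo ? data.browserInfo.tag : undefined,
    workflow,
  };
}

// Which stages in this campaign capture credentials or second factors.
function credentialStages(parsed) {
  return parsed.workflow.filter((s) => CREDENTIAL_STATES.has(s.state)).map((s) => s.meaning);
}

// One-line summary suitable for a report row.
function summarize(parsed) {
  const steps = parsed.workflow.map((s) => `${s.state}:${s.meaning}`).join(' -> ');
  return `${parsed.domain} [${parsed.codeName}] ${parsed.platform}: ${steps}`;
}

const parsed = parseCampaignPayload(SAMPLE_PAYLOAD);
console.log(summarize(parsed));
console.log('credential stages:', credentialStages(parsed));
```

Unknown state codes are kept and marked 'unknown' rather than dropped, so a new step added by the operators shows up in the summary instead of silently disappearing.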
This variant introduces multiple new high-confidence detection opportunities:
- Continued use of /open/ wrapper paths
- Reuse of the /visitors/info/validateHuman endpoint
- Vue.js frontend fingerprints
Further insight comes from analysing local storage usage across the Oriental Gudgeon framework as a whole. The framework intentionally generates pseudo-random storage keys alongside legitimate operational values, likely to frustrate analysis efforts.
This behavior is implemented via a dedicated randomization routine that:
- Creates arbitrary key/value pairs
- Inserts timestamped values
- Shuffles entries prior to storage
These generated entries are never referenced again and appear purely defensive.
Oriental Gudgeon’s shift toward encrypted API routing demonstrates a clear intent to reduce visibility and complicate analysis.
The use of randomized storage artifacts suggests an emerging focus on anti-analysis measures.
Below is a list of brands which have been detected and linked to Oriental Gudgeon:
- Telecommunications & Digital Platforms
- Transport & Logistics
- Retail
- Financial & Investment Groups
- Travel & Services
- JR East - https://urlscan.io/result/019d6e34-b07b-748e-8181-093d1c22a93c
- ETC Meisai (Electronic Toll Collection Statement Service) - https://urlscan.io/result/019d6e22-382d-740f-9f6a-8f1aa52f2d39
More on urlscan Pro
If you want to learn about the urlscan Pro platform and how it might be valuable for your organization feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.