Haozi’s Plug-and-Play Phishing Attack Steals Over $280,000 from Users
Netcraft security researchers have identified a significant resurgence of the Chinese-language Haozi Phishing-as-a-Service (PhaaS) operation, distinguished by its cartoon mouse mascot and frictionless cybercrime toolkit.
The group’s cryptocurrency wallet has processed over $280,000, with substantial recent withdrawals, while thousands of its administration panels have been detected across the internet.
What makes Haozi particularly dangerous is its complete elimination of technical barriers, allowing virtually anyone to deploy sophisticated phishing campaigns regardless of their technical expertise.
Zero-Technical-Skill Phishing Platform
Haozi has redefined the PhaaS landscape with its web-based installation process that requires no command-line knowledge or manual configuration.
Unlike legacy phishing kits, or even more modern alternatives like the Darcula suite that still demand at least minimal technical skills, Haozi offers a completely automated deployment system.
Attackers simply purchase server space, input credentials into Haozi’s sleek web panel, and the system autonomously installs and configures the entire phishing infrastructure.

The platform’s administrative dashboard provides comprehensive campaign management capabilities, including sophisticated traffic filtering, credential harvesting, and advanced Two-Factor Authentication (2FA) bypass techniques.
When victims submit payment card information, operators can dynamically determine whether to prompt for verification codes, simulate in-app authentication requests, or circumvent security measures entirely based on real-time assessment of the stolen credentials’ validity.
Netcraft’s investigation revealed thousands of “Hàozǐ xìtǒng” (Haozi system) administration panels across numerous phishing domains, indicating widespread adoption of this toolkit among cybercriminals seeking low-friction attack vectors.
The operation’s design philosophy prioritizes usability and automation, essentially transforming complex phishing campaigns into point-and-click operations accessible to even the most technically inexperienced attackers.

Service-Oriented Criminal Enterprise
Haozi operates with a business model strikingly similar to legitimate software companies, complete with dedicated technical support channels on Telegram for debugging, campaign optimization, and customer assistance.
Their ecosystem includes resource-sharing networks, FAQs, and customization services where users can commission bespoke phishing pages tailored to specific targets.
Despite having its original 7,000-member Telegram community shut down, Haozi demonstrated remarkable resilience by acquiring over 1,700 new followers since April 28, 2025.
The group maintains a subscription-based pricing structure, charging approximately $2,000 for annual access, with premium rates for shorter-term engagements.
Beyond direct subscription revenue, Haozi monetizes its platform by selling advertising space and acting as an intermediary between phishing kit buyers and third-party service providers such as SMS vendors.
This middleman position allows them to extract additional revenue while expanding their cybercriminal ecosystem.
The proliferation of user-friendly PhaaS platforms represents a strategic shift in cybercriminal methodology as enterprise security teams become more effective at detecting network intrusions.
These operations now function essentially as SaaS businesses, complete with subscription models, customer support infrastructure, and regular product updates. This significantly lowers the barriers to entry for cybercrime while creating sustainable revenue streams for the operators behind these increasingly sophisticated phishing ecosystems.