Haozi’s Plug-and-Play Phishing Attack Stole Over $280,000 From Users

A sophisticated phishing-as-a-service operation known as Haozi has emerged as a significant threat in the cybercriminal landscape, facilitating over $280,000 in fraudulent transactions within just five months.

Unlike traditional phishing kits that require technical expertise, Haozi offers a streamlined, user-friendly platform that has democratized cybercrime by eliminating the technical barriers typically associated with launching phishing campaigns.

The operation distinguishes itself through its comprehensive service model, providing everything from automated setup procedures to dedicated customer support channels.

Attackers can deploy fully functional phishing infrastructure with minimal effort, requiring only server credentials to initiate the automated installation process.

This plug-and-play approach has attracted thousands of cybercriminals seeking to capitalize on credential theft and financial fraud.

Netcraft researchers identified Haozi administration panels installed across thousands of phishing hostnames, revealing the extensive reach of this criminal enterprise.

The service operates through a subscription-based model, charging approximately $2,000 for annual access, with shorter-term options available at premium pricing.

Sales points from one of the Haozi Telegram administrators (Source – Netcraft)

The operation maintains active Telegram communities for customer support and knowledge sharing, with the current incarnation attracting over 1,700 followers after the original 7,000-member community was shut down.

The phishing service targets multiple attack vectors, including credential harvesting and two-factor authentication bypass mechanisms.

Haozi Telegram advertisement demonstrating 2FA phishing using the Haozi kit (Source – Netcraft)

Victims are presented with convincing replicas of legitimate websites, with the stolen data immediately accessible through Haozi’s administrative dashboard.

The platform’s sophisticated filtering capabilities and anti-detection features enable prolonged campaign operation while evading security measures.

Technical Infrastructure and Deployment Mechanism

Haozi’s technical implementation represents a significant evolution in phishing-as-a-service offerings.

The platform features a public-facing web panel that automates the entire deployment process, as demonstrated in Figure 1 showing the ZE-ADMIN installation interface.

Once an attacker inputs server credentials including IP address, port, username, and authentication details, the system remotely connects to the target server and executes the complete installation without requiring command-line interaction.

耗子系统 (Hàozǐ xìtǒng) phishing administration panel (Source – Netcraft)

The administrative interface provides comprehensive campaign management capabilities.

Users can monitor real-time visitor statistics, manage stolen credentials, and configure traffic filtering rules through an intuitive dashboard interface.

The system tracks various metrics including daily visitors, credential submissions, and geographic distribution of victims, enabling operators to optimize their campaigns for maximum effectiveness while maintaining operational security.

Tushar Subhra Dutta