Phishing-as-a-Service (PhaaS) has entered a new era in 2025, exemplified by Haozi, a highly automated, subscription-based phishing platform that strips away the technical barriers to cybercrime.
While legacy phishing kits required manual configuration and command-line expertise, Haozi’s web-based control panel makes launching sophisticated phishing campaigns as easy as operating any popular Software-as-a-Service (SaaS) solution.
Unlike competing toolkits such as the AI-enabled Darcula suite, which still requires some command-line interaction, Haozi’s frictionless setup is entirely web-driven.
Attackers purchase a server, enter credentials into Haozi’s public-facing panel, and the platform handles backend installation, deployment, and dashboard access without the user needing to execute a single shell command.
“Haozi’s plug-and-play model represents a fundamental shift, lowering the skill floor for cybercrime while increasing scale and impact,” said threat researchers monitoring the PhaaS landscape.

Anatomy of the Haozi Platform
At its core, Haozi is built to emulate the user experience of legitimate SaaS management consoles, but for illicit phishing campaigns. The system consists of three main user flows:
- Automated Installation
  Haozi’s web panel connects to a purchased VPS using the entered credentials, automatically deploying all scripts, phishing templates, and traffic-filtering tools.
  ```shell
  # No commands required
  # Installation triggered via web interface
  ```
  The attacker receives admin credentials upon completion and can immediately access the campaign management dashboard.
- Campaign Orchestration
  Inside the panel, branded 耗子系统 (Hàozǐ xìtǒng), users can:
  - Launch multiple phishing campaigns
  - Configure credential and 2FA code theft workflows
  - Apply smart filtering to evade security teams
  - Monitor stolen credentials in real time
- Integrated Technical Support
  Haozi distinguishes itself with a robust, always-on customer support model through Telegram. This ecosystem offers:
  - Dedicated after-sales channels for technical issues
  - FAQ and tutorial access
  - Resource sharing and custom phishing page commissions
Phishing Tactics and Financial Impact
Haozi’s toolset enables highly deceptive social engineering attacks. Notably, its phishing templates can:
- Steal credit card details and instantly test their validity
- Simulate 2FA prompts, requesting additional verification codes based on live card authentication responses
- Use loading and error screens to dynamically adjust victim flows and optimize credential capture rates
The operational ease of Haozi has led to widespread adoption. Netcraft has identified thousands of Hàozǐ xìtǒng admin panels active on malicious domains.
Telegram-based marketing showcases kit features, routinely demonstrating 2FA phishing and advanced card validation flows.
The platform’s financial success is clear. Since its relaunch in late April 2025, the cryptocurrency wallet linked to Haozi has processed more than $280,000 in transactions—primarily via Tether (USDT).
Pricing models include annual subscriptions (around $2,000 per user), shorter-term access, and paid advertising for third-party criminal services.
Sample Phishing Flow
While Haozi’s backend scripts are proprietary, campaign logic can be abstracted as:
```python
# Abstracted campaign logic; the function names stand in for Haozi's proprietary backend hooks.
if victim_submits_card():
    show_loading()                  # hold the victim on a loading screen while the card is checked
    if card_valid():
        if operator_requests_2FA():
            prompt_2FA()            # request a verification code only when the operator asks for one
        else:
            complete_transaction()
    else:
        show_error()                # send the victim back through the form to retry
```
Haozi’s rise illustrates the SaaSification of the criminal underground—providing accessible, scalable, and fully supported tools for launching large-scale phishing attacks.
As organizations harden technical defenses, user-centric and social engineering-based phishing is thriving, democratized by platforms like Haozi.
Security teams must adapt, focusing defenses not just on technical vulnerabilities, but also on monitoring for phishing infrastructure at scale and educating end users about these ever-more-convincing scams.
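The panel fingerprinting that Netcraft's discovery of branded admin panels implies, as an added defender-side example (not code from the article or from Netcraft): it flags fetched HTML snapshots that carry the 耗子系统 brand string; the title check, the Latin alias list, and the sample snapshots are constructed assumptions, not a documented Haozi fingerprint.

```python
import html
from html.parser import HTMLParser

PANEL_BRAND = "耗子系统"                       # brand string reported on the admin panels
PANEL_BRAND_ALIASES = ("haozi", "hàozǐ xìtǒng")  # assumed romanised variants, not confirmed indicators


class _TitleExtractor(HTMLParser):
    """Collect the text inside the first <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def page_title(doc):
    parser = _TitleExtractor()
    parser.feed(doc)
    return parser.title.strip()


def flag_haozi_panel(domain, doc):
    """Return a finding for snapshots that look like a Haozi admin panel, else None."""
    title = page_title(doc)
    text = html.unescape(doc)
    reasons = []
    if PANEL_BRAND in title:
        reasons.append("brand in <title>")
    elif PANEL_BRAND in text:
        reasons.append("brand in body")
    reasons += [f"alias {a!r}" for a in PANEL_BRAND_ALIASES if a in text.lower()]
    return {"domain": domain, "title": title, "reasons": reasons} if reasons else None


# Constructed snapshots standing in for crawler output; the domains are placeholders.
SNAPSHOTS = {
    "panel.example": "<html><head><title>耗子系统 - 登录</title></head><body>...</body></html>",
    "shop.example": "<html><head><title>My Shop</title></head><body>Welcome</body></html>",
    "mirror.example": "<html><head><title>Admin</title></head><body><h1>Haozi Panel</h1></body></html>",
}


def hunt(snapshots):
    """Run the fingerprint over every snapshot and keep only the hits."""
    return [f for f in (flag_haozi_panel(d, h) for d, h in snapshots.items()) if f]
```

In practice the snapshot map would be fed from a crawler or URL-scanning service, and each hit would go to a takedown or blocklist workflow rather than being printed.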