Haozi’s Plug-and-Play Phishing-as-a-Service Has Facilitated $280,000 of Criminal Transactions Over Past Five Months
Key data
Netcraft has observed a resurgence of the Chinese-language Haozi Phishing-as-a-Service (PhaaS) group, which markets itself with a cartoon mouse mascot and a heavy emphasis on ease-of-use and support. Its standout feature? Virtually no technical skills required.
Haozi also sells advertising space that connects phishing kit buyers with third-party services—such as SMS vendors—where Haozi acts as an intermediary. The Tether (USDT) wallet used for these advertisements and intermediary services has received more than $280,000, with recent withdrawals frequently amounting to several thousand dollars each.
Netcraft has detected Haozi administration panels installed on thousands of phishing hostnames.
No Coding, No Problem: Phishing with a Click
Phishing-as-a-Service operations are becoming increasingly user-friendly, and Haozi epitomizes this trend. Unlike legacy phishing kits that require attackers to configure scripts or infrastructure manually, Haozi offers a sleek, public-facing web panel. Once an attacker purchases a server and puts its credentials into the panel, the phishing software is automatically set up, with no need to run a single command.

Figure 1. Haozi setup web panel, hosted on a Haozi domain. After inputting server credentials, this connects to the server and runs the installation.
This frictionless setup contrasts with other PhaaS tools like the AI-enabled Darcula suite, where minimal command-line usage is still necessary. Haozi eliminates even that, positioning itself as the “plug-and-play” option for aspiring cybercriminals.

Figure 2. 耗子系统 (Hàozǐ xìtǒng) phishing administration panel screenshot.
Haozi’s admin panel functions similarly to what we’ve observed from other PhaaS kit providers. An attacker provides server credentials to a Haozi-managed installation service, which remotely deploys the phishing kit, returns admin access credentials, and launches the dashboard. Inside this panel, users can manage phishing campaigns, configure traffic filtering, and review stolen credentials. The experience is streamlined and familiar, borrowing design cues from other modern phishing dashboards.
Netcraft has detected Hàozǐ xìtǒng administration panels installed on thousands of phishing hostnames.

Figure 3. Example of a Haozi phishing dashboard.
Haozi’s video ads serve as early marketing tools to showcase kit capabilities such as phishing for two-factor authentication (2FA) codes and simulating card verification prompts. After the victim submits their credit card information, the phishing kit displays a loading screen while the kit operator decides whether to prompt for a 2FA code. Based on the response they receive when attempting to use the stolen card, the operator can redirect the victim to a page requesting a verification code, simulate an in-app prompt, reject the card if the details are invalid, or bypass the 2FA step if the operator doesn’t require a 2FA code.

Figure 4A. Haozi Telegram advertisement demonstrating 2FA phishing using the Haozi kit. 2FA phishing options.

Figure 4B. Haozi Telegram advertisement demonstrating 2FA phishing using the Haozi kit. 2FA phishing page shown to victims.
A "Customer First" Criminal Enterprise
What also sets Haozi apart is its customer service model. A dedicated after-sales Telegram channel exists to help users debug issues and optimize their phishing campaigns. This technical support, paired with a fully automated panel, makes Haozi exceptionally accessible even to those with no cybersecurity expertise.


Figure 5A, B. (Chinese, English) Sales points from one of the Haozi Telegram administrators.
Haozi has structured its operations with distinct Telegram channels for after-sales support, FAQs, and even resource sharing. They offer a full-service ecosystem where users can find tutorials, ask questions, commission custom phishing pages and trade phishing intel. In both cases, support services are not a side benefit — they are core product features designed to drive engagement and subscription renewals.
At its peak, the original Haozi Telegram community hosted nearly 7,000 members. Though the initial community was eventually shut down, Haozi has already bounced back. Since April 28, 2025, it has gained more than 1,700 new followers, indicating a rapid re-engagement of its user base.

Figure 6. ‘ZE-ADMIN’ phishing administration panel, demonstrated in a video posted in a Haozi Telegram channel. This appears to be an alternate or older version of the Hàozǐ xìtǒng panel.
Pricing Model
Haozi operates on a subscription model, charging around $2,000 for annual access (with higher pricing on shorter terms), and also makes ad hoc sales. Fraudsters looking to purchase these kits are directed to communicate with one of many Haozi business Telegram accounts.


Figure 7A, B. (Chinese, English) Haozi end-of-spring update post.
Haozi also offers paid advertising space to connect phishing kit buyers with services such as third-party SMS vendors. In these circumstances, Haozi acts as a middleman, using its position as community gatekeeper to extract additional revenue. The Tether (USDT) address attached to these advertisements and middleman services has received more than $280,000, with many recent withdrawals of thousands of dollars each.
The use of cryptocurrency for Haozi payments helps preserve anonymity and reinforces the service’s appeal among cybercriminals.

Figure 8. Demonstration of stolen credit/debit card interface, from a Haozi Telegram advertisement.
Why PhaaS Is Thriving in 2025
The growing popularity of services like Haozi reflects a broader shift in cybercriminal activity. As enterprise security teams become more effective at detecting and addressing intrusion attempts, attackers are deploying social engineering and phishing scams, tactics that don’t require breaching a hardened perimeter.
PhaaS offerings lower the skill floor and scale campaigns through automation and community support. These new models function more like SaaS businesses than black-market hacking groups, complete with subscription pricing, customer service, and product updates.
Disrupting the Ecosystem
Netcraft continuously monitors and disrupts PhaaS infrastructure by detecting and removing malicious domains at scale.
As groups like Haozi innovate to simplify and improve phishing attacks, organizations must evolve in parallel, arming themselves with real-time threat intelligence, automated takedown capabilities, and broader visibility into phishing infrastructure before attacks reach their customers or employees.
To stay informed on evolving phishing tactics, and how to counter them, visit our blog or request a demo.