Bad sushi: China-nexus phishers shift to residential proxies

ID: 63e8692f-c402-5533-af36-9f5d7be839d1

STIX ID: report--63e8692f-c402-5533-af36-9f5d7be839d1

Feed Name: The Spamhaus Project

Threat Score: 72/100

Date Published: 2025-10-16

Date Updated: 2026-04-30

Author: Jonas Arnold


By April–May 2025 a widespread phishing campaign shifted to leveraging residential proxy networks and exploded in scale, moving from thousands to over a million source IPs across 173 countries and 8,893 ASNs. The campaign increased IPv6 spam emissions, used generic/non-existent HELOs, .top redirectors, and hosted phishing landing pages on cloud VPS providers (notably Alibaba and Tencent), enabling rapid, high-volume distribution and regional spikes such as heavy activity in Latin America.
