New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

Posted on December 12, 2025 By CWS

Cybersecurity researchers have documented four new phishing kits, named BlackForce, GhostFrame, InboxPrime AI, and Spiderman, that facilitate credential theft at scale.
BlackForce, first detected in August 2025, is designed to steal credentials and carry out Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351).
The kit, according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS. It is said to be under active development.
"BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners," the company said. "BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months."
Phishing pages associated with the kit have been found to use JavaScript files with what has been described as "cache busting" hashes in their names (e.g., "index-[hash].js"), thereby forcing the victim's web browser to download the latest version of the malicious script instead of using a cached copy.
In a typical attack using the kit, victims who click on a link are redirected to a malicious phishing page, after which a server-side check filters out crawlers and bots before serving a page designed to mimic a legitimate website. Once credentials are entered on the page, the details are captured and sent to a Telegram bot and a command-and-control (C2) panel in real time using an HTTP client called Axios.

When the attacker attempts to log in with the stolen credentials on the legitimate website, an MFA prompt is triggered. At this stage, the MitB techniques are used to display a fake MFA authentication page in the victim's browser via the C2 panel. Should the victim enter the MFA code on the bogus page, it is collected and used by the threat actor to gain unauthorized access to their account.
"Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack," Zscaler said.
GhostFrame Fuels 1M+ Stealth Phishing Attacks
Another nascent phishing kit that has gained traction since its discovery in September 2025 is GhostFrame. At the heart of the kit's architecture is a simple HTML file that appears harmless while hiding its malicious behavior inside an embedded iframe, which leads victims to a phishing login page built to steal Microsoft 365 or Google account credentials.

"The iframe design also allows attackers to easily swap out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit," Barracuda security researcher Sreyas Shetty said. "Further, by simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page."
Attacks using the GhostFrame kit begin with typical phishing emails that claim to be about business contracts, invoices, and password reset requests, but are designed to take recipients to the fake page. The kit uses anti-analysis and anti-debugging techniques to block attempts to inspect it with browser developer tools, and generates a random subdomain every time someone visits the site.

The visible outer page contains a loader script that is responsible for setting up the iframe and responding to any messages posted from the framed HTML element. These messages can change the parent page's title to impersonate trusted services, modify the site favicon, or redirect the top-level browser window to another domain.
In the final stage, the victim is sent to a secondary page containing the actual phishing components, delivered through the iframe from the constantly changing subdomain, which makes the threat harder to block. The kit also incorporates a fallback mechanism in the form of a backup iframe appended at the bottom of the page in case the loader JavaScript fails or is blocked.
InboxPrime AI Phishing Kit Automates Email Attacks
If BlackForce follows the same playbook as other traditional phishing kits, InboxPrime AI goes a step further by leveraging artificial intelligence (AI) to automate mass mailing campaigns. It is advertised on a 1,300-member-strong Telegram channel under a malware-as-a-service (MaaS) subscription model for $1,000, granting buyers a perpetual license and full access to the source code.
"It's designed to mimic real human emailing behavior and even leverages Gmail's web interface to evade traditional filtering mechanisms," Abnormal researchers Callie Baron and Piotr Wojtyla said.
"InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software."
The platform employs a user-friendly interface that allows customers to manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools. One of its core features is a built-in AI-powered email generator, which can produce complete phishing emails, including the subject lines, in a manner that mimics legitimate business communication.

In doing so, these services further lower the barrier to entry for cybercrime, effectively eliminating the manual work that goes into drafting such emails. Instead, attackers configure parameters such as language, topic or industry, email length, and desired tone, which the toolkit uses as inputs to generate convincing lures that match the chosen theme.
What's more, the dashboard enables users to save the produced email as a reusable template, complete with support for spintax to create variations of the email by substituting certain template variables. This ensures that no two phishing emails look identical and helps them bypass signature-based filters that look for identical content patterns.
Some of the other supported features in InboxPrime AI are listed below:

A real-time spam diagnostic module that can analyze a generated email for common spam-filter triggers and suggest precise corrections
Sender identity randomization and spoofing, enabling attackers to customize display names for every Gmail session

"This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources," Abnormal said. "This not only accelerates campaign launch time but also ensures consistent message quality, enables scalable, thematic targeting across industries, and empowers attackers to run professional-looking phishing operations without copywriting expertise."
Spiderman Creates Pixel-Perfect Replicas of European Banks
The fourth kit that has come under the cybersecurity radar is Spiderman, which enables attackers to target customers of dozens of European banks and online financial services providers, such as Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.
"Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals," Varonis researcher Daniel Kelley said. "Its organized interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real time."

What's notable about the modular kit is that its vendor is marketing it in a Signal messenger group of about 750 members, marking a departure from Telegram. Germany, Austria, Switzerland, and Belgium are the primary targets of the phishing service.
As with BlackForce, Spiderman uses techniques such as ISP allowlisting, geofencing, and device filtering to ensure that only the intended targets can reach the phishing pages; a consequence for analysts is that a fetch from a scanner or datacenter address outside the targeted countries will often return benign content, so captures need to match the victim profile. The toolkit is also equipped to capture cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and trigger prompts to collect credit card data.
"This flexible, multi-step approach is particularly effective in European banking fraud, where login credentials alone often aren't enough to authorize transactions," Kelley explained. "After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow."
Hybrid Salty-Tycoon 2FA Attacks Observed
BlackForce, GhostFrame, InboxPrime AI, and Spiderman are the latest additions to a long list of phishing kits, including Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with the Windows banking trojan of the same name), that have emerged over the past year.
In a report published earlier this month, ANY.RUN said it observed a new Salty-Tycoon hybrid that is already bypassing detection rules tuned to either kit. The new attack wave coincides with a sharp drop in Salty 2FA activity in late October 2025: the early stages match Salty 2FA, while later stages load code that reproduces Tycoon 2FA's execution chain.
"This overlap marks a significant shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection," the company said.
"Taken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a single sample, contains traces of both Salty2FA and Tycoon, with Tycoon serving as a fallback payload once the Salty infrastructure stopped working for reasons that are still unclear."

Source: The Hacker News
