
Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that can facilitate large-scale credential theft.
First detected in August 2025, BlackForce is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is being sold on Telegram forums for between 200 euros ($234) and 300 euros ($351).
According to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, the kit has been used to impersonate more than 11 brands, including Disney, Netflix, DHL, and UPS. It is currently under active development.
“BlackForce features several evasion techniques with blocklists that exclude security vendors, web crawlers, and scanners,” the company said. “BlackForce continues to be under active development. Version 3 was in widespread use until early August, with versions 4 and 5 released in the following months.”
Phishing pages connected to the kit have been found to use JavaScript files with what are called “cache-busting” hashes in their names (e.g. “index-[hash].js”), which forces the victim’s web browser to download the latest version of the malicious script instead of using the cached version.
In a typical attack using this kit, victims who click on a link are redirected to a malicious phishing page that is then filtered for crawlers and bots through server-side checks before being presented with a page designed to mimic a legitimate website. Once credentials are entered on the page, the details are captured and sent in real-time to the Telegram bot and command and control (C2) panel using an HTTP client called Axios.

When an attacker tries to log in to a legitimate website using the stolen credentials, an MFA prompt is triggered. This stage uses the MitB technique to display a fake MFA authentication page in the victim’s browser through the C2 panel. When the victim enters an MFA code on the fake page, that code is collected and used by the attacker to gain unauthorized access to the victim’s account.
“Once the attack is complete, the victim is redirected to the home page of the legitimate website, hiding any evidence of the compromise and preventing the victim from being aware of the attack,” Zscaler said.
GhostFrame facilitates over 1 million stealth phishing attacks
Another phishing kit that has gained attention since its discovery in September 2025 is GhostFrame. The core of the kit’s architecture is a simple HTML file that appears benign while hiding malicious behavior within an embedded iframe. This leads victims to a phishing login page where their Microsoft 365 or Google account credentials are stolen.
“The iframe design allows attackers to easily switch up phishing content, try new tricks, or target specific regions without changing the main web page where they distribute their kits,” said Sreyas Shetty, security researcher at Barracuda. “Additionally, simply updating the location that the iframe points to will prevent the kit from being detected by security tools that only check the outer page.”
Attacks using the GhostFrame kit begin with typical phishing emails that claim to be about business contracts, invoices, or password reset requests, but are designed to redirect recipients to a fake page. The kit uses anti-analysis and anti-debugging techniques to frustrate inspection with browser developer tools, and generates a random subdomain every time someone visits the site.

The outer page that is rendered has a loader script that sets up the iframe and responds to messages from the HTML elements. This may include changing the title of the parent page to impersonate a trusted service, changing the site’s favicon, or redirecting the top-level browser window to another domain.
In the final stage, the victim is sent to a secondary page containing the actual phishing component through an iframe delivered via an ever-changing subdomain, making the threat difficult to block. The kit also includes a fallback mechanism in the form of a backup iframe added to the bottom of the page in case the loader JavaScript fails or is blocked.
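The indicators described in this section can be triaged statically. The following is an added example, not Barracuda’s analysis code or the kit’s own loader; the sample page and the ".invalid" hostnames are constructed for illustration, and the random-subdomain heuristic is an assumption about what "ever-changing" looks like in practice.

```python
# Added example (not Barracuda's or the kit's code): lightweight static triage of
# an HTML page for the GhostFrame-style indicators described above. The sample
# page and the ".invalid" hostnames are constructed for illustration.
import re
from urllib.parse import urlparse

SAMPLE_HTML = """<html><head><title>Document</title></head><body>
<script>
window.addEventListener("message", function (e) {
  if (e.data.title) document.title = e.data.title;      // indicator: title swap
  if (e.data.icon) document.querySelector("link[rel=icon]").href = e.data.icon;
  if (e.data.go) top.location = e.data.go;              // indicator: top redirect
});
var f = document.createElement("iframe");
f.src = "https://x7k2q9ptm.loader.invalid/view";        // indicator: random label
document.body.appendChild(f);
</script>
<iframe src="https://b3z8wq41.loader.invalid/view" style="display:none"></iframe>
</body></html>"""

def inline_scripts(html):
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)

def iframe_targets(html):
    """Static <iframe src> values plus .src assignments made from inline script."""
    static = re.findall(r"<iframe[^>]*\ssrc=[\"']([^\"']+)", html, re.I)
    dynamic = re.findall(r"\.src\s*=\s*[\"']([^\"']+)", "\n".join(inline_scripts(html)))
    return static + dynamic

def looks_random_subdomain(url, min_len=8):
    """Heuristic (assumption): leftmost host label is long and mixes letters with digits."""
    label = (urlparse(url).hostname or "").split(".")[0]
    return len(label) >= min_len and bool(re.search(r"\d", label)) and bool(re.search(r"[a-z]", label))

def triage(html):
    """Indicators an outer-page-only scanner misses unless it also follows the iframes."""
    js = "\n".join(inline_scripts(html))
    targets = iframe_targets(html)
    return {
        "iframe_targets": targets,
        "random_subdomain": any(looks_random_subdomain(u) for u in targets),
        "message_listener": bool(re.search(r"addEventListener\(\s*[\"']message[\"']", js)),
        "title_or_favicon_swap": bool(re.search(r"document\.title\s*=[^=]|rel=icon", js)),
        "top_redirect": bool(re.search(r"\btop\.location\b", js)),
        "fallback_iframe": bool(re.search(r"<iframe\b", html, re.I)),
    }
```

The `iframe_targets` list is the part a scanner must actually fetch and inspect; the outer page alone, as the text notes, looks benign.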
InboxPrime AI Phishing Kit automates email attacks
While BlackForce follows the same strategy as other traditional phishing kits, InboxPrime AI takes it a step further by leveraging artificial intelligence (AI) to automate mass email campaigns. It is being promoted on a Telegram channel with 1,300 members under a $1,000 Malware-as-a-Service (MaaS) subscription model, which grants buyers a perpetual license and full access to the source code.
“It is designed to mimic real human email sending behavior, and even takes advantage of Gmail’s web interface to bypass traditional filtering mechanisms,” said Abnormal researchers Karrie Baron and Piotr Wojtyla.
“InboxPrime AI combines artificial intelligence and operational evasion techniques to promise cybercriminals near-perfect reachability, automatic campaign generation, and a sleek, professional interface that mirrors legitimate email marketing software.”
The platform features a user-friendly interface that allows customers to manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools. One of its core features is a built-in AI-powered email generator that lets customers craft entire phishing emails, including the subject line, in a way that mimics legitimate business communications.
In doing so, these services further lower the barrier to entry for cybercrime, effectively eliminating the manual labor required to create such emails. Instead, attackers set parameters such as language, topic, industry, email length, and desired tone, and the toolkit uses these as input to generate persuasive pitches that match the chosen theme.
Additionally, the dashboard allows users to save created emails as reusable templates, and supports spintax to create variations of email messages by replacing certain template variables. This ensures that no two phishing emails look the same and allows them to bypass signature-based filters that look for similar content patterns.
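The spintax claim above (no two emails identical, so signature filters miss them) can be checked directly. The following is an added example, not InboxPrime AI’s or Abnormal’s code: it shows that an exact content digest changes with every spun variant, while a word-shingle similarity still clusters the variants together. The three variants and the unrelated message are constructed by hand.

```python
# Added example (not InboxPrime AI's or Abnormal's code): why an exact content
# signature fails against spintax-generated variants, and how a shingle-based
# near-duplicate score still clusters them. All emails below are constructed.
import hashlib
import re

VARIANTS = [  # three constructed outputs of one spun template
    "Hello, please find attached the invoice for your recent order. "
    "Kindly review the document and confirm payment by Friday. Thank you for your cooperation.",
    "Hi, please find attached the bill for your recent order. "
    "Please review the document and confirm payment by Friday. Thanks for your cooperation.",
    "Hello, please find attached the invoice for your latest order. "
    "Kindly check the document and confirm payment by Friday. Thank you for your cooperation.",
]
UNRELATED = "Reminder: the quarterly all-hands moves to Thursday at 10am in room B."

def content_signature(text):
    """Exact-match signature: any single swapped word yields a new digest."""
    return hashlib.sha256(text.encode()).hexdigest()

def shingles(text, k=2):
    """Set of k-word shingles over a lowercased, punctuation-stripped token stream."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similarity(text_a, text_b, k=2):
    """Near-duplicate score in [0, 1]; robust to a handful of spun words."""
    return jaccard(shingles(text_a, k), shingles(text_b, k))

def cluster_matches(candidate, corpus, threshold=0.4, k=2):
    """Return corpus messages whose shingle similarity to the candidate crosses the threshold."""
    return [m for m in corpus if similarity(candidate, m, k) >= threshold]
```

The threshold and shingle size are tuning choices; the point is that the variants score well above an unrelated message, which scores zero.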
Here are some of the other features supported by InboxPrime AI:
A real-time spam diagnostic module that can analyze generated emails for common spam filter triggers and suggest precise fixes
Sender ID randomization and spoofing, which allows attackers to customize display names for each Gmail session
“This industrialization of phishing has a direct impact on defenders, allowing more attackers to launch more campaigns at higher volumes without requiring a corresponding increase in defender bandwidth and resources,” Abnormal said. “This not only accelerates campaign launch times, but also ensures consistent message quality, enables scalable thematic targeting across industries, and enables attackers to execute professional-looking phishing operations without the need for copywriting expertise.”
Spider-Man creates a pixel-perfect replica of a European bank
The third phishing kit to come under scrutiny is Spiderman, which allows attackers to target customers of dozens of European banks and online financial service providers, including Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.
“Spider-Man is a full-stack phishing framework that replicates dozens of European bank login pages and even some government portals,” said Varonis researcher Daniel Kelly. “Its uncluttered interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real-time.”

What’s notable about this modular kit is that the seller offers it through a Signal messenger group with around 750 members, marking a departure from Telegram. Germany, Austria, Switzerland, and Belgium are the main targets of the phishing service.
As with BlackForce, Spider-Man utilizes various techniques such as ISP whitelisting, geofencing, and device filtering to ensure that only intended targets can access phishing pages. The toolkit also has the ability to capture cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and trigger prompts to collect credit card data.
“This flexible, multi-step approach is particularly effective for European banking fraud, where login credentials alone are often not sufficient to authorize a transaction,” Kelly explained. “After acquiring credentials, Spider-Man records each session using a unique identifier, allowing attackers to maintain continuity throughout the phishing workflow.”
Hybrid Salty-Tycoon 2FA attack discovered
BlackForce, GhostFrame, InboxPrime AI, and Spiderman are recent additions to a long list of phishing kits that have emerged over the past year, including Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with the Windows banking Trojan of the same name).
ANY.RUN said in a report published earlier this month that it has observed a new Salty-Tycoon hybrid that has already bypassed detection rules tailored for either Salty or Tycoon. The new attack wave coincides with a sudden drop in Salty 2FA activity in late October 2025, with early stages matching Salty2FA and later stages loading code that reproduces the execution chain of Tycoon 2FA.
“This overlap represents a meaningful shift, weakening kit-specific rules, complicating attribution, and giving attackers more room to bypass early detection,” the company said.
“Taken together, this provides clear evidence that a single phishing campaign, and more interestingly, a single sample, contains traces of both Salty2FA and Tycoon. Tycoon serves as a fallback payload after the Salty infrastructure fails for reasons that are still unknown.”
