Friday, December 19, 2025

New Advanced Phishing Kits Use AI and MFA Bypass Techniques to Steal Credentials at Scale

Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that could facilitate credential theft at scale.

BlackForce, first detected in August 2025, is designed to steal credentials and carry out Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351).

The kit, according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS. It is said to be in active development.

"BlackForce features multiple evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners," the company said. "BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months."

Phishing pages linked to the kit have been found to use JavaScript files with what has been described as "cache busting" hashes in their names (e.g., "index-[hash].js"), thereby forcing the victim's web browser to download the latest version of the malicious script instead of using a cached version.

In a typical attack using the kit, victims who click on a link are redirected to a malicious phishing page, after which a server-side check filters out crawlers and bots before serving them a page that is designed to mimic a legitimate website. Once the credentials are entered on the page, the details are captured and sent to a Telegram bot and a command-and-control (C2) panel in real time using an HTTP client called Axios.

When the attacker attempts to log in with the stolen credentials on the legitimate website, an MFA prompt is triggered. At this stage, the MitB techniques are used to display a fake MFA authentication page in the victim's browser via the C2 panel. Should the victim enter the MFA code on the bogus page, it is collected and used by the threat actor to gain unauthorized access to their account.

"Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack," Zscaler said.

GhostFrame Fuels 1M+ Stealth Phishing Attacks

Another nascent phishing kit that has gained traction since its discovery in September 2025 is GhostFrame. At the heart of the kit's architecture is a simple HTML file that appears harmless while hiding its malicious behavior within an embedded iframe, which leads victims to a phishing login page to steal Microsoft 365 or Google account credentials.

"The iframe design also allows attackers to easily swap out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit," Barracuda security researcher Sreyas Shetty said. "Further, by simply updating where the iframe points, the kit can avoid being detected by security tools that only inspect the outer page."

Attacks using the GhostFrame kit start with typical phishing emails that claim to be about business contracts, invoices, and password reset requests, but are designed to take recipients to the fake page. The kit uses anti-analysis and anti-debugging to prevent attempts to inspect it using browser developer tools, and generates a random subdomain every time someone visits the site.


The visible outer pages contain a loader script that is responsible for setting up the iframe and responding to any messages from the HTML element. This can include changing the parent page's title to impersonate trusted services, modifying the site favicon, or redirecting the top-level browser window to another domain.

In the final stage, the victim is sent to a secondary page containing the actual phishing components via the iframe delivered through the constantly changing subdomain, thereby making it harder to block the threat. The kit also includes a fallback mechanism in the form of a backup iframe appended at the bottom of the page in the event the loader JavaScript fails or is blocked.
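The outer-page traits described for GhostFrame (a loader script, a message handler that rewrites the title or favicon, a rotating random subdomain, a static fallback iframe) and the hashed "index-[hash].js" script names attributed to BlackForce are all visible in static HTML, so a defender can flag them when triaging a captured page. The scanner below is an added example, not code from the article or from any of the vendors it cites; it uses only the Python standard library, and the sample carrier page, its host name carrier.example.test, and the example-phish.test domains are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "carrier.example.test"  # assumed host of the outer page (constructed)
# Constructed sample carrier page (not a real kit): hashed loader, title-rewriting message handler, script-built iframe, fallback iframe.
SAMPLE_PAGE = """<html><head><title>Document</title></head><body>
<script src="/assets/index-9f8a7b6c1d2e.js"></script>
<script>window.addEventListener("message", function (e) { document.title = e.data.title; });
var f = document.createElement("iframe"); f.src = "https://x7k2q9m4.example-phish.test/login";
document.body.appendChild(f);</script>
<iframe src="https://p0q1r2s3.example-phish.test/login" style="display:none"></iframe>
</body></html>"""

CACHE_BUST = re.compile(r"-[0-9a-f]{8,}\.js$", re.I)          # e.g. index-[hash].js
RANDOM_SUB = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$")  # mixed letters and digits
MSG_HANDLER = re.compile(r"""addEventListener\(\s*["']message["']""")
TITLE_ICON = re.compile(r"document\.title\s*=|rel=icon|favicon", re.I)

class CarrierPageScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._in_script = page_host, [], False
    def _check_frame_host(self, src):
        host = urlparse(src).hostname or ""
        if host and host != self.page_host:           # frame content served from elsewhere
            self.findings.append("cross-origin frame target: " + host)
        if RANDOM_SUB.match(host.split(".")[0]):      # rotating, random-looking subdomain
            self.findings.append("random-looking subdomain: " + host)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if CACHE_BUST.search(urlparse(a.get("src") or "").path):
                self.findings.append("cache-busting hashed script: " + a["src"])
        elif tag == "iframe":                          # static iframe, e.g. the fallback
            self._check_frame_host(a.get("src") or "")
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):                       # inline loader script body
        if self._in_script:
            if MSG_HANDLER.search(data) and TITLE_ICON.search(data):
                self.findings.append("message handler rewrites title/favicon")
            for src in re.findall(r"""\.src\s*=\s*["']([^"']+)["']""", data):
                self._check_frame_host(src)            # any script-assigned src is a candidate

def scan_page(html, page_host=PAGE_HOST):
    s = CarrierPageScanner(page_host)
    s.feed(html)
    return s.findings
```

Each indicator on its own is weak (hashed bundle names are normal for legitimate build tools), so treat the combination, not any single finding, as the signal when scoring a page.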

InboxPrime AI Phishing Kit Automates Email Attacks

If BlackForce follows the same playbook as other traditional phishing kits, InboxPrime AI goes a step further by leveraging artificial intelligence (AI) to automate mass mailing campaigns. It is advertised on a 1,300-member-strong Telegram channel under a malware-as-a-service (MaaS) subscription model for $1,000, granting customers a perpetual license and full access to the source code.

"It's designed to mimic real human emailing behavior and even leverages Gmail's web interface to evade traditional filtering mechanisms," Abnormal researchers Callie Baron and Piotr Wojtyla said.

"InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software."

The platform employs a user-friendly interface that allows customers to manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools. One of its core features is a built-in AI-powered email generator, which can produce complete phishing emails, including the subject lines, in a manner that mimics legitimate business communication.

In doing so, these services further lower the barrier to entry for cybercrime, effectively eliminating the manual work that goes into drafting such emails. Instead, attackers can configure parameters, such as language, topic or industry, email length, and desired tone, which the toolkit uses as inputs to generate convincing lures that match the chosen theme.

What's more, the dashboard allows users to save the produced email as a reusable template, complete with support for spintax to create variations of the email messages by substituting certain template variables. This ensures that no two phishing emails look identical and helps them bypass signature-based filters that look for similar content patterns.

Some of the other supported features in InboxPrime AI are listed below -

  • A real-time spam diagnostic module that can analyze a generated email for common spam-filter triggers and suggest precise corrections
  • Sender identity randomization and spoofing, enabling attackers to customize display names for each Gmail session

"This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources," Abnormal said. "This not only accelerates campaign launch time but also ensures consistent message quality, enables scalable, thematic targeting across industries, and empowers attackers to run professional-looking phishing operations without copywriting expertise."

Spiderman Creates Pixel-Perfect Replicas of European Banks

The third phishing kit that has come under the cybersecurity radar is Spiderman, which enables attackers to target customers of dozens of European banks and online financial services providers, such as Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.

"Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals," Varonis researcher Daniel Kelley said. "Its organized interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real time."


What's notable about the modular kit is that its vendor is marketing the solution in a Signal messenger group that has about 750 members, marking a departure from Telegram. Germany, Austria, Switzerland, and Belgium are the primary targets of the phishing service.

As in the case of BlackForce, Spiderman uses various techniques like ISP allowlisting, geofencing, and device filtering to ensure that only the intended targets can access the phishing pages. The toolkit is also equipped to capture cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and trigger prompts to collect credit card data.

"This flexible, multi-step approach is particularly effective in European banking fraud, where login credentials alone often aren't enough to authorize transactions," Kelley explained. "After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow."

Hybrid Salty-Tycoon 2FA Attacks Observed

BlackForce, GhostFrame, InboxPrime AI, and Spiderman are the latest additions to a long list of phishing kits like Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with a Windows banking trojan of the same name) that have emerged over the past year.

In a report published earlier this month, ANY.RUN said it observed a new Salty-Tycoon hybrid that is already bypassing detection rules tuned to either of them. The new attack wave coincides with a sharp drop in Salty 2FA activity in late October 2025, with early stages matching Salty2FA, while later stages load code that reproduces Tycoon 2FA's execution chain.

"This overlap marks a significant shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection," the company said.

"Taken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a single sample, contains traces of both Salty2FA and Tycoon, with Tycoon serving as a fallback payload once the Salty infrastructure stopped working for reasons that are still unclear."
