Cybersecurity researchers have documented four new phishing kits named Blackforce, Ghostframe, InboxPrime AI and Spiderman, which are capable of facilitating credential theft at scale.
Blackforce, first discovered in August 2025, is designed to steal credentials and conduct man-in-the-browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351).
According to Zscaler ThreatLabz researchers Gladys Brinda R and Ashwathi Sasi, the kit has been used to impersonate more than 11 brands, including Disney, Netflix, DHL and UPS. It is said to be in active development.
“Blackforce has multiple evasion techniques in place with a blocklist that filters out security vendors, web crawlers, and scanners,” the company said. “Blackforce is under active development. Version 3 was widely used by the beginning of August, with versions 4 and 5 released in the following months.”
Phishing pages associated with the kit use JavaScript files with "cache-busting" hashes in their names (for example, "index-[hash].js"), forcing the victim's web browser to download the latest version of the malicious script instead of serving a cached copy.
In a typical attack using the kit, victims who click a link are redirected to a phishing page, where a server-side check filters out crawlers and bots before the page designed to mimic a legitimate website is served. Once credentials are entered on the page, they are captured and sent in real time to a Telegram bot and the command-and-control (C2) panel using the Axios HTTP client.
When the attacker then uses the stolen credentials to log in to the legitimate website, an MFA prompt is triggered. At this stage, MitB techniques are used to display a fake MFA page in the victim's browser via the C2 panel. If the victim enters the MFA code on the fraudulent page, it is collected and used by the threat actor to gain unauthorized access to the account.
"Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring that the victim remains unaware of the attack," Zscaler said.
Ghostframe Fuels 1M+ Stealthy Phishing Attacks
Another emerging phishing kit that has gained popularity since its discovery in September 2025 is Ghostframe. At the heart of the kit's architecture is a simple HTML file that appears harmless while hiding its malicious behavior in an embedded iframe, which leads victims to a phishing login page designed to steal Microsoft 365 or Google account credentials.
“The iframe design allows attackers to easily switch phishing content, try new tactics, or target specific areas without changing the main web page that delivers the kit,” said Barracuda security researcher Shreyas Shetty. “Furthermore, by simply updating the iframe point, the kit can avoid detection by security tools that only check the external page.”
Attacks using the Ghostframe kit begin with typical phishing emails purporting to be business contracts, invoices, and password reset requests, all designed to lead recipients to a fake page. The kit uses anti-analysis and anti-debugging checks to frustrate inspection with browser developer tools, and generates a random subdomain every time someone visits the site.
The visible outer page carries a loader script that sets up the iframe and responds to messages sent from it. Those messages can change the title of the outer page, modify the site favicon, or redirect the top-level browser window to another domain in order to impersonate trusted services.
In the final step, the victim is sent through the iframe to a secondary page containing the actual phishing components, served from a constantly changing subdomain, which makes the threat harder to block. The kit also includes a fallback mechanism: a backup iframe added at the bottom of the page in case the loader JavaScript fails or is blocked.
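The Ghostframe behaviours described above (a harmless-looking outer page, a loader that builds a hidden iframe on a randomised hostname, a postMessage listener that rewrites the title and favicon or redirects the top window, and a noscript fallback iframe) are all visible in the static HTML a defender retrieves from a suspicious URL. The following Python script is an added example, not code from the original article or from any of the kits it describes; it runs lightweight regex triage over a constructed sample page (the hostnames under `.example.invalid` are placeholders) and reports which of those indicators are present. It is deliberately not a full DOM parser, and a single visible iframe on its own is not an indicator, as the second check in the usage note shows.

```python
import re

# Constructed sample (not a real kit artifact): an innocuous-looking outer page whose
# loader script builds a hidden iframe with a randomised hostname, listens for
# postMessage instructions, and keeps a <noscript> iframe as a fallback.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Document Viewer</title>
<link rel="icon" href="/favicon.ico"></head>
<body><p>Loading your document...</p>
<script>
var f = document.createElement('iframe');
f.src = 'https://' + Math.random().toString(36).slice(2) + '.example.invalid/view';
f.style.display = 'none';
document.body.appendChild(f);
window.addEventListener('message', function (e) {
  if (e.data.title) document.title = e.data.title;
  if (e.data.icon) document.querySelector('link[rel=icon]').href = e.data.icon;
  if (e.data.go) top.location = e.data.go;
});
</script>
<noscript><iframe src="https://fallback.example.invalid/view" width="0" height="0"></iframe></noscript>
</body></html>"""

IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'>]+))")
NOSCRIPT = re.compile(r"<noscript\b[^>]*>(.*?)</noscript>", re.I | re.S)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Script-level indicators, each matched against the concatenated inline scripts.
SCRIPT_PATTERNS = {
    "creates_iframe_dynamically": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
    "listens_for_postmessage": re.compile(r"addEventListener\(\s*['\"]message['\"]"),
    "rewrites_page_title": re.compile(r"document\.title\s*="),
    "rewrites_favicon": re.compile(r"link\[rel\s*=\s*['\"]?icon"),
    "redirects_top_window": re.compile(r"\b(?:top|parent)\.location\b"),
    "randomized_hostname": re.compile(r"['\"]https?://['\"]\s*\+\s*Math\.random\("),
}


def _attrs(tag_body):
    """Parse the attribute list of one tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(tag_body)}


def triage_page(html):
    """Return the sorted list of Ghostframe-style indicators found in the page."""
    findings = set()
    noscript_spans = [m.span(1) for m in NOSCRIPT.finditer(html)]
    for m in IFRAME_TAG.finditer(html):
        a = _attrs(m.group(1))
        style = a.get("style", "").replace(" ", "").lower()
        if ("display:none" in style or a.get("width") in ("0", "0px")
                or a.get("height") in ("0", "0px")):
            findings.add("hidden_iframe")
        if any(s <= m.start() < e for s, e in noscript_spans):
            findings.add("noscript_fallback_iframe")
    script_text = "\n".join(SCRIPT.findall(html))
    for name, pattern in SCRIPT_PATTERNS.items():
        if pattern.search(script_text):
            findings.add(name)
    return sorted(findings)


def is_suspicious(findings, threshold=3):
    """Flag a page once several independent indicators co-occur; one alone is weak."""
    return len(findings) >= threshold


if __name__ == "__main__":
    hits = triage_page(SAMPLE_HTML)
    print("indicators:", hits)
    print("suspicious:", is_suspicious(hits))
```

Running it on the sample reports all eight indicators. Feeding it a page that only embeds a normal video player iframe with a real width and height returns an empty list, which is the point of the threshold in `is_suspicious`: iframes and `message` listeners are common on legitimate sites, and it is the combination of a hidden frame, a randomised hostname and a handler that rewrites the outer page's identity that characterises this kit.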
InboxPrime AI phishing kit automates email attacks
While Blackforce follows the same playbook as traditional phishing kits, InboxPrime AI goes a step further by using artificial intelligence (AI) to automate mass-mailing campaigns. It is advertised on a 1,300-member Telegram channel under a Malware-as-a-Service (MaaS) subscription model for $1,000, which gives buyers a perpetual license and full access to the source code.
Abnormal researchers Kelly Baron and Piotr Wojtyła said, "It is designed to mimic real human emailing behavior and even takes advantage of Gmail's web interface to avoid traditional filtering mechanisms."
“InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals nearly full deliverability capabilities, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software.”
The platform offers a user-friendly interface that lets clients manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools. One of its main features is a built-in AI-powered email generator that can produce entire phishing emails, subject lines included, in a way that mimics legitimate business communications.
In doing so, such services further lower the barrier to entry for cybercriminals by eliminating the manual work of drafting and formatting such emails. Instead, attackers configure parameters such as language, subject or industry, email length, and desired tone, which the toolkit uses as input to generate convincing lures matching the chosen topic.
Additionally, the dashboard lets users save generated emails as reusable templates, with spintax support for producing variations of a message by substituting certain template variables. This ensures that no two phishing emails look alike and helps them bypass signature-based filters that look for recurring content patterns.
Other features supported in InboxPrime AI include:
- A real-time spam diagnostic module that can analyze generated emails for common spam-filter triggers and suggest precise fixes
- Sender identity randomization and spoofing, enabling attackers to customize display names for each Gmail session
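The spintax point above is worth seeing in numbers, because it explains why exact-match signatures fail against this kind of tooling and what a filter should measure instead. The Python below is an added example written for this article, not code from the original page, from InboxPrime AI, or from Abnormal; it expands a constructed, benign spintax template (flat `{a|b}` groups only, no nesting) into every variant it can produce, then shows that each variant gets a different SHA-256 content hash while the vocabulary overlap between any two variants stays high. The template and wording are assumptions made for the demonstration; a defender never sees the attacker's template, which is exactly why the similarity measure, not the hash, is the useful signal.

```python
import hashlib
import itertools
import re

# Constructed benign spintax template (not taken from any kit): each {a|b|c} group is
# replaced by one of its alternatives, so one template yields many distinct messages.
TEMPLATE = ("{Hello|Hi|Greetings} team, the {invoice|statement} for March is attached "
            "for your review. {Please|Kindly} confirm receipt and reply with any "
            "questions {today|soon}.")

SPIN_GROUP = re.compile(r"\{([^{}]*)\}")   # flat spintax only, no nested groups
TOKEN = re.compile(r"[a-z0-9]+")


def expand_all(template):
    """Enumerate every message the template can produce (groups chosen left to right)."""
    options = [group.split("|") for group in SPIN_GROUP.findall(template)]
    variants = []
    for combo in itertools.product(*options):
        picks = iter(combo)
        variants.append(SPIN_GROUP.sub(lambda m: next(picks), template))
    return variants


def content_hash(text):
    """The exact-match signature a naive filter would store for a known-bad email."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def token_set(text):
    """Lowercased bag of word tokens, ignoring punctuation and order."""
    return set(TOKEN.findall(text.lower()))


def bag_similarity(a, b):
    """Jaccard similarity of the two messages' token sets (1.0 = identical vocabulary)."""
    ta, tb = token_set(a), token_set(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 1.0


def analyze(template):
    """Contrast exact hashes with vocabulary similarity across all spun variants."""
    variants = expand_all(template)
    hashes = {content_hash(v) for v in variants}
    min_sim = min(bag_similarity(x, y) for x, y in itertools.combinations(variants, 2))
    return {"variants": len(variants),
            "distinct_hashes": len(hashes),
            "min_bag_similarity": min_sim}


if __name__ == "__main__":
    result = analyze(TEMPLATE)
    print(f"{result['variants']} variants, {result['distinct_hashes']} distinct hashes, "
          f"lowest pairwise token similarity {result['min_bag_similarity']:.3f}")
```

For this template the four groups yield 24 messages and 24 different hashes, so a filter that blocked the first one seen would miss the other 23; yet even the two most different variants still share 15 of their 23 distinct tokens (a Jaccard similarity of about 0.65), because the spun phrases are a minority of the text. Clustering on token-set or shingle similarity, rather than on exact content hashes, is what lets a defender treat the whole family as one campaign.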
“This industrialization of phishing has a direct impact on defenders: more attackers can now launch more campaigns at higher volumes, without any increase in defender bandwidth or resources,” Abnormal said. “This not only speeds up campaign launch times but also ensures consistent message quality, enables scalable, thematic targeting across industries, and empowers attackers to run professional-looking phishing operations without copywriting expertise.”
Spiderman creates pixel-perfect replicas of European banks
Also on the cybersecurity radar is Spiderman, a phishing kit that lets attackers target customers of dozens of European banks and online financial service providers, including Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.
“Spiderman is a full-stack phishing framework that mimics dozens of European banking login pages and even some government portals,” said Varonis researcher Daniel Kelly. “Its organized interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real-time.”
What's notable about the modular kit is that its vendor markets it in a Signal messenger group of around 750 members, separate from Telegram. Germany, Austria, Switzerland and Belgium are the primary targets of the phishing service.
As with Blackforce, Spiderman uses techniques such as ISP allowlists, geofencing, and device filtering to ensure that only intended targets can reach the phishing pages. The toolkit can also capture cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and trigger prompts to collect credit card data.
“This flexible, multi-step approach is particularly effective in European banking fraud, where login credentials alone are often not sufficient to authorize a transaction,” Kelly explained. “After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow.”
Hybrid Salty-Tycoon 2FA attacks observed
Blackforce, Ghostframe, InboxPrime AI and Spiderman are the latest additions to the long list of phishing kits, such as Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cepheus and Astaroth (not to be confused with the Windows banking Trojan of the same name), that have emerged in the past year.
In a report published earlier this month, ANY.RUN said it had spotted a new Salty-Tycoon hybrid that already bypasses the detection rules associated with either kit. The new attack wave coincides with a sharp decline in Salty2FA activity in late October 2025: the early stages match Salty2FA, while later stages load code that reproduces Tycoon2FA's execution chain.
The company said, “This overlap marks a meaningful change; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to evade early detection.”
"Taken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a single sample, contained traces of both Salty2FA and Tycoon, with Tycoon serving as a fallback payload when the Salty infrastructure stopped working for reasons that are still unclear."