New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

Four advanced phishing kits (BlackForce, GhostFrame, InboxPrime AI, and Spiderman) have been detected, significantly escalating large-scale credential theft. They feature MFA bypass (BlackForce), stealthy iframe delivery (GhostFrame), AI-powered email automation (InboxPrime AI), and specialized targeting of European banks (Spiderman). This trend marks a serious industrialization of phishing, making attacks highly effective and difficult to trace.

Dec 13, 2025 - 12:38

Researchers in cybersecurity have found four new phishing kits called BlackForce, GhostFrame, InboxPrime AI, and Spiderman that can help steal credentials on a large scale.

BlackForce was first seen in August 2025. Its goal is to steal credentials and do Man-in-the-Browser (MitB) attacks to get one-time passwords (OTPs) and get around multi-factor authentication (MFA). On Telegram forums, the kit costs between €200 ($234) and €300 ($351).

Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi say the kit has been used to impersonate more than 11 brands, including Disney, Netflix, DHL, and UPS, and that it is reportedly under active development.

The company said, "BlackForce has a blocklist that keeps security vendors, web crawlers, and scanners from getting through. BlackForce is still being worked on. Version 3 was very popular until early August, when versions 4 and 5 came out in the following months."

Phishing pages linked to the kit have been found to use JavaScript files with hashes in their names (for example, "index-[hash].js"), a technique described as "busting the cache": because the file name changes whenever the script changes, the victim's browser downloads the latest version of the malicious script instead of reusing a cached copy.

In a typical attack with the kit, a victim who clicks the link is sent to the phishing page. A server-side check first filters out crawlers and bots, and only then serves a page that looks like the real website. Once the credentials are entered on the page, the Axios HTTP client captures them and relays them in real time to both a Telegram bot and a command-and-control (C2) panel.

When the attacker tries to log in to the real website with the stolen credentials, an MFA prompt appears. At this point, the C2 panel uses MitB techniques to show the victim's browser a fake MFA authentication page. If the victim enters the MFA code on the fake page, the threat actor collects it and uses it to gain unauthorized access to the account.

"Once the attack is over, the victim is sent to the homepage of the real website, which hides any evidence of the breach and keeps the victim from knowing about it," Zscaler said.

GhostFrame Powers More Than 1 Million Stealth Phishing Attacks

GhostFrame is another new phishing kit that has become more popular since it was found in September 2025. The kit's architecture is based on a simple HTML file that looks harmless but actually has a hidden iframe that leads victims to a phishing login page to steal their Microsoft 365 or Google account credentials.

Barracuda security researcher Sreyas Shetty said, "The iframe design also lets attackers easily change the phishing content, try new tricks, or target specific areas, all without changing the main web page that sends out the kit. Also, the kit can avoid being found by security tools that only check the outer page by just changing where the iframe points."

Attacks using the GhostFrame kit start with phishing emails posing as business contracts, invoices, or password reset requests, which lead recipients to the fake page. The kit uses anti-analysis and anti-debugging measures to hinder inspection with browser developer tools, and it generates a new subdomain for every visit to the site.

The loader script bundled with the visible outer page sets up the iframe and responds to messages from the embedded element. Depending on the message, it may change the parent page's title to impersonate a trusted service, swap the site's favicon, or redirect the top-level browser window to a different domain.

In the final step, the victim is taken to a second page that holds the actual phishing content. It is delivered inside the iframe via the constantly changing subdomain, which makes the threat harder to block. The kit also places a backup iframe at the bottom of the page in case the loader JavaScript fails or is blocked.
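As an added defensive illustration (not code from Barracuda or from the kit), the following Python checker flags the page traits described above: an outer page that is little more than an iframe to another host, a second fallback frame, and an inline loader that listens for messages and rewrites the title, favicon or top-level location. The sample page, its hostnames and the regexes are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader behaviours the article describes; these regexes are rough illustrative approximations, not kit signatures.
LOADER_PATTERNS = {
    "listens_for_messages": re.compile(r"addEventListener\(\s*['\"]message['\"]"),
    "rewrites_title": re.compile(r"document\.title\s*="),
    "swaps_favicon": re.compile(r"rel\s*=\s*['\"]?(?:shortcut )?icon\b"),
    "redirects_top_window": re.compile(r"\btop\.location"),
}

class FrameAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.text, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):  # script bodies arrive here too, as raw CDATA text
        (self.scripts if self._in_script else self.text).append(data)

def audit_page(html, page_host):
    """Return the GhostFrame-style traits found in one page; {} means none."""
    p = FrameAudit()
    p.feed(html)
    findings = {}
    offsite = [f.get("src", "") for f in p.iframes
               if urlparse(f.get("src", "")).hostname not in (None, page_host)]
    if offsite:
        findings["offsite_iframes"] = offsite
    if len(p.iframes) > 1:
        findings["fallback_iframe"] = True  # second frame for when the loader is blocked
    if p.iframes and len(" ".join(p.text).split()) < 20:
        findings["shell_page"] = True  # outer page carries almost no content of its own
    js = "\n".join(p.scripts)
    findings.update({name: True for name, pat in LOADER_PATTERNS.items() if pat.search(js)})
    return findings

# Constructed sample mimicking the described layout; the hosts are placeholders, not real infrastructure.
SAMPLE = """<html><head><title>Document</title></head><body><script>
window.addEventListener("message", function (e) {
  if (e.data.t) document.title = e.data.t;
  if (e.data.i) document.querySelector("link[rel=icon]").href = e.data.i;
  if (e.data.go) top.location = e.data.go; });</script>
<iframe src="https://x9k2.frames.invalid/login" style="border:0;width:100%;height:100%"></iframe>
<noscript><iframe src="https://x9k2.frames.invalid/login"></iframe></noscript></body></html>"""
```

Running `audit_page(SAMPLE, "outer.invalid")` reports every trait; a page with real text and a same-site iframe returns an empty dict.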

InboxPrime AI Phishing Kit Automates Email Attacks

While BlackForce relies on the same methods as other phishing kits, InboxPrime AI goes a step further by using AI to automate mass-mailing campaigns. A 1,300-member Telegram channel promotes it as a malware-as-a-service (MaaS) subscription for $1,000, which gives buyers a lifetime license and full access to the source code.

Callie Baron and Piotr Wojtyla, researchers at Abnormal, said, "It is designed to mimic real human emailing behavior and even uses Gmail's web interface to get around traditional filtering systems."

"InboxPrime AI combines AI with operational evasion methods to give cybercriminals almost perfect delivery, automated campaign creation, and a polished, professional interface that looks like real email marketing software."

The platform has an easy-to-use interface for managing accounts, proxies, templates, and campaigns, much like commercial email automation tools. One of its main features is an AI-powered email generator that produces complete phishing emails, subject lines included, that look like real business correspondence.

In this way, such services lower the barrier to cybercrime even further by removing the need to write these emails by hand. Instead, attackers set parameters such as language, topic or industry, email length, and desired tone, and the toolkit uses those inputs to produce convincing lures that fit the chosen theme.

The dashboard also lets users save a generated email as a reusable template, with spintax support so that different versions can be produced by varying template variables. This ensures that no two phishing emails look alike, which helps them evade signature-based filters that look for patterns shared by similar content.
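To make that last point concrete, here is an added Python illustration (not Abnormal's code or the kit's) of why per-message hashes fail against spun variants while a normalized token fingerprint still groups them. The messages are constructed to resemble the output of one spintax template, and the similarity threshold is an assumption chosen for this sample.

```python
import hashlib
import re

# Constructed variants of one lure, as a spintax template such as
# "{Hello|Hi} {team|all}, your invoice #... is {now available|ready}..." would
# emit them. The wording is ours, not the kit's; the fourth message is unrelated.
MESSAGES = [
    "Hello team, your invoice #4471 is now available. Please review it today.",
    "Hi all, your invoice #5820 is ready. Please check it this week.",
    "Hello all, your invoice #3319 is now available. Please check it today.",
    "Lunch menu for Friday: soup, salad, and the usual sandwich selection.",
]

def exact_signature(text):
    """What a hash-based signature sees: every spun variant is a brand-new value."""
    return hashlib.sha256(text.encode()).hexdigest()

def fingerprint(text):
    """Case-fold, strip punctuation, fold digits (invoice numbers vary too) and
    keep the set of tokens, so swapped synonyms change only a few members."""
    cleaned = re.sub(r"\d+", "0", re.sub(r"[^\w\s]", " ", text.lower()))
    return set(cleaned.split())

def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0

def cluster(messages, threshold=0.3):
    """Greedy grouping: a message joins the first cluster containing a member
    whose fingerprint is at least `threshold` similar; returns index lists."""
    prints = [fingerprint(m) for m in messages]
    clusters = []
    for i, fp in enumerate(prints):
        for group in clusters:
            if any(jaccard(fp, prints[j]) >= threshold for j in group):
                group.append(i)
                break
        else:
            clusters.append([i])
    return clusters

if __name__ == "__main__":
    print(len({exact_signature(m) for m in MESSAGES}), "distinct signatures")
    print(cluster(MESSAGES))  # [[0, 1, 2], [3]]
```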

Here are some other features that InboxPrime AI supports:

  • A real-time spam diagnostic module that analyzes a generated email, identifies common spam-filter triggers, and suggests exact fixes.
  • Sender identity randomization and spoofing, letting attackers change the display name for each Gmail session.

"This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources," Abnormal said. "This not only speeds up the start of a campaign, but it also makes sure that the message is always of high quality, allows for scalable, thematic targeting across industries, and gives attackers the tools they need to run professional-looking phishing operations without having to know how to write."

Spiderman Makes Perfect Copies of European Banks

The third phishing kit that cybersecurity experts have noticed is Spiderman. It lets attackers go after customers of many European banks and online financial services, including Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.

Varonis researcher Daniel Kelley said, "Spiderman is a full-stack phishing framework that copies dozens of European banking login pages and even some government portals. Its well-organized interface gives cybercriminals a one-stop shop for starting phishing campaigns, stealing credentials, and managing stolen session data in real time."

Unlike the other kits, the modular kit is being promoted by its seller in a Signal messenger group with about 750 members rather than on Telegram. The phishing service mainly targets people in Germany, Austria, Switzerland, and Belgium.

Like BlackForce, Spiderman uses several methods, including ISP allowlisting, geofencing, and device filtering, to ensure that only the intended targets can reach the phishing pages. The toolkit can also harvest cryptocurrency wallet seed phrases, intercept OTP and PhotoTAN codes, and display prompts asking for credit card details.

Kelley said, "This flexible, multi-step approach works especially well in European banking fraud, where just having login information isn't always enough to authorize transactions. After getting the credentials, Spiderman logs each session with a unique ID so the attacker can keep going through the whole phishing workflow."

Hybrid Salty-Tycoon 2FA Attacks Spotted

BlackForce, GhostFrame, InboxPrime AI, and Spiderman are the latest additions to a long list of phishing kits like Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with a Windows banking trojan of the same name) that have emerged over the past year.

ANY.RUN said in a report released earlier this month that it found a new Salty-Tycoon hybrid that can evade detection rules written for either kit. The new wave of attacks coincides with a sharp drop in Salty 2FA activity in late October 2025. The early stages resemble Salty 2FA, while the later stages load code that replicates Tycoon 2FA's execution chain.

"This overlap is a significant change that weakens kit-specific rules, makes it harder to identify threats, and gives bad actors more room to avoid early detection," the company said.

"All of this together shows that a single phishing campaign, and even more interestingly, a single sample, has traces of both Salty 2FA and Tycoon. Tycoon was used as a backup payload when the Salty infrastructure stopped working for reasons that are still unclear."