Cybersecurity researchers are warning of the development of advanced phishing kits, capable of steal credentials on a large scale and impersonate large companies.
Advanced Phishing Kits
Phishing attacks continue to grow and, together with ransomware, are the great threat in cybersecurity. In the last three years there has been a 119% increase in these threats, according to a Proofpoint report. More recently, four new phishing kits called BlackForce, GhostFrame, InboxPrime AI y Spiderman that are capable of facilitating credential theft by further reducing the entry barrier for cybercrimes, as they are sold en masse in complete packages ready to act.
BlackForce
First detected in August 2025, it is designed to steal credentials and perform man-in-the-browser attacks (MitB) to capture one-time passwords (OTP) and bypass multi-factor authentication (MFA). The kit is sold on the Telegram forums for between 200 and 300 euros. The kit, according to researchers at Zscaler ThreatLabz, has been used to impersonate more than 11 brands, including Disney, Netflix, DHL and UPS.
“BlackForce includes various evasion techniques with a block list that filters out security providers, web trackers and scanners”the company stated. «BlackForce remains in active development. Version 3 was widely used until early August, with versions 4 and 5 released in the following months..
Phishing pages connected to the kit have been found to use JavaScript files with what have been described as ‘cache break’ hashes in their names (e.g. “index-(hash).js”), forcing the victim’s web browser to download the latest version of the malicious script instead of using a cached version.
In a typical attack with this kit, victims who click on a link are redirected to a malicious phishing page. A server check then filters out crawlers and bots, before showing them a page designed to imitate a legitimate website. Once credentials are entered on the page, the data is captured and sent to a Telegram bot and command and control (C2) panel in real time using an HTTP client called Axios.
When the attacker attempts to log in with the stolen credentials to the legitimate website, a multi-factor authentication (MFA) request is triggered. At this stage, MitB techniques are used to display a fake MFA authentication page in the victim’s browser through the C2 panel. If the victim enters the MFA code on the fake page, the attacker collects it and uses it to gain unauthorized access to their account.
GhostFrame
Another of the new advanced phishing kits that has gained traction since its discovery in September 2025 is GhostFrame. Its architecture is based on a simple HTML file that appears harmless, but hides its malicious behavior within an embedded iframe, which directs victims to a phishing login page to steal Microsoft 365 or Google account credentials.
“The iframe design also allows attackers to easily modify phishing content, try new tricks, or attack specific regions, all without modifying the main web page that distributes the kit.”said Sreyas Shetty, security researcher at Barracuda. “In addition, by simply updating the iframe address, the kit can avoid being detected by security tools that only check the external page”.
Attacks using this kit start with typical phishing emails that supposedly deal with business contracts, invoices, and password reset requests, but are designed to direct recipients to the fake page. The kit uses anti-analysis and anti-debugging to prevent inspection attempts with browser development tools and generates a random subdomain every time someone visits the site.
In the final stage, the victim is redirected to a secondary page containing the phishing components through the iframe distributed using the ever-changing subdomain, making it difficult to block the threat. The kit also incorporates a fallback mechanism, a fallback iframe attached to the bottom of the page, in case the loader JavaScript fails or crashes.
InboxPrime AI
If BlackForce follows the same strategy as other traditional phishing kits, InboxPrime AI goes one step further by leveraging artificial intelligence to automate mass email campaigns. It is advertised on a Telegram channel with 1,300 members using a malware-as-a-service (MaaS) subscription model for $1,000, which gives buyers a perpetual license and full access to the source code.
“It is designed to mimic real human email behavior and even leverages Gmail’s web interface to evade traditional filtering mechanisms,” the researchers said. InboxPrime AI combines artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mimics legitimate email marketing software.
The platform uses an intuitive interface that allows customers to manage accounts, proxies, templates and campaigns, mimicking commercial email automation tools. One of its main features is an email generator integrated with artificial intelligence, capable of generating complete phishing emails, including the subject, in a way that mimics legitimate business communication.
In this way, these services further reduce the barrier to entry for cybercrime, effectively eliminating the manual work involved in composing such emails. Instead, attackers can configure parameters such as language, topic or industry, email extension, and desired tone, which the toolkit uses as input to generate convincing lures that fit the chosen topic.
“This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with greater volume, without the corresponding increase in defenders’ bandwidth or resources”they explain. “This not only speeds up campaign launch time, but also ensures consistent message quality, enables scalable thematic targeting across industries, and allows attackers to execute professional-looking phishing operations without requiring copywriting skills.”.
Spiderman
The third phishing kit that has come under the cybersecurity radar is Spiderman, which allows attackers attack customers of dozens of European banks and online financial services providerslike Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna and PayPal.
“Spiderman is a comprehensive phishing framework that replicates dozens of European bank login pages, and even some government portals”said Daniel Kelley, a Varonis researcher. “Its organized interface provides cybercriminals with a comprehensive platform to launch phishing campaigns, capture credentials, and manage stolen session data in real time.”.
The notable thing about the modular kit is that its seller sells it in a Signal messaging group with about 750 members, which represents a change with respect to Telegram. Germany, Austria, Switzerland and Belgium are the main targets of the phishing service.
As with BlackForce, Spiderman uses various techniques, such as Internet Service Provider (ISP) whitelisting, geofencing, and device filtering, to ensure that only recipients can access phishing pages. The toolkit is also equipped to capture seed phrases from cryptocurrency wallets, intercept OTP and PhotoTAN codes, and trigger requests to collect credit card data.
