New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale
Summary:
Cybersecurity researchers have documented the emergence of four sophisticated phishing kits, BlackForce, GhostFrame, InboxPrime AI, and Spiderman, designed to facilitate large-scale credential theft and bypass modern security perimeters. BlackForce, first identified by Zscaler ThreatLabz in August 2025, utilizes Man-in-the-Browser (MitB) techniques and an asynchronous C2 architecture to intercept credentials and OTPs in real time from users of over 11 major brands, including Netflix and DHL. GhostFrame has been observed fueling over one million attacks through a unique "iframe-first" design; it embeds malicious components within harmless-looking HTML files and generates a unique subdomain for every victim, effectively neutralizing static URL filters. InboxPrime AI represents the "professionalization" of phishing lures, leveraging generative AI to automate mass-mailing campaigns with "perfect" deliverability by operating directly within legitimate Gmail web interfaces. Finally, Spiderman has emerged as a specialized framework targeting dozens of European financial institutions and cryptocurrency platforms. Marketed via private Signal groups, Spiderman produces "pixel-perfect" replicas of banking portals to harvest not only login data but also PhotoTAN codes and cryptocurrency seed phrases in real time.
Security Officer Comments:
The discovery of these kits highlights a significant evolution in the Phishing-as-a-Service (PhaaS) ecosystem, shifting toward automated Adversary-in-the-Middle (AiTM) capabilities. By acting as a live proxy between the victim and the legitimate service, these kits render traditional Multi-Factor Authentication (MFA), such as SMS codes or push notifications, increasingly ineffective. The "industrialization" of social engineering via InboxPrime AI is particularly concerning, as it allows attackers to bypass signature-based email filters by generating unique, contextually relevant lures for every target. Furthermore, the use of "cache-busting" JavaScript and dynamic subdomains by kits like BlackForce and GhostFrame demonstrates a clear intent to frustrate automated sandbox analysis and manual forensic investigation.
Suggested Corrections:
To defend against these high-fidelity phishing threats, organizations should implement a layered defense strategy that focuses on identity integrity and behavioral detection.
- Deploy Phishing-Resistant MFA: Transition from OTP and push-based authentication to FIDO2/WebAuthn (YubiKeys or Passkeys). These methods utilize hardware-backed origin binding, which prevents credentials from being used on a proxied phishing site.
- Enforce Device Compliance: Utilize Conditional Access policies to ensure that only managed, compliant, or known-IP devices can access sensitive corporate resources. This mitigates the risk of an attacker using a stolen session token from an unauthorized machine.
- Enhance Browser Security: Implement HTTP Content Security Policies (CSP) and frame-busting headers to prevent the unauthorized embedding of login pages in iframes, a primary tactic used by the GhostFrame kit.
- AI-Enhanced Email Filtering: Adopt Integrated Cloud Email Security (ICES) solutions that use machine learning to detect linguistic anomalies and sender behavior shifts, rather than relying solely on static blacklists of malicious URLs.
- Active Brand Protection: Engage in proactive domain monitoring to identify and take down typo-squatted domains or unauthorized clones of the organization's login infrastructure before they are utilized in active campaigns.
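The first correction above relies on WebAuthn origin binding: the browser writes the origin it is actually on into clientDataJSON, and the authenticator hashes the rpId it was asked for, so an assertion produced on a proxied phishing page fails relying-party verification before any signature check. The following added example (not code from the article or from any of the kits it describes) replays those pre-signature checks on constructed sample data; the relying-party name, origin and challenge are assumptions.

```python
import base64
import hashlib
import json

# Constructed relying-party configuration (assumed, not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_origin_binding(client_data_b64: str, auth_data: bytes,
                         expected_challenge: bytes) -> tuple[bool, str]:
    """Origin/rpIdHash checks a relying party performs before verifying the
    signature. An AiTM proxy cannot pass them: the browser records the proxy's
    origin, and the rpIdHash is computed over the rpId the authenticator saw."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP (user presence) flag
        return False, "user presence flag not set"
    return True, "origin-bound assertion accepted"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser would emit (constructed sample)."""
    body = {"type": "webauthn.get",
            "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
            "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).rstrip(b"=").decode()


CHALLENGE = b"constructed-random-challenge-1234"
# Constructed authenticatorData: rpIdHash || flags (UP=1) || 4-byte signCount.
GENUINE_AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"

if __name__ == "__main__":
    print(check_origin_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE), GENUINE_AUTH_DATA, CHALLENGE))
    # Same user, same key, but the browser sat on a proxy domain (constructed).
    print(check_origin_binding(make_client_data("https://login.example-com.test", CHALLENGE), GENUINE_AUTH_DATA, CHALLENGE))
```

Contrast this with an OTP, which carries no origin at all and is accepted wherever the proxy relays it.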
Link(s):
https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html