

Ethical Hacking News

New Advanced Phishing Kits Leverage AI and MFA Bypass Tactics to Steal Credentials at Scale




Four new phishing kits – BlackForce, GhostFrame, InboxPrime AI, and Spiderman – have been identified by researchers, each leveraging advanced techniques such as AI and MFA bypass tactics to steal sensitive information from unsuspecting victims. These kits pose a significant threat to organizations and individuals alike, emphasizing the need for effective countermeasures to protect against credential theft at scale.

  • Four new phishing kits have been identified: BlackForce, GhostFrame, InboxPrime AI, and Spiderman.
  • BlackForce uses AI-driven techniques to evade detection by security software.
  • GhostFrame has a simple HTML file architecture with an embedded iframe that leads victims to a phishing login page.
  • Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages.
  • InboxPrime AI is a malware-as-a-service subscription model that automates mass mailing campaigns using AI.



    In a recent development that has sent shockwaves through the cybersecurity community, researchers have identified four new phishing kits – BlackForce, GhostFrame, InboxPrime AI, and Spiderman – that are capable of facilitating credential theft at scale. These advanced phishing kits leverage artificial intelligence (AI) and multi-factor authentication (MFA) bypass tactics to steal sensitive information from unsuspecting victims.

    The BlackForce kit is the first of its kind to utilize AI-driven techniques to evade detection by security software. According to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, the kit features several evasion techniques that use a blocklist to filter out security vendors, web crawlers, and scanners. This allows BlackForce to remain under active development, with new versions being released regularly.

    The kit's phishing pages are designed to mimic legitimate websites, complete with cache-busting hashes in their JavaScript file names. This forces the victim's browser to download the latest version of the malicious script instead of using a cached version. Upon clicking on a link, victims are redirected to a malicious phishing page that captures their credentials and sends them to a Telegram bot and a command-and-control (C2) panel in real time using an HTTP client called Axios.

    In addition to BlackForce, GhostFrame is another nascent phishing kit that has gained traction since its discovery in September 2025. The kit's architecture is built around a simple HTML file that appears harmless while hiding malicious behavior within an embedded iframe. This iframe leads victims to a phishing login page where attackers can steal Microsoft 365 or Google account credentials.

    GhostFrame uses various techniques such as ISP allowlisting, geofencing, and device filtering to ensure that only intended targets can access the phishing pages. The toolkit also captures cryptocurrency wallet seed phrases, intercepts OTP and PhotoTAN codes, and triggers prompts to gather credit card data.

    Another notable development is the emergence of Spiderman, a full-stack phishing framework that replicates dozens of European banking login pages, including government portals. This kit allows attackers to target customers of dozens of European banks and online financial services providers.

    Spiderman's modular design makes it easy for attackers to switch out the phishing content, try new tricks, or target specific regions without changing the main web page that distributes the kit. Furthermore, by simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page.
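
    For defenders, the gap described above (tools that only check the outer page) can be narrowed by extracting every frame target from the outer HTML and scanning those as well. The following is an added example, not code from the article or from any of the kits; the function names, the reason labels, the `min_text` threshold and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrameCollector(HTMLParser):
    """Collect every <iframe>/<frame> and a rough count of the outer page's text."""
    def __init__(self):
        super().__init__()
        self.frames, self.text_chars, self._skip = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append({k: (v or "") for k, v in attrs})
        elif tag in ("script", "style"):
            self._skip += 1            # script/style bodies are not visible text
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def audit_outer_page(html, page_url, min_text=200):
    """List each frame with the URL a scanner must also fetch and why it stands out."""
    p = FrameCollector()
    p.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for f in p.frames:
        src, reasons = f.get("src", ""), []
        target = urljoin(page_url, src) if src else None
        if f.get("srcdoc"):
            reasons.append("inline-srcdoc")
        if not src:
            reasons.append("no-static-src")    # target only visible after rendering
        elif urlparse(target).hostname != page_host:
            reasons.append("cross-host")
        style = f.get("style", "").replace(" ", "").lower()
        if "100%" in f.get("width", "") + f.get("height", "") + style or "100v" in style:
            reasons.append("full-viewport")
        if p.text_chars < min_text:            # min_text is an assumed threshold
            reasons.append("thin-outer-page")
        findings.append({"url": target, "reasons": reasons})
    return findings

# Constructed sample: a near-empty outer page wrapping a remote full-screen frame.
PAGE_URL = "https://docs.outer-host.example/view.html"
SAMPLE = """<html><head><title>Document viewer</title></head><body>
<script src="loader.3f9a1c.js"></script>
<iframe src="https://login.frame-host.example/session" style="width:100%;height:100vh;border:0"></iframe>
<iframe id="late"></iframe></body></html>"""
if __name__ == "__main__":
    print(*audit_outer_page(SAMPLE, PAGE_URL), sep="\n")
```

    A frame reported with `no-static-src` has no target in the static HTML, so it needs a rendering sandbox to resolve; the other findings give URLs that a URL-reputation or content scanner can fetch directly.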

    The latest addition to the list of phishing kits is InboxPrime AI, which automates mass mailing campaigns using artificial intelligence (AI). This service is advertised on a 1,300-member-strong Telegram channel under a malware-as-a-service (MaaS) subscription model for $1,000. It grants purchasers a perpetual license and full access to the source code.

    InboxPrime AI blends AI-driven techniques with operational evasion methods, promising cybercriminals near-perfect deliverability, automated campaign generation, and a polished interface that mirrors legitimate email marketing software. The platform employs a user-friendly interface that allows customers to manage accounts, proxies, templates, and campaigns, mirroring commercial email automation tools.

    One of its core features is a built-in AI-powered email generator that can produce entire phishing emails, including the subject lines, in a manner that mimics legitimate business communication. This ensures that no two phishing emails look identical and helps them bypass signature-based filters that look for similar content patterns.

    The emergence of these advanced phishing kits highlights the growing sophistication of cybercrime tactics and the need for effective countermeasures to protect against credential theft at scale. As threat actors continue to innovate and exploit vulnerabilities in security software, it is essential for defenders to stay vigilant and adapt their strategies to combat these evolving threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Advanced-Phishing-Kits-Leverage-AI-and-MFA-Bypass-Tactics-to-Steal-Credentials-at-Scale-ehn.shtml

  • https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html


  • Published: Fri Dec 12 08:24:21 2025 by llama3.2 3B Q4_K_M












