Cybersecurity researchers reported four new phishing kits – BlackForce, GhostFrame, InboxPrime AI and Spiderman – that security firms say enable large-scale credential theft, automate email campaigns and incorporate techniques to bypass multi-factor authentication.
BlackForce, first observed in August 2025, is designed to steal credentials and perform man-in-the-browser attacks to capture one-time passwords and bypass MFA, and it is being sold on Telegram for roughly €200–€300, researchers at Zscaler ThreatLabz reported. Zscaler analysts said the kit uses evasion measures such as a blocklist that filters security vendors and crawlers, employs cache-busting JavaScript filenames to force fresh downloads, and forwards harvested credentials in real time to a Telegram bot and a command-and-control panel; the kit can then present fake MFA prompts and redirect victims to the genuine site to hide the compromise.
The GhostFrame kit, detected in September 2025, relies on a benign-looking HTML page that embeds a malicious iframe to deliver phishing pages for Microsoft 365 and Google accounts, a Barracuda researcher said. GhostFrame uses anti-analysis and anti-debugging techniques, generates a random subdomain per visit and includes a loader script that can change the parent page title and favicon; the iframe can be swapped to update phishing content without altering the distributing page and a backup iframe provides a fallback if the loader is blocked.
InboxPrime AI combines phishing kit functionality with artificial intelligence to automate mass-mail campaigns and is marketed under a subscription model on Telegram for about $1,000, researchers at Abnormal said. The platform offers an AI-powered email generator, campaign and template management, spintax support to create varied messages, sender identity randomization and a spam diagnostic module designed to optimize deliverability and evade filtering.
Spiderman is described as a full-stack phishing framework that replicates dozens of European banking login pages and other portals and is being promoted in a Signal group, according to Varonis researchers who said Germany, Austria, Switzerland and Belgium are primary targets. The kit uses ISP allowlisting, geofencing and device filtering to limit access to intended victims, and is capable of capturing cryptocurrency wallet seed phrases, intercepting OTP and PhotoTAN codes, harvesting card data and logging sessions to preserve continuity through multi-step fraud workflows.
These kits join a larger ecosystem of phishing tools and evolving hybrids. Security analysts noted a Salty‑Tycoon hybrid that blends techniques from both families and can evade rules tuned to either variant, an observation documented by ANY.RUN. Other named kits and services cited in reporting include Cephas and Astaroth, which contribute to an increasingly automated and modular phishing landscape.
Researchers and vendors warned that the growing automation and professional interfaces in these offerings lower the barrier to entry for cybercrime, enabling more frequent, higher-volume campaigns that can be harder for defenders to detect and block.