New Phishing Kits Employ AI and MFA Bypass

Recent cybersecurity developments reveal significant advancements in phishing tactics, with four new kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—capable of exploiting vulnerabilities and stealing credentials at scale. These advancements raise alarming concerns about the evolution of cyber threats.

BlackForce: An Evolving Threat

BlackForce, identified in August 2025, specializes in credential theft and employs Man-in-the-Browser (MitB) techniques to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). Sold on Telegram for €200 to €300, it has impersonated over 11 brands, including Disney and Netflix, suggesting a level of sophistication that should alarm businesses and consumers alike.

This kit employs various evasion techniques such as a blocklist that filters out security tools. Researchers from Zscaler ThreatLabz emphasize its ongoing development, with successive versions enhancing its capabilities. JavaScript files dubbed “cache busters” are integrated to continually fetch updated malicious scripts, complicating detection efforts.

GhostFrame: Stealth and Adaptability

Another notable kit, GhostFrame, emerged in September 2025 and is primarily characterized by its use of an embedded iframe designed to appear harmless while redirecting victims to fake login pages aimed at compromising Microsoft 365 or Google accounts. This strategic use of an iframe allows attackers to swiftly change content or evade detection by simply modifying the iframe source.

GhostFrame initiates attacks through phishing emails disguised as legitimate business communications. The process incorporates strict measures against analysis, making it increasingly difficult for defenders to identify and counteract the threat.

InboxPrime AI: A New Era of Automation

InboxPrime AI represents a leap forward, employing artificial intelligence to automate phishing campaigns. This kit, available on a Telegram channel, combines human-like emailing behaviors with automation, allowing attackers to manage campaigns effectively and generate convincing phishing emails with minimal effort.

By simplifying the process of creating phishing emails and improving their deliverability, InboxPrime AI lowers the barriers to entry for cybercriminals significantly. This mechanization also contributes to a larger volume of attacks, raising the stakes for cybersecurity defenders who must now contend with more frequent and sophisticated threats.

Spiderman: Targeting Financial Institutions

Spiderman focuses on European banks, offering attackers a framework to replicate login pages and capture sensitive financial data. This kit enhances traditional phishing techniques with methods like geofencing and ISP allowlisting to ensure targeted phishing attempts reach only intended victims.

The versatility of Spiderman is particularly concerning, as it captures not just login credentials but also critical information like cryptocurrency wallet seed phrases and OTP codes. This comprehensive approach signifies a particularly dangerous evolution in phishing tactics.

Adapting Strategies Against Evolving Threats

The emergence of BlackForce, GhostFrame, InboxPrime AI, and Spiderman is part of a broader trend that illustrates how phishing kits are becoming more sophisticated and difficult to detect. Coupled with observations of hybrid attacks like the Salty-Tycoon 2FA, the landscape of credential theft is changing rapidly, challenging security measures.

These developments serve as a reminder to strengthen cybersecurity protocols and remain vigilant against phishing tactics that are continually becoming more adaptive and automated.