AI-Powered Phishing Kits Use MFA Bypass Tactics to Steal Credentials at Massive Scale

By jinia


 Cybersecurity researchers have uncovered four sophisticated phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that dramatically escalate credential-theft operations through advanced automation, MFA bypass, and evasion techniques.

These next-generation kits are being actively sold across Telegram and Signal, enabling threat actors to launch scalable, high-precision attacks targeting global enterprises, financial institutions, and cloud email platforms.


BlackForce: AI-Aided Credential Theft and MFA Bypass

First detected in August 2025, BlackForce is engineered to steal user credentials, capture OTPs in real time, and bypass MFA using Man-in-the-Browser (MitB) techniques. The kit is openly sold on Telegram for €200–€300 ($234–$351).

Researchers from Zscaler ThreatLabz report that BlackForce has been used to impersonate more than 11 major brands, including Netflix, Disney, DHL, and UPS, and continues to receive frequent updates.

Key Capabilities

  • Advanced evasion via blocklists to filter out security scanners and crawlers
  • Cache-busting JavaScript files (e.g., index-[hash].js) ensuring victims always load the latest malicious script
  • Real-time credential exfiltration to Telegram bots and a C2 panel using Axios
  • MitB-powered fake MFA pages that harvest OTPs while attackers log in to legitimate sites
  • Seamless victim redirection to legitimate homepages to conceal the compromise


GhostFrame: Over 1 Million Stealth Phishing Attacks

Discovered in September 2025, GhostFrame has quickly become one of the fastest-spreading phishing kits, using an embedded iframe architecture to deliver stealthy Microsoft 365 and Google account phishing pages.

Barracuda researcher Sreyas Shetty notes that the iframe allows attackers to refresh phishing content without modifying the visible parent page—effectively bypassing traditional detection tools.

Notable Features

  • Harmless-looking parent HTML file with hidden malicious iframe
  • Dynamic subdomains that change with every visit, complicating domain-based blocking
  • Anti-analysis and anti-debugging protections
  • Loader scripts capable of:
    1. Changing page titles
    2. Switching favicons
    3. Redirecting browser windows
  • Backup iframes to ensure continuity when primary scripts fail

The result is a highly adaptive phishing kit capable of evading enterprise defenses at scale.
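To make the GhostFrame layout described above concrete from the defender's side, here is an added example (not code from the article, from Barracuda, or from the kit itself) that scans a fetched HTML page for iframes that are hidden via CSS or attribute, zero-sized, positioned off-screen, or loaded from a host other than the page's own, and reports why each one was flagged. The sample page, the `files-share.example` and `trusted-site.example` hostnames, and the `find_suspicious_iframes` function are all constructed for illustration.

```python
"""Flag hidden or cross-origin iframes in a fetched HTML page.

Added detection example modelled on the "harmless parent page plus
hidden iframe" pattern described for GhostFrame. It is not code from
the article or the kit; every hostname and HTML sample here is
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element invisible without removing it from the DOM.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])",
    re.IGNORECASE,
)
# Large negative offsets push an element outside the viewport.
OFFSCREEN_STYLE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.IGNORECASE)


def _is_zero(value):
    """True for width/height attributes such as '0', '0px' or '1' (pixel-sized)."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", str(value))
    return match is not None and int(match.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # html.parser lowercases attribute names


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look like a hidden loader.

    page_host is the hostname the HTML was fetched from; an iframe whose
    src points at a different host (and is not a subdomain of page_host)
    is reported as cross-origin.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        style = attrs.get("style") or ""
        reasons = []
        if HIDDEN_STYLE.search(style) or "hidden" in attrs:
            reasons.append("hidden via CSS/attribute")
        if OFFSCREEN_STYLE.search(style):
            reasons.append("positioned off-screen")
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size frame")
        host = urlparse(src).hostname or ""
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("cross-origin source " + host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a bland parent page with two hidden loader frames
# (primary and backup) and one ordinary same-origin embed.
SAMPLE_HTML = """
<html><head><title>Document Shared With You</title></head>
<body>
<p>Your file is ready. Please wait while it loads.</p>
<iframe src="https://a1b2c3d4.files-share.example/login"
        style="display:none;width:0;height:0"></iframe>
<iframe src="https://backup-9f8e.files-share.example/login" width="0" height="0"></iframe>
<iframe src="https://www.trusted-site.example/embed" width="600" height="400"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.trusted-site.example"):
        print(src, "->", "; ".join(reasons))
```

Run against the constructed page, the two `files-share.example` frames are reported (the first as hidden and cross-origin, the second as zero-size and cross-origin) while the visible same-origin embed is not. The loader behaviours the article lists (title changes, favicon swaps, window redirects) happen at runtime and are not visible to a static parse, so pair a check like this with a sandbox render; zero-size cross-origin frames are also used by legitimate analytics and consent tooling, so treat the output as a triage signal rather than a verdict.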


InboxPrime AI: Automated AI-Generated Phishing Campaigns

InboxPrime AI represents a major leap in phishing kit evolution by integrating generative AI to automate entire email-based attack chains. Marketed under a $1,000 malware-as-a-service (MaaS) license, the kit offers perpetual access along with full source code.

Abnormal Security researchers confirm that the tool mimics natural human emailing behavior and even uses the Gmail web interface to bypass spam filters.

Core Capabilities

  • AI-powered email generator that creates full phishing emails, subject lines, and tone-matched content
  • Automated campaign building similar to legitimate email marketing software
  • Spintax support for endless message variations, bypassing signature-based detection
  • Sender identity spoofing and randomization per Gmail session
  • Built-in spam diagnostic module to reduce detection risk

InboxPrime AI significantly lowers the barrier for cybercriminals, enabling anyone to deploy high-volume, highly convincing phishing campaigns with minimal effort.


Spiderman: Full-Stack Banking Phishing Framework Targeting Europe

The Spiderman phishing kit targets customers of major European banks and financial service providers, including Deutsche Bank, ING, Volksbank, CaixaBank, PayPal, and more.

Varonis researcher Daniel Kelley describes Spiderman as a “full-stack phishing framework” that clones dozens of banking login portals with pixel-perfect accuracy.

Key Target Regions

  • Germany
  • Austria
  • Switzerland
  • Belgium

Major Functionalities

  • ISP allowlisting, geofencing, and device filtering to ensure only targeted victims access phishing pages
  • OTP, PhotoTAN, and credit-card data harvesting
  • Cryptocurrency wallet seed-phrase capture
  • Real-time session tracking using unique identifiers

The kit is distributed via a private Signal group, marking a shift away from Telegram’s dominant cybercrime marketplace.


Hybrid Salty-Tycoon 2FA Attacks Emerge

The newest threat observed by ANY.RUN is a hybrid phishing toolkit combining components of Salty 2FA and Tycoon 2FA, two well-known MFA bypass kits.

The hybrid campaign:

  • Appears to begin with Salty 2FA behavior
  • Switches mid-attack to Tycoon 2FA’s execution chain
  • Uses Tycoon as a fallback when Salty infrastructure becomes unavailable

This blending of codebases weakens kit-specific detection rules and complicates attribution, signaling a dangerous shift toward modular, interoperable phishing ecosystems.


Conclusion: AI and Modular Architectures Are Redefining Phishing at Scale

BlackForce, GhostFrame, InboxPrime AI, and Spiderman demonstrate how phishing kits are evolving into AI-driven, automated, MFA-bypassing platforms that:

  • Deliver higher success rates
  • Evade traditional detection tools
  • Scale campaigns to millions of targets
  • Enable attackers with minimal skills to run professional-grade operations

These developments underscore the need for advanced threat intelligence, behavioral defenses, and continuous monitoring to counter the next wave of phishing-as-a-service (PhaaS).