A New Ransomware Emerges
Cybersecurity researchers have recently documented four advanced phishing kits. The phishing kits enable large-scale credential theft by incorporating cutting-edge techniques, such as artificial intelligence and multi-factor authentication bypass methods.
These kits are openly sold on underground forums, making it easier for even novice attackers to launch massive campaigns. As a result, phishing threats are becoming harder to detect and far more effective at deceiving victims.
BlackForce: Bypassing MFA with Man-in-the-Browser Attacks
First detected in August 2025, the BlackForce kit has been continuously evolving with newer versions that grow increasingly sophisticated. It not only captures usernames and passwords but also performs Man-in-the-Browser attacks to display fake MFA pages exactly when an OTP is sent, allowing attackers to seize full account control.
Attackers frequently use it to impersonate major brands in streaming and shipping services. Additionally, BlackForce employs advanced evasion tactics, including blocking security scanners and using random hashes in JavaScript files to force fresh malicious script downloads. Once credentials are stolen, the data is instantly forwarded to a Telegram bot and control panel, while victims are seamlessly redirected to the legitimate site without suspecting anything.
GhostFrame: Stealthy Attacks
Since gaining traction in September 2025, GhostFrame has powered over one million hard-to-trace phishing attacks. The kit conceals its malicious content inside an iframe on an otherwise innocent-looking HTML page, enabling attackers to quickly swap targets or regions without altering the main distribution page.
Phishing emails typically pretend to involve business contracts or password resets, directing victims to ever-changing random subdomains. It also includes anti-analysis features and a backup iframe fallback. The goal is to stay operational even if parts of the script are blocked. This approach makes GhostFrame particularly effective against corporate accounts like Microsoft 365 or Google.
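The iframe-plus-random-subdomain pattern described above can be turned into a simple triage heuristic for captured pages. The following Python sketch is an added example, not code from the researchers or from any kit; the thresholds, sample HTML, and hostnames are constructed assumptions to tune against your own traffic.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

ENTROPY_THRESHOLD = 3.0  # assumption: bits per character, tune on real traffic
MIN_LABEL_LEN = 10       # assumption: ignore short labels such as "www" or "cdn"

def shannon_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def looks_random(label):
    """True when a DNS label is long and high-entropy, like a generated name."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD

class IframeCollector(HTMLParser):
    """Collects the src attribute of every iframe in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def suspicious_iframes(page_url, html):
    """Return hosts of cross-host iframes whose leftmost label looks random."""
    page_host = urlparse(page_url).hostname or ""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # relative or same-host frame: out of scope for this check
        if looks_random(host.split(".")[0]):
            findings.append(host)
    return findings

# Constructed sample: a plain outer page with one benign and one suspect frame.
PAGE_URL = "https://portal.example.com/contract.html"
SAMPLE_HTML = """<html><body><h1>Document viewer</h1>
<iframe src="/local/help.html"></iframe>
<iframe src="https://www.example.org/embed/1"></iframe>
<iframe src="https://x7k2q9vd3mzp4t.example.net/login"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(PAGE_URL, SAMPLE_HTML))
```

A hit is a reason to inspect the framed content, not a verdict: legitimate services also use generated hostnames, so pair this with reputation and domain-age checks.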
InboxPrime AI: AI Powered Automation for Phishing
Unlike traditional kits, InboxPrime AI takes phishing to the next level by using artificial intelligence to automatically generate highly realistic emails that closely mimic genuine business communication. Sold through a subscription model on Telegram channels, it offers a professional interface complete with an AI email generator that adjusts language, topic, length, and tone based on user preferences.
Supporting features like real-time spam diagnostics, spintax variations, and sender identity spoofing make these emails extremely difficult for filters to catch. Consequently, attackers can run large-scale campaigns with consistent high quality without needing any writing expertise, dramatically speeding up and expanding attack volumes.
Spiderman: Pixel-Perfect Replicas Targeting Banks
Spiderman is a comprehensive full-stack kit focused on European banking and financial services customers. The kit creates near-identical replicas of login pages down to the smallest details. Marketed in private Signal groups, it includes geographic and device filters to ensure only intended targets reach the phishing pages.
Beyond basic credentials, it captures cryptocurrency wallet seed phrases, OTP codes, and credit card information through staged prompts. This multi-step method works especially well with European banking systems that require extra verification, allowing attackers to maintain session continuity throughout the fraud process.
Trends and Evolution
In addition to these four new kits, researchers have observed emerging hybrids that combine elements from older tools like Salty 2FA and Tycoon 2FA, helping them evade kit-specific detection rules. This shift clearly shows that the phishing ecosystem is evolving rapidly as attackers share and merge techniques to improve effectiveness and longevity.
How to Prevent It
To protect yourself from these threats, always verify sender email addresses and links before clicking, and enable hardware-based authentication keys, which are much harder to bypass than SMS OTPs. Train your team to spot subtle warning signs, such as urgent requests or minor inconsistencies on login pages. However, the best defense requires advanced technology layers. For example, deploy AI-driven threat detection solutions that identify emerging phishing patterns in real time across emails and web traffic.
Additionally, use 24/7 monitoring services managed by expert teams to continuously analyze network activity, blocking threats before they cause damage. By combining user awareness with proactive protection, you can significantly reduce the risk of credential theft.
Sleep well, we got you covered.

