New Phishing Kits discovered

Date: December 15, 2025
Threat Level: High
Target Audience: SOC Analysts, CTI Researchers, Threat Hunters

A new wave of sophisticated Phishing-as-a-Service (PhaaS) kits has been documented in late 2025, marking a significant escalation in the industrialization of credential theft. I have identified four distinct kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that are designed to bypass modern defenses like Multi-Factor Authentication (MFA) and automated scanning.

This report breaks down the technical capabilities, evasion techniques, and Indicators of Compromise (IOCs) for each kit to assist defensive teams in detection and mitigation.


1. BlackForce: The Man-in-the-Browser Specialist

Discovered: August 2025
Primary Source: Zscaler ThreatLabz
Market Price: €200–€300 (Telegram)

BlackForce is a highly aggressive kit designed for real-time data interception. It moves beyond simple credential harvesting by employing Man-in-the-Browser (MitB) tactics to defeat MFA protections.

Technical Capabilities & TTPs

  • Real-Time Interception: The kit uses an HTTP client (Axios) to transmit captured data to a Command and Control (C2) panel and a Telegram bot in real time, allowing attackers to replay OTPs immediately, before they expire.
  • Man-in-the-Browser (MitB): It injects malicious scripts to intercept One-Time Passwords (OTPs) and session tokens, effectively bypassing standard 2FA/MFA implementations.
  • Dynamic Evasion:
    • Blocklisting: Server-side filtering drops connection requests from known security vendor IPs, web crawlers, and automated scanners.
    • Live Modification: The kit dynamically alters the parent page’s title and favicon to impersonate trusted services (e.g., changing the tab to look like a legitimate “Sign In” page).
    • Fallback Mechanism: A backup iframe is appended to the bottom of the page. If the primary loader JavaScript is blocked by a browser security control, this secondary iframe triggers to ensure the phishing content still loads.

Targets: Over 11 major global brands, including Disney, Netflix, DHL, and UPS.


2. GhostFrame: The “Invisible” Iframe Framework

Discovered: September 2025
Primary Source: Barracuda
Key Feature: Full Iframe Architecture

GhostFrame represents a shift in evasion engineering. Unlike traditional kits that use iframes as a component, GhostFrame is built entirely around an iframe architecture to hide malicious content from static analysis tools.

Technical Capabilities & TTPs

  • Iframe Obfuscation: The outer HTML page is benign and contains no malicious code. It dynamically loads the phishing content into an iframe from a completely different source, blinding security tools that only scan the parent URL.
  • Dynamic Subdomains: For every single victim, the kit generates a unique subdomain. This renders domain-based reputation blocking ineffective, as each attack URL is “fresh.”
  • Blob URI Forms: Instead of standard HTML forms (which scanners look for), GhostFrame loads login screens (e.g., Microsoft 365, Google) as Blob URI images. The “login fields” are rendered over these images, hiding the actual form code from static parsers.
  • Aggressive Anti-Analysis:
    • Blocks right-click context menus.
    • Disables the F12 key (Developer Tools).
    • Blocks common shortcuts (Ctrl+U, Ctrl+Shift+I) and even the Enter key in specific contexts to prevent analysts from easily inspecting the DOM.

Targets: Microsoft 365 and Google credentials.
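Added example (my own code, not from the report or from Zscaler/Barracuda): a static triage scanner for a captured landing page that flags the BlackForce and GhostFrame behaviours described above, namely cross-origin iframe loading, title/favicon rewriting, a fallback iframe appended from script, blob: URIs, and context-menu/DevTools key blocking. The indicator names, regexes, page URL and sample HTML are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LandingPageParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False   # iframe srcs, inline JS
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

# One regex per behaviour the report describes, run over the page's inline JavaScript.
SCRIPT_INDICATORS = {
    "blocks_context_menu": r"contextmenu[^;]{0,80}preventDefault|oncontextmenu\s*=",
    "blocks_devtools_keys": r"keyCode\s*===?\s*123|['\"]F12['\"]|ctrlKey\s*&&\s*\w+\.shiftKey",
    "rewrites_title_or_favicon": r"document\.title\s*=|rel=['\"]icon['\"][^;]{0,80}href\s*=",
    "uses_blob_uri": r"\bblob:|URL\.createObjectURL",
    "appends_fallback_iframe": r"createElement\(\s*['\"]iframe['\"]\s*\)",
}

def scan_landing_page(html, page_url):   # returns sorted indicator names found in the page
    p = LandingPageParser()
    p.feed(html)
    page_host = urlparse(page_url).hostname
    hits = set()
    for src in p.iframes:                        # where the victim-facing content comes from
        if src.startswith("blob:"):
            hits.add("uses_blob_uri")
        elif urlparse(src).hostname not in (None, page_host):
            hits.add("cross_origin_iframe")      # benign outer shell, phish loaded from elsewhere
    js = "\n".join(p.scripts)
    hits.update(name for name, rx in SCRIPT_INDICATORS.items() if re.search(rx, js))
    return sorted(hits)
# Constructed fixture that mimics the described behaviours; not a real kit's page.
SAMPLE_HTML = """<html><head><link rel="icon" href="/favicon.ico"></head><body>
<iframe src="https://x9k2.per-victim.example-cdn.test/frame.html"></iframe><script>
document.title = "Sign in to your account";
document.addEventListener("contextmenu", function (e) { e.preventDefault(); });
document.addEventListener("keydown", function (e) { if (e.keyCode === 123) e.preventDefault(); });
window.onerror = function () { document.body.appendChild(document.createElement("iframe")); };
</script></body></html>"""
```

Any single hit is weak on its own; the combination of a cross-origin iframe with anti-inspection handlers is the pattern worth alerting on.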


3. InboxPrime AI: The Automated Social Engineer

Discovered: October 2025
Primary Source: Abnormal Security
Key Feature: AI-Driven Content Generation

InboxPrime AI focuses on the delivery phase of the kill chain. It leverages Large Language Models (LLMs) to automate the creation of high-quality phishing emails that bypass traditional spam filters and “bad grammar” detection.

Technical Capabilities & TTPs

  • AI Content Engine: A built-in module generates phishing emails with perfect grammar, professional tone, and context-aware subject lines. It mimics legitimate business communication styles to increase click-through rates.
  • Spintax Support: The kit supports “Spintax” (Spin Syntax), allowing it to automatically generate thousands of slight variations of the same email template. This prevents hash-based or signature-based detection of the email body.
  • Sender Identity Spoofing:
    • The kit integrates directly with Gmail’s web interface.
    • It automates the rotation of sender identities (Display Names) across compromised or burner accounts, making emails appear to come from trusted internal users or vendors.
  • Spam Diagnostics: Includes a pre-send “spam check” module that analyzes the generated email against common spam filters and suggests changes to improve deliverability.

Targets: Mass-mailing campaigns targeting corporate inboxes.
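Added example (my own code, not from the report or from Abnormal Security) showing why Spintax defeats exact-hash matching and what still groups the variants: two hand-written variants of one lure produce different SHA-256 digests, but word-shingle Jaccard similarity over normalized text clusters them together while leaving an unrelated mail apart. The sample bodies, the 3-word shingle size and the 0.5 threshold are constructed assumptions.

```python
import hashlib
import re
from itertools import combinations

def exact_hash(body):
    """Signature-style match: any one-word Spintax change yields a new digest."""
    return hashlib.sha256(body.encode()).hexdigest()

def normalize(body):
    """Lower-case, mask URLs and numbers (per-recipient tokens), drop punctuation."""
    text = re.sub(r"https?://\S+", " url ", body.lower())
    text = re.sub(r"\d+", " num ", text)
    return re.findall(r"[a-z]+", text)

def shingles(body, k=3):
    """Set of k-word shingles; a Spintax swap only disturbs the shingles around it."""
    words = normalize(body)
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster_bodies(bodies, threshold=0.5):
    """Single-link clustering on shingle similarity; returns one cluster id per body."""
    sh = [shingles(b) for b in bodies]
    ids = list(range(len(bodies)))
    for i, j in combinations(range(len(bodies)), 2):
        if jaccard(sh[i], sh[j]) >= threshold and ids[i] != ids[j]:
            old, new = ids[j], ids[i]
            ids = [new if x == old else x for x in ids]
    return ids

# Constructed sample: two Spintax-style variants of one lure plus one unrelated mail.
SAMPLE_BODIES = [
    "Hi Dana, your mailbox is almost full. Please review the 3 pending messages "
    "here: https://a7f.example.test/ before Friday.",
    "Hello Dana, your mailbox is nearly full. Please review the 5 pending messages "
    "here: https://k2q.example.test/ before Friday.",
    "Team, the Q3 retrospective moves to Thursday at 10. Agenda attached, bring your notes.",
]
```

For mailbox-scale volumes the same shingle sets feed a MinHash/LSH index instead of the pairwise loop shown here.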


4. Spiderman: The Banking & Crypto Drainer

Discovered: Late 2025
Primary Source: Varonis
Distribution: Signal (Departure from Telegram)

Spiderman is a premium, modular kit specifically engineered for high-value financial theft. It is currently being marketed in a private Signal group with ~750 members, indicating a shift away from the more exposed Telegram ecosystem.

Technical Capabilities & TTPs

  • Pixel-Perfect Cloning: The kit can instantly generate exact replicas of login pages for dozens of major European banks.
  • Real-Time Data Harvesting:
    • PhotoTAN & OTPs: Capable of intercepting PhotoTAN codes (used in European banking) and standard SMS OTPs in real time.
    • Crypto Drainers: Dedicated modules to steal seed phrases for wallets like MetaMask, Ledger, and Exodus.
  • Geofencing & Filtering:
    • ISP Allowlisting: Only allows traffic from residential ISPs in target countries (e.g., Germany, Austria, Switzerland).
    • Device Filtering: Drops connections from data centers, VPNs, and known security research networks (ASNs).
  • Session Monitoring: Operators use a dashboard to monitor victim sessions live. They can manually trigger specific prompts (e.g., “Enter your credit card number”) based on the victim’s actions.

Targets: European financial institutions (Deutsche Bank, Commerzbank, ING) and cryptocurrency holders.