AI and MFA Bypass Techniques Are Used by New Advanced Phishing Kits
Cybersecurity researchers have identified four new phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that can enable large-scale identity theft.
BlackForce, first discovered in August 2025, is designed to steal login credentials and carry out Man-in-the-Browser (MitB) attacks in order to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for between €200 ($234) and €300 ($351).
Researchers Gladis Brinda R and Ashwathi Sasi of Zscaler ThreatLabz report that the kit has been used to spoof more than 11 brands, including Disney, Netflix, DHL, and UPS, and that it is under active development.
“BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners,” the company stated. “BlackForce is still being developed. Up until early August, version 3 was extensively utilized; versions 4 and 5 were issued in the months that followed.”
To force the victim’s browser to download the latest version of the malicious script instead of serving a cached copy, phishing pages linked to the kit use JavaScript files with so-called “cache busting” hashes in their names (e.g., “index-[hash].js”). Legitimate front-end build tools emit hashed filenames for the same reason, so this is a weak indicator on its own.
In a typical attack using the kit, the victim clicks a link and lands on a phishing page. A server-side check first filters out crawlers and bots; real visitors are then shown a page designed to imitate a legitimate website. Once the victim enters credentials, they are captured and sent in real time, via the Axios HTTP client, to both a Telegram bot and a command-and-control (C2) panel.

When the attacker uses the stolen credentials to log in to the legitimate website, an MFA prompt appears. At that point, the C2 panel pushes a fake MFA page into the victim’s browser using the MitB technique. If the victim enters the MFA code on the fake page, the attacker collects it and uses it to gain unauthorized access to the account.
“Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack,” Zscaler stated.
GhostFrame Fuels 1M+ Stealth Phishing Attacks
GhostFrame is another emerging phishing kit that has gained popularity since it was discovered in September 2025. At the core of the kit’s architecture is a simple HTML file that appears harmless but hides its malicious activity inside an embedded iframe, which directs victims to a phishing login page that harvests their Google or Microsoft 365 account credentials.
According to Sreyas Shetty, a security researcher at Barracuda, “the iframe design also allows attackers to easily switch out the phishing content, try new tricks, or target specific regions, all without changing the main web page that distributes the kit.” “Further, by simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page.”
Attacks using the GhostFrame kit begin with standard phishing emails themed around invoices, business contracts, and password-reset requests, all designed to direct recipients to a fake website. The kit generates a random subdomain on every visit and uses anti-analysis and anti-debugging techniques to thwart inspection with browser developer tools.
The visible outer page ships with a loader script that sets up the iframe and reacts to messages posted by the framed content. Those messages can instruct the loader to swap the site favicon, redirect the top-level browser window to a different domain, or change the parent page’s title to mimic trusted services.
In the final phase, the iframe served from the dynamic subdomain takes the victim to a secondary page containing the actual phishing components, which makes the threat harder to block. In case the loader JavaScript fails or is blocked, the kit also includes a fallback mechanism: a backup iframe appended at the bottom of the page.
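The outer-page structure described above (a cross-origin iframe, a loader reacting to `message` events that can rewrite the title, favicon or top-level location, and a backup iframe placed after the loader) is what a defender can look for in a captured HTML sample. The following is an added example, not code from the article or from Barracuda: a small static analyser over an HTML string. The two sample pages, the hostnames in them and the pattern names are constructed for illustration and do not describe real infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader behaviours the article describes: a "message" listener in the outer page
# that can rewrite the title, swap the favicon or redirect the top window.
# Pattern names are our own labels, not terms from the kit or the researchers.
LOADER_PATTERNS = {
    "message_listener": re.compile(r"""addEventListener\s*\(\s*['"]message['"]"""),
    "title_rewrite": re.compile(r"document\.title\s*="),
    "favicon_swap": re.compile(r"""link\[rel[^\]]*icon[^\]]*\]|\.rel\s*=\s*['"](?:shortcut )?icon['"]"""),
    "top_redirect": re.compile(r"\b(?:top|parent)\.location"),
}


class OuterPageFeatures(HTMLParser):
    """Collect iframes (in document order) and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # (sequence number, src) per <iframe>
        self.script_seqs = []    # sequence numbers of <script> elements
        self.scripts = []        # inline script bodies
        self._seq = 0
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._seq += 1
        if tag == "iframe":
            self.iframes.append((self._seq, a.get("src") or ""))
        elif tag == "script":
            self.script_seqs.append(self._seq)
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def analyze_outer_page(html, page_host):
    """Return the iframe-loader indicators found in an outer (distribution) page."""
    p = OuterPageFeatures()
    p.feed(html)
    p.close()

    # Iframes whose src points at a host other than the page itself (relative srcs are skipped).
    cross_origin = [src for _, src in p.iframes
                    if urlparse(src).hostname not in (None, page_host)]
    behaviours = sorted(name for name, rx in LOADER_PATTERNS.items()
                        if any(rx.search(s) for s in p.scripts))
    # Fallback iframe: a second iframe placed after the last script, so the framed
    # content still loads if the loader script is blocked.
    fallback = (len(p.iframes) >= 2 and bool(p.script_seqs)
                and p.iframes[-1][0] > max(p.script_seqs))
    verdict = "suspicious" if cross_origin and len(behaviours) >= 2 else "benign"
    return {
        "cross_origin_iframes": len(cross_origin),
        "loader_behaviours": behaviours,
        "fallback_iframe": fallback,
        "verdict": verdict,
    }


# Constructed sample reproducing the structure the article describes (placeholder hosts).
SUSPICIOUS_HTML = """<!doctype html><html><head><title>Document</title>
<link rel="icon" href="/favicon.ico"></head><body>
<iframe src="https://x7k2q.dynamic-sub.example/login" style="width:100%;height:100vh;border:0"></iframe>
<script>
window.addEventListener("message", function (e) {
  if (e.data.title) document.title = e.data.title;
  if (e.data.icon) document.querySelector('link[rel="icon"]').href = e.data.icon;
  if (e.data.go) top.location = e.data.go;
});
</script>
<noscript><iframe src="https://x7k2q.dynamic-sub.example/login"></iframe></noscript>
</body></html>"""

# Constructed benign page: same-origin embed, no message-driven loader.
BENIGN_HTML = """<html><body>
<iframe src="https://outer.example/widget"></iframe>
<script>console.log("loaded");</script>
</body></html>"""

if __name__ == "__main__":
    print(analyze_outer_page(SUSPICIOUS_HTML, "outer.example"))
    print(analyze_outer_page(BENIGN_HTML, "outer.example"))
```

The verdict threshold (a cross-origin iframe plus at least two loader behaviours) is deliberately conservative: a single same-origin iframe or a lone `message` listener is common on legitimate sites, whereas the combination of title and favicon rewriting driven by a framed page from a different host is the part worth escalating for manual review.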
InboxPrime AI Phishing Kit Automates Email Attacks
While BlackForce follows the same playbook as conventional phishing kits, InboxPrime AI goes a step further by using artificial intelligence (AI) to automate bulk mailing campaigns. It is promoted in a 1,300-member Telegram group under a $1,000 malware-as-a-service (MaaS) subscription model that gives buyers full access to the source code and a perpetual license.
According to Callie Baron and Piotr Wojtyla, researchers at Abnormal, “it is designed to mimic real human emailing behavior and even leverages Gmail’s web interface to evade traditional filtering mechanisms.”
“InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software.”

Like commercial email automation systems, the platform’s user-friendly interface lets users manage accounts, proxies, templates, and campaigns. One of its main selling points is an integrated AI-powered email generator that can produce complete phishing emails, subject lines included, in a style resembling authentic business correspondence.
This effectively eliminates the manual effort of writing such emails, lowering the barrier to entry for cybercriminals. Instead, attackers set parameters, such as language, topic or industry, email length, and desired tone, which the toolkit uses as inputs to generate plausible lures that fit the chosen theme.
The dashboard also lets users save a generated email as a reusable template with spintax support, i.e. embedded lists of alternative words or phrases from which one is chosen each time a message is produced. This guarantees that no two phishing emails look the same and helps them evade signature-based filters that look for repeated content patterns.
The following are some of the other features InboxPrime AI supports:
- A real-time spam diagnostic tool that can identify common spam-filter triggers in a generated email and recommend specific fixes.
- Sender identity spoofing and randomization, which lets attackers change display names for every Gmail session.
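To make concrete why spintax defeats exact-content signatures, here is an added example (not code from the article or from Abnormal) that expands a spintax template into every message it can yield, counts the distinct variants, and, from the receiving side, flags unexpanded spintax groups left in a delivered message, which is a cheap mail-filter signal. The template text, its invoice number and the function names are constructed for this illustration.

```python
import re

# Innermost spintax group: braces with no nested braces inside.
_GROUP = re.compile(r"\{([^{}]*)\}")
# A group that still contains a '|' separator, i.e. spintax that was never expanded.
_RESIDUE = re.compile(r"\{[^{}]*\|[^{}]*\}")


def expand_spintax(template):
    """Yield every message a (possibly nested) spintax template can produce.

    The innermost group is expanded first, so '{Hi|Hello {there|team}}' yields
    'Hi', 'Hello there', 'Hi', 'Hello team' (duplicates kept; see unique_variants).
    """
    m = _GROUP.search(template)
    if not m:
        yield template
        return
    before, after = template[:m.start()], template[m.end():]
    for option in m.group(1).split("|"):
        yield from expand_spintax(before + option + after)


def unique_variants(template):
    """All distinct messages the template can produce, as a sorted list."""
    return sorted(set(expand_spintax(template)))


def find_spintax_residue(text):
    """Return unexpanded spintax groups left in a delivered message.

    Plain braces without a '|' (JSON, CSS) are ignored so ordinary mail is not flagged.
    """
    return _RESIDUE.findall(text)


# Constructed template in the style the article describes; the invoice number is made up.
TEMPLATE = ("{Hi|Hello|Dear} {team|colleague}, your {invoice|statement} #4471 is "
            "{ready|available} {for review|to download}.")

if __name__ == "__main__":
    variants = unique_variants(TEMPLATE)
    print(f"{len(variants)} distinct messages from one template, e.g. {variants[0]!r}")
    print(find_spintax_residue("Hello {team|colleague}, your statement is ready."))
```

Five small choice groups already produce 48 distinct bodies, so a filter keyed on an exact body hash sees each variant once. Matching on the stable parts of a message (here the invoice reference and sentence structure) or on the residue left by a mis-rendered template is more robust than matching on whole-message content.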
“This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources,” Abnormal stated. “This not only accelerates campaign launch time but also ensures consistent message quality, enables scalable, thematic targeting across industries, and empowers attackers to run professional-looking phishing operations without copywriting expertise.”
Spiderman Creates Pixel-Perfect Replicas of European Banks
Spiderman is the third phishing kit that has caught the attention of cybersecurity researchers. It allows attackers to target customers of numerous European banks and online financial services, including Blau, CaixaBank, Comdirect, Commerzbank, Deutsche Bank, ING, O2, Volksbank, Klarna, and PayPal.
According to Daniel Kelley, a researcher at Varonis, “Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals.” “Its organized interface provides cybercriminals with an all-in-one platform to launch phishing campaigns, capture credentials, and manage stolen session data in real-time.”
The modular kit is noteworthy because, unlike the others, which are sold via Telegram, its seller promotes it in a Signal messaging group with roughly 750 members. The phishing service primarily targets Germany, Austria, Switzerland, and Belgium.
Like BlackForce, Spiderman uses several gating techniques, including device screening, geofencing, and ISP allowlisting, to ensure that only intended targets can view the phishing pages; scanners and analysts outside that profile are served nothing of interest. The toolkit can also intercept OTP and PhotoTAN codes, capture cryptocurrency wallet seed phrases, and trigger prompts to collect credit card details.
“This flexible, multi-step approach is particularly effective in European banking fraud, where login credentials alone often aren’t enough to authorize transactions,” Kelley said. “After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow.”
Hybrid Salty-Tycoon 2FA Attacks Spotted
BlackForce, GhostFrame, InboxPrime AI, and Spiderman are just some of the many phishing kits that have surfaced in the last year, alongside Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth (not to be confused with the Windows banking malware of the same name).
In a report released earlier this month, ANY.RUN said it had observed a new Salty-Tycoon hybrid that already evades detection rules tailored to either kit. The early stages of the new attack wave mirror Salty 2FA, while later stages load code that replicates the Tycoon 2FA execution chain. This coincides with a significant decline in Salty 2FA activity in late October 2025.
“This overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection,” the company stated.
“Taken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a single sample, contains traces of both Salty 2FA and Tycoon, with Tycoon serving as a fallback payload once the Salty infrastructure stopped working for reasons that are still unclear.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.