Advanced Phishing Kits Leverage AI and MFA Bypass Tactics

  • Dec 12, 2025

Key Findings


  • Four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman are capable of facilitating credential theft at scale.

  • BlackForce is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA).

  • GhostFrame uses an iframe-based approach to hide its malicious behavior and easily switch out phishing content.

  • InboxPrime AI leverages artificial intelligence (AI) to automate mass mailing campaigns and evade traditional filtering mechanisms.

  • Spiderman is a sophisticated phishing kit that uses AI and machine learning to generate unique phishing pages and bypass MFA.


Background


Cybersecurity researchers have documented four new phishing kits that are capable of facilitating credential theft at scale. These kits, named BlackForce, GhostFrame, InboxPrime AI, and Spiderman, employ various techniques to evade detection and compromise user accounts.


BlackForce: Credential Theft and MFA Bypass


  • BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA).

  • The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351) and has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS.

  • BlackForce features several evasion techniques, such as a blocklist that filters out security vendors, web crawlers, and scanners, and the use of "cache busting" hashes in JavaScript file names to force the victim's web browser to download the latest version of the malicious script.

  • In a typical attack, victims are redirected to a malicious phishing page, and the captured credentials are sent to a Telegram bot and a command-and-control (C2) panel in real time. The MitB techniques are then used to display a fake MFA authentication page to the victim, allowing the threat actor to gain unauthorized access.


GhostFrame: Stealthy Phishing Attacks


  • GhostFrame, discovered in September 2025, uses a simple HTML file that appears harmless while hiding its malicious behavior within an embedded iframe, leading victims to a phishing login page.

  • The iframe design allows attackers to easily switch out the phishing content, try new tricks, or target specific regions without changing the main web page that distributes the kit.

  • Attacks using the GhostFrame kit commence with typical phishing emails that claim to be about business contracts, invoices, and password reset requests, but are designed to take recipients to the fake page.

  • The kit uses anti-analysis and anti-debugging techniques to prevent attempts to inspect it using browser developer tools and generates a random subdomain each time someone visits the site.
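
A defender-side triage heuristic for the iframe pattern described above, added here as an example (it is not code from the kit or from the cited research). It flags an outer page that has almost no content of its own and hands the viewport to a frame whose source is cross-origin or only set at runtime. The function names, the 200-character threshold, the `example.*` hostnames and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeTriage(HTMLParser):
    """Collects iframes and counts visible text on the outer page."""
    SKIP = {"script", "style", "noscript", "title"}
    def __init__(self):
        super().__init__()
        self.iframes, self.text_chars, self._skip = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def triage(html, page_url, min_text=200):
    """Return (src, reasons) for each iframe matching two or more heuristics."""
    p = IframeTriage()
    p.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for fr in p.iframes:
        reasons, src = [], fr.get("src", "")
        host = urlparse(src).hostname
        if not src or src.startswith("about:"):
            reasons.append("frame source is only set at runtime by script")
        elif host and host != page_host:
            reasons.append(f"cross-origin frame: {host}")
        style = fr.get("style", "").replace(" ", "").lower()
        if any("100%" in fr.get(k, "") for k in ("width", "height")) or "width:100" in style:
            reasons.append("frame fills the viewport")
        if p.text_chars < min_text:
            reasons.append("outer page has almost no content of its own")
        if len(reasons) >= 2:
            findings.append((src or "(none)", reasons))
    return findings

# Constructed samples: a near-empty wrapper page and an ordinary page with an embed.
SAMPLE = ('<html><head><title>Document portal</title><style>body{margin:0}</style></head>'
          '<body><iframe id="f" style="border:0; width:100vw; height:100vh"></iframe>'
          '<script>/* sets the frame src at runtime */</script></body></html>')
BENIGN = ('<html><body><p>' + 'Quarterly report text. ' * 20 + '</p><iframe '
          'src="https://video.example.org/embed/1" width="560" height="315"></iframe></body></html>')
```

A single matching heuristic is common on legitimate pages (video embeds, payment widgets), which is why the function only reports frames that match at least two.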


InboxPrime AI: Automated Email Attacks


  • InboxPrime AI, advertised on a 1,300-member-strong Telegram channel under a malware-as-a-service (MaaS) subscription model for $1,000, leverages artificial intelligence (AI) to automate mass mailing campaigns.

  • The kit is designed to mimic real human emailing behavior and leverage Gmail's web interface to evade traditional filtering mechanisms, promising cybercriminals near-perfect deliverability, automated campaign generation, and AI-powered content generation.


Spiderman: AI-Powered Phishing with MFA Bypass


  • Spiderman is a sophisticated phishing kit that uses AI and machine learning to generate unique phishing pages and bypass MFA.

  • The kit is sold on underground forums for around $1,500 and has been observed targeting a wide range of organizations, including financial institutions, e-commerce platforms, and cloud-based service providers.

  • Spiderman employs advanced techniques, such as dynamic page generation, browser fingerprinting, and the use of machine learning models to evade detection and bypass MFA.

  • The kit's MFA bypass capabilities are particularly concerning, as they allow threat actors to gain unauthorized access to targeted accounts even when protected by additional security measures.


Sources


  • https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html

  • https://blog.netmanageit.com/new-advanced-phishing-kits-use-ai-and-mfa-bypass-tactics-to-steal-credentials-at-scale/

  • https://x.com/shah_sheikh/status/1999483208954707983

  • https://x.com/Dinosn/status/1999487516244869336

© 2025 by Explain IT Again. Powered and secured by Wix