


Perceptive Security
SOC/SIEM Consultancy

New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale
Published: 12 December 2025 at 14:04:00
Alert date: 12 December 2025 at 15:01:07
Source: thehackernews.com
Cybersecurity researchers have identified four new phishing kits (BlackForce, GhostFrame, InboxPrime AI, and Spiderman) capable of credential theft at scale. BlackForce, detected in August 2025, performs Man-in-the-Browser attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kits use AI technology to improve their effectiveness and scale up credential-harvesting operations.
Technical details
Four advanced phishing kits have been identified: BlackForce, GhostFrame, InboxPrime AI, and Spiderman. BlackForce performs Man-in-the-Browser (MitB) attacks to bypass MFA, uses cache-busting hashes in its JavaScript filenames, sends stolen credentials via the Axios HTTP client to Telegram bots and C2 panels, and displays fake MFA pages served from its C2 panels. GhostFrame embeds malicious iframes within otherwise harmless HTML files, generates random subdomains, includes anti-analysis and anti-debugging features, and has fallback mechanisms. InboxPrime AI leverages AI for automated email generation, uses spintax to produce email variations, includes real-time spam diagnostics, and operates as malware-as-a-service (MaaS). Spiderman targets European banks, uses ISP allowlisting, geofencing and device filtering to control who sees its pages, captures cryptocurrency wallet seed phrases and OTP codes, and maintains session continuity with the victim. A hybrid variant combining features of the Salty2FA and Tycoon2FA kits has also emerged.
Mitigation steps:
Organizations should:
implement advanced email filtering capable of detecting AI-generated phishing emails
monitor for JavaScript files whose names carry cache-busting hashes
block or alert on randomly generated subdomains
enforce iframe security policies (for example, framing restrictions on login pages)
monitor for abuse of the Axios HTTP client for credential exfiltration
watch for outbound communications to Telegram bots
strengthen detection of MFA bypass attempts
be aware that geofencing and device filtering can hide phishing pages from security scanners and analysts
monitor for attempts to capture cryptocurrency wallet seed phrases
update security rules to detect hybrid phishing kit variants that combine characteristics of multiple kits
Affected products:
Disney
Netflix
DHL
UPS
Microsoft 365
Google
Gmail
Blau
CaixaBank
Comdirect
Commerzbank
Deutsche Bank
ING
O2
Volksbank
Klarna
PayPal
Related links:
https://thehackernews.com/2023/05/hackers-targeting-italian-corporate.html
https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit
https://www.keycdn.com/support/what-is-cache-busting
https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit
https://abnormal.ai/blog/inboxprime-ai-phishing-kit
https://www.varonis.com/blog/spiderman-phishing-kit
https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html
https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html
https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html
https://blog.barracuda.com/2025/11/12/email-threat-radar-november-2025
https://cybersecsentinel.com/astaroth-phishing-kit-exploits-2fa-weaknesses-in-gmail-and-o365/
https://thehackernews.com/2024/10/astaroth-banking-malware-resurfaces-in.html
https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/
Related CVEs:
Related threat actors:
IOCs:
JavaScript files with cache-busting hashes (e.g., index-[hash].js)
Random subdomain generation
Iframe-based phishing pages
Axios HTTP client usage for credential exfiltration
Telegram bot integration for data collection
Anti-debugging and anti-analysis techniques
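The mitigation steps and the IOC list above describe behavioural indicators rather than atomic ones, so a SOC would typically correlate them per source host before alerting. The following is an added example, not code from the original article or from any of the vendors it cites: it scores constructed proxy-log lines against two of the indicators (cache-busting JavaScript filenames on unfamiliar hosts, and requests to the Telegram bot API, whose paths always take the form /bot<token>/<method>). Hostnames, IP addresses, the allowlist and the bot token are all constructed placeholders. Because legitimate front-end bundlers also emit hashed filenames, that indicator is weighted low and only counts for hosts outside a known-good list.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original article).
# Fields: timestamp src_ip dst_host path user_agent
SAMPLE_LOG = """\
2025-12-12T14:05:01Z 10.0.0.5 m365-login-verify.example-phish.net /assets/index-7f3a9c2e.js Mozilla/5.0
2025-12-12T14:05:02Z 10.0.0.5 m365-login-verify.example-phish.net /assets/vendor-d41d8cd98f.js Mozilla/5.0
2025-12-12T14:05:04Z 10.0.0.5 api.telegram.org /botPLACEHOLDER_TOKEN/sendMessage Mozilla/5.0
2025-12-12T14:06:10Z 10.0.0.7 cdn.known-good.example /static/main-0a1b2c3d.js Mozilla/5.0
2025-12-12T14:07:00Z 10.0.0.9 intranet.example /index.js Mozilla/5.0
"""

# Hashed filenames such as index-[hash].js are normal output of legitimate
# bundlers, so this is a weak signal that only counts for unfamiliar hosts.
CACHE_BUST_JS = re.compile(r"/[A-Za-z0-9_]+-[0-9a-f]{8,}\.js$")
KNOWN_GOOD_HOSTS = {"cdn.known-good.example"}  # constructed allowlist

WEIGHTS = {"cache_bust_js": 1, "telegram_bot_api": 3}


def score_line(dst_host, path):
    """Return the indicator names that a single request matches."""
    hits = []
    if CACHE_BUST_JS.search(path) and dst_host not in KNOWN_GOOD_HOSTS:
        hits.append("cache_bust_js")
    # Telegram bot API calls are always /bot<token>/<method> on api.telegram.org,
    # which makes the destination a much stronger signal than the HTTP client.
    if dst_host == "api.telegram.org" and path.startswith("/bot"):
        hits.append("telegram_bot_api")
    return hits


def score_log(text):
    """Aggregate indicator weights per source IP: {src: (score, [hits])}."""
    totals = defaultdict(lambda: [0, []])
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # skip malformed lines instead of crashing the pipeline
        _ts, src, dst_host, path, _ua = parts
        for hit in score_line(dst_host, path):
            totals[src][0] += WEIGHTS[hit]
            totals[src][1].append(hit)
    return {src: (score, hits) for src, (score, hits) in totals.items()}


def alerts(text, threshold=3):
    """Source IPs whose combined indicator score reaches the alert threshold."""
    return sorted(src for src, (score, _) in score_log(text).items() if score >= threshold)
```

With the sample above, only 10.0.0.5 reaches the threshold: two hashed scripts from an unfamiliar host plus a Telegram bot API call, while the hashed script fetched from the allowlisted CDN by 10.0.0.7 contributes nothing.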
This article was created with the assistance of AI technology by Perceptive.
