New Advanced Phishing Kits Use AI And Mfa Bypass Tactics To Steal...
Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale.
BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351).
The kit, according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS. It's said to be in active development.
"BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners," the company said. "BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months."
Phishing pages connected to the kit have been found to use JavaScript files with what has been described as "cache busting" hashes in their names (e.g., "index-[hash].js"), thereby forcing the victim's web browser to download the latest version of the malicious script instead of using a cached version.
In a typical attack using the kit, victims who click on a link are redirected to a malicious phishing page, after which a server-side check filters out crawlers and bots, before serving them a page that's designed to mimic a legitimate website. Once the credentials are entered on the page, the details are captured and sent to a Telegram bot and a command-and-control (C2) panel in real-time using an HTTP client called Axios.
When the attacker attempts to log in with the stolen credentials on the legitimate website, an MFA prompt is triggered. At this stage, the MitB techniques are used to display a fake MFA authentication page to the victim's browser through the C2 panel. Should the victim enter the MFA code on the bogus page, it's collected and used by the threat actor to gain unauthorized access to their account.
"Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack," Zscaler said.
Another nascent phishing kit that has gained traction since its discovery in September 2025 is GhostFrame. At the heart of the kit's architecture is a simple HTML file that a
Source: The Hacker News
