# Full Report
Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale. BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit
# Analysis Summary
# Tool/Technique: BlackForce Phishing Kit
## Overview
BlackForce is one of four new advanced phishing kits documented by researchers, designed specifically to steal user credentials at scale. Its primary focus is credential harvesting and executing Man-in-the-Browser (MitB) attacks to capture One-Time Passwords (OTPs) and successfully bypass Multi-Factor Authentication (MFA).
## Technical Details
- Type: Attack Tool (Phishing Kit)
- Platform: Web-based (Impersonates various web services)
- Capabilities: Credential theft, MFA bypass via MitB, bot/crawler evasion.
- First Seen: August 2025
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred based on described functionality (credential theft, MFA bypass, evasion).*
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (Implied delivery via link)
- **TA0005 - Defense Evasion**
  - T4029 - Block Evasion (Explicitly mentioned environment filtering)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores (Implied initial credential theft)
## Functionality
### Core Capabilities
- **Credential Theft:** Steals credentials entered by victims on the forged login pages.
- **Brand Impersonation:** Used to impersonate over 11 major brands, including Disney, Netflix, DHL, and UPS.
- **Data Exfiltration:** Stolen credentials are sent in real time to a Telegram bot and a dedicated command-and-control (C2) panel.
- **Post-Compromise Redirection:** After a successful attack (or attempt), victims are redirected to the legitimate website's homepage to conceal the compromise.
### Advanced Features
- **Man-in-the-Browser (MitB) Attacks:** Used specifically during the MFA phase to present a fake MFA prompt to the victim after the attacker has attempted to log in with stolen credentials.
- **MFA Bypass:** By capturing the OTP entered into the fake MitB prompt, the kit allows the attacker to gain unauthorized access.
- **Evasion Techniques:** Features a blocklist specifically designed to filter out and prevent interaction with security vendors, web crawlers, and scanners.
- **Cache Busting:** Uses JavaScript files with unique hashes in their filenames (e.g., "index-[hash].js") to force the victim's browser to download the freshest version of the malicious script, avoiding cached versions.
- **Active Development:** Reported to be in active development, with versions 4 and 5 succeeding version 3 in subsequent months following August 2025.
## Indicators of Compromise
- File Hashes: N/A (Details not provided in context)
- File Names: JavaScript files containing cache-busting hashes (e.g., "index-[hash].js")
- Registry Keys: N/A
- Network Indicators: Communications routed to Telegram bots and a C2 panel via Axios.
- Behavioral Indicators: Use of the Axios HTTP client for real-time data submission; serving login pages based on server-side checks that filter non-human traffic.
## Associated Threat Actors
- Threat actors marketing and purchasing the kit on Telegram forums. (No specific named groups mentioned in context.)
## Detection Methods
- Signature-based detection: Developing signatures against specific kit code structures or C2 endpoints (if known).
- Behavioral detection: Monitoring for the execution of JavaScript files using cache-busting patterns or unusual outbound HTTP traffic to non-standard destinations (like Telegram bots) immediately following form submission.
- YARA rules if available: N/A
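As an added defensive example (not code from the report or from any kit), the two behavioural indicators above turned into detection logic over a constructed proxy log: a `index-<hash>.js` script fetched from an unrecognised host, and a Telegram Bot API call from the same client within a short window after a form POST. The log format, hostnames, allowlist and 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log ("<UTC time> <client> <method> <url>"); not real traffic.
SAMPLE_LOG = """\
2025-08-14T10:02:10Z 10.0.0.5 GET https://login-portal-example.test/
2025-08-14T10:02:11Z 10.0.0.5 GET https://login-portal-example.test/assets/index-9f3c2a7b1e4d.js
2025-08-14T10:02:25Z 10.0.0.5 POST https://login-portal-example.test/api/submit
2025-08-14T10:02:26Z 10.0.0.5 POST https://api.telegram.org/botEXAMPLETOKEN/sendMessage
2025-08-14T10:02:27Z 10.0.0.5 GET https://www.netflix.com/
2025-08-14T10:05:00Z 10.0.0.9 GET https://intranet.example.test/assets/index-a1b2c3d4e5f6.js
2025-08-14T10:30:00Z 10.0.0.9 POST https://api.telegram.org/botEXAMPLETOKEN/sendMessage
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Bundle names like index-<hash>.js, the cache-busting pattern described for the kit.
CACHE_BUST_RE = re.compile(r"/index-[0-9a-f]{8,}\.js$", re.I)
# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/", re.I)
WINDOW = timedelta(seconds=10)  # "immediately following" a form submission
# Assumption: internal apps known to ship hashed bundles; tune for your environment.
KNOWN_GOOD_HOSTS = {"intranet.example.test"}

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url))
    return events

def host_of(url):
    return re.sub(r"^https?://([^/]+).*$", r"\1", url)

def find_alerts(log):
    alerts, last_form_post = [], {}
    for ts, client, method, url in parse(log):
        if CACHE_BUST_RE.search(url) and host_of(url) not in KNOWN_GOOD_HOSTS:
            alerts.append(("cache_busting_script", client, url))
        if TELEGRAM_BOT_RE.match(url):
            prev = last_form_post.get(client)
            if prev is not None and ts - prev <= WINDOW:
                alerts.append(("telegram_exfil_after_form_post", client, url))
        elif method == "POST":
            last_form_post[client] = ts  # candidate credential-form submission
    return alerts
```

Hashed bundle names are standard output of legitimate front-end build tools, so the cache-busting indicator is only meaningful in combination with the Telegram correlation or other context.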
## Mitigation Strategies
- **Prevention measures:** User education regarding phishing, especially around MFA prompts that appear unexpectedly or outside expected application flows.
- **Hardening recommendations:** Employing robust MFA solutions that utilize FIDO2/hardware tokens over OTPs where possible; implementing network filtering/whitelisting to restrict outbound access to known C2 infrastructure (though this is difficult with Telegram bots).
## Related Tools/Techniques
- GhostFrame Phishing Kit
- InboxPrime AI Phishing Kit
- Spiderman Phishing Kit
---
# Tool/Technique: GhostFrame Phishing Kit
## Overview
GhostFrame is a newly prominent phishing kit discovered in September 2025. It specializes in stealth by embedding its primary malicious function within an invisible iframe: the outer page looks benign, so scanners that only inspect that outer page miss the kit, and the operator can switch targets simply by changing what the iframe loads. It generally aims to steal Microsoft 365 or Google account credentials.
## Technical Details
- Type: Attack Tool (Phishing Kit)
- Platform: Web-based (Targets M365/Google authentication flows)
- Capabilities: Stealth phishing delivery via concealed iframe, anti-analysis techniques, dynamic subdomain generation.
- First Seen: September 2025
## MITRE ATT&CK Mapping
*Note: Inferred mapping based on description of iframe delivery and anti-analysis.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1497 - Virtualization/Sandbox Evasion (Implied by anti-debugging checks)
## Functionality
### Core Capabilities
- **Stealth Delivery:** The core phishing login page is hidden within an embedded iframe inside a seemingly harmless HTML file.
- **Content Switching:** Attackers can change the phishing content or target regions simply by updating the iframe's src URL, without altering the main host page.
- **Impersonation:** The loader script modifies the visible parent page elements (title, favicon) to impersonate trusted services.
- **Dynamic Hostnames:** Generates a random subdomain upon each site visit, aiding in evasion.
### Advanced Features
- **Anti-Analysis/Anti-Debugging:** Includes mechanisms designed to prevent inspection using standard browser developer tools.
- **Parent Window Manipulation:** The outer page's loader script can manipulate the top-level browser window, including changing the top window's URL, potentially masking the origin of the attack.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on the embedding mechanism)
- Behavioral Indicators: Detection of a seemingly harmless page that quickly loads resources via an iframe; rapid modification of the browser window title or favicon upon page load.
## Associated Threat Actors
- Threat actors utilizing this kit for M365 and Google credential theft. (No specific named groups mentioned in context.)
## Detection Methods
- Signature-based detection: Signatures targeting known iframe redirection patterns or specific anti-analysis script code snippets.
- Behavioral detection: Monitoring for parent window manipulation or rapid loading of external content via embedded iframes following initial page load.
- YARA rules if available: N/A
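As an added defensive example (not code from the report or from the kit), the detection ideas above applied to a constructed host page: it flags a concealed iframe whose origin differs from the page's own host, and loader-script text that touches the document title, favicon link or top-level location. The sample HTML, hostnames and marker list are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a bland host page with a concealed cross-origin iframe and a
# loader script that rewrites the visible title and favicon. Not a real kit file.
SAMPLE_HTML = """<html><head><title>Document Viewer</title>
<link rel="icon" href="/favicon.ico"></head><body>
<p>Your file is loading...</p>
<iframe src="https://k7x2q.example-random.test/auth/" style="display:none;width:0;height:0"></iframe>
<script>
document.title = "Sign in to your account";
document.querySelector('link[rel="icon"]').href = "https://k7x2q.example-random.test/icon.png";
</script></body></html>"""

# Inline-style fragments that make a frame invisible to the user.
HIDDEN_STYLE = ("display:none", "visibility:hidden", "opacity:0", "width:0", "height:0")
# Script fragments consistent with the parent-window manipulation described above.
LOADER_MARKERS = ("document.title", 'link[rel="icon"]', "favicon", "top.location")

class HostPageScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            frame_host = urlparse(src).hostname or self.page_host  # relative src = same host
            hidden = any(h in style for h in HIDDEN_STYLE) or "hidden" in a
            if hidden and frame_host != self.page_host:
                self.findings.append(("hidden_cross_origin_iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.findings.extend(("loader_marker", m) for m in LOADER_MARKERS if m in data)

def scan_host_page(html, page_host):
    scanner = HostPageScanner(page_host)
    scanner.feed(html)
    return scanner.findings
```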
## Mitigation Strategies
- **Prevention measures:** Inspecting underlying HTML structure for suspicious iframes, especially on pages linked from unexpected emails; browser extensions to sandbox or block suspicious iframe activity.
- **Hardening recommendations:** Ensuring modern email gateways strip dynamic URL parameters that could lead to sophisticated redirect chains.
## Related Tools/Techniques
- BlackForce Phishing Kit
- InboxPrime AI Phishing Kit
- Spiderman Phishing Kit