Cybersecurity experts have uncovered four new phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—capable of large-scale credential theft and bypassing security defenses.

BlackForce, first detected in August 2025, is designed to steal credentials and defeat multi-factor authentication using Man-in-the-Browser attacks. Sold on Telegram for €200–€300, it has impersonated major brands including Disney, Netflix, DHL, and UPS. Researchers say the kit remains in active development with multiple versions released in recent months.

GhostFrame, discovered in September, uses hidden iframes to redirect victims to phishing pages targeting Microsoft 365 and Google accounts. Its design allows attackers to swap content easily and evade detection. The kit employs anti-analysis techniques and generates random subdomains to make blocking more difficult.

InboxPrime AI represents a new wave of phishing-as-a-service, leveraging artificial intelligence to automate email campaigns. Marketed for $1,000 on Telegram, it mimics human emailing behavior, evades spam filters, and generates convincing phishing emails at scale. Experts warn this industrialization of phishing lowers barriers for cybercriminals and increases attack volume.

Spiderman, meanwhile, replicates login pages of dozens of European banks and financial services, including Deutsche Bank, ING, and PayPal. Sold via Signal groups, it uses geofencing and device filtering to target specific regions and can capture OTPs, PhotoTAN codes, and cryptocurrency wallet data. Analysts say its modular design makes it particularly effective in European banking fraud.

The discovery of these kits comes amid reports of hybrid attacks combining elements of older phishing tools like Salty2FA and Tycoon2FA. Researchers caution that evolving overlaps between kits complicate detection and attribution, giving attackers more opportunities to bypass defenses.