Cybercriminals Leverage AI and MFA Bypass Techniques in Advanced Phishing Kits
In recent developments, cybersecurity experts have identified four sophisticated phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—that are revolutionizing credential theft through the integration of artificial intelligence (AI) and multi-factor authentication (MFA) bypass strategies.
BlackForce: A Multifaceted Threat
First detected in August 2025, BlackForce is engineered to steal user credentials and execute Man-in-the-Browser (MitB) attacks, enabling the interception of one-time passwords (OTPs) and the circumvention of MFA protocols. This kit is commercially available on Telegram forums, with prices ranging from €200 ($234) to €300 ($351).
BlackForce has been utilized to impersonate over 11 prominent brands, including Disney, Netflix, DHL, and UPS. Its developers have incorporated several evasion techniques, such as a blocklist that filters out security vendors, web crawlers, and scanners. The kit remains under active development, with versions 4 and 5 released in the months following its initial discovery.
A typical BlackForce attack begins when a victim clicks a malicious link and is redirected to a phishing page. Server-side checks exclude bots and crawlers before the kit presents a page that closely mimics a legitimate website. Once victims enter their credentials, the information is transmitted in real time to a Telegram bot and a command-and-control (C2) panel using the HTTP client Axios.
To bypass MFA, BlackForce uses MitB techniques to display a fraudulent authentication page in the victim’s browser via the C2 panel. If the victim enters the MFA code on this deceptive page, the attacker captures it to gain unauthorized access to the account. After the attack, victims are redirected to the legitimate website’s homepage, which conceals evidence of the compromise and leaves them unaware of the breach.
GhostFrame: Stealth and Versatility
Discovered in September 2025, GhostFrame has been linked to over a million stealth phishing attacks. The kit’s architecture centers around a simple HTML file that appears benign while concealing its malicious intent within an embedded iframe. This iframe directs victims to a phishing login page designed to steal Microsoft 365 or Google account credentials.
The iframe design allows attackers to easily swap out phishing content, experiment with new tactics, or target specific regions without altering the main web page distributing the kit. By updating the iframe’s destination, the kit can evade detection by security tools that only scrutinize the outer page.
GhostFrame attacks typically begin with phishing emails masquerading as business contracts, invoices, or password reset requests, leading recipients to the fake login page. The kit employs anti-analysis and anti-debugging measures to thwart inspection via browser developer tools and generates a random subdomain for each site visit, further complicating detection efforts.
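Because the outer page looks benign, a scanner has to follow the frame tree rather than stop at the first document. The sketch below is an added example, not code from the kit or from any vendor: it walks nested iframes and reports any cross-origin frame whose content carries a password field. The `fetch` callable, the sample pages and all `.example` host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageFacts(HTMLParser):
    """Collects iframe attributes and counts password inputs in one document."""
    def __init__(self):
        super().__init__()
        self.frames, self.password_inputs = [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.frames.append(a)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

def host(url):
    return (urlparse(url).hostname or "").lower()

def scan(url, fetch, depth=0, max_depth=3):
    """Return (password inputs on url, findings from every frame below it)."""
    facts = PageFacts()
    facts.feed(fetch(url) or "")
    findings = []
    for a in (facts.frames if depth < max_depth else []):
        if not a.get("src"):
            continue  # srcdoc-only frames are not followed in this sketch
        target = urljoin(url, a["src"])
        inner_pw, inner_findings = scan(target, fetch, depth + 1, max_depth)
        style = (a.get("style") or "").replace(" ", "").lower()
        if host(target) != host(url) and inner_pw:
            findings.append({"outer": url, "frame": target,
                             "full_viewport": "width:100%" in style and "height:100" in style})
        findings += inner_findings
    return facts.password_inputs, findings

def audit(url, fetch):
    return scan(url, fetch)[1]

# Constructed sample pages (reserved .example names), standing in for fetched HTML.
SAMPLE = {
    "https://docs.example/contract.html":
        '<html><body><h1>Contract</h1><iframe src="https://x7k2.login-portal.example/signin"'
        ' style="width: 100%; height: 100vh; border: 0"></iframe></body></html>',
    "https://x7k2.login-portal.example/signin":
        '<form><input type="email" name="u"><input type="password" name="p"></form>',
    "https://blog.example/post.html":
        '<p>Talk recording</p><iframe src="https://video.example/embed/1"></iframe>',
    "https://video.example/embed/1": "<video controls></video>",
}
```

Calling `audit("https://docs.example/contract.html", SAMPLE.get)` reports the framed login form, while the blog page with an ordinary video embed produces no finding.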
InboxPrime AI and Spiderman: AI-Driven Phishing
While specific details about InboxPrime AI and Spiderman are limited, their emergence underscores a growing trend: the incorporation of AI into phishing kits to automate and enhance the effectiveness of attacks. These kits can generate highly convincing phishing emails and websites, making it increasingly challenging for users to discern legitimate communications from fraudulent ones.
The Evolving Landscape of Phishing Attacks
The advent of AI-powered phishing kits like BlackForce, GhostFrame, InboxPrime AI, and Spiderman marks a significant shift in cybercriminal tactics. By automating the creation of deceptive content and employing advanced evasion techniques, these kits lower the barrier to entry for less technically skilled attackers, enabling them to execute large-scale, sophisticated phishing campaigns.
The integration of AI allows for the rapid generation of personalized phishing content, increasing the likelihood of deceiving recipients. Moreover, the use of MitB attacks to bypass MFA highlights the need for continuous advancements in security measures to counteract these evolving threats.
Mitigating the Threat
To combat the rise of AI-driven phishing attacks, organizations and individuals must adopt a multi-faceted approach:
1. Enhanced User Education: Regular training sessions to raise awareness about the latest phishing tactics and how to recognize suspicious communications.
2. Advanced Email Filtering: Implementing sophisticated email filtering solutions that can detect and block phishing attempts, even those employing AI-generated content.
3. Robust MFA Solutions: Utilizing MFA methods that are resistant to MitB attacks, such as hardware tokens or biometric authentication.
4. Continuous Monitoring: Employing real-time monitoring systems to detect unusual account activities that may indicate a compromise.
5. Incident Response Planning: Developing and regularly updating incident response plans to swiftly address and mitigate the impact of phishing attacks.
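Why the OTP capture described for BlackForce works while a FIDO2/WebAuthn hardware token resists it, as an added example that is not from the original article: the relying party checks the origin the browser recorded, which an OTP never carries. It assumes the hardware token is a WebAuthn security key; `EXPECTED_ORIGIN`, the host names and the challenge are constructed, and the signature and rpIdHash checks of a full verification are left out.

```python
import base64, hmac, json

EXPECTED_ORIGIN = "https://accounts.example"  # assumed relying-party origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_otp(submitted: str, expected: str) -> bool:
    # An OTP carries no record of which page it was typed into, so a code
    # relayed from a phishing page verifies exactly like a direct one.
    return hmac.compare_digest(submitted.encode(), expected.encode())

def check_client_data(client_data_json: bytes, issued_challenge: bytes) -> str:
    """Relying-party checks on WebAuthn clientDataJSON; returns 'ok' or a reason.

    The authenticator's signature covers the hash of these bytes, so a relay
    cannot rewrite the origin. Signature and rpIdHash checks are not shown.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    challenge = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(challenge, b64url(issued_challenge).encode()):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    return "ok"

def client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for what a browser writes; the page cannot set origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

CHALLENGE = b"constructed-sample-challenge"  # sample value
DIRECT = client_data("https://accounts.example", CHALLENGE)
RELAYED = client_data("https://accounts-example.login-portal.example", CHALLENGE)
```

`check_client_data(DIRECT, CHALLENGE)` returns `ok`, while the assertion produced on the look-alike origin is rejected with `origin mismatch` even though it answers the correct challenge.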
As cybercriminals continue to refine their methods, leveraging AI and other advanced technologies, it is imperative for the cybersecurity community to stay ahead by adopting proactive and adaptive defense strategies.