GhostFrame Phishing Kit: New Stealthy PhaaS Threat Emerges

Redazione RHC : 14 December 2025 22:59

Barracuda has released details of a new stealthy, evasive phishing-as-a-service (PhaaS) kit that hides malicious content within web page iframes to evade detection and maximize resilience.

This is the first time Barracuda has detected a complete phishing framework built around the iframe technique.

Threat analysts have been monitoring the new PhaaS since September 2025 and have dubbed it GhostFrame. To date, over a million attacks have been attributed to this kit.

Barracuda’s technical analysis shows that GhostFrame’s functionality is deceptively simple, yet highly effective.

Unlike most phishing kits, GhostFrame uses a simple, seemingly innocuous HTML file, with all the malicious activity taking place within an iframe, a small window within a web page that can display content from another source. This approach makes the phishing page appear authentic while hiding its true origin and purpose.

GhostFrame’s most notable features include:

  • An innocuous-looking external HTML file that contains no phishing content that could trigger detection and that uses dynamic code to generate and manipulate subdomain names, so that a new one is generated for each destination.
  • Embedded pointers within this page nonetheless direct users to a secondary phishing page via an iframe.
  • The iframe page hosts the actual phishing components. Attackers hide the credential capture modules within an image streaming function designed for large files, making it difficult for static scanners, which typically look for hardcoded phishing modules, to detect the attack.
  • The iframe’s design allows attackers to easily modify the phishing content, test new tricks, or target specific regions, all without modifying the main web page distributing the kit. By simply updating the iframe’s target, the kit can evade detection by security tools that only monitor the external page.
  • Like other next-generation phishing kits, GhostFrame aggressively prevents and disrupts inspection. Among other things, it blocks right-clicking, blocks the F12 key (used for developer tools) and the Enter key, and prevents the use of common keyboard shortcuts built on Ctrl/Cmd and Ctrl/Cmd+Shift. These shortcuts are often used by security analysts to view source code, save pages, or open developer tools.
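
A static triage heuristic for the behaviours listed above, as an added example that is not from Barracuda's analysis or from the original article: it flags HTML that loads a frame while also suppressing inspection paths (context menu, F12, Ctrl/Cmd shortcuts). The signal names, regexes, threshold and both sample pages are constructed assumptions, not published GhostFrame signatures.

```python
import re
from html.parser import HTMLParser

# Heuristics taken from the behaviours listed above; the patterns and the
# threshold are assumptions for illustration, not published kit signatures.
SCRIPT_SIGNALS = {
    "blocks_context_menu": re.compile(r"contextmenu", re.I),
    "blocks_f12": re.compile(r"""['"]F12['"]|keyCode\s*={2,3}\s*123"""),
    "blocks_ctrl_shortcuts": re.compile(r"\b(?:ctrlKey|metaKey)\b"),
    "dynamic_iframe": re.compile(r"""createElement\(\s*['"]iframe['"]\s*\)""", re.I),
    "runtime_built_host": re.compile(r"""https?://(?:['"]\s*\+|\$\{)"""),
}
ANTI_INSPECTION = {"blocks_context_menu", "blocks_f12", "blocks_ctrl_shortcuts"}

class PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.signals, self._in_script = set(), False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.signals.add("static_iframe")
        if any(name == "oncontextmenu" for name, _ in attrs):
            self.signals.add("blocks_context_menu")
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # inline script bodies arrive here as raw text
            self.signals |= {n for n, rx in SCRIPT_SIGNALS.items() if rx.search(data)}

def scan(html):
    """Flag pages that load a frame AND suppress at least two inspection paths."""
    parser = PageScanner()
    parser.feed(html)
    parser.close()
    framed = bool(parser.signals & {"static_iframe", "dynamic_iframe"})
    blocked = len(parser.signals & ANTI_INSPECTION)
    return {"signals": sorted(parser.signals), "suspicious": framed and blocked >= 2}

# Constructed samples (not captured from a real campaign).
LOADER = """<script>
document.oncontextmenu = () => false;
document.onkeydown = e => !(e.key === "F12" || e.ctrlKey || e.metaKey);
var f = document.createElement("iframe");
f.src = "https://" + Math.random().toString(36).slice(2) + ".example.invalid/";
</script>"""
BENIGN = '<h1>Docs</h1><iframe src="https://example.org/embed"></iframe>'
```

A hit only means the outer page deserves a closer look: the frame target still has to be fetched and inspected separately, since the outer file by design carries no phishing content.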

GhostFrame phishing emails rotate between traditional themes, such as fake business deals and fake HR updates. Like other phishing emails, they are designed to trick recipients into clicking on dangerous links or downloading malicious files.

“The discovery of GhostFrame highlights the speed and intelligence with which phishing kits are evolving. GhostFrame is the first example we’ve seen of a phishing platform based almost exclusively on iframes, and attackers are taking full advantage of this capability to increase flexibility and evade detection,” said Saravanan Mohankumar, director of threat analysis at Barracuda.

“To stay protected, organizations must go beyond static defenses and adopt multi-layered strategies: user training, regular browser updates, security tools to detect suspicious iframes, continuous monitoring, and threat intelligence sharing.”
