Cybersecurity researchers have documented a new wave of advanced phishing kits—BlackForce, GhostFrame, InboxPrime AI and Spiderman—that are purpose-built to harvest credentials and one-time passwords (OTPs) at scale. Sold on Telegram and Signal under phishing-as-a-service and malware-as-a-service models, these toolkits give even low-skilled attackers the ability to run highly convincing, automated campaigns against corporate users.
BlackForce, first detected in August 2025, exemplifies the shift. It combines classic credential harvesting with Man-in-the-Browser (MitB) capabilities that intercept OTPs in real time as victims type them in, allowing attackers to bypass multi-factor authentication (MFA) and hijack accounts. After victims enter their details on a fake login page, credentials and OTPs are sent instantly to a command-and-control panel and Telegram bot, and the user is then redirected to the real site to hide evidence of compromise.
AI Supercharges Scale and Believability
Where earlier kits relied on static templates and manually crafted emails, the latest generation uses AI to generate dynamic, context-aware content. InboxPrime AI, for instance, is marketed as an “AI-powered email engine” that automates mass phishing campaigns, mimics human sending behaviour and even leverages webmail interfaces to evade traditional spam filters. It offers criminals near-perfect deliverability and campaign automation that looks closer to legitimate marketing software than underground malware.
GhostFrame and Spiderman focus on stealth and targeting. GhostFrame uses randomised subdomains, anti-analysis and anti-debugging techniques to frustrate security researchers and automated scanners, while Spiderman layers ISP allowlisting, geofencing and device filtering so that only intended victims ever see the phishing pages. Some variants are designed to capture not just login credentials and OTPs, but also PhotoTAN codes, crypto wallet seed phrases and credit card data.
Why OTP-Based MFA Is No Longer Enough
These kits underline a growing consensus in the security community: shared-secret MFA methods like SMS or app-based OTPs are increasingly vulnerable in the age of AI-driven phishing and live-proxy attacks. MitB kits act as an invisible proxy between the victim and the real site, capturing both the credentials and the ephemeral MFA codes fast enough to use them before they expire. Once attackers obtain a valid session cookie, simply changing a password or revoking an OTP does little to kick them out.
Security reports over the past year have also highlighted “MFA fatigue” and real-time OTP theft campaigns targeting Microsoft 365, banking and higher-education accounts. As attackers use AI to generate more convincing lures and scripts, the traditional user-awareness playbook is hitting its limits—humans and pattern-based filters struggle to distinguish between legitimate and malicious communications at this level of polish.
What Enterprises Should Do Differently
Defending against these kits requires more than better spam filters and more training slides. Organisations need to adopt phishing-resistant authentication methods—such as FIDO2 passkeys, hardware security keys, device-bound cryptographic tokens and risk-based, adaptive MFA that cannot be easily proxied or replayed. Where OTPs remain in use, transaction signing and out-of-band verification can reduce the value of intercepted codes.
On the detection side, AI-powered email and web security that analyses behavioural anomalies, domain infrastructure and page behaviour is becoming essential. SOC teams should also watch for signs of MitB and proxy activity, including unusual device fingerprints, rapid geo-shifts, and logins from new autonomous systems immediately after user interaction with email. Combined with strong identity governance and regular phishing simulations tuned to next-gen tactics, this layered approach gives enterprises a fighting chance against AI-enhanced phishing infrastructure.
