GhostFrame stealthy iframe phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The GhostFrame phishing campaign has been tied to more than one million attacks, raising the risk of large-scale credential theft through a stealthy delivery chain. Its iframe-based design helps attackers hide malicious content, swap lures, and evade scanners without changing the visible page. The operation uses fake contract, HR, invoice, and password-reset messages to reach email recipients and employees. Reported on 2025-12-04, the activity shows how phishing kits are evolving to stay resilient under detection pressure.
Related Happenings
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware Activity
First: 12.12.2025 16:04
Last: 12.12.2025 16:04
Sources 1
About this happening:
**BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
BlackForce, GhostFrame, InboxPrime AI, and Spiderman phishing kits scaling credential theft
Malware ActivityAbout this happening: **BlackForce**, **GhostFrame**, **InboxPrime AI**, and **Spiderman** are newly documented phishing kits that expand **credential theft at scale** and make it easier to bypass **MF...
Whisper 2FA phishing campaign targeting accounts across multiple industries
Campaign
First: 15.10.2025 18:00
Last: 15.10.2025 18:00
Sources 1
About this happening:
**Whisper 2FA** has become a high-volume **phishing campaign** that has driven **nearly one million attacks** against **accounts across multiple industries** since **July 2025**....
Whisper 2FA phishing campaign targeting accounts across multiple industries
CampaignAbout this happening: **Whisper 2FA** has become a high-volume **phishing campaign** that has driven **nearly one million attacks** against **accounts across multiple industries** since **July 2025**....
Timeline
-
04.12.2025 16:30 2 articles · 5mo ago
Barracuda identifies the GhostFrame phishing framework
Initial DisclosureBarracuda identifies GhostFrame, a phishing framework built around a stealthy iframe architecture, and links it to more than one million attacks. The kit hides credential-harvesting content inside an embedded iframe, uses randomized subdomains for delivery, and adds anti-analysis controls that block right-click actions, the F12 key, Enter, and common inspection shortcuts. The lures include fake contract notices, HR updates, invoice messages, and password-reset requests, while defensive guidance focuses on browser updates, email gateways, web filters, iframe restrictions, and redirect monitoring.
Show sources
- New GhostFrame Phishing Framework Hits Over One Million Attacks — www.infosecurity-magazine.com — 04.12.2025 16:30
- New GhostFrame Phishing Framework Hits Over One Million Attacks — www.infosecurity-magazine.com — 04.12.2025 16:30