Spiderman Phishing Kit Targets European Banks and Cryptocurrency Services

A new phishing framework named GhostFrame has been linked to over one million attacks. Built around a stealthy iframe architecture, GhostFrame conceals malicious behavior within embedded iframes, allowing attackers to evade detection and dynamically adjust phishing content. The framework employs anti-analysis controls and randomized subdomains to maintain stealth and ensure attack continuity. GhostFrame's attack chain involves a benign-looking outer page that loads a secondary phishing page within an iframe, which contains the actual credential-harvesting components. The framework's emails vary widely in themes, including fake contract notices, HR updates, and password reset requests.

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update C2 server, and drop and execute additional payloads.

The phishing-as-a-service (PhaaS) platform Whisper 2FA has been responsible for nearly one million phishing attacks since July 2025. Whisper 2FA uses AJAX to capture credentials and multi-factor authentication (MFA) codes, effectively bypassing MFA protections. The platform has evolved rapidly, incorporating advanced obfuscation and anti-debugging techniques. Whisper 2FA targets multiple industries by mimicking popular brands such as DocuSign, Adobe, and Microsoft 365. The attacks use urgent lures like invoices or voicemail notifications to prompt users to log in and submit their details. The platform's sophistication and ease of deployment make it a significant threat in the PhaaS landscape, ranking just behind Tycoon and EvilProxy.

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. Additionally, a new phishing automation platform named Quantum Route Redirect (QRR) is targeting Microsoft 365 users worldwide. QRR uses around 1,000 domains hosted on parked or compromised domains to steal credentials. The attacks start with malicious emails impersonating various services, redirecting users to credential harvesting pages. QRR employs a built-in filtering mechanism to distinguish between bots and human visitors, redirecting humans to phishing pages while sending bots to benign sites. QRR has been observed targeting Microsoft 365 accounts across 90 countries, with 76% of attacks directed at U.S. users. The platform offers advanced features such as a configuration panel, monitoring dashboards, intelligent traffic routing, and an analytics dashboard, making it easier for less technically minded cybercriminals to launch sophisticated phishing campaigns. QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.

Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. The Sneaky 2FA phishing kit has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms. This kit uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages and employs conditional loading techniques to ensure only intended targets can access them. The phishing domains are quickly rotated to minimize detection, and the kit uses obfuscation and disables browser developer tools to resist analysis. Sneaky2FA is a widely used PhaaS platform alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts. The kit uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers. Sneaky2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim’s OS and browser. An attacker stealing credentials and active session tokens can authenticate to the victim’s account, even when the two-factor authentication (2FA) protection is active.