Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit

Barracuda threat analysts identified GhostFrame as a new phishing kit that hides its malicious activity inside an iframe within a harmless-looking HTML page. It supports easy content and location switching, uses random subdomains for each victim, and employs anti-analysis techniques. The kit has been used in over a million attacks since September 2025.

Key points

  • GhostFrame is a phishing kit that hides malicious activity inside an iframe on a harmless-looking HTML page.
  • Attackers can swap phishing content and target regions by changing the iframe source without altering the main distribution page.
  • The kit generates random subdomains per victim and uses dynamic subdomain validation to avoid detection.
  • Credential harvesting is embedded in image-based login screens using blob URIs to thwart static phishing detectors.
  • Anti-analysis features block right-click, F12, and common shortcuts to hinder security researchers.
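
The traits listed above can be checked statically when triaging a suspicious HTML page. The following is an added example, not code from Barracuda's report or from the kit: a Python heuristic that parses one HTML document and reports which of those traits are present. The regexes, the two-trait review threshold and all host names are assumptions made for the illustration, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics chosen for this example (assumptions, not signatures from the report).
SCRIPT_TRAITS = {
    "blocks_context_menu": re.compile(r"contextmenu[\s\S]{0,200}?(preventDefault|return\s+false)", re.I),
    "blocks_devtools_keys": re.compile(r"['\"]F12['\"]|keyCode\s*={2,3}\s*123", re.I),
    "uses_blob_uri": re.compile(r"createObjectURL|blob:", re.I),
}

class TraitScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframe_hosts, self.js, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.iframe_hosts.append(host)
        elif tag == "script":
            self._in_script = True
        # Inline handlers such as oncontextmenu="return false" count as script.
        self.js += [f"{k} {v}" for k, v in attrs if k.startswith("on") and v]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.js.append(data)

def scan(html, page_host):
    """Return the set of trait names found in one HTML document."""
    parser = TraitScanner()
    parser.feed(html)
    parser.close()
    js = "\n".join(parser.js)
    traits = {name for name, rx in SCRIPT_TRAITS.items() if rx.search(js)}
    if any(host != page_host.lower() for host in parser.iframe_hosts):
        traits.add("cross_host_iframe")  # iframe content served from another host
    return traits

def needs_review(traits):
    # Assumed triage rule: one trait alone is common on benign sites.
    return len(traits) >= 2

# Constructed samples (hypothetical hosts under .example).
SAMPLE_SUSPECT = """<body oncontextmenu="return false"><iframe src="https://a1b2c3.kit.example/x"></iframe>
<script>document.addEventListener('keydown', e => { if (e.key === 'F12') e.preventDefault(); });</script></body>"""
SAMPLE_BENIGN = '<body><h1>Docs</h1><iframe src="https://video.example/embed/42"></iframe></body>'
```

Because the kit keeps the outer page harmless-looking, run the same scan on the document loaded inside the iframe as well as on the outer page.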

A deceptively simple kit that’s already launched a million attacks

Takeaways

  • Barracuda threat analysts first spotted GhostFrame in September
  • Phishing code is hidden in an iframe in a harmless-looking HTML page
  • The kit allows for easy content and location switches to help evade detection
  • A new subdomain is used for every victim

In September 2025, Barracuda’s threat analysts identified a series of phishing attacks featuring tools and techniques that did not correspond to any known Phishing-as-a-Service (PhaaS) kit. By December the team had identified over a million attacks using this new kit, which it has named GhostFrame in recognition of its novel and stealthy approach.

Source: https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit