New Phishing Kits Utilize AI and Evasion Techniques to Enhance Credential Theft

By Tina Reynolds

Cybersecurity researchers from INKY have recently discovered four new advanced phishing kits. These kits leverage artificial intelligence and advanced evasion techniques to facilitate credential theft at unprecedented scale. The kits, BlackForce, GhostFrame, InboxPrime AI and Spiderman, have become some of the most troubling threats on the digital landscape. Such developments allow cybercriminals to conduct the most sophisticated and fruitful phishing campaigns with the least effort, giving security experts serious cause for concern.

What makes InboxPrime AI unique is its AI-driven capabilities, which enable attackers to automate the production of phishing emails. The kit’s email generator features an entire email composer, including subject lines, designed to get messages past spam filters. Among other things, it features a real-time spam diagnostic module. This module scans each generated email for typical spam-filter red flags and recommends fixes for those issues to improve deliverability.

The marketing strategy for InboxPrime AI includes a subscription model advertised on a Telegram channel with over 1,300 members, priced at $1,000. Buyers of this malware-as-a-service (MaaS) solution are granted a perpetual license and complete access to the source code. This significantly lowers the barrier to entry into phishing, allowing newer, less skilled attackers to get in on the game.

The Rise of AI in Phishing

InboxPrime AI is a prime example of the intersection of artificial intelligence with phishing methods. According to Abnormal’s researchers Callie Baron and Piotr Wojtyla, “It is designed to mimic real human emailing behavior and even leverages Gmail’s web interface to evade traditional filtering mechanisms.” This malicious design goes beyond automating phishing email generation: it also increases the chance of a successful security bypass.

The kit’s sender identity randomization and spoofing features enable attackers to customize the sender’s display name for every Gmail session. This tactic makes it more likely that victims will click on malicious links or divulge sensitive information. InboxPrime AI takes a well-rounded approach that gives today’s cybercriminals the power to launch campaigns with almost perfect deliverability, through an interface that is sleek and professional, just like real email marketing software.
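One defensive check that follows from the per-session display-name randomization described above, as an added example that is not from the article or the researchers it cites: group inbound `From:` headers by address and flag any address that appears under many distinct display names. The sample headers, the `.example` addresses, the function names and the threshold of 3 are all assumptions made for illustration.

```python
from collections import defaultdict
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample From: headers (not taken from any real campaign).
SAMPLE_FROM_HEADERS = [
    '"Payroll Team" <acct.7731@gmail.example>',
    '=?utf-8?q?Payroll_Team?= <acct.7731@gmail.example>',  # same name, RFC 2047 encoded
    '"IT Helpdesk" <acct.7731@gmail.example>',
    '"DocuShare Notifications" <acct.7731@gmail.example>',
    '"HR Benefits" <acct.7731@gmail.example>',
    '"Alice Martin" <alice.martin@partner.example>',
    'Alice  Martin <Alice.Martin@partner.example>',  # same sender, different spacing/case
    'noreply@vendor.example',  # no display name at all
]


def normalize_name(raw_name):
    """Decode RFC 2047 encoded words, collapse whitespace and fold case."""
    decoded = str(make_header(decode_header(raw_name)))
    return " ".join(decoded.split()).casefold()


def display_names_by_address(from_headers):
    """Map each lower-cased sender address to the set of display names seen with it."""
    seen = defaultdict(set)
    for header in from_headers:
        raw_name, addr = parseaddr(header)
        if not addr:
            continue  # unparseable header, nothing to group on
        name = normalize_name(raw_name)
        if name:
            seen[addr.lower()].add(name)
    return seen


def flag_rotating_senders(from_headers, threshold=3):
    """Return addresses used with at least `threshold` distinct display names.

    The threshold is an assumed starting point; tune it against real mail flow.
    """
    seen = display_names_by_address(from_headers)
    return {a: sorted(n) for a, n in seen.items() if len(n) >= threshold}


if __name__ == "__main__":
    for addr, names in flag_rotating_senders(SAMPLE_FROM_HEADERS).items():
        print(f"{addr}: {len(names)} display names -> {names}")
```

Normalizing before counting keeps encoding, spacing and case variants of one legitimate name from inflating the count.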

“InboxPrime AI blends artificial intelligence with operational evasion techniques and promises cybercriminals near-perfect deliverability, automated campaign generation, and a polished, professional interface that mirrors legitimate email marketing software.” – Abnormal researchers Callie Baron and Piotr Wojtyla

Enhanced Techniques in Phishing Kits

The other new phishing kits use extensive techniques that raise them to a new level of professional development. BlackForce, for example, a Telegram bot, has so far been used to impersonate more than 11 major brands, including Disney, Netflix, DHL and UPS. This impersonation is key to building trust with prospective victims, increasing their likelihood of falling for the scams.

More recently, Spiderman has been used against customers of multiple European banks as well as online financial services providers. This is quite a deadly menace. Specifically, it replicates login pages for almost every financial institution in Germany, Austria, Switzerland and Belgium. Varonis researcher Daniel Kelley describes Spiderman as “a full-stack phishing framework that replicates dozens of European banking login pages, and even some government portals.”

The kit’s most notable feature is the ability to log each session with a unique ID. This functionality makes it easier for attackers to preserve consistency throughout the phishing workflow once they’ve collected credentials.

“After capturing credentials, Spiderman logs each session with a unique identifier so the attacker can maintain continuity through the entire phishing workflow.” – Varonis researcher Daniel Kelley

The Threat of GhostFrame and Salty-Tycoon Hybrid

Since its discovery in September 2025, GhostFrame has continued to circulate and gain traction within the cybersecurity community at large. It employs Man-in-the-Browser (MitB) tactics to render a malicious MFA spoof page in the victim’s browser session. This approach tricks users into entering extra credentials under the guise of legitimacy.

Enter the new hybrid, Salty-Tycoon. This makes it difficult to write detection rules for it, as has been done for previous phishing kits. This development coincides closely with a major decrease in Salty 2FA operations starting in late October 2025. This drop shows that attackers are adapting their tactics in order to more successfully evade security solutions.

“This overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection.” – ANY.RUN

The implications of these advancements are significant. These kits are being distributed at an unprecedented rate. Consequently, the rate of attacks will greatly increase, further overwhelming cybersecurity defenders who are already in a defensive posture.