A newly identified phishing-as-a-service (PhaaS) kit, tracked since September 2025, has been linked to more than one million phishing attacks. The kit, referred to by researchers as GhostFrame, represents a notable shift in phishing infrastructure by building an entire attack framework around the use of web page iframes to evade detection.

Unlike conventional phishing kits, GhostFrame relies on a minimal outer HTML file that appears benign and contains no direct phishing content. The malicious activity is executed entirely within an embedded iframe, allowing the phishing page to appear legitimate while obscuring its true function and source.

Technical analysis shows that the outer HTML file dynamically generates unique subdomains for each target, reducing the likelihood of detection through reputation-based controls. Embedded pointers within this file direct victims to a secondary phishing page loaded through the iframe. This iframe hosts the credential-harvesting components, which are concealed within an image-streaming mechanism typically associated with large files, making them difficult for static scanners to identify.

The iframe-based structure also enables attackers to modify phishing content, target specific regions, or deploy new techniques without altering the main distribution page. By changing only the iframe destination, the kit can bypass security tools that inspect only the outer page.

GhostFrame further incorporates inspection-evasion techniques that interfere with analysis, including disabling right-click functionality, blocking developer tools access via keyboard shortcuts, and preventing common commands used to view source code or inspect page elements.

Phishing campaigns linked to this kit use familiar social engineering themes such as fake business communications and spoofed human resources messages, designed to prompt recipients to click malicious links or download harmful files.

The emergence of iframe-centric phishing frameworks highlights the increasing sophistication of phishing infrastructure and the continued evolution of evasion techniques aimed at bypassing traditional detection methods.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!