GhostFrame iframe phishing kit powers 1m attacks

Wed, 10th Dec 2025

A newly identified phishing-as-a-service kit called GhostFrame has driven more than one million phishing attacks in recent months, according to researchers at cybersecurity firm Barracuda.

The kit uses hidden web page components to obscure its malicious functions from security tools. It relies heavily on iframes, which are small windows embedded in web pages that can load content from other sources.

Barracuda's threat analysis team began tracking GhostFrame in September. The researchers describe it as a highly evasive phishing framework that centres on iframe-based evasion.

The company says this is the first time it has seen an entire phishing platform built almost entirely around the iframe technique. The approach marks a shift in how phishing kits conceal their underlying infrastructure.

Deceptive outer layer

GhostFrame presents targets with a simple HTML page that appears benign. The visible page does not carry obvious phishing content.

The real phishing activity takes place inside a concealed iframe within that page. The iframe loads a secondary phishing site that hosts the credential-stealing components.

Barracuda's analysis indicates that the outer HTML file uses dynamic code to generate and manipulate subdomain names. It generates a new subdomain for each target.

This design gives each phishing email or session a unique address. Many security tools rely on known domain patterns and static indicators, so frequent subdomain changes can reduce the chance of detection.

The iframe structure also embeds pointers that route victims to the hidden phishing page. The visible page remains largely free of obvious malicious elements.

Hidden credential theft

The secondary page inside the iframe holds the actual phishing forms. These forms capture usernames, passwords and other credentials.

Attackers hide the credential-capturing forms inside an image-streaming feature intended for very large files. Static scanners often look for hard-coded form fields linked to login pages.

By folding forms into an image-streaming mechanism, GhostFrame makes those fields harder to identify through simple scanning. The technique complicates inspection processes that rely on searching for known phishing markers in the page source.

The flexible iframe architecture also means attackers can alter the phishing content rapidly. They can test new lures or tailor pages for specific regions without changing the main distribution page.

Researchers say attackers can update only the destination of the iframe. This can allow the kit to bypass security systems that focus checks on the outer HTML page while ignoring embedded content.

Aggressive anti-inspection

GhostFrame includes measures that interfere with manual inspection by analysts and incident responders. It restricts normal interaction with the page.

The kit blocks right-click actions with the mouse. It also blocks the F12 key, which users and analysts typically use to open browser developer tools.

The code also disables the Enter key and common keyboard shortcuts built on Ctrl/Cmd and Ctrl/Cmd+Shift. These shortcuts often open source views, save pages, or launch diagnostic tools.

These restrictions make it harder for defenders to review the underlying code in a live browser session. The measures also hinder attempts to capture and analyse the phishing page in real time.
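
The outer-page traits described above (an embedded iframe that points at another host, plus blocked right-click, F12 and Enter) can be checked statically on a saved copy of the page. The Python below is an added example, not Barracuda's tooling or code from the kit; the rule names, the sample page and the example.com/example.net hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Generic heuristics chosen for this example; not signatures taken from the kit.
SCRIPT_RULES = {
    "blocks-context-menu": re.compile(r"contextmenu", re.I),
    "blocks-f12": re.compile(r"""['"]F12['"]|keyCode\s*===?\s*123\b"""),
    "blocks-enter": re.compile(r"""['"]Enter['"]|keyCode\s*===?\s*13\b"""),
}

class PageTriage(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host, set()
        self.script, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_script = tag == "script"
        if "oncontextmenu" in a:  # inline right-click blocker on any element
            self.findings.add("blocks-context-menu")
        host = urlparse(a.get("src", "")).hostname if tag == "iframe" else None
        if host and host != self.page_host:
            self.findings.add("cross-origin-iframe")

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def triage(html, page_url):
    p = PageTriage(urlparse(page_url).hostname)
    p.feed(html)
    p.close()
    code = "".join(p.script)
    # Key and menu rules count only when a handler also suppresses the event.
    if re.search(r"preventDefault\(|return\s+false", code):
        p.findings.update(n for n, rx in SCRIPT_RULES.items() if rx.search(code))
    return sorted(p.findings)

# Constructed sample page (hosts are reserved example domains).
SAMPLE = """<html><body oncontextmenu="return false"><p>Loading document...</p>
<iframe src="https://a1b2.portal.example.net/view" style="border:0"></iframe>
<script>document.addEventListener('keydown', function (e) {
  if (e.key === 'F12' || e.key === 'Enter' || e.ctrlKey || e.metaKey) e.preventDefault();
});</script></body></html>"""
print(triage(SAMPLE, "https://files.example.com/doc.html"))
```

This check looks only at the outer page, which the researchers note is the layer the kit keeps clean, so a finding is a cue to retrieve and inspect the iframe target in an isolated environment rather than a verdict on its own.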

Shifting phishing themes

The content of GhostFrame phishing emails uses a mix of familiar social engineering themes. Subjects range from fake business deals to spoofed HR updates.

The emails direct recipients towards dangerous links or files. The use of traditional themes increases the chance that targets recognise the style and engage with the content.

Barracuda says the combination of conventional phishing lures and a stealthy technical framework gives GhostFrame broad reach. The figure of more than one million attacks since September reflects both automated delivery and ongoing kit reuse by multiple threat actors.

The researchers position GhostFrame alongside a wider wave of newer phishing kits that place a strong focus on evasion. These kits often include dynamic infrastructure, obfuscation techniques and anti-analysis controls.

"The discovery of GhostFrame highlights how rapidly and cleverly phishing kits are evolving. GhostFrame is the first example we've seen of a phishing platform based almost entirely around iframes, and the attackers take full advantage of this feature to increase flexibility and evade detection," said Saravanan Mohankumar, manager in the threat analysis team at Barracuda.

Mohankumar said organisations should adjust their defences in response to such tools. "To stay protected, organisations need to move past static defences and adopt multilayered strategies: user training, regular browser updates, security tools to detect suspicious iframes, continuous monitoring, and threat intelligence sharing," said Mohankumar.