GhostFrame
GhostFrame is a phishing kit / Phishing-as-a-Service (PhaaS) offering identified as a new entrant in 2025. It is described as a stealth-focused kit that emphasizes obfuscation and URL concealment to evade detection and static analysis. Reported capabilities include a two-stage iframe architecture to hide malicious content, visitor validation before loading phishing pages, random subdomain rotation on each visit, and delivery of phishing forms via blob-based image streaming. The supporting content places GhostFrame among increasingly sophisticated PhaaS kits used to enable large-scale phishing campaigns. No nation-state attribution, operator identity, or additional aliases/sub-groups are provided in the available content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.