GhostFrame
GhostFrame is a phishing-as-a-service (PhaaS) kit tracked since September 2025 and reported to have powered more than a million phishing attacks. It is a stealth-focused kit built around obfuscation and URL concealment: the malicious content is loaded inside iframes served from constantly changing subdomains. The kit uses a two-stage iframe architecture, generates a unique random subdomain for each victim, and can rotate subdomains during an active session, which defeats blocklists keyed on a single domain or host. Visitors are validated before any phishing page loads, and the sign-in form itself is delivered through blob-based image streaming, hidden inside image-streaming or large-file-handler features, so static analysis and content scanners that inspect the page source find no form in it. Reported anti-analysis behaviour includes disabling right-click, blocking keyboard shortcuts, and interfering with browser developer tools. To impersonate a brand, the kit changes the page title and favicon to match the spoofed service, so a fake login screen presents itself as a legitimate Microsoft 365 sign-in page. The reporting places GhostFrame within the broader 2025 rise of sophisticated PhaaS kits used to run large-scale phishing campaigns.
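As an added illustration (not GhostFrame's own code and not a Mallory rule), the Python script below turns the behaviours listed above into two checks a defender can run offline: a static scan of a captured page for the evasion markers (external iframe, blob: URL handling, right-click and shortcut blocking, devtools interference, spoofed title and favicon), and a churn count over proxy-log URLs that flags registered domains serving many random-looking subdomains. The sample page, the URLs, the marker regexes and every threshold are constructed assumptions for the example; the regexes match common ways of implementing each behaviour, not GhostFrame signatures.

```python
"""Heuristic checks for the GhostFrame evasion markers described on this page.

Added illustration: this is not GhostFrame code and not a Mallory detection
rule. The indicators map to behaviours the page reports (iframes chained
through throwaway subdomains, blob: URLs carrying the sign-in form, blocked
right-click and keyboard shortcuts, devtools interference, spoofed title and
favicon). The sample page, the sample URLs and every threshold are
assumptions constructed for this example.
"""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Name -> regex run over raw page source. Each pattern is a common way to
# implement the behaviour the page describes, not a kit-specific signature.
PAGE_MARKERS = {
    "iframe_chain": re.compile(r"<iframe[^>]*\ssrc=[\"']https?://", re.I),
    "blob_form": re.compile(r"URL\.createObjectURL\s*\(|[\"']blob:https?://", re.I),
    "contextmenu_block": re.compile(
        r"addEventListener\s*\(\s*[\"']contextmenu[\"']|oncontextmenu\s*=", re.I),
    # keydown handler that references the usual devtools keys within 500 chars
    "shortcut_block": re.compile(
        r"[\"']keydown[\"'][\s\S]{0,500}?(?:F12|keyCode\s*===?\s*123|ctrlKey)", re.I),
    "devtools_interference": re.compile(
        r"\bdebugger\b|outerWidth\s*-\s*innerWidth", re.I),
    "title_spoof": re.compile(
        r"document\.title\s*=\s*[\"'][^\"']*(?:Microsoft|Office\s*365|Sign in to your account)", re.I),
    "favicon_swap": re.compile(r"\.href\s*=\s*[\"'][^\"']*\.ico[\"']", re.I),
}

SUSPICIOUS_THRESHOLD = 3  # assumption: three independent markers on one page


def scan_page(html: str) -> dict:
    """Return the matched marker names and a verdict for one captured page."""
    hits = [name for name, rx in PAGE_MARKERS.items() if rx.search(html)]
    return {"hits": hits, "suspicious": len(hits) >= SUSPICIOUS_THRESHOLD}


def shannon_entropy(label: str) -> float:
    """Character entropy in bits; 0.0 for an empty or single-character label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(label: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Crude randomness test for one hostname label (thresholds are assumptions)."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def subdomain_churn(urls, min_labels: int = 3) -> dict:
    """Count distinct random-looking leftmost labels per registered domain.

    The registered domain is approximated as the last two labels; a public
    suffix list would be needed to handle names such as example.co.uk.
    """
    seen = defaultdict(set)
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        parts = host.split(".")
        if len(parts) < 3:
            continue
        registered = ".".join(parts[-2:])
        if looks_random(parts[0]):
            seen[registered].add(parts[0])
    return {d: len(s) for d, s in seen.items() if len(s) >= min_labels}


# Constructed sample page that mimics the reported behaviours (not real kit code).
SAMPLE_PAGE = """<html><head><title>Loading</title><link rel="icon" href="/fav.ico"></head>
<body>
<iframe src="https://k8d3ma02xq.example-cdn.test/stage2" style="border:0"></iframe>
<script>
document.title = "Sign in to your account";
document.querySelector('link[rel="icon"]').href = "https://k8d3ma02xq.example-cdn.test/ms.ico";
document.addEventListener("contextmenu", e => e.preventDefault());
document.addEventListener("keydown", e => { if (e.key === "F12" || (e.ctrlKey && e.shiftKey)) e.preventDefault(); });
fetch("/img/loader.bin").then(r => r.blob()).then(b => { stage2.src = URL.createObjectURL(b); });
setInterval(function () { debugger; }, 100);
</script></body></html>"""

BENIGN_PAGE = "<html><head><title>Team blog</title></head><body><p>Hello</p></body></html>"

# Constructed proxy-log URLs: one session crossing three throwaway subdomains.
SAMPLE_URLS = [
    "https://k8d3ma02xq.example-cdn.test/stage1",
    "https://zp41wv9hfl.example-cdn.test/stage2",
    "https://q2n7rt5ycd.example-cdn.test/stage2",
    "https://www.example-cdn.test/favicon.ico",
    "https://static.example.org/app.js",
]

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))        # all seven markers, suspicious
    print(scan_page(BENIGN_PAGE))        # no markers
    print(subdomain_churn(SAMPLE_URLS))  # {'example-cdn.test': 3}
```

Run the page scan over content captured by a sandbox or proxy rather than over a live fetch: because the kit validates visitors before loading the page and hands each victim its own subdomain, a scanner that re-requests the URL later may be refused or land on a different host, and the blob-delivered form never appears in the initial HTML anyway. The churn check works on hostnames alone, so it applies to proxy or DNS logs even when page content was not retained.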
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Phishing kit used for credential theft at scale.
A stealth-oriented phishing kit using advanced obfuscation, URL concealment, and blob-based image streaming to evade detection and static analysis.
GhostFrame is a sophisticated phishing-as-a-service kit that uses dynamic iframes and subdomain rotation to evade detection. It lets attackers spoof legitimate services and hide phishing forms inside non-obvious web features, and it employs anti-analysis techniques to hinder investigation. These capabilities allow less-skilled cybercriminals to run large-scale, evasive phishing campaigns.