Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit
A deceptively simple kit that’s already launched a million attacks
Takeaways
- Barracuda threat analysts first spotted GhostFrame in September 2025
- Phishing code is hidden in an iframe in a harmless-looking HTML page
- The kit allows for easy content and location switches to help evade detection
- A new subdomain is used for every victim
In September 2025, Barracuda’s threat analysts identified a series of phishing attacks featuring tools and techniques that did not correspond to any known Phishing-as-a-Service (PhaaS) kit. By December the team had identified over a million attacks using this new kit, which it has named GhostFrame in recognition of its novel and stealthy approach.
A new approach
Unlike most phishing kits, GhostFrame uses a simple HTML file that appears harmless; all the malicious activity takes place inside an iframe, an inline frame element that embeds a second document, possibly served from a different origin, inside the page. This approach makes the phishing page appear authentic while hiding its real origin and purpose.
The iframe design also allows attackers to easily switch out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit.
Further, by simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page.
While the abuse of iframes is not unusual in phishing, this is the first time Barracuda has seen an entire phishing framework built around this technique.
Two-staged attack tactic
The outer, primary phishing page — the harmless-looking HTML file — that is shown to users does not include any typical phishing elements. Instead, it features some basic obfuscation to conceal its purpose and uses dynamic code to generate and manipulate subdomain names so that a new one is generated for each target.
Within this page, however, there are embedded pointers that take targets to a secondary phishing page through an iframe.
This secondary page hosts the actual phishing components. Even here, the attackers avoid a conventional login form: the credential-capturing screens are delivered as images backed by in-memory binary large objects (Blob URIs), which makes them hard to detect for static scanners that typically look for hard-coded phishing forms.
This article details how this two-step method works in practice and why it is so effective at tricking people.
The phishing email
The content of GhostFrame emails switches between topics such as fake business deals and spoofed HR updates. Like other phishing emails, they are designed to trick recipients into clicking dangerous links or downloading harmful files.
Recent subject lines include: “Secure Contract & Proposal Notification,” “Annual Review Reminder,” “Invoice Attached,” and “Password Reset Request.”
Technical analysis
Variants
The kit’s source code exists in two different forms (variants), which are being used concurrently.
One version is obfuscated, making the code difficult to read and analyze, while the other is non-obfuscated and easily understood by humans. The non-obfuscated version, which was seen more often in earlier attacks, contains comments explaining the functionalities of the code.
Left: un-obfuscated variant and right: obfuscated variant
Anti-analysis and anti-debugging
The phishing kit includes a script that obstructs attempts at inspection. Among other things, it suppresses the right-click context menu, blocks the F12 key (which opens developer tools) and cancels Ctrl/Cmd and Ctrl/Cmd+Shift key combinations.
These are the shortcuts an analyst would normally use to view the page source (Ctrl+U), save the page (Ctrl+S) or open developer tools (Ctrl+Shift+I).
The script also swallows the Enter key, making it harder for users or analysts to inspect or save the page.
By intercepting both the right mouse button and the contextmenu event itself, the kit leaves no in-page route to the context menu. These are ordinary DOM event handlers, however: they do nothing against fetching the page with a non-browser client, loading it with JavaScript disabled, or opening developer tools from the browser's own menu.
Random subdomains to deliver the malicious iframe
The phishing kit generates a different, random subdomain each time someone visits the site.
For example: 7T8vA0c7QdtIIfWXRdq1Uv1JtJedwDUs[.]spectrel-a[.]biz.
The full URLs also carry a hash fragment and query parameters, which typically serve as session tokens.
When a target first lands on the site, the malicious iframe remains hidden. It only appears after the loader script checks the subdomain or receives certain signals. Once activated, the loader listens for instructions from the iframe, which can then alter how the browser behaves.
The loader itself doesn’t display any phishing content. Its job is to set up the iframe, manage the browser environment and respond to messages from the iframe. By hosting the phishing page on constantly changing subdomains, attackers make it much harder for security systems to detect and block the threat.
Dynamic subdomain validation
Before displaying the phishing content, the kit checks that the subdomain carries a value derived from a key built into the kit, to confirm it is running on the intended site.
This helps the kit distinguish between genuine attacker infrastructure and temporary redirector domains. If the subdomain passes this test, users see a loading animation. If not, they are redirected to a harmless website.
Special features of the GhostFrame phishing kit
The GhostFrame kit includes several advanced capabilities that make it more effective and difficult to spot:
- Communication between the iframe and the parent page: The fake content inside the iframe uses the ‘window.postMessage’ method to tell the loader page to make changes. This can include:
- Changing the parent page’s title to mimic trusted services, such as “Sign in to your account.”
- Swapping the website’s favicon to make the page look more authentic.
- Redirecting the top-level browser window to another domain if instructed.
- Rotating subdomains during a session to help the attack avoid detection.
- Hard-coded fallback iframe: If the JavaScript fails or is blocked, the kit includes a backup iframe at the bottom of the page. This ensures the phishing attempt can still work, giving attackers a reliable way to continue their scam.
- Blob URI image-based login screens: The kit can display exact copies of login pages, such as those for Microsoft 365 or Google, as images inside the iframe rather than as regular HTML. The images are served through a blob: URI, so their bytes come from the browser's memory rather than from an address a scanner could fetch. Attackers use a double-buffering technique, preparing the next image while the current one is shown, to switch images quickly, making the fake login page look even more convincing as users interact with it.
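A heuristic scanner for the loader traits listed above, as an added example (my code, not Barracuda's detection logic and not the kit's). Because the outer page carries no login form, it scores a page on the building blocks the article describes instead: a message listener on the parent, a hidden or script-created iframe, a static fallback iframe, blob: URIs, hostname manipulation, title swapping and the anti-inspection handlers. The regexes, the weights, the SUSPICIOUS_SCORE threshold and both sample pages are constructed for illustration, and the placement of the fallback iframe inside noscript is an assumption.

```javascript
// Added example, not Barracuda's or the kit's code: score an HTML page on the
// GhostFrame-style loader traits described in the article. Patterns, weights
// and the threshold are assumptions chosen to illustrate the approach.
const TRAITS = [
  // the parent page listens for instructions from the frame
  { id: 'message-listener', weight: 2, re: /addEventListener\(\s*['"]message['"]/ },
  // an iframe that is hidden or sized to nothing
  { id: 'hidden-iframe', weight: 2,
    re: /<iframe[^>]*(?:\shidden[\s>=]|display\s*:\s*none|visibility\s*:\s*hidden|width\s*[=:]\s*["']?0(?:px)?\b)/i },
  // an iframe created from script rather than written into the markup
  { id: 'dynamic-iframe', weight: 1, re: /createElement\(\s*['"]iframe['"]/i },
  // a hard-coded fallback iframe for when script is blocked (noscript placement assumed)
  { id: 'fallback-iframe', weight: 2, re: /<noscript[^>]*>[\s\S]*?<iframe/i },
  // content served from browser memory instead of a fetchable URL
  { id: 'blob-uri', weight: 1, re: /createObjectURL\(|['"]blob:/ },
  // right-click, F12 and devtools-shortcut suppression
  { id: 'anti-inspect', weight: 1, re: /['"]contextmenu['"]|keyCode\s*===?\s*123|['"]F12['"]/ },
  // script that reads or rewrites the current hostname (subdomain rotation)
  { id: 'hostname-rewrite', weight: 1, re: /location\.hostname|location\.host\b/ },
  // parent title changed from script to mimic a sign-in page
  { id: 'title-swap', weight: 1, re: /document\.title\s*=[^=]/ },
];
const SUSPICIOUS_SCORE = 5;   // assumed threshold; tune against your own corpus

// Score a page: which traits matched, their summed weight, and a verdict.
function scanPage(html) {
  const matched = TRAITS.filter((t) => t.re.test(html));
  const score = matched.reduce((sum, t) => sum + t.weight, 0);
  return {
    hits: matched.map((t) => t.id),
    score,
    verdict: score >= SUSPICIOUS_SCORE ? 'suspicious' : 'clean',
  };
}

// Constructed sample: an ordinary marketing page with a visible video embed
// that also listens for messages from its (legitimate) embed.
const BENIGN_PAGE = `<!doctype html><html><head><title>Acme Widgets</title></head><body>
<h1>Contact us</h1>
<form action="/contact" method="post"><input name="email"><button>Send</button></form>
<iframe width="560" height="315" src="https://video.example.com/embed/42" title="Product tour"></iframe>
<script>
window.addEventListener('message', function (e) { if (e.data === 'ready') console.log('embed ready'); });
</script>
</body></html>`;

// Constructed sample modelled on the outer loader page described in the
// article: no form, a spinner, anti-inspection handlers, a hidden iframe built
// from script, a message listener that retitles the page, and a static fallback.
const LOADER_PAGE = `<!doctype html><html><head><title>Document</title></head><body>
<div id="spin" class="loader"></div>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('keydown', function (e) {
  if (e.key === 'F12' || (e.ctrlKey && e.shiftKey)) e.preventDefault();
});
var f = document.createElement('iframe');
f.style.display = 'none';
f.src = 'https://' + location.hostname + '/s/';
document.body.appendChild(f);
window.addEventListener('message', function (e) {
  if (e.data.t) document.title = e.data.t;
  if (e.data.go) top.location = e.data.go;
});
</script>
<noscript><iframe src="https://example.invalid/s/" style="display:none"></iframe></noscript>
</body></html>`;
```

The scoring is deliberately cumulative: a single trait such as a message listener is common on legitimate pages with embedded widgets, which is why the benign sample stays clean at a score of 2 while the loader sample, which combines several traits, scores well above the threshold. The secondary page needs its own heuristics (image-based login screens with no form), which this scanner does not attempt.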
How to defend against this threat
A multilayered approach is needed to protect emails and employees against GhostFrame and similar stealthy phishing attacks. The following steps will help:
- Enforce regular browser updates for all users.
- Train employees to avoid clicking links in unsolicited emails, to check URLs carefully before entering credentials, and to report suspicious pages that look “embedded” into other content or seem to be partially loaded.
- Deploy email security gateways and web filters that detect suspicious iframes used in HTML emails or landing pages.
- On your own web properties, send a Content-Security-Policy frame-ancestors directive (or the older X-Frame-Options header) so that your pages cannot be embedded in frames by other sites. This prevents clickjacking and unauthorized framing of your content, though it does not stop a phishing page hosted elsewhere from framing its own content. You should also regularly scan your web applications for injection flaws that would let an attacker insert an iframe.
- Monitor for unusual redirects or embedded content in web traffic.
How Barracuda Email Protection can help your organization
Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.