Barracuda has published details of a new, evasive and stealthy phishing-as-a-service (PhaaS) kit that hides its malicious content in web page iframes to bypass detection and maximise flexibility. This is the first time Barracuda has seen an entire phishing framework built around the iframe technique. Threat analysts have been tracking the new PhaaS since September 2025 and have named it GhostFrame. Over a million attacks to date are attributed to this kit.
Barracuda’s technical analysis shows that the functionality of GhostFrame is deceptively simple but highly effective.
Unlike most phishing kits, GhostFrame uses a simple HTML file that appears harmless, and all the malicious activity takes place inside an iframe, which is a small window in a web page that can show content from another source. This approach makes the phishing page appear authentic while hiding its real origins and purpose.
Noteworthy features of GhostFrame include:
- An outer harmless-looking HTML file that carries no phishing content to trigger detection and uses dynamic code to generate and manipulate subdomain names so that a new one is generated for each target.
- Within this page, however, there are embedded pointers that take targets to a secondary phishing page through an iframe.
- The iframe page hosts the actual phishing components. Attackers hide the credential-capturing forms inside an image-streaming feature designed for very large files, making it difficult for static scanners that typically search for hard-coded phishing forms, to detect the attack.
- The iframe design allows attackers to easily switch out the phishing content, try new tricks or target specific regions, all without changing the main web page that distributes the kit. By simply updating where the iframe points, the kit can avoid being detected by security tools that only check the outer page.
- Like other new-generation phishing kits, GhostFrame aggressively prevents and disrupts inspection. Among other things, it blocks right-clicking on the mouse, blocks the keyboard’s F12 key (used for developer tools) and the Enter key, and prevents common keyboard shortcuts like Ctrl/Cmd and Ctrl/Cmd+Shift. These shortcuts are usually used by security analysts to view the source code, save the page or open developer tools.
The content of GhostFrame phishing emails switches between traditional topics such as fake business deals and spoofed HR updates. Like other phishing emails, they are designed to trick recipients into clicking dangerous links or downloading harmful files.
“The discovery of GhostFrame highlights how rapidly and cleverly phishing kits are evolving. GhostFrame is the first example we’ve seen of a phishing platform based almost entirely around iframes, and the attackers take full advantage of this feature to increase flexibility and evade detection,” said Saravanan Mohankumar, manager in the threat analysis team at Barracuda. “To stay protected, organizations need to move past static defenses and adopt multilayered strategies: user training, regular browser updates, security tools to detect suspicious iframes, continuous monitoring, and threat intelligence sharing.”
For a detailed technical analysis of GhostFrame, read the blog: https://blog.barracuda.com/2025/12/04/threat-spotlight-ghostframe-phishing-kit
