New “GhostFrame” kit fuels 1M+ ultra‑stealth phishing attacks

A new phishing framework called GhostFrame, built around an ultra-stealthy iframe architecture, has been linked to more than one million attacks. But it’s different from most other phishing kits.
According to cybersecurity experts at Barracuda who first spotted GhostFrame and named it as such in September, the new kit uses a simple HTML file that appears harmless.
Plus, all the malicious activity happens inside an iframe, a small window in a web page that can show content from another source. This approach makes the phishing page appear authentic while hiding its real origins and purpose.
The iframe design also allows attackers to easily swap phishing content, try new tricks, or target specific regions, all without changing the main web page that distributes the kit.
According to Barracuda researchers, while iframe abuse is common, this is the first time an entire phishing framework has been structured around this particular technique.
GhostFrame's attack chain unfolds in two stages. The visible outer, primary phishing page doesn’t include any typical phishing markers.
It instead relies on some basic obfuscation to conceal its purpose and uses dynamic code that generates a new subdomain for every visitor.
Then, pointers embedded within the page take targeted users to a secondary phishing page through an iframe. This one actually holds phishing components, buried inside a feature meant for streaming very large files to sidestep static detection tools.
The content of GhostFrame emails switches between topics such as fake business deals and spoofed HR updates. Like other phishing emails, they’re designed to trick recipients into clicking dangerous links or downloading harmful files.
Recent subject lines include: “Secure Contract & Proposal Notification,” “Annual Review Reminder,” “Invoice Attached,” and “Password Reset Request.”
To defend against GhostFrame and similar threats, Barracuda recommends enforcing regular browser updates, avoiding unsolicited links, and deploying email gateways and web filters to spot suspicious iframes.
Users would also do well to restrict iframe embedding on corporate sites and scan for injection risks. Finally, monitoring for unusual redirects or embedded content is highly recommended.
“A multilayered approach is needed to protect emails and employees against GhostFrame and similar stealthy phishing attacks,” said Barracuda.
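One way a web filter or mail gateway could apply the iframe checks Barracuda recommends, shown as an added example that is not from Barracuda or the original article. The heuristics, the `scan_html` and `IframeAudit` names, and the two sample pages are constructed assumptions, not the vendor's detection logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative heuristics (assumptions), not Barracuda's detection logic.
FULLSCREEN = re.compile(r"100\s*(%|vw|vh)")   # iframe sized to fill the viewport
DYNAMIC_SRC = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|\.src\s*=")

class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        if tag != "iframe":
            return
        src = a.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        if not src or src.startswith("about:"):
            self.findings.append("iframe-without-static-src")   # filled in at runtime
        elif host and host != self.page_host:
            self.findings.append("cross-origin-iframe:" + host)
        size = " ".join((a.get("style", ""), a.get("width", ""), a.get("height", "")))
        if FULLSCREEN.search(size):
            self.findings.append("full-viewport-iframe")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline script that creates an iframe or assigns a src at runtime.
        if self.in_script and DYNAMIC_SRC.search(data):
            self.findings.append("script-builds-iframe-src")

def scan_html(html, page_host):
    """Return sorted, de-duplicated findings for one HTML document."""
    audit = IframeAudit(page_host)
    audit.feed(html)
    audit.close()
    return sorted(set(audit.findings))

# Constructed sample pages (not taken from any real kit or site).
SUSPECT = ('<html><body><iframe id="f" style="width:100vw;height:100vh;border:0"></iframe>'
           '<script>document.getElementById("f").src = target;</script></body></html>')
BENIGN = '<html><body><iframe src="/help/embed.html" width="600" height="400"></iframe></body></html>'
```

Findings are signals to score or route for review rather than verdicts, since legitimate pages also embed cross-origin or script-loaded frames.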