December 10, 2025 By Pieter Arntz
GhostFrame is a new phishing-as-a-service (PhaaS) kit, tracked since September 2025, that has already powered more than a million phishing attacks.
Threat analysts spotted a series of phishing attacks featuring tools and techniques they hadn’t seen before. A few months later, they had linked over a million attempts to this same kit, which they named GhostFrame for its stealthy use of iframes. The kit hides its malicious activity inside iframes loaded from constantly changing subdomains.
An iframe is a small browser window embedded inside a web page, allowing content to load from another site without sending you away–like an embedded YouTube video or a Google Map. That embedded bit is usually an iframe and is normally harmless.
