A new advanced phishing package has been linked to over a million attacks globally in a short period of time. According to a new report from Barracuda, threat actors are exploiting a sophisticated phishing-as-a-service framework called GhostFrame. The technology is based almost exclusively on so-called iframes, which makes the attacks extremely difficult to detect and very effective against both companies and individuals.
A new technological leap in phishing
GhostFrame has been followed by Barracuda since September 2025 and represents a clear technological leap in modern cybercrime. Unlike traditional phishing kits, which often consist of complete fake login pages, GhostFrame uses a very simple external structure.
The victim is often greeted with a seemingly harmless HTML page. The actual malicious code is instead loaded via a hidden iframe, a small embedded window that retrieves content from another server. This keeps the malicious part of the attack invisible to both the user and many security solutions.
It is the first the time Barracuda observes an entire phishing framework that is almost exclusively based on this technique.
How GhostFrame works in practice
When the user clicks on a link in a phishing email, the external HTML page is loaded first. This page often lacks clear signs of phishing and can easily pass through traditional security filters. The phishing content itself is then retrieved via the iframe from an external server controlled by the attackers.
This makes the visual experience for the user appear legitimate while the actual communication takes place through the attackers' infrastructure. The technology also allows attackers to quickly change content, test new attack methods, and target different regions without having to change the external page.
Dynamic subdomains and active protection against scrutiny
GhostFrame also uses dynamically generated subdomains. For each new attack, new addresses are created automatically, making it significantly more difficult to block the attacks through traditional blacklisting.
The platform also includes active protection against technical analysis. Functions such as right-click, the F12 key and common keyboard shortcuts to show source code and developer tools are blocked. This makes the work of both security analysts and automated analysis tools more difficult.
Phishing emails follow classic themes
The emails used with GhostFrame vary, but are often based on classic social engineering themes. They can include alleged business proposals, fake HR mailings, fake invoices, or delivery notifications.
The aim, as always, is to get the recipient to click on a malicious link or download a file that leads to the theft of login details, the spread of malware or further attacks into corporate networks.
Barracuda warns of rapid spread
Saravanan Mohankumar on Barracudas The threat analysis team describes the development as further evidence of how quickly phishing platforms are becoming increasingly sophisticated.
He means that GhostFrame shows how attackers today build modular systems that can be reused, adapted and scaled up quickly. The phishing-as-a-service model also makes it possible for even less technically savvy actors to carry out very advanced attacks.
This risks leading to a greatly increased volume of high-quality phishing attacks against business worldwide.
Companies must work in multiple layers of security
For organizations, this development means that traditional static protection is no longer enough. Security efforts need to be built in multiple layers where email protection, web security, behavioral analysis and continuous system updates interact.
Equally important is employee training. As phishing attacks become more sophisticated, so does the need for user awareness. Suspicious emails must be identified and reported quickly to minimize damage.
Barracuda also highlights the importance of threat sharing and cooperation between organizations. By quickly disseminating information about new attack patterns, more people can protect themselves before the campaigns become widespread.
A clear threat ahead of 2026
GhostFrame clearly shows how phishing is now evolving towards more dynamic, difficult to analyze and flexible platforms. For Swedish companies that are already facing a sharply increasing threat landscape, this is another reason to prioritize IT security high in 2026.
Attackers are becoming faster, smarter and more organized. This means that the defense side must also raise its technical level, cooperation and preparedness.
Swedish
Danish
Norwegian
Finnish
English
German
Dutch