Cybertech Europe 2026-IT Industry Official Media Partner
Subscribe

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
Contact us

GhostFrame – a new elusive phishing package behind over a million attacks

GhostFrame – GhostFrame – a new, elusive phishing package behind over a million attacks | IT Industry GhostFrame – GhostFrame – a new, elusive phishing package behind over a million attacks | IT Industry
GhostFrame – a new, elusive phishing package behind over a million attacks – Published by IT-Branschen

A new advanced phishing package has been linked to over a million attacks globally in a short period of time. According to a new report from Barracuda, threat actors are exploiting a sophisticated phishing-as-a-service framework called GhostFrame. The technology is based almost exclusively on so-called iframes, which makes the attacks extremely difficult to detect and very effective against both companies and individuals.

A new technological leap in phishing

GhostFrame has been followed by Barracuda since September 2025 and represents a clear technological leap in modern cybercrime. Unlike traditional phishing kits, which often consist of complete fake login pages, GhostFrame uses a very simple external structure.

The victim is often greeted with a seemingly harmless HTML page. The actual malicious code is instead loaded via a hidden iframe, a small embedded window that retrieves content from another server. This keeps the malicious part of the attack invisible to both the user and many security solutions.

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

This is the first time Barracuda has observed an entire phishing framework based almost exclusively on this technology.

https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--73f729f4-5b61-41ac-a096-9d716eec4b3d/ts-ghostframe-fig4.jpg?preferwebp=true&quality=95&width=1024

How GhostFrame works in practice

When the user clicks on a link in a phishing email, the external HTML page is loaded first. This page often lacks clear signs of phishing and can easily pass through traditional security filters. The phishing content itself is then retrieved via the iframe from an external server controlled by the attackers.

This makes the visual experience for the user appear legitimate while the actual communication takes place through the attackers' infrastructure. The technology also allows attackers to quickly change content, test new attack methods, and target different regions without having to change the external page.

https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--eb9e2d07-b9b9-4aa0-abf8-3658732d946f/ts-ghostframe-fig5.jpg?preferwebp=true&quality=95&width=1024

Dynamic subdomains and active protection against scrutiny

GhostFrame also uses dynamically generated subdomains. For each new attack, new addresses are automatically created, making it much more difficult to block the attacks through traditional blacklisting.

The platform also includes active protection against technical analysis. Functions such as right-click, the F12 key and common keyboard shortcuts to show source code and developer tools are blocked. This makes the work of both security analysts and automated analysis tools more difficult.

https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--7383d614-f7cf-4db0-bbad-d32ff1bef4a8/ts-ghostframe-fig6.jpg?preferwebp=true&quality=95&width=1024

Phishing emails follow classic themes

The emails used with GhostFrame vary, but are often based on classic social engineering themes. They can include alleged business proposals, fake HR mailings, fake invoices, or delivery notifications.

The aim, as always, is to get the recipient to click on a malicious link or download a file that leads to theft of login credentials, the spread of malicious code, or further attacks into corporate networks.

Barracuda warns of rapid spread

Saravanan Mohankumar on Barracudas The threat analysis team describes the development as further evidence of how quickly phishing platforms are becoming increasingly sophisticated.

He means that GhostFrame shows how attackers today build modular systems that can be reused, adapted and scaled up quickly. The phishing-as-a-service model also makes it possible for even less technically savvy actors to carry out very advanced attacks.

This risks leading to a greatly increased volume of high-quality phishing attacks against companies worldwide.

https://blog.barracuda.com/adobe/dynamicmedia/deliver/dm-aid--041a8179-c14f-4c56-acd3-98999b2ed6df/ts-ghostframe-fig7.jpg?preferwebp=true&quality=95&width=1024

Companies must work in multiple layers of security

For organizations, this development means that traditional static protection is no longer enough. Security efforts need to be built in multiple layers where email protection, web security, behavioral analysis and continuous system updates interact.

Equally important is employee training. As phishing attacks become more sophisticated, so does the need for user awareness. Suspicious emails must be identified and reported quickly to minimize damage.

Barracuda also highlights the importance of threat sharing and collaboration between organizations. By quickly disseminating information about new attack patterns, more people can protect themselves before the campaigns become widespread.

A clear threat ahead of 2026

GhostFrame clearly shows how phishing is now evolving towards more dynamic, difficult to analyze and flexible platforms. For Swedish companies that are already facing a sharply increasing threat landscape, this is another reason to prioritize IT security high in 2026.

Attackers are becoming faster, smarter and more organized. This means that the defense side must also raise its technical level, cooperation and preparedness.

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT