The top phishing themes, teams and tactics of the last 12 months
Takeaways
- The number of known phishing kits doubled during 2025
- Newcomers are sophisticated, evasive and stealthy
- MFA bypass, URL obfuscation and CAPTCHA abuse seen in half of all attacks
- Traditional phishing scams and kits thrive due to constant innovation — there were 10 million Mamba 2FA attacks in late 2025
In 2025, 90% of high-volume phishing campaigns leveraged Phishing-as-a-Service (PhaaS) kits. These kits have transformed the phishing landscape, enabling even less-skilled cybercriminals to access advanced tools and automation and launch large-scale, targeted phishing campaigns, often impersonating legitimate services and institutions.
This article provides an overview of phishing kit activity and evolution during 2025. It is a companion piece to the 2026 phishing predictions published in December 2025.
Top PhaaS attack themes
The most common phishing themes seen by Barracuda threat analysts during 2025 were worryingly familiar. They included fake payment, financial, legal, digital signature and HR-related messages — all designed to trick users into clicking on a link, scanning a QR code or opening an attachment and sharing personal information with attackers.
These are tried-and-tested approaches that have been around for years, spoofing trusted brands like Microsoft, DocuSign, SharePoint and more. They continue to succeed despite growing user awareness and ever-improving security measures.
This success is due to continuous innovation in the underlying tools and tactics, making the emails more authentic and convincing. Attackers are leveraging AI, new security bypass and obfuscation techniques and abusing a broader range of trusted platforms to host and distribute content.
The theme-related innovations seen during 2025 include:
Payment and invoice scams
- Attackers used generative AI to produce highly convincing “overdue invoice” emails and payment requests that closely matched the tone, style and branding of the legitimate service they were impersonating.
- QR codes were embedded in the invoices to push victims from secure desktop environments to less‑protected mobile devices, increasing the chances of a successful attack.
Voicemail scams (‘vishing’)
- Emails included links to “secure voicemail” portals that harvested credentials.
- Attackers also used generative AI to generate multiple variations of phishing emails and scripts, helping the emails to bypass detection and increase believability.
- Trusted email addresses were spoofed to make the attacks look legitimate, and the emails even copied the familiar design and patterns used by well‑known services that handle voicemail notifications.
Financial and legal document scams
- Attackers used social engineering tricks along with generative AI to eliminate any obvious errors that might tip off victims. By making the messages feel more personal and constantly adapting their patterns, they made it much harder for victims to distinguish the malicious emails from real ones.
- Attackers used spear phishing techniques to carefully research each organization, gaining insights into its key executives and closely impersonating them. In some instances, they hijacked or used compromised accounts to deceive employees into approving fraudulent transfers.
Signature and document review scams
- Attackers impersonated a growing number of trusted platforms with high-quality branding and "urgent” demands to review and sign.
- Embedding malicious QR codes in authentic-looking signature requests moved the attack to mobile devices outside the corporate security perimeter.
HR-related scams (benefits, payroll, employee handbook)
- Attacks were aligned with tax deadlines and payroll cycles to exploit urgency.
- QR codes were embedded in "policy updates" to bypass email filters.
Popular techniques used in phishing in 2025
The techniques used by phishing kits during 2025 were varied and inventive. They included:
- URL obfuscation to hide links from detection and inspection, seen in 48% of attacks. Attackers also added open redirects and human verification steps, making phishing URLs appear authentic and harder to block.
- Attacks bypassing multifactor authentication (MFA), for example by stealing session cookies (also seen in 48% of attacks).
- Attacks that leveraged CAPTCHA for added authenticity and to hide suspicious destinations (43%).
- Malicious QR codes (seen in 19%). Attackers began splitting QR codes into multiple images or nesting malicious codes within or around legitimate ones to evade detection by email security tools.
- ‘Polymorphic’ attacks that varied the email header, body and destination to confuse or delay detection (20%).
- Malicious attachments (18%).
- The abuse of trusted, legitimate online platforms, such as those used for collaboration or design (10%).
- Attacks leveraging generative AI, for example, the use of no-code platforms, AI-generated CAPTCHAs, comments and code (10%).
- The use of ‘Blob URIs’, a type of web address that points to data held in the browser’s memory rather than on a remote server, making the content hard to inspect with traditional link-scanning measures (2%).
- The use of ‘ClickFix’ social engineering techniques, where a user is tricked into manually executing a malicious command (1%).
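The open-redirect and URL-obfuscation techniques in the list above can be checked statically before a link is ever followed. The script below is an added example (not Barracuda's tooling): it takes constructed sample links with placeholder hostnames, strips nested percent-encoding, and flags any query parameter that carries a destination on a different host from the link itself.

```python
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample links of the kind extracted from a suspicious email
# (hostnames are placeholders, not real infrastructure).
SAMPLE_LINKS = [
    # open redirect: trusted outer host, attacker-controlled target in the query
    "https://trusted-portal.example/redirect?url=https%3A%2F%2Flogin.example.net%2Fauth",
    # same idea, but the target is double percent-encoded to defeat naive scanners
    "https://cdn.example/go?next=%2568%2574%2574%2570%2573%253A%252F%252Fbad.example",
    # benign link with no embedded destination
    "https://docs.example/view/shared-file",
]

def fully_unquote(value: str, limit: int = 5) -> tuple[str, int]:
    """Percent-decode until the string stops changing; return (text, extra_rounds)."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def assess_link(link: str) -> dict:
    """Flag query parameters that carry a URL pointing off the link's own host."""
    outer_host = (urlparse(link).hostname or "").lower()
    off_host, nested = [], False
    # parse_qsl already strips one layer of encoding; further layers are suspicious
    for key, raw in parse_qsl(urlparse(link).query, keep_blank_values=True):
        value, rounds = fully_unquote(raw)
        nested = nested or rounds > 0
        inner = urlparse(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            if inner.hostname.lower() != outer_host:
                off_host.append(inner.hostname.lower())
    return {
        "link": link,
        "off_host": off_host,          # where the user actually lands
        "nested_encoding": nested,     # percent-encoding layered more than once
        "suspicious": bool(off_host) or nested,
    }

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(assess_link(link))
```

In a mail gateway this check belongs alongside domain reputation, since a redirect to an unknown host is the signal worth acting on, not the trusted outer domain.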
Phishing kits doubled in number as newcomers moved in
Barracuda’s threat analysts recorded a doubling in the number of PhaaS kits in active use during 2025, with persistent and adaptable incumbents such as Tycoon 2FA and Mamba 2FA facing competition from aggressive newcomers such as Cephas, Whisper 2FA and GhostFrame. The team reported regularly on some of the most prevalent phishing kits throughout the year.
The new phishing kits are sophisticated and share a focus on advanced anti-analysis measures, MFA bypass and stealth deployment.
Below are five notable new players and their key characteristics:
Sneaky 2FA
Sneaky 2FA is an advanced phishing kit leveraging adversary-in-the-middle (AitM) techniques to bypass two-factor authentication.
Distinctive features:
- Microsoft API interaction: The kit engages directly with legitimate Microsoft APIs to validate captured credentials and session tokens, ensuring successful account takeovers.
- Anti-bot/anti-analysis features: It includes evasion techniques designed to block automated tools and sandbox environments.
- BitB (browser-in-the-browser) functionality: The kit generates fake browser windows that perfectly mimic legitimate login pop-ups, hiding the true malicious URL from victims.
- Redirection: It also redirects victims to a Microsoft-related Wikipedia page after credential capture to maintain authenticity and reduce suspicion, and does the same whenever any form of analysis, automation or sandbox activity is detected.
CoGUI
A sophisticated kit designed with advanced evasion and anti-detection capabilities, commonly used by Chinese-speaking threat actors.
Distinctive features:
- Evasion techniques: Implements geofencing (limiting access by location), header fencing (filtering email headers), and fingerprinting (capturing device characteristics) to avoid detection by automated systems.
- Doesn’t capture MFA: Unlike many modern phishing kits, the CoGUI campaigns seen to date do not feature MFA credential harvesting.
- Similarities to Darcula: Shares traits with the Darcula phishing kit, including infrastructure overlap and targeting patterns.
- Target impersonation: Frequently impersonates major platforms such as Amazon, PayPal, Rakuten and Apple.
Cephas
Cephas is a heavily obfuscated phishing kit with advanced anti-bot and anti-analysis techniques and strong Microsoft API integration.
Distinctive features:
- Microsoft API integration: Ensures captured credentials and session tokens are valid and immediately usable.
- Code obfuscation: Uses dense, highly obfuscated JavaScript.
- Thematic page anomalies: Includes unusual comments on pages (e.g., “wine tasting on Riverside Avenue,” “Spectral Quasar”), possibly as fingerprinting evasion or content diversification techniques.
Whisper 2FA
Whisper 2FA is a lightweight, stealth-focused phishing kit optimized for simplicity, speed and MFA bypass.
Distinctive features:
- Streamlined exfiltration: Uses AJAX-based credential and MFA token theft, avoiding heavy reverse proxies and reducing deployment complexity.
- Aggressive anti-analysis: The code uses Base64 + XOR obfuscation, reinforced by multiple obfuscation layers, anti‑debugging traps and script‑level inspection blocks.
- MFA bypass capability: Includes a Base64-encoded list of MFA methods (push notifications, SMS, voice calls, app codes) to handle various authentication scenarios.
GhostFrame
First seen by Barracuda in September 2025, GhostFrame is an inventive, evasive and super-stealthy kit that prioritizes code obfuscation and URL concealment.
Distinctive features:
- iframe abuse: A two-stage attack tactic with a harmless-looking outer HTML file pointing to embedded iframes that hide the phishing content.
- Anti-analysis measures: Employs techniques similar to other advanced kits to evade automated detection.
- Dynamic subdomain creation and validation: The phishing kit generates a different, random subdomain each time someone visits the site and runs verification checks before displaying the phishing content.
- Blob image streaming: Uses blob (Binary Large Object) image streaming for the actual phishing forms to evade static link inspection.
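Several of the traits described above for Whisper 2FA (Base64 + XOR decoding in script) and GhostFrame (hidden iframes, blob URIs created at runtime to hold the real form, as also noted under Blob URIs earlier) leave simple static fingerprints in the landing page. The scanner below is an added example (not Barracuda's or any kit's code) that runs a set of regex indicators over two constructed HTML samples and scores them; the sample "suspect" page is a minimal stand-in, not real kit code.

```python
import re

# Constructed sample pages (not real kit code). The first is benign; the second
# carries the traits described above: a hidden iframe, Base64 + XOR decoding in
# script, and a blob: URI created at runtime to hold the real form.
BENIGN_PAGE = """<html><body><h1>Quarterly report</h1>
<img src="/static/chart.png"><script>console.log("ready");</script></body></html>"""

SUSPECT_PAGE = """<html><body><p>Loading document...</p>
<iframe id="f" style="width:0;height:0;border:0"></iframe>
<script>
var k="secret", d=atob("QUJDREVG"), o="";
for (var i=0;i<d.length;i++){o+=String.fromCharCode(d.charCodeAt(i)^k.charCodeAt(i%k.length));}
var b=new Blob([o],{type:"text/html"});
document.getElementById("f").src=URL.createObjectURL(b);
</script></body></html>"""

# Each indicator is one cheap static check; none is conclusive alone, so they are scored.
INDICATORS = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*:\s*0|height\s*:\s*0|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "xor_decode_loop": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^", re.I),
    "blob_uri_created": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "iframe_src_from_blob": re.compile(r"\.src\s*=\s*URL\.createObjectURL", re.I),
}

def scan_page(html: str) -> dict:
    """Return the matched indicators and a simple score for one HTML document."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(html)]
    score = len(matched)
    if score >= 3:
        verdict = "likely phishing-kit page"
    elif score > 0:
        verdict = "needs analyst review"
    else:
        verdict = "no kit indicators"
    return {"indicators": matched, "score": score, "verdict": verdict}

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(label, scan_page(page))
```

Because the real form lives in a blob: URI that only exists in the victim's browser, link-based scanning never sees it; these page-content checks are the complement a sandbox or secure-browsing proxy can apply.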
Conclusion
2025 witnessed an explosion in the number of phishing kits. Newcomers are developing and scaling rapidly and creating a varied and crowded threat landscape that brings new challenges for defenders.
However, as we move into 2026, it’s important to remember that traditional kits also remain extremely dangerous. In late 2025, Barracuda analysts detected a surge in activity by the well-known Mamba 2FA phishing kit — accounting for close to 10 million attacks.
The established kits are neither down nor out. There’s just more for security teams to understand and defend against.
Protection against evolving techniques
A successful phishing attack can have far-reaching consequences for victims, from the loss of credentials and sensitive data to ransomware, extortion, operational downtime, productivity loss and damaged reputations.
Traditional approaches are no longer enough to keep this rapidly evolving and increasingly advanced threat at bay. Organizations need an AI-powered integrated security platform such as BarracudaONE with 24/7 oversight.
This should be coupled with a resilient security culture, regularly updated cybersecurity awareness training for employees, a strong focus on authentication and access controls, timely software updates and other essential cybersecurity basics.