Phishing-as-a-Service (PhaaS) kits lower the barrier to entry, enabling less-skilled attackers to run large-scale, targeted phishing campaigns that impersonate legitimate services and institutions, according to Barracuda Networks.
Phishing kits grow more sophisticated and scalable
Barracuda threat analysts found that in 2025 the most common phishing themes were designed to trick users into clicking links, scanning QR codes, opening attachments, or sharing personal information with attackers.
These techniques remain successful despite years of security controls and user awareness efforts. Attackers are increasingly using AI, new evasion and obfuscation methods, and a growing range of trusted platforms to host and distribute malicious content.
Theme-related innovations observed in 2025 included payment and invoice fraud, vishing, document-based scams, and HR-related lures.
“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, Director, Software Engineering at Barracuda.
“The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud. To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy,” Sakthivel continued.
The most prevalent techniques used in phishing kits included URL obfuscation, MFA bypass, and CAPTCHA abuse. Attackers also leveraged malicious QR codes and attachments, social engineering, and polymorphic attacks.
New players
In 2025, the number of active PhaaS kits doubled. Established kits such as Tycoon 2FA and Mamba 2FA faced growing competition from newer entrants including Cephas, Whisper 2FA, and GhostFrame, which focus on advanced anti-analysis, MFA bypass, and stealth deployment.
Sneaky 2FA
Sneaky 2FA bypasses 2FA using adversary-in-the-middle (AitM) techniques. It validates stolen credentials through legitimate Microsoft APIs, evades bots and sandboxes, uses browser-in-the-browser fake login windows, and redirects victims to Microsoft-related pages to reduce suspicion.
CoGUI
CoGUI is a phishing kit with advanced evasion and anti-detection capabilities, commonly used by Chinese-speaking threat actors. It employs geofencing, header fencing, and device fingerprinting to evade automated analysis. CoGUI campaigns do not capture MFA credentials and impersonate platforms such as Amazon, PayPal, Rakuten, and Apple.
Cephas
Cephas is an obfuscated phishing kit featuring anti-bot and anti-analysis techniques, with integration into Microsoft APIs. It validates stolen credentials and session tokens during submission to confirm usability and includes unusual page comments that may support fingerprinting evasion or content diversification.
Whisper 2FA
Whisper 2FA is a lightweight phishing kit built for fast deployment and MFA bypass, using AJAX-based exfiltration instead of complex reverse proxies. It features strong anti-analysis obfuscation and supports multiple MFA bypass methods, including push notifications, SMS, voice calls, and app-based codes.
GhostFrame
GhostFrame is a stealth-focused phishing kit that emphasizes obfuscation and URL concealment. It uses a two-stage iframe architecture to hide malicious content, validates visitors before loading pages, rotates random subdomains per visit, and delivers phishing forms via blob-based image streaming to evade detection and static analysis.
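One way a defender could hunt in web proxy logs for the per-visit random subdomain rotation described for GhostFrame, shown as an added example that is not from Barracuda's report or from any kit. The log records, the .test hostnames, the thresholds, and the naive two-label parent-domain split are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample proxy log: (client, requested host). Not real indicators.
SAMPLE_LOG = [
    ("alice", "x7k2m9qa4t.example-phish.test"),
    ("bob",   "p3z8w1nd6r.example-phish.test"),
    ("carol", "h5c0v4jy2b.example-phish.test"),
    ("dave",  "t9g6e1ul3s.example-phish.test"),
    ("erin",  "q2f7o8ik5m.example-phish.test"),
    ("alice", "www.example.test"), ("bob", "www.example.test"),
    ("carol", "mail.example.test"), ("dave", "mail.example.test"),
    ("erin",  "login.example.test"), ("alice", "login.example.test"),
    ("bob",   "cdn1.shop.test"), ("bob", "cdn2.shop.test"),
    ("bob",   "img.shop.test"), ("bob", "static.shop.test"),
    ("bob",   "api.shop.test"),
]

# Assumed thresholds; tune against your own baseline traffic.
MIN_DISTINCT = 4         # distinct subdomains seen under one parent
MIN_UNIQUE_RATIO = 0.8   # share of visits that used a never-repeated subdomain
MIN_MEAN_ENTROPY = 3.0   # bits per label; random strings score high

def label_entropy(label):
    """Shannon entropy (bits) of the characters in a subdomain label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def split_host(host):
    """Naive split into (subdomain, parent); production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[:-2]), ".".join(parts[-2:])

def rotating_subdomain_parents(log):
    """Return parent domains whose subdomains look random and are almost never reused."""
    visits = defaultdict(list)
    for _client, host in log:
        sub, parent = split_host(host)
        if sub:
            visits[parent].append(sub)
    flagged = {}
    for parent, subs in visits.items():
        distinct = set(subs)
        ratio = len(distinct) / len(subs)
        mean_h = sum(label_entropy(s) for s in distinct) / len(distinct)
        if len(distinct) >= MIN_DISTINCT and ratio >= MIN_UNIQUE_RATIO and mean_h >= MIN_MEAN_ENTROPY:
            flagged[parent] = {"distinct": len(distinct), "visits": len(subs), "mean_entropy": round(mean_h, 2)}
    return flagged

if __name__ == "__main__":
    for parent, stats in rotating_subdomain_parents(SAMPLE_LOG).items():
        print(parent, stats)
```

On the constructed data, only the parent with five single-use, high-entropy subdomains is flagged; the site with reused labels and the site with many low-entropy service names are not.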
