Threat Spotlight: The number of phishing kits doubled in 2025, bringing stealth, innovation and the same old themes 
Posted: Thursday, Jan 15

SYDNEY, Australia – 13 January 2026 – In 2025, the number of known phishing-as-a-service (PhaaS) kits doubled, increasing the pressure on security teams trying to defend against this ever-evolving threat, according to Barracuda’s phishing review of 2025.

Aggressive newcomers such as Whisper 2FA and GhostFrame introduced inventive and evasive tools and tactics, including a suite of techniques to prevent analysis of their malicious code, while established groups such as Mamba and Tycoon continued to evolve and thrive. Each kit was behind millions of attacks.

According to Barracuda’s analysis, the most prevalent tools and techniques used by phishing kits in 2025 were:

  • Multifactor authentication bypass, seen in 48% of attacks.
  • URL obfuscation techniques, also seen in 48%.
  • The abuse of CAPTCHA for evasion, which featured in 43% of all attacks.
  • Polymorphic techniques and the use of malicious QR codes, each seen in around 20% of attacks.
  • Malicious attachments, used in 18% of all attacks.
  • The abuse of trusted online platforms (seen in 10% of attacks) and the use of generative AI tools such as zero-code development sites (also 10%).

The main themes used for phishing emails are remarkably similar to those of previous years, although they have evolved with time thanks to the use of generative AI and other tools.

In 2025, one in five (19%) phishing emails related to payment and invoice scams. Digital signature and document review emails accounted for 18% of attacks, with HR-related documents featuring in 13%. Many exploited trusted brand names, mimicking websites and logos with increasing accuracy.

“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, Director, Software Engineering at Barracuda. “The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud. To stay protected, organisations need to move past static defences and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy.”

For more information on the evolution of phishing kits in 2025, read the blog: Threat Spotlight: How phishing kits evolved in 2025 | Barracuda Networks Blog.
