In 2025, the number of known phishing-as-a-service (PhaaS) kits doubled, increasing the pressure on security teams trying to defend against this ever-evolving threat, according to Barracuda’s phishing review of 2025.
Aggressive newcomers such as Whisper 2FA and GhostFrame introduced inventive and evasive tools and tactics, including a suite of techniques to prevent analysis of their malicious code, while established groups such as Mamba and Tycoon continued to evolve and thrive. Each kit was behind millions of attacks.
According to Barracuda’s analysis, the most prevalent tools and techniques used by phishing kits in 2025 were:
- Multifactor authentication bypass, seen in 48% of attacks.
- URL obfuscation techniques, also seen in 48%.
- The abuse of CAPTCHA for evasion, which featured in 43% of all attacks.
- Polymorphic techniques and the use of malicious QR codes, each seen in 20% of attacks.
- Malicious attachments, used in 18% of all attacks.
- The abuse of trusted online platforms (seen in 10% of attacks) and the use of generative AI tools such as zero-code development sites (also 10%).
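URL obfuscation is listed above as one of the two most common kit techniques, but the report does not show what a defender actually looks for. The following is an added example, not code from Barracuda or from the report: a small Python triage check that flags the classic obfuscation signals in a link (userinfo before the host, raw or hex-encoded IP hosts, punycode hostnames, percent-encoded hostnames, very deep subdomain chains, and a second URL smuggled inside a query parameter). The sample URLs, the signal names and the `MAX_LABELS` threshold are my own constructed assumptions; the hosts use only reserved documentation names and addresses.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (assumption; not taken from the Barracuda report).
SAMPLE_URLS = [
    "https://login.example.com/session",                             # clean
    "https://login.example.com@198.51.100.7/verify",                 # userinfo trick + raw IP
    "https://0xC6336407/verify",                                     # hex-encoded IPv4 host
    "https://xn--exmple-cua.com/secure",                             # punycode (IDN) host
    "https://portal.example.net/go?next=https://example.org/login",  # URL inside a query parameter
    "https://%6c%6f%67%69%6e.example.com/",                          # percent-encoded hostname
    "https://a.b.c.d.e.example.com/doc",                             # deep subdomain chain
]

MAX_LABELS = 4  # assumption: more hostname labels than this is worth a second look


def _looks_like_ip(host: str) -> bool:
    """True for dotted IPv4/IPv6 hosts and for the bare decimal or hex
    integer forms (e.g. 0xc6336407) that browsers also resolve as IPv4."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        int(host, 0)  # base 0 accepts "3325256711" and "0xc6336407"
        return True
    except ValueError:
        return False


def url_obfuscation_signals(url: str) -> list[str]:
    """Return the obfuscation signals found in one URL (empty list = nothing flagged)."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # already lower-cased, userinfo and port stripped
    signals: list[str] = []
    if parts.username is not None:
        # "https://trusted.example@evil-host/" renders the trusted name first
        signals.append("userinfo-before-host")
    if "%" in parts.netloc:
        signals.append("percent-encoded-host")
    if _looks_like_ip(host):
        signals.append("ip-or-numeric-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode-host")
    if host.count(".") + 1 > MAX_LABELS:
        signals.append("deep-subdomain-chain")
    for values in parse_qs(parts.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            signals.append("url-in-query-parameter")
            break
    return signals


def scan(urls) -> dict[str, list[str]]:
    """Map every URL that triggers at least one signal to the signals it triggered."""
    return {u: s for u in urls if (s := url_obfuscation_signals(u))}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(f"{url}\n    {', '.join(hits)}")
```

None of these signals is proof of phishing on its own (punycode and deep subdomains have legitimate uses), so the intended use is as triage input: a link with two or more signals, or a lookalike brand in the userinfo part, gets pulled for closer review rather than blocked outright.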
The main themes used for phishing emails are remarkably similar to those of previous years, although they have evolved over time thanks to the use of generative AI and other tools.
In 2025, one in five (19%) phishing emails related to payment and invoice scams. Digital signature and document review emails accounted for 18% of attacks, with HR-related documents featuring in 15%. Many exploited trusted brand names, mimicking websites and logos with increasing accuracy.
“Phishing kits shifted up another level in 2025 as they increased in number and sophistication, bringing advanced, full-service attack platforms to even less-skilled cybercriminals and enabling them to launch powerful attacks at scale,” said Ashok Sakthivel, Director, Software Engineering at Barracuda. “The kits feature techniques designed to make it harder for users and security teams to detect and prevent fraud. To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and to ensure email security sits at the heart of an integrated, end-to-end security strategy.”