Threat Research

Anatomy of a modern phishing kit

We detonated over 40,000 credential-phishing pages last quarter. Under the hood most of them are the same handful of kits — here is how they are built, and the five tells that give them away.

Jun 30, 2026 3 min read

Phishing pages look infinitely varied from the outside: every brand, every language, every layout. From the inside they are remarkably repetitive. When we cluster the credential-phishing pages our sandbox detonated last quarter by their markup, scripts and backend behaviour, more than 70% collapse into a handful of commercial kits that are bought, rebranded and redeployed thousands of times.

That repetition is good news for defenders. You do not need to recognise every fake login page ever built — you need to recognise the kits.

The kit economy

A modern phishing kit is a product. It ships as a zip archive with an installer, a config file, an admin panel and, increasingly, a licence check that phones home to the seller. Kits are sold on Telegram channels and darknet forums for anywhere between $50 and $2,000 depending on what they bundle:

  • Templates — pixel-accurate clones of bank, webmail and SSO login flows, refreshed when the real brand redesigns.
  • Anti-analysis — bot detection, user-agent filtering, geofencing and one-time links designed to show scanners a harmless page.
  • Delivery — the exfil layer that ships captured credentials to a Telegram bot, an email drop or the kit's own panel.
  • MFA relays — the newer kits proxy the real site in real time, capturing session cookies after the victim completes 2FA.

The five tells

Because kits are mass-produced, they leak structure. These are the signals that surface again and again in our detonations:

  1. Recycled asset paths. Template authors rarely rename their folders. Seeing /admin/panel/config.php or /assets/kit/css/ on a "bank" domain is a near-certain conviction.
  2. Off-brand hosting. The page pretends to be a global brand but resolves to a residential IP, a bulletproof host, or a freshly registered domain a few days old.
  3. Client-side geofencing. Legitimate login pages do not check your timezone in JavaScript and bail to a blank page if you look like a crawler.
  4. Exfil endpoints on a different origin. The form posts credentials to a domain that has nothing to do with the page you are looking at — often a Telegram API URL.
  5. Cloned markup with dead links. Kits copy the real page's HTML, but the footer links, language switchers and "forgot password" flows either 404 or point back at the genuine site.
A phishing kit only has to fool a person for thirty seconds. It has to fool an automated scanner forever — and that asymmetry is exactly where detonation wins.

What this means for scanning

Static reputation checks catch the domains that are already known. Kits are built to rotate faster than blocklists update, which is why Voretix detonates every submitted URL in a live sandbox: we follow the redirect chain, execute the JavaScript, watch where the form actually posts, and fingerprint the kit behind the brand paint job.

When a scan report flags "known kit structure" in the findings, this clustering is what fired. The domain may be an hour old, but the kit behind it usually is not.

Frequently asked questions

What is a phishing kit?

A packaged, commercial phishing product: brand-cloned login templates, an admin panel, anti-bot cloaking and a credential exfiltration layer, sold for $50 to $2,000 and deployed thousands of times.

How can a phishing kit be detected when the domain is brand new?

By structure, not reputation. Kits reuse folder layouts, markup and exfiltration patterns across deployments, so a sandbox that fingerprints the page recognises the kit even when the domain is an hour old.

What is an MFA relay or adversary-in-the-middle kit?

A kit that proxies the real login site in real time, letting the victim complete two-factor authentication and then stealing the resulting session cookie — bypassing the second factor entirely.

Got a suspicious link in your inbox?
Detonate it in the Voretix sandbox instead of your browser — free, 100 scans a month.
Scan a URL

Keep reading

All posts