A potent new phishing kit named BlackForce has surfaced, posing a significant threat to organizations globally by enabling attackers to steal credentials through advanced Man-in-the-Browser (MitB) attacks and bypass multi-factor authentication (MFA). First detected in August 2025, this sophisticated tool is being peddled on Telegram forums for €200-€300, making it accessible to a broad spectrum of cybercriminals. Its effectiveness is already evident, with notable brands like Disney, Netflix, DHL, and UPS having been targeted.
The BlackForce phishing kit represents a considerable advancement in credential theft capabilities. Its primary danger lies in its ability to execute Man-in-the-Browser attacks. This technique allows malicious actors to intercept and manipulate real-time communications between a victim and legitimate websites. Crucially, this enables them to capture one-time authentication codes delivered via SMS, email, or authenticator applications, effectively negating the protection offered by MFA.
BlackForce Phishing Kit Employs Advanced MitB Techniques
Security analysts at Zscaler identified and analyzed the BlackForce phishing kit after observing suspicious patterns in ongoing phishing campaigns. At least five distinct versions of the BlackForce tool have been documented, indicating continuous development and improvement by its creators. This signals an evolving threat landscape where sophisticated attack methodologies become increasingly accessible.
The malicious domains associated with BlackForce utilize JavaScript files with cache-busting hashes. These hashes are designed to compel browsers into downloading the latest malicious code. Notably, a significant portion of this JavaScript—over 99 percent—consists of legitimate React and React Router code. This integration of authentic code helps the phishing kit evade initial detection by appearing legitimate.
Advanced MitB Attack Mechanism Unpacked
The core strength of BlackForce lies in its sophisticated, multi-stage attack chain. When a victim accesses a phishing link, they are presented with a login page designed to look authentic. Once the victim enters their login credentials, the attacker is immediately alerted via a command-and-control panel and receives the stolen information through a dedicated Telegram channel.
After the initial credential theft, the attacker uses the stolen credentials to log into the legitimate service, which triggers the MFA authentication prompt. At this critical juncture, BlackForce deploys its advanced capability by injecting a fake MFA page directly into the victim's browser. The victim, unaware, enters their authentication code into this fraudulent page.
The attacker instantly captures this authentication code and uses it to complete the account takeover process. Newer iterations of BlackForce incorporate session storage mechanisms to maintain continuity across page reloads, making the attacks more resilient to disruption. Furthermore, the tool includes robust anti-analysis filters that can block attempts by security researchers and automated scanners through User-Agent parsing and ISP blocklists.
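A defender's view of the relay described above, as an added example (not from the original article or the Zscaler analysis): the legitimate service sees both the password step and the MFA step arrive from the attacker's client, so one check is to flag completed MFA sign-ins from a client the account has never used. The log schema, field names, baseline and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sign-in events of the legitimate service (assumed schema):
# (epoch_seconds, user, session, event, asn, device). ASNs are documentation values.
EVENTS = [
    (1000, "alice", "s1", "password_ok", "AS64500", "dev-a1"),
    (1020, "alice", "s1", "mfa_ok", "AS64500", "dev-a1"),
    (5000, "bob", "s2", "password_ok", "AS64501", "dev-b1"),
    (5030, "bob", "s2", "mfa_ok", "AS64501", "dev-b1"),
    (9000, "alice", "s3", "password_ok", "AS64511", "dev-x9"),  # unfamiliar client
    (9045, "alice", "s3", "mfa_ok", "AS64511", "dev-x9"),
    (9900, "carol", "s4", "password_ok", "AS64511", "dev-x9"),  # MFA never completed
]
# Clients each account has used before (assumed to come from sign-in history).
KNOWN = {"alice": {("AS64500", "dev-a1")}, "bob": {("AS64501", "dev-b1")},
         "carol": {("AS64502", "dev-c1")}}


def flag_unfamiliar_mfa_logins(events, known):
    """Flag sessions that passed password and MFA from a client new to the account.

    Also lists other accounts whose password was accepted from the same client:
    those credentials should be treated as stolen even if MFA was never completed.
    """
    sessions = {}
    password_users = defaultdict(set)  # client -> users whose password it passed
    for ts, user, sid, event, asn, device in sorted(events):
        client = (asn, device)
        s = sessions.setdefault(sid, {"user": user, "client": client})
        s[event] = ts
        if event == "password_ok":
            password_users[client].add(user)
    flagged = []
    for sid, s in sessions.items():
        if "password_ok" not in s or "mfa_ok" not in s:
            continue  # sign-in not completed, no access granted in this session
        if s["client"] in known.get(s["user"], set()):
            continue  # client already associated with this account
        flagged.append({
            "session": sid,
            "user": s["user"],
            "client": s["client"],
            "seconds_to_mfa": s["mfa_ok"] - s["password_ok"],
            "same_client_password_ok": sorted(password_users[s["client"]] - {s["user"]}),
        })
    return flagged


if __name__ == "__main__":
    for hit in flag_unfamiliar_mfa_logins(EVENTS, KNOWN):
        print(hit)
```

Because the service only sees the attacker's client in this flow, the unfamiliar client is the detection signal; the time taken to complete MFA is reported for triage only.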
Organizations are advised to implement zero-trust security architectures to mitigate the potential damage from such sophisticated and evolving threats. The widespread availability and advanced capabilities of the BlackForce phishing kit underscore the persistent and growing challenges in cybersecurity defense against credential theft and account takeovers.

