Zscaler ThreatLabz identified BlackForce, a commercially marketed phishing kit first seen in August 2025 that steals credentials and performs Man‑in‑the‑Browser attacks to capture one‑time tokens and bypass MFA. The kit employs evasion techniques (user‑agent/ISP blocklists, mobile‑only filtering, and obfuscated client code in later versions), persistent sessionStorage state, and a dual C2/Telegram exfiltration architecture while impersonating brands like Netflix and Disney. #BlackForce #Telegram
Keypoints
- BlackForce is a phishing kit first observed in August 2025, advertised on Telegram and sold for roughly €200–€300.
- The kit enables Man‑in‑the‑Browser attacks to capture MFA codes in real time and bypass multi‑factor authentication for account takeover.
- Operators use a vetting system and active operator-driven sessions to qualify victims, capture credentials, and orchestrate live compromises.
- Anti‑analysis measures include client‑side User‑Agent parsing and comprehensive server‑side blocklists for ISPs, countries, and crawlers; v4 enforces mobile‑only access.
- BlackForce evolved from a fully client‑side, stateless model (v3) to a hybrid, stateful model (v4/v5) using sessionStorage and server‑side relaying to Telegram.
- Zscaler detects this threat as HTML.Phish.BlackForce and documents multiple malicious domains and API key usage tied to exfiltration and campaigns.
MITRE Techniques
- [T1566] Phishing – Used to gain initial access by directing victims to attacker‑controlled phishing pages that collect credentials. (‘Phishing used to gain initial access over the victim’s account.’)
- [T1027] Obfuscated Files or Information – Client‑side JavaScript is obfuscated in later versions to evade detection and analysis. (‘The file is obfuscated to evade detection and analysis.’)
- [T1557] Adversary-in-the-Middle – Implements MitB techniques to inject fake MFA prompts into the victim’s browser and capture one‑time codes. (‘The attacker positions themselves between the victim and the legitimate website.’)
- [T1555] Credentials from Password Stores – Collects credentials entered in the phishing page and can extract stored browser credentials as part of the credential‑harvesting flow. (‘Exfiltrate credentials from web browser credential store.’)
- [T1665] Hide Infrastructure – Uses a dual‑channel architecture and server‑side relaying to obscure final exfiltration destinations and protect the attacker panel. (‘Hides and evades detection of the attacker panel.’)
- [T1567] Exfiltration Over Web Service – Sends stolen credentials and session data via web services, notably relayed to Telegram channels. (‘Exfiltrate credentials via Telegram webservice.’)
- [T1657] Financial Theft – Stolen credentials and payment data are used to facilitate monetary theft and account fraud. (‘Exfiltrated credentials can be used to steal monetary resources from the victim.’)
Indicators of Compromise
- [API Key] X‑RapidAPI key observed in campaign configuration – example: D25d84708e… (X‑RapidAPI header value shown in IOCs).
- [Domain] Malicious phishing domains impersonating brands – renew-netfix[.]com, telenet-flix[.]com, and 11 other domains observed.
- [Filename Pattern] Cache‑busting JavaScript filenames used to deliver the platform – example: index-[hash].js and other hashed build filenames.
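As an added detection example (not Zscaler's code and not taken from the blog post), the Python below matches the indicators listed above against constructed proxy-log records. Everything beyond the two published domains, the `index-[hash].js` pattern and the `D25d84708e` key prefix is an assumption: the pipe-delimited log layout, the hash length and charset in the filename regex, the `LEGIT_HOSTS` allowlist and the brand-lookalike heuristic. The 11 further domains are not on this page and are not included.

```python
"""Match BlackForce indicators from the IOC list against proxy-log records.
Added example; the log format and sample records are constructed here."""
import re
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as renew-netfix[.]com into a matchable host."""
    return ioc.replace("[.]", ".").lower()


# Domains published on the page (refanged); the other 11 are not listed here.
KNOWN_DOMAINS = {refang(d) for d in ("renew-netfix[.]com", "telenet-flix[.]com")}
# Only this prefix of the X-RapidAPI key is published, so match on the prefix.
KNOWN_KEY_PREFIX = "D25d84708e"

# Hashed build filename such as index-3f9a1c2b.js. Bundlers emit these for
# legitimate sites too, so the rule is gated on a brand-lookalike host.
# Hash length (>= 6) and hex charset are assumptions.
CACHE_BUST_JS = re.compile(r"/index-[0-9a-f]{6,}\.js$", re.I)
# Loose lookalike heuristic for the impersonated brands (assumed, not from the page).
BRAND_LOOKALIKE = re.compile(r"(net|n3t).{0,3}fl?ix|disney", re.I)
LEGIT_HOSTS = {"netflix.com", "disneyplus.com"}  # assumed allowlist, extend as needed


@dataclass
class Finding:
    line_no: int
    rule: str
    host: str


def is_lookalike(host: str) -> bool:
    """True when the registrable domain is not allowlisted but resembles a brand."""
    base = ".".join(host.split(".")[-2:])
    return base not in LEGIT_HOSTS and bool(BRAND_LOOKALIKE.search(host))


def parse(line: str) -> dict:
    """Constructed record layout: ts|client|method|host|path|user_agent|headers(k=v;k=v)."""
    ts, client, method, host, path, ua, headers = line.rstrip("\n").split("|", 6)
    hdrs = dict(h.split("=", 1) for h in headers.split(";") if "=" in h)
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "ua": ua, "headers": {k.lower(): v for k, v in hdrs.items()}}


def scan(lines) -> list:
    """Apply the three indicator rules to each record and return findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        r = parse(line)
        if r["host"] in KNOWN_DOMAINS:
            findings.append(Finding(n, "known_blackforce_domain", r["host"]))
        if is_lookalike(r["host"]) and CACHE_BUST_JS.search(r["path"]):
            findings.append(Finding(n, "hashed_js_on_brand_lookalike", r["host"]))
        if r["headers"].get("x-rapidapi-key", "").startswith(KNOWN_KEY_PREFIX):
            findings.append(Finding(n, "known_rapidapi_key", r["host"]))
    return findings


# Constructed sample records: a victim on a mobile UA hitting a listed domain,
# fetching a hashed bundle, then a request carrying the key prefix; the last two
# records are benign (legitimate brand host, unrelated CDN) and must not fire.
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
SAMPLE_LINES = [
    f"2025-09-03T10:12:44Z|10.0.0.5|GET|renew-netfix.com|/login|{MOBILE_UA}|",
    f"2025-09-03T10:12:45Z|10.0.0.5|GET|renew-netfix.com|/assets/index-3f9a1c2b.js|{MOBILE_UA}|",
    f"2025-09-03T10:12:50Z|10.0.0.5|POST|api.example-relay.com|/verify|{MOBILE_UA}|"
    "x-rapidapi-key=D25d84708e0000000000;content-type=application/json",
    f"2025-09-03T10:13:01Z|10.0.0.7|GET|www.netflix.com|/assets/index-9c0d1e2f.js|{MOBILE_UA}|",
    f"2025-09-03T10:13:05Z|10.0.0.7|GET|cdn.somesite.com|/static/index-abcdef12.js|{MOBILE_UA}|",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule} ({f.host})")
```

The hashed-filename rule is deliberately weak on its own, since `index-[hash].js` is ordinary bundler output; it is only meaningful combined with a lookalike host or one of the listed domains. When reproducing a live page for analysis, remember the evasion described above: v4 serves mobile clients only and the server-side blocklists reject crawler, ISP and country ranges, so a desktop fetch from a datacenter egress will typically not see the kit's real content.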
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit