BlackForce Phishing Kit Enables Real-Time MFA Bypass, Researchers Warn

New Phishing-as-a-Service kits identified that bypass MFA and other security checks.

Published on Dec 16, 2025
Written by Mirren McDade

Cybersecurity researchers at Zscaler ThreatLabz have uncovered a new phishing kit, dubbed BlackForce, that enables attackers to steal credentials and bypass Multi-Factor Authentication (MFA) using advanced Man-in-the-Browser (MitB) techniques.

First detected in August 2025, BlackForce is actively sold on Telegram forums for approximately €200–€300 and has been used to impersonate over 11 well-known brands, including Disney, Netflix, DHL, and UPS. The kit is in active development, with five versions observed to date.

Attack Flow and Technical Overview

BlackForce campaigns begin with victims clicking phishing links that lead to highly convincing spoofed login pages. Before serving content, the kit performs a series of server-side checks, blocking traffic from security vendors, scanners, and automated bots. Newer versions expand this filtering to include ISP, country, and user-agent checks, limiting exposure to intended targets and complicating live analysis.

Once credentials are submitted, BlackForce activates its Man-in-the-Browser module, injecting a fraudulent MFA prompt directly into the victim’s browser session. Any one-time passcodes entered into the fake page are captured in real time and immediately reused to authenticate against the legitimate service, bypassing MFA protections. Victims are then redirected to the real website, which masks the signs of compromise.

BlackForce operates using a hybrid client-server architecture. Stolen data is first sent to a backend server before being relayed to a Telegram bot, obscuring the attacker’s infrastructure. The kit relies on modular JavaScript components and the Axios HTTP client to manage data exfiltration and session control.

Implications and Mitigation

The phishing kit aligns with multiple MITRE ATT&CK techniques, including T1566 (Phishing), T1557 (Adversary-in-the-Middle), and T1567 (Exfiltration Over Web Service). 

Zscaler’s observations of BlackForce’s continual upgrades and evolving evasion measures highlight an industrialized Phishing-as-a-Service (PhaaS) ecosystem, one that lowers barriers for attackers and increases the scale of credential theft campaigns.

Organizations are advised to adopt Zero Trust architectures, enforce endpoint security measures, and educate users about suspicious links and MFA prompts to mitigate the risk of real-time MitB attacks.
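
One way a defender could look for the relay described under Attack Flow in sign-in logs, added here as an example (it is not from Zscaler's report or from the kit): flag an MFA success from a first-seen device when the same user's known device is active from a different IP within a few minutes, as happens when the victim is redirected to the real site. The log fields, event names, the three-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real IdP schema.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T08:00:00", "user": "alice", "event": "mfa_success",
     "ip": "198.51.100.7", "device": "dev-A"},
    {"ts": "2025-12-01T08:30:00", "user": "bob", "event": "mfa_success",
     "ip": "192.0.2.10", "device": "dev-B"},
    # New device passes MFA, then alice's usual browser shows up 15 s later
    # from another IP (the victim being redirected to the real site).
    {"ts": "2025-12-02T10:15:05", "user": "alice", "event": "mfa_success",
     "ip": "203.0.113.50", "device": "dev-X"},
    {"ts": "2025-12-02T10:15:20", "user": "alice", "event": "page_view",
     "ip": "198.51.100.7", "device": "dev-A"},
    # bob enrols a new phone with no parallel activity: should not alert.
    {"ts": "2025-12-03T18:00:00", "user": "bob", "event": "mfa_success",
     "ip": "192.0.2.99", "device": "dev-C"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def flag_relayed_logins(events, window=timedelta(minutes=3)):
    """Return MFA successes from a first-seen device that coincide (within
    `window`) with activity from one of the user's known devices on another IP."""
    events = sorted(events, key=_ts)
    known = {}   # user -> devices that previously passed MFA without an alert
    alerts = []
    for ev in events:
        if ev["event"] != "mfa_success":
            continue
        seen = known.setdefault(ev["user"], set())
        suspicious = bool(seen) and ev["device"] not in seen and any(
            o["user"] == ev["user"] and o["device"] in seen
            and o["ip"] != ev["ip"] and abs(_ts(o) - _ts(ev)) <= window
            for o in events
        )
        if suspicious:
            alerts.append(ev)          # keep the device out of the baseline
        else:
            seen.add(ev["device"])
    return alerts


if __name__ == "__main__":
    for alert in flag_relayed_logins(SAMPLE_EVENTS):
        print("possible relayed MFA:", alert["user"], alert["ip"], alert["device"])
```

The heuristic produces leads for review, not verdicts: a user signing in on a new phone while a laptop session is active on another network would also match.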

The Big Picture

“The authors of BlackForce are actively modifying and improving the phishing kit, as evidenced by the rapid release of multiple versions in a short period,” says Zscaler.

BlackForce illustrates the growing sophistication and accessibility of phishing-as-a-service platforms. Organizations should treat these threats as a serious operational risk, prioritizing Zero Trust implementations, robust endpoint protections, and ongoing user awareness programs.

The combination of real-time Man-in-the-Browser attacks, evasion techniques, and commercial availability underscores that credential theft campaigns are becoming more industrialized, making proactive defenses essential to reduce exposure.