New BlackForce Phishing Kit Lets Attackers Steal Credentials Using MitB Attacks and Bypass MFA

A sophisticated phishing tool called BlackForce has emerged as a serious threat to organizations worldwide.

First observed in August 2025, this professional-grade kit allows criminals to steal login information and bypass multi-factor authentication using advanced Man-in-the-Browser techniques.

The tool is actively being sold on Telegram forums for between 200 and 300 euros, making it accessible to a wide range of threat actors.

BlackForce has already been used to target major brands including Disney, Netflix, DHL, and UPS, demonstrating its effectiveness in real-world attacks.

The phishing kit represents a significant evolution in credential theft capabilities. What makes BlackForce particularly dangerous is its ability to perform Man-in-the-Browser attacks, which allow attackers to intercept and manipulate communications between victims and legitimate websites in real time.

This technique enables criminals to capture one-time authentication codes that victims receive through SMS, email, or authenticator apps, effectively rendering multi-factor authentication useless.

At least five distinct versions of BlackForce have been documented, suggesting the attackers are continuously improving their tool.

Zscaler security analysts identified and analyzed the BlackForce phishing kit after discovering suspicious patterns in phishing campaigns.

BlackForce phishing page that hijacks an SMS code sent to the victim (Source - Zscaler)

The researchers found that the malicious domains used JavaScript files with cache-busting hashes to force browsers to download the latest malicious code.

Notably, over 99 percent of the malicious JavaScript consists of legitimate React and React Router code, giving the tool a legitimate appearance that helps it evade initial detection.

Advanced MitB Attack Mechanism

The core strength of BlackForce lies in its sophisticated multi-stage attack chain. When a victim clicks a phishing link, they encounter a legitimate-looking login page that appears authentic to the naked eye.

Attack chain (Source - Zscaler)

Once they enter their credentials, the attacker immediately receives a real-time alert through a command-and-control panel and gains access to a Telegram channel with the stolen information.

The attacker’s view of the exfiltrated data being sent to Telegram (Source - Zscaler)

The attacker then uses the credentials to log into the real service, triggering the MFA authentication prompt.

Here, BlackForce demonstrates its technical prowess by deploying a fake MFA page directly into the victim’s browser.

BlackForce control panel for version 3 (Source - Zscaler)

The victim unknowingly enters their authentication code into this fraudulent page, which is instantly captured by the attacker and used to complete the account takeover.

Newer versions of BlackForce use session storage to maintain state across page reloads, making attacks more resilient.

The tool also implements robust anti-analysis filters that block security researchers and automated scanners using User-Agent parsing and ISP blocklists.

Organizations should implement zero-trust security architectures to minimize the damage from such sophisticated attacks.
