"BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser ( MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for anywhere between €200 ($234) and €300 ($351). The kit, according to Zscaler ThreatLabz researchers Gladis Brinda R and Ashwathi Sasi, has been used to impersonate over 11 brands, including Disney, Netflix, DHL, and UPS. It's said to be in active development."
""BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners," the company said. "BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months.""
"Phishing pages connected to the kit have been found to use JavaScript files with what has been described as " cache busting" hashes in their names (e.g., "index-[hash].js"), thereby forcing the victim's web browser to download the latest version of the malicious script instead of using a cached version."
Four new phishing kits — BlackForce, GhostFrame, InboxPrime AI, and Spiderman — are capable of facilitating credential theft at scale. BlackForce was first detected in August 2025 and is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA). The kit is sold on Telegram forums for roughly €200–€300 and has been used to impersonate more than 11 brands including Disney, Netflix, DHL, and UPS. The kit employs evasion techniques such as blocklists that filter security vendors and web crawlers, uses cache-busting JavaScript file names, filters bots server-side, sends captured credentials to a Telegram bot and C2 panel via Axios, and leverages MitB methods to display fake MFA prompts to victims.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]