Technical Analysis of the BlackForce Phishing Kit

Dec. 21, 2025, 7:01 p.m.

Description

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, including a blocklist for security vendors and web crawlers. The kit features a dual-channel communication architecture, separating the phishing server from a Telegram drop. Its attack chain includes user validation, credential capture, and real-time alerts to attackers. BlackForce employs anti-analysis filters, stateful attack models, and a command-and-control panel for managing phishing sessions. The rapid versioning indicates active development and adaptation to improve resilience and evade detection.

Date

  • Created: Dec. 12, 2025, 8:45 a.m.
  • Published: Dec. 12, 2025, 8:45 a.m.
  • Modified: Dec. 21, 2025, 7:01 p.m.

Attack Patterns

  • BlackForce

Additional Information
