MFA Under Siege: The Rise of BlackForce, the Sophisticated “Live” Phishing Kit Targeting 11+ Global Brands
Since early August 2025, Zscaler researchers have been tracking the spread of a new phishing kit known as BlackForce. Within a short period, at least five distinct versions of the tool have been identified. BlackForce combines credential theft with Man-in-the-Browser attacks, enabling real-time bypass of two-factor authentication. The kit is sold on Telegram for €200–300 and is under active development, with frequent updates.
BlackForce is already being used to impersonate more than 11 well-known brands, including Disney, Netflix, DHL, and UPS. Its design places particular emphasis on evading security controls and maintaining attack resilience. Beginning with the fourth release, the developers introduced browser session persistence, making attacks more reliable by preserving victim-entered data even when a page is refreshed.
A defining feature of BlackForce is its split-channel architecture: the phishing server is isolated from the Telegram channel that receives stolen data. This separation ensures continued access to harvested information even if the phishing site itself is taken offline.
The attack chain begins when a victim clicks a malicious link and is redirected to a spoofed webpage. At this stage, IP address and User-Agent filtering is applied to block scanners and security systems. After passing this “vetting” step, the victim is presented with a convincing replica of the legitimate site and enters their credentials. The data is immediately forwarded to the operator, who receives a notification of a “live” session. The second phase then commences: interception of the one-time MFA code.
To defeat multi-factor authentication, the attackers inject a fake verification page designed to capture the MFA token. Once obtained, full account compromise becomes possible. In some cases, the attack concludes with a redirect to the legitimate website to avoid arousing suspicion.
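As an added illustration (not code from the report or from the kit itself), the simulation below shows why the live relay described above works against one-time codes but fails against origin-bound authenticators: the relying party rejects an assertion that the browser signed for the lookalike origin. The origins, the shared key and the HMAC "signature" are constructed stand-ins for a WebAuthn public-key ceremony.

```python
import hashlib
import hmac
import json
import secrets

# Constructed simulation (not BlackForce code): a relayed one-time code passes,
# an origin-bound WebAuthn-style assertion relayed the same way does not.
RP_ORIGIN = "https://login.brand.example"            # assumed legitimate origin
PHISH_ORIGIN = "https://login.brand-verify.example"  # assumed lookalike origin

class RelyingParty:
    def __init__(self, origin: str, authenticator_key: bytes):
        self.origin = origin
        self.key = authenticator_key  # stands in for the registered public key
        self.otp = None
        self.challenge = None
    def issue_otp(self) -> str:
        self.otp = f"{secrets.randbelow(10**6):06d}"
        return self.otp
    def verify_otp(self, submitted: str) -> bool:
        # Nothing binds the code to the page the victim typed it into.
        return hmac.compare_digest(self.otp, submitted)
    def issue_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(32)
        return self.challenge

    def verify_assertion(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        # The browser, not the page, records the origin where the ceremony ran.
        if data["origin"] != self.origin or bytes.fromhex(data["challenge"]) != self.challenge:
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def browser_sign(key: bytes, challenge: bytes, page_origin: str):
    # Victim's browser plus authenticator; page_origin is whatever site is loaded.
    client_data = json.dumps({"challenge": challenge.hex(), "origin": page_origin}).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def simulate_otp_relay() -> bool:
    rp = RelyingParty(RP_ORIGIN, secrets.token_bytes(32))
    code = rp.issue_otp()       # delivered to the victim out of band
    return rp.verify_otp(code)  # typed into the fake verification page, forwarded live

def simulate_origin_bound_relay() -> bool:
    key = secrets.token_bytes(32)
    rp = RelyingParty(RP_ORIGIN, key)
    challenge = rp.issue_challenge()  # fetched by the proxy, presented on the lookalike page
    client_data, sig = browser_sign(key, challenge, PHISH_ORIGIN)
    return rp.verify_assertion(client_data, sig)  # False: origin mismatch
```

The same check is why passkeys and hardware security keys are the practical answer to kits of this type, whereas SMS, app-push and TOTP codes remain relayable.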
From a technical standpoint, BlackForce makes extensive use of React and React Router, helping disguise malicious components as part of a polished, production-grade site. Later versions also incorporate JavaScript obfuscation, significantly complicating analysis and detection.
The server-side component is managed through a dedicated control panel that offers operators broad capabilities, ranging from session management to filtering by country, network provider, and User-Agent. Version four introduced a “mobile-only” policy, while version five refined filtering logic further and added countermeasures against automated analysis tools.
BlackForce’s development shows no signs of slowing. Rapid iteration, a shift toward hybrid architectures, and the adoption of resilient data storage mechanisms suggest that its creators are actively adapting to defensive measures and seeking to maximize effectiveness. These advancements further complicate phishing detection and underscore the need for organizations to continually reassess their security strategies, including a move toward zero-trust architectures.