Technical Analysis of the BlackForce Phishing Kit
Essential information
- Published: 12/12/2025 08:45
- Modified: 21/12/2025 19:01
- Tags: 2025-12-12 blackforce credential-theft evasion techniques mfa bypass mitb phishing telegram
- Related entities: 1 malware, 13 others
Description
The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, including a blocklist for security vendors and web crawlers. The kit features a dual-channel communication architecture, separating the phishing server from a Telegram drop. Its attack chain includes user validation, credential capture, and real-time alerts to attackers. BlackForce employs anti-analysis filters, stateful attack models, and a command-and-control panel for managing phishing sessions. The rapid versioning indicates active development and adaptation to improve resilience and evade detection.