Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg
Essential information
- Published
- 02/07/2026 11:50
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- aitm blacksite cloaking credential-theft mfa-bypass phishing-as-a-service reverse-proxy session-hijacking tycoon 2fa url-evasion
- Related entities
- 8 indicators, 8 observables, 1 intrusion sets (apt), 2 malware
Description
Blacksite is a newly identified adversary-in-the-middle phishing-as-a-service offering sold alongside Cloaked.gg, a cloaking platform that conceals phishing infrastructure from automated security analysis. The kit operates as a reverse-proxy that intercepts authentication tokens, session cookies, and 2FA codes in real time, enabling full account takeover even against MFA-protected accounts. Cloaked.gg blocks traffic from AWS, Google Cloud, and Azure networks while serving AI-generated decoy pages to suspected scanners, making malicious URLs appear benign during automated analysis. Priced between $600-$1,000 monthly, the service commercializes sophisticated AiTM techniques, lowering technical barriers for attackers. The pairing of credential theft capabilities with anti-detection infrastructure creates a split-view environment where security tools see harmless content while intended victims are routed to live phishing pages targeting consumer, financial, and enterprise identity systems.