Threat Overview
In the latest intelligence released by AlienVault on 12 December 2025, the cybersecurity community is warned about the BlackForce phishing kit. First observed in August 2025, this kit has undergone rapid evolution, with multiple versions now in circulation. Its primary goal is to steal credentials and bypass multi‑factor authentication (MFA) through sophisticated Man‑in‑the‑Browser (MiB) attacks. The kit impersonates a wide range of legitimate brands, leveraging social engineering and advanced evasion techniques to remain undetected by both human users and automated security tools.
Technical Characteristics
BlackForce employs a dual‑channel communication architecture. The front‑end phishing server is decoupled from a Telegram‑based drop channel, which allows attackers to receive real‑time alerts when a victim’s credentials are captured. This separation complicates detection because the phishing site can be hosted on a seemingly benign domain while the command‑and‑control (C2) traffic is routed through a popular messaging platform.
The kit’s code base includes anti‑analysis filters that detect sandbox environments, virtual machines, and debugging tools. When such environments are detected, the kit either stalls or exits to avoid analysis. Additionally, BlackForce uses a stateful attack model that adapts its payload based on the victim’s device, operating system, and browser configuration. This dynamic tailoring increases the likelihood of a successful MiB attack and credential theft.
BlackForce’s command‑and‑control panel provides attackers with granular control over phishing sessions. Operators can initiate new campaigns, monitor live traffic, and even trigger automated password‑reset requests on compromised accounts. The kit’s rapid versioning—over 20 distinct releases within a few months—demonstrates active development and a clear intent to stay ahead of defensive measures.
Actor Profile
While the report does not disclose a definitive attribution, the sophistication of BlackForce suggests a well‑resourced threat actor, possibly state‑backed or a financially motivated cybercriminal group. The use of Telegram for command and control, combined with a focus on bypassing MFA, points to actors with a strong understanding of modern identity protection mechanisms.
Impact Assessment
BlackForce’s ability to bypass MFA means that organizations relying solely on standard two‑factor methods are at significant risk. Successful MiB attacks can grant attackers full access to victim browsers, allowing them to capture session cookies, intercept API calls, and exfiltrate sensitive data. In enterprise environments, compromised credentials can lead to lateral movement, data exfiltration, and even ransomware deployment.
Detection and Mitigation Recommendations
- Deploy Browser‑Based Protection: Implement solutions that detect MiB activity, such as browser isolation or endpoint detection and response (EDR) tools that monitor anomalous script execution.
- Enforce Strong MFA: Move beyond SMS or email codes to hardware tokens or authenticator apps. Consider adaptive MFA that requires additional verification for high‑risk actions.
- Implement Web Filtering and Phishing Protection: Use URL reputation services and real‑time phishing detection to block known malicious domains. Regularly update blocklists to include newly discovered phishing sites.
- Monitor for Telegram‑Based C2 Traffic: Inspect outbound traffic for unusual patterns to messaging platforms, especially if the traffic originates from internal hosts that should not be communicating with external messaging services.
- Educate Users: Conduct ongoing phishing awareness training, focusing on brand impersonation and the risks of clicking on unfamiliar links.
- Conduct Red Team Exercises: Simulate MiB attacks to test the effectiveness of your defenses and user resilience.
- Leverage Threat Intelligence Feeds: Subscribe to feeds that provide indicators of compromise (IOCs) related to BlackForce, including domain names, IP addresses, and file hashes.
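As an added example of the Telegram-based C2 monitoring recommendation above (not code from the AlienVault pulse or the Zscaler analysis), the following Python detector runs over constructed proxy log lines and flags internal hosts outside a hypothetical allowlist that contact Telegram, ranking POSTs to Bot API send methods highest because that is the shape a credential drop would take. The assumption that the kit uses the public Bot API, the allowlist ranges and the sample log are all constructed for this illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Telegram endpoints a credential-drop channel would contact (assumption: the
# kit posts captures via the public Bot API, as many phishing kits do).
TELEGRAM_HOSTS = {"api.telegram.org", "t.me", "telegram.org"}
# Bot API upload methods look like /bot<token>/sendMessage or /sendDocument.
BOT_SEND_PATH = re.compile(r"^/bot[^/]+/send(Message|Document)$")
TOKEN_IN_PATH = re.compile(r"^/bot[^/]+")
# Hypothetical allowlist of internal ranges that may legitimately reach Telegram.
ALLOWED_SOURCES = [ip_network("10.0.5.0/24")]
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample proxy log: timestamp, source IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2025-12-12T09:14:03Z 10.0.12.44 POST https://api.telegram.org/bot123456:ABCDEF/sendMessage 200
2025-12-12T09:14:05Z 10.0.12.44 GET https://cdn.example-brand.test/login.js 200
2025-12-12T09:15:10Z 10.0.5.7 GET https://api.telegram.org/bot999:XYZ/getUpdates 200
2025-12-12T09:16:22Z 192.168.3.9 POST https://api.telegram.org/bot777:QQQ/sendDocument 200
2025-12-12T09:17:00Z 203.0.113.8 POST https://api.telegram.org/bot555:AAA/sendMessage 200
2025-12-12T09:18:30Z 10.0.12.44 GET https://api.telegram.org/bot123456:ABCDEF/getMe 200
"""

def parse_line(line):
    ts, src, method, url, status = line.split()
    return {"ts": ts, "src": ip_address(src), "method": method,
            "url": urlparse(url), "status": int(status)}

def in_any(ip, networks):
    return any(ip in net for net in networks)

def detect_telegram_c2(log_text):
    """Alerts for internal, non-allowlisted hosts talking to Telegram; Bot API POSTs rank high."""
    alerts = []
    for raw in log_text.strip().splitlines():
        e = parse_line(raw)
        host = e["url"].hostname or ""
        if host not in TELEGRAM_HOSTS:
            continue
        # Only internal sources matter here, and allowlisted ranges are expected to talk to Telegram.
        if not in_any(e["src"], INTERNAL_RANGES) or in_any(e["src"], ALLOWED_SOURCES):
            continue
        is_drop = e["method"] == "POST" and BOT_SEND_PATH.match(e["url"].path)
        path = TOKEN_IN_PATH.sub("/bot<redacted>", e["url"].path)  # never write the bot token into an alert
        alerts.append({"ts": e["ts"], "src": str(e["src"]), "host": host, "path": path,
                       "severity": "high" if is_drop else "medium"})
    return alerts
```

Run against real proxy or DNS telemetry, the same logic generalises to any messaging platform abused as a drop channel; tune the allowlist to the hosts that genuinely need such access.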
Conclusion
BlackForce represents a significant evolution in phishing technology, combining sophisticated evasion, dynamic payloads, and a robust command‑and‑control framework. Its rapid versioning and focus on bypassing MFA underscore the need for layered defenses and continuous monitoring. By adopting the recommendations outlined above, security analysts can reduce the risk posed by this threat and protect their organizations against credential theft and advanced MiB attacks.
For further details, refer to the AlienVault pulse at https://otx.alienvault.com/pulse/693bd6126b0e51b63c7cd87f and the Zscaler blog post at https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit.