Phishing Kits & PhaaS

What Is BlackForce?

BlackForce is a Man-in-the-Browser (MitB) phishing kit first observed in August 2025 that enables real-time credential theft and multi-factor authentication bypass attacks through injected fake MFA prompts during legitimate login flows.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

The kit is marketed on Telegram forums for between €200 and €300 and has undergone rapid development, with at least five distinct versions released within four months, according to Zscaler ThreatLabz's technical analysis published in December 2025.

The platform targets credentials across multiple sectors, including Disney+, Netflix, DHL, UPS, and other consumer and business services. BlackForce represents a significant advance in automated MFA bypass: it intercepts one-time passwords in real time without the continuous manual operator intervention that earlier phishing approaches depend on.

How does BlackForce work?

BlackForce operates through a coordinated infrastructure combining phishing servers, command-and-control panels, and client-side injection engines that intercept and manipulate browser sessions during authentication flows.

The attack sequence begins when victims navigate to phishing sites impersonating targeted services. These sites may be distributed through phishing emails, malicious advertisements, SMS messages, or compromised websites. When victims reach the fraudulent login page, they encounter an interface that closely mimics the legitimate service's authentication screen.

As victims enter their initial credentials, typically username and password, BlackForce's phishing server captures them while simultaneously initiating its own login to the legitimate service on the backend. This is the adversary-in-the-middle (AitM) reverse-proxy pattern: the victim communicates with the phishing server, which relays information to and from the actual service provider, so from the victim's perspective the login flow looks normal. The authenticated session that results belongs to the attacker's backend connection, not to the victim's browser.

When the legitimate service's authentication system detects the login attempt and triggers multi-factor authentication, BlackForce intercepts this MFA challenge. Rather than allowing the legitimate MFA prompt to reach the victim directly, the kit injects a fake MFA page directly into the victim's browser session. This injected page appears identical to the service's genuine MFA interface, displaying familiar branding, layout, and instructions.

The victim, believing they are interacting with the legitimate service's MFA system, enters their one-time password from an authenticator app or SMS message into the fake MFA page. BlackForce's command-and-control panel captures this OTP in real-time and immediately relays it to the attacker's backend session with the legitimate service. The attacker's infrastructure submits the valid OTP within its expiration window, completing authentication and gaining access to the victim's account.

After successful authentication, BlackForce typically redirects victims to the legitimate service's actual website, maintaining the illusion that they simply logged in normally. Victims may not immediately realize their account has been compromised, as they successfully accessed the service they intended to reach. This redirection to the legitimate site helps avoid suspicion that might occur if victims encountered error messages or unusual behavior after entering credentials.
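The relay described above, as an added simulation that is not code from BlackForce or from Zscaler's analysis: a victim, a phishing server and a legitimate service are plain Python functions, the second factor is a real RFC 6238 TOTP, and the kit replays the victim's password and code upstream. It also shows the timing constraint: if the replay lands outside the service's acceptance window the session is not obtained. The account name, password, TOTP seed and clock value are constructed for the example.

```python
"""
Added illustration of the AitM relay flow (not the kit's code). Three parties:
a LegitimateService with password + TOTP, a PhishingRelay that captures what the
victim types and replays it upstream, and a victim modelled by run_scenario().
"""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30        # RFC 6238 default time step, seconds
TOTP_DIGITS = 6


def totp(secret: bytes, at: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class LegitimateService:
    """Stand-in for the real site: password check, then a TOTP second factor."""

    def __init__(self, users):
        self.users = users        # username -> (password, totp_secret)
        self.pending = {}         # session id -> username awaiting an OTP
        self.sessions = {}        # session id -> username, fully authenticated

    def login(self, username, password):
        pw, _ = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return None
        sid = secrets.token_hex(8)
        self.pending[sid] = username
        return sid                # the service now expects an OTP for this session

    def submit_otp(self, sid, code, now):
        username = self.pending.get(sid)
        if username is None:
            return False
        _, secret = self.users[username]
        # accept the current step plus one step of drift either way, a common server policy
        valid = any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code) for d in (-1, 0, 1))
        if valid:
            self.sessions[sid] = self.pending.pop(sid)
        return valid


class PhishingRelay:
    """The kit's server: records what the victim types and replays it upstream."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []        # what would land in the panel / Telegram drop channel
        self.attacker_sid = None

    def fake_login_page(self, username, password):
        self.captured.append(("creds", username, password))
        self.attacker_sid = self.upstream.login(username, password)   # attacker-owned session
        return self.attacker_sid is not None                         # decide whether to show the injected OTP page

    def fake_otp_page(self, code, now):
        self.captured.append(("otp", code))
        return self.upstream.submit_otp(self.attacker_sid, code, now)  # replay inside the window


def run_scenario(relay_lag_seconds: float):
    """The victim types the code their app shows at t0; the relay submits it
    `relay_lag_seconds` later. Returns (attacker_logged_in, attacker_session_id)."""
    secret = b"constructed-example-seed"       # constructed TOTP seed
    service = LegitimateService({"alice": ("hunter2", secret)})
    relay = PhishingRelay(service)
    t0 = 1_700_000_000                         # fixed clock so the run is deterministic
    if not relay.fake_login_page("alice", "hunter2"):
        return False, None
    code_from_app = totp(secret, t0)          # what the victim reads off their authenticator
    ok = relay.fake_otp_page(code_from_app, t0 + relay_lag_seconds)
    return ok, (relay.attacker_sid if ok else None)


if __name__ == "__main__":
    print("replay after 5 s:", run_scenario(5))
    print("replay after 120 s:", run_scenario(120))
```

The victim never sees an error in the first run: the relay holds an authenticated session while the victim is redirected to the real site. The second run is the failure mode the kit has to avoid, which is why the injection and replay are automated rather than left to a human operator.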

BlackForce's technical architecture includes several specialized components that work together to enable these attacks. The phishing server handles initial credential capture and serves the fake login interfaces. A Telegram drop channel provides redundant data exfiltration, forwarding captured credentials to attacker-controlled Telegram accounts. This creates resilience—if the primary phishing infrastructure is detected and taken down, the Telegram channel preserves captured credentials.

The command-and-control panel provides real-time attack management and traffic filtering capabilities. Operators can monitor ongoing attacks, view captured credentials as they arrive, and manage traffic filtering rules that determine which visitors reach active phishing content. According to Zscaler's analysis, later versions (4 and 5) implemented proactive traffic filtering with mobile-only enforcement, restricting access to mobile user agents in an attempt to avoid desktop-based security analysis tools.

The client-side injection engine represents BlackForce's most sophisticated component. This browser-based mechanism manipulates the Document Object Model in real-time, inserting fake MFA prompts seamlessly into the authentication flow. The injection appears indistinguishable from legitimate page content because it uses the same styling, scripts, and visual elements as the real service.

BlackForce has evolved rapidly since its August 2025 emergence. Versions 1 through 3 employed stateless attack models with basic credential harvesting. Versions 4 and 5 introduced stateful architecture with improved traffic filtering and mobile device targeting. This rapid iteration—five versions in four months—suggests active development in response to defensive measures and operator feedback, indicating a commercially viable product with ongoing support.

A cache-busting system ensures victims always load the latest malicious scripts rather than cached versions. By implementing hash-based cache invalidation, BlackForce forces browsers to retrieve updated code with each page load. This capability enables operators to update attack infrastructure rapidly in response to detection without waiting for browser caches to expire naturally.

How does BlackForce differ from other phishing kits?

| Aspect | BlackForce | GoPhish | Kr3pto | ClickFix-as-a-Service |
|---|---|---|---|---|
| MFA Bypass Method | Automated MitB with real-time OTP interception | No native MFA bypass capability | Manual operator intervention required | Not applicable (focuses on malware delivery) |
| Targeting Scope | Multi-sector consumer and business services | Customizable via templates | UK banking only (11 institutions) | Generic system impersonation |
| Distribution Channel | Telegram forums (commercial sale) | GitHub (open-source) | SMS phishing campaigns | Underground forums ($200-$1,500/month) |
| Version Evolution | 5+ versions in 4 months (rapid iteration) | Continuous community updates | Stable platform (multi-year operation) | Multiple competing builders |
| Pricing Model | €200-€300 per kit | Free (open-source) | Unknown (underground pricing) | $200-$1,500/month subscription |
| Attack Type | Man-in-the-Browser (MitB) | Credential harvesting only | Live phishing with manual 2FA bypass | Social engineering for command execution |
| Operator Involvement | Minimal (automated MFA interception) | None (fully automated) | High (real-time session management) | Minimal (pre-configured payloads) |
| Ideal for | Attackers seeking automated MFA bypass | Penetration testers and researchers | Specialized UK banking fraudsters | Mass malware distribution campaigns |

BlackForce's defining differentiation lies in its automated real-time MFA bypass capability. While platforms like GoPhish excel at credential harvesting, they capture only usernames and passwords without addressing multi-factor authentication. BlackForce's Man-in-the-Browser approach intercepts the entire authentication flow, including time-sensitive one-time passwords, enabling complete account takeover even when targets implement security controls that defeat simpler phishing kits.

Kr3pto achieves similar MFA bypass results but requires manual operator intervention. Human operators must monitor ongoing phishing sessions, intercept 2FA codes as victims enter them, and immediately use those codes to complete authentication on the legitimate service—all within the typical 30 to 60 second OTP expiration window. BlackForce automates this process through its MitB injection engine, eliminating the need for constant human monitoring and enabling single operators to manage multiple simultaneous attacks that would overwhelm manual approaches.

The commercial distribution model positions BlackForce between free open-source tools like GoPhish and subscription-based service offerings. At €200 to €300, BlackForce costs significantly more than free alternatives but remains accessible to moderately funded cybercriminal operations. This pricing suggests positioning as a premium tool for attackers who need MFA bypass but cannot afford, or cannot get access to, the more expensive service-based offerings.

BlackForce's rapid version iteration distinguishes it from stable platforms that evolve slowly. Releasing five distinct versions within four months indicates active development responding to defensive countermeasures, operator feature requests, or expanding target coverage. Kr3pto has maintained relatively consistent functionality over multi-year operations, while BlackForce's developers appear to prioritize agile improvement and evasion adaptation. This development velocity may reflect competitive pressure in the PhaaS market or anticipation of security vendor detection capabilities.

The multi-sector targeting approach contrasts with specialized platforms focused on specific industries. V3B concentrates exclusively on European banking with deep customization for PhotoTAN and SmartID authentication. BlackForce targets consumer entertainment services like Disney+ and Netflix alongside logistics providers like DHL and UPS, suggesting broader opportunistic credential theft rather than focused financial fraud. This diversity may indicate different monetization strategies—selling credentials on underground markets rather than directly conducting fraud.

Why does BlackForce matter?

BlackForce represents a significant evolution in phishing kit sophistication that lowers the technical barrier for conducting advanced MFA bypass attacks while expanding the scope of services vulnerable to credential theft.

The automation of real-time MFA bypass fundamentally changes the economics and scalability of phishing operations. Prior approaches requiring manual operator intervention create natural scaling constraints—each operator can manage only a limited number of simultaneous phishing sessions because they must actively monitor for MFA prompts and rapidly input intercepted codes. BlackForce eliminates this bottleneck, enabling single operators to conduct numerous concurrent attacks while the kit's automated injection handles the time-critical MFA interception. This scalability amplification increases the potential attack volume threat actors can achieve with given resources.

The platform's €200 to €300 pricing makes sophisticated MFA bypass accessible to a broad range of cybercriminal operations. According to KnowBe4's December 2025 security blog coverage, this price point sits below many organizations' fraud loss thresholds, meaning criminals can generate positive return on investment by compromising relatively few accounts. The commercial availability of this capability through Telegram forums—widely accessible platforms requiring no special underground market access—further democratizes advanced phishing techniques that previously required specialized development skills or connections to elite cybercriminal groups.

BlackForce's targeting of consumer entertainment and logistics services indicates expanding phishing scope beyond traditional financial and enterprise targets. Disney+ and Netflix credentials enable account takeover for subscription service fraud, credential stuffing attacks against other services where victims reuse passwords, and sale of compromised premium accounts on underground markets. DHL and UPS impersonation enables logistics fraud and delivery manipulation. This diversification demonstrates how MFA bypass capabilities make previously low-value targets economically viable for sophisticated attacks.

The kit's rapid version evolution demonstrates the commercial viability and competitive dynamics of the Phishing-as-a-Service market. Zscaler's documentation of five versions within four months suggests active customer base providing feedback, competitive pressure from alternative kits driving feature development, and anticipation of security vendor countermeasures requiring ongoing evasion updates. This commercial software development model applied to cybercrime tools indicates professionalization of the threat landscape where phishing platforms compete on features, reliability, and support rather than just price.

BlackForce's emergence alongside other advanced phishing platforms like GhostFrame (identified September 2025) and EVALUSION (documented November 2025) indicates a broader trend toward sophisticated phishing kit development in late 2025. The Hacker News December 2025 coverage noted that multiple advanced phishing kits employing AI-enhanced lures and MFA bypass techniques emerged nearly simultaneously, suggesting either coordinated development, knowledge sharing among developers, or convergent evolution responding to similar defensive challenges. This clustering of innovation creates particular risk as defenders face multiple novel techniques simultaneously.

What are BlackForce's limitations?

Despite its sophisticated automated MFA bypass capabilities, BlackForce faces several technical and operational constraints that create defensive opportunities and limit effectiveness.

Telegram dependency concentrates risk. BlackForce forwards captured credentials through Telegram bot channels and is itself marketed on Telegram. If Telegram improves abuse detection and blocks the bot accounts, operators lose that delivery path and are left with the panel alone. Law enforcement agencies monitoring Telegram for cybercrime infrastructure can potentially identify and infiltrate BlackForce operator channels, exposing customer bases and enabling coordinated takedowns. The public nature of Telegram distribution, with operators marketing BlackForce through findable Telegram forums, creates visibility that more discreet distribution methods avoid.

Real-time attack requirements create operational windows. While BlackForce automates much of the MFA interception process, successful attacks still require the phishing infrastructure to remain operational and responsive during the entire authentication flow. Network disruptions, server overload, or defensive interference during the critical seconds between credential entry and MFA submission can break the attack chain. Victims may notice unusual delays during login when BlackForce's infrastructure proxies their authentication requests, particularly if backend servers are geographically distant or poorly provisioned. These delays create suspicion opportunities that direct attacks against services avoid.

Browser compatibility constraints limit victim coverage. Man-in-the-Browser injection depends on a consistent JavaScript execution environment and on DOM manipulation behaving as expected. Different browsers, browser versions, and security extensions may block or interfere with BlackForce's injection. Users with JavaScript disabled or with extensions that detect suspicious DOM modifications may see broken phishing pages or receive warnings before entering credentials. According to GBHackers' December 2025 coverage, some endpoint security solutions can detect the characteristic DOM manipulation patterns BlackForce employs, which provides a detection signal even without a signature for the kit itself.

Mobile-only filtering reduces desktop targeting. BlackForce versions 4 and 5 implemented mobile user-agent filtering to evade desktop-based security analysis tools. While this helps avoid security researcher examination, it also excludes legitimate desktop users from attacks. Many business services see significant desktop usage for productivity reasons, meaning mobile-only targeting sacrifices potential victims. Security-aware attackers may disable these filters to maximize victim coverage, but doing so re-exposes their infrastructure to analysis.

Cache-busting implementation creates forensic artifacts. While hash-based cache busting ensures victims load the latest malicious scripts, the technique also creates observable patterns in network traffic and browser behavior. Security monitoring tools can detect when pages force cache invalidation more aggressively than typical websites, particularly when combined with other suspicious characteristics like unusual iframe loading or obfuscated JavaScript. The cache-busting mechanism leaves artifacts in browser cache directories and network logs that forensic investigators can examine to understand attack infrastructure and timing.

Version proliferation suggests instability. The rapid release of five versions within four months may indicate not just active development but also fundamental architectural problems requiring frequent fixes. Early version descriptions from Zscaler indicate "stateless" implementations in versions 1-3, suggesting these versions had significant operational limitations that required architectural redesign for versions 4-5. Customers purchasing early versions likely experienced reliability problems, compatibility issues, or detection vulnerabilities that later versions attempted to address. This instability creates risk for operators who may find their BlackForce deployments becoming ineffective as security vendors develop countermeasures faster than updates deploy.

How can organizations defend against BlackForce?

Defending against BlackForce requires implementing controls that address both the phishing distribution phase and the MFA bypass mechanism itself, with emphasis on authentication methods resistant to real-time interception.

Deploy phishing-resistant multi-factor authentication. The most effective defense is migrating from one-time-password MFA to methods that resist real-time relay. FIDO2 hardware security keys and WebAuthn platform authenticators (passkeys) bind each assertion to the origin the browser is actually on, so a response produced on a phishing domain is useless to the legitimate service even if BlackForce relays it. Push-approval MFA does not have this property: because the relay submits the victim's password to the real service, the real service sends a genuine push to the victim's phone, and the victim approves it because they believe they are logging in. Number matching raises the bar slightly, since the victim must read the number from the attacker-controlled page, but the relay sees that number too and it is still interceptable in the same flow. Organizations should prioritize origin-bound methods for high-value accounts and services handling sensitive data or financial transactions.

Implement adaptive authentication with risk-based step-up challenges. Authentication systems should evaluate contextual risk factors including device fingerprinting to detect logins from unrecognized devices, impossible travel detection when login locations are inconsistent with recent activity, behavior analysis identifying unusual login time patterns or access sequences, and network reputation scoring for source IP addresses. When BlackForce-mediated logins occur, they typically exhibit anomalies—the attack infrastructure's network characteristics differ from the victim's typical access patterns, geographic locations may be inconsistent, and login timing may reflect the proxy delay introduced by the phishing infrastructure. Flagging these anomalies for additional verification or automatic blocking prevents account takeover even when initial MFA succeeds.
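A minimal risk scorer of the kind this paragraph describes, added here as an example rather than taken from the page or any product: it scores device recognition, impossible travel between consecutive logins, and source-network reputation, then maps the total to allow, step-up, or block. The relayed login in the constructed data arrives from a hosting-range address on an unrecognized device shortly after the victim's last genuine login, which is the anomaly pattern the paragraph points to. Coordinates, thresholds, device identifiers and reputation labels are assumptions for the example.

```python
"""
Added example: risk-based step-up scoring over login events. Not from the
original page; thresholds and weights are illustrative, not a recommendation.
"""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0    # roughly airliner speed; faster than this is "impossible travel"
STEP_UP_AT, BLOCK_AT = 40, 80


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def event(ts, lat, lon, device_id, ip_reputation):
    """Constructed login event; ip_reputation is whatever your IP-intel feed returns."""
    return {"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "lat": lat, "lon": lon, "device_id": device_id, "ip_reputation": ip_reputation}


def score_login(history, new):
    """history: this user's earlier successful logins. Returns (score, reasons)."""
    score, reasons = 0, []
    if new["device_id"] not in {e["device_id"] for e in history}:
        score += 40
        reasons.append("unrecognized device")
    if history:
        prev = max(history, key=lambda e: e["ts"])
        hours = (new["ts"] - prev["ts"]).total_seconds() / 3600.0
        km = haversine_km(prev["lat"], prev["lon"], new["lat"], new["lon"])
        # floor the elapsed time at one minute so back-to-back logins do not divide by zero
        if hours >= 0 and km > MAX_PLAUSIBLE_KMH * max(hours, 1 / 60):
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    if new["ip_reputation"] in {"hosting", "anonymizer"}:
        score += 30
        reasons.append(f"source address classified as {new['ip_reputation']}")
    return score, reasons


def decide(score):
    return "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"


# constructed history: one user who logs in from Berlin on a known device
HISTORY = [event("2025-12-03T09:00:00", 52.52, 13.405, "dev-A", "residential")]

if __name__ == "__main__":
    # the relayed login: a VPS in Virginia, new device, twenty minutes after the Berlin login
    candidate = event("2025-12-03T09:20:00", 39.04, -77.49, "dev-B", "hosting")
    s, why = score_login(HISTORY, candidate)
    print(decide(s), s, why)
```

Step-up on its own does not help if the step-up factor is another relayable OTP; the decision that matters for this kit is to require an origin-bound factor, or to block, once the score crosses the threshold.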

Monitor for Telegram API connections and known malicious channels. Network security systems should implement detection for suspicious Telegram bot API traffic patterns consistent with credential exfiltration. Organizations can maintain threat intelligence feeds of known BlackForce Telegram channels and bot identifiers, blocking network connections to these resources. While this doesn't prevent attacks directly, it can disrupt attacker infrastructure operating within organizational networks and provide detection signals when internal systems exhibit compromise indicators. Security operations centers should treat Telegram API connections from unexpected sources as investigation triggers.
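One concrete form of that detection, added as an example that is not part of the original page or of any vendor product: a detector over constructed web-proxy log lines that flags Telegram Bot API calls from hosts with no business reason to make them. The log format, addresses and allowlist are assumptions; the token shape it matches (numeric bot id, colon, 35-character secret) is Telegram's real format, and the bot id alone is a shareable indicator while the secret half should never be written to an alert.

```python
"""
Added example: Telegram Bot API exfiltration detector over proxy logs.
Not from the original page. Log format, IPs and allowlist are constructed.
"""
import re
from dataclasses import dataclass

TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Bot API calls look like /bot<token>/<method>; the token is "<bot id>:<35-char secret>"
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d{8,10}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "forwardMessage"}
ALLOWED_SOURCES = {"10.0.5.20"}     # constructed: an internal host that runs an approved alerting bot


@dataclass
class Alert:
    ts: str
    src: str
    bot_id: str
    method: str
    reason: str


def parse_line(line: str):
    """Constructed format: '<ts> <src_ip> <verb> <host> <path> <status>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return dict(zip(("ts", "src", "verb", "host", "path", "status"), parts))


def detect(lines):
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in TELEGRAM_API_HOSTS:
            continue
        m = BOT_PATH.match(rec["path"])
        if m is None or rec["src"] in ALLOWED_SOURCES:
            continue
        method = m.group("method")
        reason = "credential exfiltration method" if method in EXFIL_METHODS else "unexpected Bot API use"
        # bot_id is safe to share as an indicator; the secret half of the token is deliberately not logged
        alerts.append(Alert(rec["ts"], rec["src"], m.group("bot_id"), method, reason))
    return alerts


FAKE_TOKEN = "123456789:" + "A" * 35      # constructed token with the real shape
SAMPLE_LOG = [                           # constructed log lines
    f"2025-12-03T10:14:02Z 10.0.5.20 POST api.telegram.org /bot{FAKE_TOKEN}/sendMessage 200",
    f"2025-12-03T10:15:40Z 10.0.8.77 POST api.telegram.org /bot{FAKE_TOKEN}/sendMessage 200",
    f"2025-12-03T10:15:41Z 10.0.8.77 POST api.telegram.org /bot{FAKE_TOKEN}/sendDocument 200",
    f"2025-12-03T10:16:00Z 10.0.8.77 GET api.telegram.org /bot{FAKE_TOKEN}/getMe 200",
    "2025-12-03T10:16:30Z 10.0.9.12 GET www.example.com /index.html 200",
    "2025-12-03T10:17:00Z 10.0.9.12 GET t.me /somechannel 200",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The path is only visible when the proxy performs TLS inspection; without it, the detector degrades to "unexpected source talking to api.telegram.org", which is still worth an alert, and the same condition can be expressed against DNS logs. In the BlackForce case the exfiltration normally runs from the attacker's own phishing server, so this signal fires inside your network mainly when a compromised internal web host has been pressed into service as phishing infrastructure.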

Deploy endpoint detection and response together with browser telemetry. The injection engine's DOM manipulation happens inside the web page, so a conventional EDR agent does not observe it directly; that signal requires browser-level visibility such as an enterprise browser, a managed extension, or web-content inspection at the proxy. EDR still contributes the process and network view: connections to newly registered or newly seen domains immediately following an authentication attempt, and login traffic that goes to a domain other than the identity provider's. CrowdStrike, Microsoft Defender for Endpoint, and similar platforms can correlate these behavioral indicators without a BlackForce-specific signature.

Implement DNS filtering and threat intelligence integration. DNS-layer security should block resolution of domains associated with BlackForce infrastructure, based on threat intelligence feeds from Zscaler, other security vendors, and community sources. Because BlackForce operators must register domains for phishing pages, these domains are identifiable through indicators such as recent registration dates, hosting on infrastructure known for phishing, TLS certificate patterns (newly issued certificates for look-alike names show up in Certificate Transparency logs), and WHOIS privacy protection. Cisco Umbrella, Cloudflare Gateway, and similar DNS security platforms can apply these blocks organization-wide, preventing users from reaching BlackForce phishing sites even when they click malicious links.

Conduct user education emphasizing contextual awareness. Security awareness training should teach users to recognize authentication context anomalies that may indicate BlackForce attacks. Users should understand that slight delays during login, unexpected MFA prompts for routine access, or requests to re-enter recently provided credentials may indicate interception. Training should emphasize verifying login URLs carefully before entering credentials, being suspicious of authentication requests received immediately after clicking email or message links, and reporting unusual authentication experiences to security teams rather than simply retrying. While user education alone cannot prevent sophisticated attacks, it creates additional detection opportunities.

Implement session monitoring and anomalous activity detection. Services should monitor authenticated sessions for unusual post-login behavior including rapid data access patterns inconsistent with normal usage, attempts to change account recovery information immediately after login, and privilege escalation requests. When BlackForce successfully compromises accounts, attackers typically move quickly to establish persistent access or extract valuable data before detection occurs. Anomaly detection systems can identify these post-compromise behaviors and trigger automatic session termination, credential invalidation, and security team alerts that limit damage even when initial authentication bypass succeeds.

FAQs

How does BlackForce differ from traditional credential phishing?

Traditional phishing attacks capture usernames and passwords when victims enter them on fake login pages, but they cannot defeat multi-factor authentication because they lack access to the time-sensitive one-time passwords or authentication app codes that MFA systems generate. When victims later receive unexpected MFA prompts or find their accounts still secure despite entering credentials on phishing sites, they may realize the attack and change passwords before attackers gain access. BlackForce fundamentally changes this dynamic through its Man-in-the-Browser approach that intercepts the entire authentication flow in real-time. When victims enter their credentials on BlackForce phishing pages, the kit's backend simultaneously initiates a legitimate login attempt to the real service. When the service sends an MFA challenge, BlackForce injects a fake MFA prompt into the victim's browser session that looks identical to the legitimate prompt. The victim enters their valid OTP, which BlackForce immediately uses to complete the authentication on the real service—all within seconds. This real-time interception enables complete account takeover without user awareness, bypassing the protection that traditional MFA provides against simpler credential phishing.

Why is BlackForce marketed on Telegram rather than traditional underground forums?

Telegram has become a preferred platform for cybercriminal commerce because of several characteristics that make it more convenient than traditional underground forums for tool distribution. Telegram's private channels and groups are harder for law enforcement to monitor than web forums that may be infiltrated or seized (ordinary Telegram chats, groups and channels are not end-to-end encrypted; only Secret Chats are, so the advantage is operational rather than cryptographic). The platform enables instant messaging that facilitates customer support and rapid transaction coordination, so BlackForce vendors can answer questions, provide updates, and complete sales significantly faster than through forum-based communication. Telegram's channel and group features allow vendors to maintain customer communities, distribute updates, and conduct marketing without complex website infrastructure. The platform's mobile-first design enables criminals to conduct business from anywhere without requiring desktop computers or specific network access. Geographic distribution and jurisdictional complexity make Telegram takedowns more difficult than seizing servers hosting traditional forums. Finally, Telegram's broad legitimate usage provides cover, since distinguishing criminal commerce from legitimate communications is harder than monitoring forums specifically known for cybercrime. However, this Telegram distribution also creates exposure for operators, as the relatively public nature of channels enables security researchers to track BlackForce marketing, pricing, and adoption patterns.

Can mobile-only traffic filtering in versions 4-5 be bypassed by attackers or security researchers?

Yes, mobile user-agent filtering can be circumvented relatively easily by modifying the user-agent string that browsers send with HTTP requests. User-agent strings identify the browser type and device to web servers, and BlackForce's mobile-only filtering checks this string to determine whether to serve phishing content or display errors. Security researchers and technically skilled users can modify their browser's user-agent string to impersonate mobile devices even when accessing sites from desktop computers. This allows security analysis of BlackForce infrastructure despite the mobile-only restriction. However, implementing such filtering still provides operational benefits for attackers by raising the barrier slightly—automated security scanners and less sophisticated analysis tools may not automatically rotate user-agents, reducing exposure to bulk scanning. The filtering also reduces false positives from desktop users who may be more technically sophisticated and more likely to identify phishing attempts. From a defensive perspective, the user-agent filtering creates a detection signal—legitimate services rarely restrict access strictly to mobile devices, so this behavior itself can indicate malicious infrastructure. Organizations can implement monitoring that flags sites enforcing unusual user-agent restrictions combined with authentication requests as likely phishing infrastructure.

What is the relationship between BlackForce and malware families like DarkNimbus or ShadowPad?

BlackForce, DarkNimbus, and ShadowPad represent distinct categories of malicious tools serving different purposes in cyberattack lifecycles, with no direct documented relationship between them. BlackForce is a credential theft phishing kit focused on the initial access phase of attacks—stealing usernames, passwords, and multi-factor authentication codes to compromise accounts. DarkNimbus and ShadowPad are post-compromise backdoors deployed after attackers have already gained initial access to target systems. These backdoors provide persistent remote access, command execution capabilities, and data exfiltration mechanisms that attackers use for espionage, data theft, or establishing footholds for ransomware. The tools could be used sequentially in a multi-stage attack—attackers might use BlackForce to steal credentials for initial access to corporate networks, then deploy DarkNimbus or ShadowPad backdoors to maintain persistence and conduct further malicious activities. However, no published security research has documented specific threat actors using BlackForce in combination with these particular backdoor families. The tools' separation into different attack phases means they often appeal to different operator types—BlackForce primarily serves credential theft and account takeover operations, while sophisticated backdoors like ShadowPad are associated with advanced persistent threat actors conducting espionage campaigns.

Are hardware security keys truly resistant to BlackForce's MFA bypass techniques?

Yes, hardware security keys implementing FIDO2/WebAuthn standards are resistant to BlackForce and similar Man-in-the-Browser phishing attacks due to fundamental cryptographic protections built into these authentication protocols. When users authenticate with hardware security keys, the authentication challenge from the service includes the domain name of the requesting site. The security key cryptographically verifies this domain before generating an authentication response, and the response is cryptographically bound to that specific domain. When victims reach BlackForce phishing pages impersonating legitimate services, the phishing page domain differs from the legitimate service's domain. Even if BlackForce intercepts and relays authentication challenges, the hardware security key will either refuse to generate a response because the domain doesn't match any registered credentials, or it will generate a response valid only for the phishing domain that cannot be used to authenticate to the legitimate service. This cryptographic domain binding cannot be defeated by real-time interception techniques that work against one-time passwords. The legitimate service will reject authentication attempts using credentials generated for different domains, preventing account access even when attackers perfectly proxy the authentication flow. This resistance to phishing is a core design principle of FIDO2/WebAuthn, making these authentication methods the most effective technical defense against BlackForce and similar advanced phishing platforms.
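The origin binding this answer (and the phishing-resistant MFA recommendation above) relies on, as an added stand-alone model that is not code from BlackForce, Zscaler, or any WebAuthn library: the browser, authenticator and relying party are plain Python classes, and HMAC stands in for the credential's asymmetric signature (an assumption so the example runs with the standard library alone). What it demonstrates is real WebAuthn behaviour: the browser, not the page, writes the `origin` into clientDataJSON and refuses an RP ID that does not match the page's host, and the relying party checks origin, challenge, rpIdHash and the signature over `authenticatorData || SHA-256(clientDataJSON)`. The domain names are constructed.

```python
"""
Added example: why a relayed WebAuthn assertion fails where a relayed OTP succeeds.
Not from the original page. HMAC replaces the real signature; domains are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.test"   # constructed phishing origin


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Authenticator:
    """Holds the credential key. sign() models the signature a real key makes over
    authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)       # stand-in for the credential private key

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()


class Browser:
    """Fills clientDataJSON from the origin the page is really loaded on; the page cannot
    override it. Also enforces that rpId is the origin's host or a registrable parent."""

    @staticmethod
    def rp_id_allowed(rp_id: str, origin: str) -> bool:
        host = origin.split("://", 1)[1].split("/")[0].split(":")[0]
        return host == rp_id or host.endswith("." + rp_id)

    def get_assertion(self, auth: Authenticator, rp_id: str, challenge: bytes, page_origin: str) -> dict:
        if not self.rp_id_allowed(rp_id, page_origin):
            raise PermissionError("rpId is not valid for this origin")
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                  "origin": page_origin}, separators=(",", ":")).encode()
        # authenticatorData = rpIdHash(32) || flags(1: UP|UV) || signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
        signature = auth.sign(auth_data + hashlib.sha256(client_data).digest())
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


class RelyingParty:
    """The legitimate service's server-side checks (WebAuthn spec section 7.2, abbreviated)."""

    def __init__(self, rp_id: str, origin: str, auth: Authenticator):
        self.rp_id, self.origin, self.auth = rp_id, origin, auth   # auth stands in for the stored public key
        self.outstanding = set()

    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def finish_login(self, assertion: dict) -> str:
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return "bad type"
        challenge = b64url_decode(cd.get("challenge", ""))
        if challenge not in self.outstanding:
            return "unknown challenge"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        expected = self.auth.sign(auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest())
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad signature"
        self.outstanding.discard(challenge)
        return "ok"


def scenario(mode: str) -> str:
    auth, browser = Authenticator(), Browser()
    rp = RelyingParty(RP_ID, RP_ORIGIN, auth)
    challenge = rp.begin_login()          # in the relay cases the kit fetched this from the real site
    if mode == "direct":                  # victim on the real origin
        return rp.finish_login(browser.get_assertion(auth, RP_ID, challenge, RP_ORIGIN))
    if mode == "relay":                   # phishing page requests the real rpId on its own origin
        try:
            browser.get_assertion(auth, RP_ID, challenge, PHISH_ORIGIN)
            return "unexpected"
        except PermissionError:
            return "browser refused"
    # the only rpId the phishing origin may request; a real user would have no credential for it
    a = browser.get_assertion(auth, "evil.test", challenge, PHISH_ORIGIN)
    if mode == "relay_own_rpid":          # forward the assertion untouched
        return rp.finish_login(a)
    if mode == "relay_rewrite":           # patch origin and rpIdHash to look legitimate
        cd = json.loads(a["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
        a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
        return rp.finish_login(a)
    raise ValueError(mode)


if __name__ == "__main__":
    for m in ("direct", "relay", "relay_own_rpid", "relay_rewrite"):
        print(f"{m:16s} -> {scenario(m)}")
```

Every relay variant fails at a different check, and none of them can be fixed by being faster: the relay may forward the challenge in real time, but it cannot make the victim's browser sign for an origin it is not on.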

© 2026 Kinds Security Inc. All rights reserved.
