Zscaler ThreatLabz has discovered a new phishing kit dubbed ‘BlackForce,’ first observed in early August 2025. Researchers say the toolkit has appeared in at least five distinct versions and is actively marketed on Telegram forums for between €200 and €300. BlackForce is designed to steal user credentials and conduct Man-in-the-Browser (MitB) attacks, allowing attackers to capture one-time passwords and dynamically bypass multi-factor authentication (MFA) in real time.
According to researchers, BlackForce is under active development and incorporates multiple evasion techniques, including blocklists that filter out security vendors, web crawlers, and automated scanners. The kit has been used to impersonate more than 11 well-known brands, including Disney, Netflix, DHL, and UPS.
ThreatLabz began investigating after it spotted a pattern across phishing campaigns: suspicious domains consistently referenced JavaScript files with cache-busting hashes in their filenames. This technique forces victims’ browsers to always load the latest malicious code rather than a cached version. Investigators traced this behavior to a single line of HTML that loads the entire phishing platform, revealing the kit’s entry point.
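A hunting sketch for the pivot described above, added here as an example and not ThreatLabz's own code or tooling: it flags near-empty pages whose only payload is a script with a hash in its filename, then groups domains that serve the identical bundle name. The filename pattern, the 40-character text threshold, and every domain, path and hash in the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed filename shape: name, "-" or ".", 8+ alphanumerics with a digit, ".js".
HASHED_JS = re.compile(r"^[\w-]+?[-.](?=[0-9a-z]*\d)[0-9a-z]{8,}\.js$", re.I)
NOT_VISIBLE = ("script", "style", "title")

class ShellScan(HTMLParser):
    """Collect external script file names and count visible text characters."""
    def __init__(self):
        super().__init__()
        self.scripts, self.text_len, self._skip = [], 0, 0
    def handle_starttag(self, tag, attrs):
        self._skip += tag in NOT_VISIBLE
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.scripts.append(urlparse(src).path.rsplit("/", 1)[-1])
    def handle_endtag(self, tag):
        if tag in NOT_VISIBLE and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        self.text_len += 0 if self._skip else len(data.strip())

def hashed_loaders(html, max_text=40):
    """Hashed script names on a near-empty 'loader' page; [] for content pages."""
    scan = ShellScan()
    scan.feed(html)
    scan.close()
    shell = scan.text_len <= max_text  # assumed cut-off for "no real content"
    return [s for s in scan.scripts if shell and HASHED_JS.match(s)]

def cluster_by_bundle(pages):
    """Map each hashed bundle name to the domains serving it (two or more)."""
    seen = defaultdict(set)
    for domain, html in pages.items():
        for name in hashed_loaders(html):
            seen[name].add(domain)
    return {n: sorted(d) for n, d in seen.items() if len(d) > 1}

# Constructed crawl results: every domain, path and hash below is made up.
SHELL = ('<html><head><title>Sign in</title></head><body><div id="root"></div>'
         '<script type="module" src="/assets/index-3f9a1c7e.js"></script></body></html>')
PAGES = {
    "parcel-track.example": SHELL,
    "stream-billing.example": SHELL.replace("Sign in", "Update payment"),
    "shop.example": '<div id="app"></div><script src="/static/main.7c1e55aa.js"></script>',
    "blog.example": "<p>" + "Long article text. " * 10 + '</p><script src="/js/app-9b2d44e1.js"></script>',
}
```

Hashed filenames are also the normal output of legitimate front-end build tools, so a single match (such as `shop.example` here) means little on its own; the same bundle name appearing on unrelated domains is the signal worth triaging.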
“It is important to note that not all BlackForce phishing campaigns display pages to steal MFA codes, since not all websites use MFA. If the website utilizes MFA, the BlackForce phishing kit’s control panel provides attackers with custom options (based on the target brand) to steal codes that are provided via SMS, card, or app-based authentication,” the researchers said.
Technically, BlackForce employs a dual-channel communication architecture that separates the phishing server from a Telegram-based data drop, ensuring stolen information remains accessible even if the phishing panel is taken down. The attack chain includes a vetting system to qualify targets, after which a live operator takes over to orchestrate the guided compromise.
The kit includes a networking module that uses the popular HTTP client Axios to manage all attacker communications.
“The authors of BlackForce are actively modifying and improving the phishing kit, as evidenced by the rapid release of multiple versions in a short period. The kit allows threat actors to conduct MitB attacks to bypass MFA, which can lead to a full account takeover,” the report warned.