Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg
Blacksite is a newly identified adversary-in-the-middle phishing-as-a-service offering sold alongside Cloaked.gg, a cloaking platform that conceals phishing infrastructure from automated security analysis. The kit operates as a reverse-proxy that intercepts authentication tokens, session cookies, and 2FA codes in real time, enabling full account takeover even against MFA-protected accounts. Cloaked.gg blocks traffic from AWS, Google Cloud, and Azure networks while serving AI-generated decoy pages to suspected scanners, making malicious URLs appear benign during automated analysis. Priced between $600-$1,000 monthly, the service commercializes sophisticated AiTM techniques, lowering technical barriers for attackers. The pairing of credential theft capabilities with anti-detection infrastructure creates a split-view environment where security tools see harmless content while intended victims are routed to live phishing pages targeting consumer, financial, and enterprise identity systems.
AI Analysis
Technical Summary
Blacksite is a newly identified AiTM phishing kit sold as a phishing-as-a-service offering paired with Cloaked.gg, a cloaking platform designed to evade automated security analysis. The kit functions as a reverse-proxy that captures authentication tokens, session cookies, and two-factor authentication codes in real time, facilitating full account takeover even when MFA is enabled. Cloaked.gg enhances evasion by blocking scanner traffic from AWS, Google Cloud, and Azure IP ranges and serving AI-generated decoy pages to make malicious URLs appear benign during automated scans. This combination enables attackers to conduct sophisticated credential theft campaigns with reduced detection risk. The service targets consumer, financial, and enterprise identity systems and is priced between $600 and $1,000 monthly. There are no known exploits in the wild beyond the service's own operation, and no software patch or vendor fix applies.
Potential Impact
The threat enables attackers to bypass multi-factor authentication protections by intercepting authentication tokens, session cookies, and 2FA codes in real time, leading to full account takeover. The cloaking technology reduces detection by automated URL scanners and security tools, increasing the likelihood of successful phishing attacks. This can result in credential theft affecting consumer, financial, and enterprise accounts, potentially causing financial loss, identity theft, and unauthorized access to sensitive systems.
Mitigation Recommendations
No official patches or fixes exist as this is a phishing service rather than a software vulnerability. Defenders should focus on user education to recognize phishing attempts, implement strong anomaly detection for account activity, and consider additional security controls such as hardware-based MFA tokens or phishing-resistant authentication methods. Monitoring for the listed malicious domains and blocking or blacklisting them in network defenses can help reduce exposure. Since the service evades automated scanners, reliance solely on URL scanning is insufficient.
Indicators of Compromise
- domain: allegro-pl.site
- domain: allegro-pl.top
- domain: charliesdemons.com
- domain: cloaked-demo.com
- domain: cloaked.gg
- domain: api.cloaked.gg
- domain: capture.cloaked.gg
- domain: cdn.cloaked.gg
Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg
Description
Blacksite is a newly identified adversary-in-the-middle phishing-as-a-service offering sold alongside Cloaked.gg, a cloaking platform that conceals phishing infrastructure from automated security analysis. The kit operates as a reverse-proxy that intercepts authentication tokens, session cookies, and 2FA codes in real time, enabling full account takeover even against MFA-protected accounts. Cloaked.gg blocks traffic from AWS, Google Cloud, and Azure networks while serving AI-generated decoy pages to suspected scanners, making malicious URLs appear benign during automated analysis. Priced between $600-$1,000 monthly, the service commercializes sophisticated AiTM techniques, lowering technical barriers for attackers. The pairing of credential theft capabilities with anti-detection infrastructure creates a split-view environment where security tools see harmless content while intended victims are routed to live phishing pages targeting consumer, financial, and enterprise identity systems.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Blacksite is a newly identified AiTM phishing kit sold as a phishing-as-a-service offering paired with Cloaked.gg, a cloaking platform designed to evade automated security analysis. The kit functions as a reverse-proxy that captures authentication tokens, session cookies, and two-factor authentication codes in real time, facilitating full account takeover even when MFA is enabled. Cloaked.gg enhances evasion by blocking scanner traffic from AWS, Google Cloud, and Azure IP ranges and serving AI-generated decoy pages to make malicious URLs appear benign during automated scans. This combination enables attackers to conduct sophisticated credential theft campaigns with reduced detection risk. The service targets consumer, financial, and enterprise identity systems and is priced between $600 and $1,000 monthly. There are no known exploits in the wild beyond the service's own operation, and no software patch or vendor fix applies.
Potential Impact
The threat enables attackers to bypass multi-factor authentication protections by intercepting authentication tokens, session cookies, and 2FA codes in real time, leading to full account takeover. The cloaking technology reduces detection by automated URL scanners and security tools, increasing the likelihood of successful phishing attacks. This can result in credential theft affecting consumer, financial, and enterprise accounts, potentially causing financial loss, identity theft, and unauthorized access to sensitive systems.
Mitigation Recommendations
No official patches or fixes exist as this is a phishing service rather than a software vulnerability. Defenders should focus on user education to recognize phishing attempts, implement strong anomaly detection for account activity, and consider additional security controls such as hardware-based MFA tokens or phishing-resistant authentication methods. Monitoring for the listed malicious domains and blocking or blacklisting them in network defenses can help reduce exposure. Since the service evades automated scanners, reliance solely on URL scanning is insufficient.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://abnormal.ai/es/blog/blacksite-aitm-phishing-kit-cloaked-gg"]
- Adversary
- kirapayload
- Pulse Id
- 6a463469f06125cbab68ef8c
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainallegro-pl.site | — | |
domainallegro-pl.top | — | |
domaincharliesdemons.com | — | |
domaincloaked-demo.com | — | |
domaincloaked.gg | — | |
domainapi.cloaked.gg | — | |
domaincapture.cloaked.gg | — | |
domaincdn.cloaked.gg | — |
Threat ID: 6a46382327e9c79719acacde
Added to database: 07/02/2026, 10:06:27 UTC
Last enriched: 07/02/2026, 10:21:24 UTC
Last updated: 07/03/2026, 01:12:30 UTC
Views: 41
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.