
Technical Analysis of the BlackForce Phishing Kit

Medium
Published: Fri Dec 12 2025 (12/12/2025, 08:45:06 UTC)
Source: AlienVault OTX General

Description

The BlackForce phishing kit, first seen in August 2025, is a sophisticated phishing toolkit designed to steal credentials and bypass multi-factor authentication (MFA) using Man-in-the-Browser (MitB) attacks. It impersonates popular brands, leveraging advanced evasion techniques such as blocklists for security vendors and web crawlers to avoid detection. The kit uses a dual-channel communication setup, separating phishing servers from Telegram-based data drops, enabling real-time alerts to attackers. Its attack chain includes user validation, credential capture, and session management via a command-and-control panel. Rapid version updates indicate active development to enhance resilience and evade defenses. The kit targets users through multiple phishing domains, many mimicking streaming services, suggesting a broad attack surface. European organizations face risks from credential theft and MFA bypass, potentially leading to unauthorized access and data breaches. Mitigation requires targeted detection of phishing domains, enhanced user awareness, and monitoring of Telegram-based communications. Countries with high streaming service usage and digital service adoption, such as Spain, Germany, and the UK, are likely most affected.

AI-Powered Analysis

Last updated: 12/12/2025, 13:17:16 UTC

Technical Analysis

The BlackForce phishing kit is a recently identified, actively developed phishing toolkit first observed in August 2025. It is engineered to steal user credentials and perform Man-in-the-Browser (MitB) attacks, allowing it to bypass multi-factor authentication mechanisms. The kit impersonates various well-known brands, primarily targeting users of popular streaming services, as evidenced by the phishing domains that mimic Netflix and similar platforms. BlackForce employs sophisticated evasion techniques, including blocklists that prevent security vendors and web crawlers from accessing the phishing pages, thereby reducing detection likelihood. It features a dual-channel communication architecture: one channel hosts the phishing server that interacts with victims, while the other uses Telegram as a drop channel to send stolen data and real-time alerts to attackers. This separation complicates traditional detection methods. The attack chain involves validating users to ensure targets are legitimate, capturing credentials stealthily, and managing phishing sessions through a command-and-control panel that supports stateful attack models and anti-analysis filters. The rapid versioning and continuous updates indicate an active development cycle aimed at improving evasion and resilience against defensive measures. Although no known exploits in the wild have been reported, the kit’s capabilities pose a significant threat to credential security and MFA integrity. The indicators include multiple phishing domains, many with Spanish-language elements, suggesting targeting of Spanish-speaking users or regions. The kit’s use of Telegram for data exfiltration also highlights the need for monitoring such communication channels. Overall, BlackForce represents a sophisticated evolution in phishing toolkits, combining credential theft with advanced evasion and real-time attacker notification.

Potential Impact

For European organizations, the BlackForce phishing kit presents a multifaceted threat. Credential theft can lead to unauthorized access to corporate and personal accounts, potentially resulting in data breaches, financial fraud, and identity theft. The ability to bypass MFA significantly increases the risk, as many organizations rely on MFA as a primary defense against account compromise. The use of Man-in-the-Browser attacks means that even encrypted sessions can be intercepted and manipulated, undermining trust in secure communications. The phishing domains mimic popular streaming services, which may be used as initial lures, but the underlying techniques can be adapted to target corporate credentials, especially in sectors with high digital service usage. Real-time alerts to attackers enable rapid exploitation of stolen credentials before victims or defenders can react. The evasion techniques complicate detection by traditional security tools, increasing the likelihood of successful phishing campaigns. This threat could disrupt business operations, damage reputations, and lead to regulatory penalties under GDPR if personal data is compromised. The use of Telegram as a communication channel for attackers also complicates incident response and attribution.

Mitigation Recommendations

European organizations should implement targeted detection and blocking of the identified phishing domains and monitor for similar domain registrations that mimic popular brands. Deploy advanced email filtering solutions that incorporate URL rewriting and sandboxing to detect phishing attempts. Enhance user awareness training focused on recognizing phishing attempts that impersonate streaming services and other common lures. Employ endpoint detection and response (EDR) tools capable of identifying Man-in-the-Browser activity and unusual browser behaviors. Monitor network traffic for suspicious Telegram API usage or connections to known malicious Telegram channels, as this is a key component of BlackForce’s data exfiltration. Implement adaptive MFA solutions that include risk-based authentication and device fingerprinting to reduce the effectiveness of MFA bypass techniques. Regularly update and patch browsers and security software to mitigate exploitation of browser vulnerabilities. Establish incident response playbooks specifically for phishing and MitB attacks, including rapid credential reset procedures and forensic analysis of affected systems. Collaborate with threat intelligence sharing groups to stay informed about emerging BlackForce variants and indicators of compromise.
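The first recommendation above (detect and block the listed phishing domains and watch for similar brand-mimicking registrations) can be turned into a small log-scanning check. The following is an added example written for this page, not code from AlienVault, Zscaler or the BlackForce analysis: it matches DNS query names against the Indicators of Compromise listed further down, and adds an edit-distance heuristic that flags registrations whose registrable label is within two edits of "netflix" (netfix, netfiix, nflix, netfx and similar). The log format, the client addresses, the `netflix-account-verify.example` lookalike and the two-label registered-domain shortcut (no public-suffix list offline) are all assumptions made for the example.

```python
import re

# Phishing domains as listed under Indicators of Compromise on this page.
BLACKFORCE_DOMAINS = frozenset({
    "centro-de-ayuda-help.com",
    "connectrenew-gateway.com",
    "cuenta-renovacion-es.com",
    "cuenta-renueva.com",
    "faq-help-center.com",
    "fixmy-nflix.info",
    "myflx-sub.com",
    "netfliix-uae.com",
    "netfx-actualizar.com",
    "obnovintfx.help",
    "renew-netfix.com",
    "supportnetfiixsavza.com",
    "telenet-flix.com",
})

# Brand imitated by the kit's streaming lures; the genuine domain is allowlisted so it is never flagged.
BRAND = "netflix"
LEGITIMATE_DOMAINS = frozenset({"netflix.com"})


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list is available offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matches_ioc(host: str) -> bool:
    """Exact match against the IoC list, including any subdomain of a listed domain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in BLACKFORCE_DOMAINS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(host: str, brand: str = BRAND, max_distance: int = 2) -> bool:
    """Heuristic: the registrable label, with separators and digits stripped, contains a
    substring of roughly the brand's length within max_distance edits of the brand name."""
    reg = registered_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return False
    compact = re.sub(r"[^a-z]", "", reg.split(".")[0])
    for size in range(len(brand) - 2, len(brand) + 2):
        for start in range(0, len(compact) - size + 1):
            if levenshtein(compact[start:start + size], brand) <= max_distance:
                return True
    return False


def classify(host: str):
    """'ioc' for a listed domain, 'lookalike' for a brand-mimicking name, None otherwise."""
    if matches_ioc(host):
        return "ioc"
    if brand_lookalike(host):
        return "lookalike"
    return None


# Constructed sample DNS query log (not from the page): "timestamp client qtype qname".
SAMPLE_DNS_LOG = """\
2025-12-12T09:01:22Z 10.20.30.41 A renew-netfix.com
2025-12-12T09:01:25Z 10.20.30.41 A www.netflix.com
2025-12-12T09:02:10Z 10.20.30.77 A login.myflx-sub.com
2025-12-12T09:03:05Z 10.20.30.12 AAAA netflix-account-verify.example
2025-12-12T09:03:40Z 10.20.30.12 A centro-de-ayuda-help.com
2025-12-12T09:04:01Z 10.20.30.55 A mail.example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(text: str) -> list:
    """Return (timestamp, client, qname, reason) for every query that hits the IoC list
    or the lookalike heuristic; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        reason = classify(qname)
        if reason:
            hits.append((ts, client, qname, reason))
    return hits


if __name__ == "__main__":
    for ts, client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {qname} [{reason}]")
```

Note that two of the listed domains (`centro-de-ayuda-help.com`, `myflx-sub.com`) are caught only by the exact IoC match and not by the brand heuristic, which is why both layers are kept: the list covers what is already known, the heuristic surfaces new registrations of the same pattern for analyst review rather than automatic blocking.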


Technical Details

Author: AlienVault
TLP: white
References: https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit
Adversary: null
Pulse Id: 693bd6126b0e51b63c7cd87f
Threat Score: null

Indicators of Compromise

Type: domain

centro-de-ayuda-help.com
connectrenew-gateway.com
cuenta-renovacion-es.com
cuenta-renueva.com
faq-help-center.com
fixmy-nflix.info
myflx-sub.com
netfliix-uae.com
netfx-actualizar.com
obnovintfx.help
renew-netfix.com
supportnetfiixsavza.com
telenet-flix.com

Threat ID: 693c14a1b9e9371f90071a05

Added to database: 12/12/2025, 1:12:01 PM

Last enriched: 12/12/2025, 1:17:16 PM

Last updated: 12/14/2025, 6:39:09 PM

Views: 77
