VERY IMPORTANT

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, including a blocklist for security vendors and web crawlers. The kit features a dual-channel communication architecture, separating the phishing server from a Telegram drop. Its attack chain includes user validation, credential capture, and real-time alerts to attackers. BlackForce employs anti-analysis filters, stateful attack models, and a command-and-control panel for managing phishing sessions. The rapid versioning indicates active development and adaptation to improve resilience and evade detection.