Technical Analysis of the BlackForce Phishing Kit www.zscaler.com/blogs/sec…
Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300.
In this blog post, ThreatLabz examines the BlackForce phishing kit, including its evolution, evasion techniques, and architecture. The analysis examines versions 3, 4, and 5 of BlackForce, followed by a comparison highlighting the key differences and advancements across these versions.
