Date: 12/15/2025
Severity: Critical
Summary
BlackForce is an actively evolving phishing kit first observed in August 2025, designed to conduct advanced Man-in-the-Browser (MitB) attacks that enable real-time bypass of multi-factor authentication (MFA). It has been used to impersonate over 11 major brands, including Disney, Netflix, DHL, and UPS. The kit incorporates multiple evasion techniques, such as blocklisting security vendors, web crawlers, and scanners, to avoid detection. BlackForce has undergone rapid version updates, with version 3 prevalent until early August and versions 4 and 5 released shortly thereafter. Its dual-channel communication architecture separates the phishing server from a Telegram-based data drop, ensuring stolen credentials persist even if the phishing infrastructure is disrupted.
Indicators of Compromise (IOC) List
Type | Indicator
URLs/Domains | renew-netfix.com
URLs/Domains | telenet-flix.com
URLs/Domains | cuenta-renovacion-es.com
URLs/Domains | cuenta-renueva.com
URLs/Domains | netfx-actualizar.com
URLs/Domains | fixmy-nflix.info
URLs/Domains | supportnetfiixsavza.com
URLs/Domains | obnovintfx.help
URLs/Domains | netfliix-uae.com
URLs/Domains | myflx-sub.com
URLs/Domains | connectrenew-gateway.com
URLs/Domains | faq-help-center.com
URLs/Domains | centro-de-ayuda-help.com
API Keys | D25d84708emsh93f7fcec521ebbdp19097cjsn8c5c6927d768
API Keys | 209e6fc4bmsh3b5a51c4cceb480p151d44jsn4ceb15f1dfd2
API Keys | 950d778f8cmsh139147d5e35931fp1c9b90jsn7711b2ed7d7c
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "supportnetfiixsavza.com" or siteurl like "supportnetfiixsavza.com" or url like "supportnetfiixsavza.com"
or domainname like "fixmy-nflix.info" or siteurl like "fixmy-nflix.info" or url like "fixmy-nflix.info"
or domainname like "myflx-sub.com" or siteurl like "myflx-sub.com" or url like "myflx-sub.com"
or domainname like "obnovintfx.help" or siteurl like "obnovintfx.help" or url like "obnovintfx.help"
or domainname like "faq-help-center.com" or siteurl like "faq-help-center.com" or url like "faq-help-center.com"
or domainname like "centro-de-ayuda-help.com" or siteurl like "centro-de-ayuda-help.com" or url like "centro-de-ayuda-help.com"
or domainname like "renew-netfix.com" or siteurl like "renew-netfix.com" or url like "renew-netfix.com"
or domainname like "netfx-actualizar.com" or siteurl like "netfx-actualizar.com" or url like "netfx-actualizar.com"
or domainname like "connectrenew-gateway.com" or siteurl like "connectrenew-gateway.com" or url like "connectrenew-gateway.com"
or domainname like "telenet-flix.com" or siteurl like "telenet-flix.com" or url like "telenet-flix.com"
or domainname like "cuenta-renovacion-es.com" or siteurl like "cuenta-renovacion-es.com" or url like "cuenta-renovacion-es.com"
or domainname like "cuenta-renueva.com" or siteurl like "cuenta-renueva.com" or url like "cuenta-renueva.com"
or domainname like "netfliix-uae.com" or siteurl like "netfliix-uae.com" or url like "netfliix-uae.com"
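For teams that cannot run the TDIR query directly, the following is an added example (not code from this advisory, from Gurucul TDIR, or from the Zscaler analysis) that re-implements the intent of Detection Query 1 as an offline sweep of an exported proxy or DNS log against the domain and API-key IOCs listed above. The log line format, the helper names (parse_line, matching_ioc_domain, sweep) and the sample log lines are assumptions constructed for this example. One deliberate difference from a bare `like` pattern: depending on how the target platform evaluates `like`, a pattern without wildcards may behave as an exact or a substring match; the example matches domains on DNS label boundaries, so subdomains of an IOC domain are flagged while look-alike hosts that merely contain the string are not.

```python
"""Offline sweep of proxy/DNS exports for the BlackForce IOCs in this advisory.

Added example, not code from the advisory, from Gurucul TDIR or from the
Zscaler analysis: it re-implements the intent of Detection Query 1 in Python.
The log line format, the helper names and the sample lines are assumptions
constructed for this example; adapt parse_line() to your own export format.
"""
import re
from urllib.parse import urlsplit

# Domain IOCs, copied from the IOC list above.
IOC_DOMAINS = frozenset({
    "renew-netfix.com", "telenet-flix.com", "cuenta-renovacion-es.com",
    "cuenta-renueva.com", "netfx-actualizar.com", "fixmy-nflix.info",
    "supportnetfiixsavza.com", "obnovintfx.help", "netfliix-uae.com",
    "myflx-sub.com", "connectrenew-gateway.com", "faq-help-center.com",
    "centro-de-ayuda-help.com",
})

# API-key IOCs, copied from the IOC list above; matched as literal substrings
# of the full request URL (query strings included).
IOC_API_KEYS = (
    "D25d84708emsh93f7fcec521ebbdp19097cjsn8c5c6927d768",
    "209e6fc4bmsh3b5a51c4cceb480p151d44jsn4ceb15f1dfd2",
    "950d778f8cmsh139147d5e35931fp1c9b90jsn7711b2ed7d7c",
)

# Assumed export format: "<timestamp> <client-ip> <method> <url-or-host> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(host):
    """Lower-case, drop a trailing dot and a :port suffix so only DNS labels remain."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def matching_ioc_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Matching is done on label boundaries on purpose: "www.renew-netfix.com"
    matches, but "notrenew-netfix.com" and "renew-netfix.com.cdn.example" do
    not, whereas a plain substring test would flag both of those look-alikes.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def parse_line(line):
    """Parse one log line into a dict with a 'host' field; None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = rec["url"]
    # Proxy exports carry full URLs; DNS-style exports carry a bare hostname.
    if "://" in url:
        rec["host"] = normalize_host(urlsplit(url).hostname or "")
    else:
        rec["host"] = normalize_host(url)
    return rec


def sweep(lines):
    """Return hits as (client_ip, indicator_type, indicator, url) tuples, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort the sweep
        domain = matching_ioc_domain(rec["host"])
        if domain:
            hits.append((rec["src"], "domain", domain, rec["url"]))
        for key in IOC_API_KEYS:
            if key in rec["url"]:
                hits.append((rec["src"], "api_key", key, rec["url"]))
    return hits


# Constructed sample lines (not real traffic): two true positives for one IOC
# domain, two look-alikes that must not match, one clean line, and one API-key hit.
SAMPLE_LOG = """\
2025-12-15T09:12:01Z 10.0.4.17 GET https://www.renew-netfix.com/login 200
2025-12-15T09:12:05Z 10.0.4.17 POST https://renew-netfix.com/api/verify 302
2025-12-15T09:13:40Z 10.0.4.22 GET https://notrenew-netfix.com/ 200
2025-12-15T09:13:52Z 10.0.4.22 GET https://renew-netfix.com.cdn.example/ 200
2025-12-15T09:14:02Z 10.0.4.22 GET https://www.netflix.com/browse 200
2025-12-15T09:15:11Z 10.0.4.31 GET https://lookup.example/api?key=950d778f8cmsh139147d5e35931fp1c9b90jsn7711b2ed7d7c 200
"""

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Running the block as a script prints three hits from the constructed sample: the two requests to renew-netfix.com (one via the www subdomain) and the request carrying one of the listed API keys; the two look-alike hosts and the legitimate netflix.com request produce nothing. Each hit carries the client IP, which is the pivot for the follow-up (who entered credentials, and whether an MFA prompt was approved around that time).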
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit#introduction