New Blacksite phishing kit bundles AiTM attacks with scanner evasion

A new phishing kit called Blacksite is making the rounds on cybercriminal forums, and it’s packing a nasty one-two punch: adversary-in-the-middle attacks combined with built-in evasion against security scanners.

Developed by a threat actor known as kirapayload, Blacksite uses a tool called Cloaked.gg to detect and block automated scanners, sandboxes, and URL detonation tools. When a scanner visits, the site can show a fake benign page, return an error code, or just drop the connection entirely. One option even generates a fake AI-powered business webpage.

The kit itself uses AiTM (adversary-in-the-middle) techniques to defeat MFA. It sets up a reverse proxy that mirrors a real login page — Google, Microsoft, banking portals, crypto wallets — and captures credentials, MFA tokens and cookies in real time. The backend runs in Docker containers with Nginx, making the whole setup easy to redeploy if domains get taken down.

Blacksite also clones visitor fingerprints and uses rotating IPs that match the victim’s location, making it harder for services to flag suspicious logins. Attackers get a dashboard to monitor campaigns and even interact with live victim sessions.

Cloaked.gg blocks traffic from AWS, Google Cloud, Azure, VPNs, proxies, Tor, and known TLS fingerprints. It’s been around since September 2025, with Blacksite pitched as “an additional service.”

The takeaway: defenders can’t rely solely on automated link scanning anymore. When attackers control what tools see, detection needs to account for message context, identity, and post-click behavior.