A new phishing kit called Blacksite comes bundled with an evasion tool called Cloaked.gg, enabling adversary-in-the-middle (AiTM) attacks while avoiding detection by anti-phishing tools, Abnormal AI reported Thursday.

Blacksite and Cloaked.gg were both developed by a threat actor known as kirapayload, who first began advertising Blacksite on cybercriminal forums and Telegram this month, according to Abnormal. Cloaked.gg appeared earlier, in September 2025, with the developer calling Blacksite “an additional service for Cloaked.gg.”

The phishing kit uses AiTM methods to defeat multi-factor authentication: a reverse-proxy “mirror” impersonates a legitimate site while capturing and relaying the victim’s inputs and the service’s responses in real time, Abnormal described. The kit supports impersonation of a wide variety of services, including Google, Microsoft, Facebook, Instagram, online banking portals, corporate single sign-on portals and cryptocurrency wallets.

When the victim submits their credentials and MFA codes to the phishing site, Blacksite captures these along with the authentication tokens and cookies issued by the service, enabling full account takeover. Abnormal explains that Blacksite uses a Docker-containerized backend with Nginx reverse-proxy routing to relay the contents of legitimate login pages in real time rather than relying on static spoofed templates. The infrastructure is described as “reproducible” and “disposable,” making phishing sites easier to redeploy if taken down.

Blacksite also captures and clones visitor fingerprints and uses rotating IP addresses matching the victim’s geolocation to impersonate the victim when accessing compromised accounts. A dashboard enables attackers to monitor visitors, track campaigns and interact with live victim sessions.

Cloaked.gg aims to prevent security tools from detecting Blacksite’s malicious domains by automatically blocking traffic that appears to come from automated scanners or analysis environments. Users can customize blocking rules, including which ASNs to restrict and what the phishing sites should return when a restricted visitor is detected.

The tool’s “Infrastructure Shields” option automatically blocks traffic from Amazon AWS, Google Cloud, Microsoft Azure and other services commonly used by scanners, sandboxes and URL detonation tools, Abnormal reported. Cloaked.gg also blocks traffic from VPNs, proxies, Tor, datacenters and visitors identified by their JA3 and JA4 TLS fingerprints.

Options for block actions include displaying 403, 404, 429 or 504 errors, redirecting to another site, displaying a CAPTCHA or dropping the connection entirely. One option, called “White Page,” causes the site to display an AI-generated webpage for a seemingly legitimate business.

Abnormal concluded that services like Cloaked.gg, used in conjunction with phishing kits like Blacksite, show that defenders should not rely solely on verdicts from automated link scanning tools to determine whether an email or domain is safe.

“When attackers can shape what automated tools see, detection has to account for the full context of the attack: the message before engagement, the identity behind the request, and the session behavior that follows,” the researchers wrote.
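The practical consequence of the cloaking behavior described above is that one scanner verdict cannot clear a URL; a defender has to compare what different vantage points see. The following differential check is an added example, not code from Abnormal's report or from either tool: it assumes the operator has already fetched the URL from labelled vantage points (cloud ASNs, Tor, residential) and flags the pattern where only non-scanner vantages receive a credential form while scanner vantages get the 403/404/429/504 errors, redirects, CAPTCHAs or a benign “white page” the article lists. The probe data is constructed.

```python
"""Differential-vantage cloaking check (added example; sample data is constructed)."""
from dataclasses import dataclass
import re

# Block responses and evasion content described for Cloaked.gg.
BLOCK_STATUSES = {403, 404, 429, 504}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
LOGIN_MARKERS = re.compile(r"type=[\"']?password|one-time code|verification code", re.I)

# Vantage labels the probe operator assigns (assumed naming, not from the article).
SCANNER_VANTAGES = {"aws", "gcp", "azure", "datacenter", "vpn", "proxy", "tor"}


@dataclass
class Probe:
    vantage: str      # where the fetch originated, e.g. "aws" or "residential"
    status: int       # HTTP status returned to that vantage
    body: str         # response body (or empty if the connection was dropped)


def classify(p: Probe) -> str:
    """Map one fetch to the kind of page the vantage was served."""
    if p.status in BLOCK_STATUSES:
        return "blocked"
    if p.status in REDIRECT_STATUSES:
        return "redirected"
    if LOGIN_MARKERS.search(p.body):
        return "login_form"          # the credential-harvesting mirror
    if re.search(r"captcha", p.body, re.I):
        return "captcha"
    return "benign_page"             # includes an AI-generated 'white page'


def cloaking_verdict(probes) -> str:
    """Compare scanner-side and residential-side views of the same URL."""
    scanner = {classify(p) for p in probes if p.vantage in SCANNER_VANTAGES}
    human = {classify(p) for p in probes if p.vantage not in SCANNER_VANTAGES}
    if "login_form" in human and scanner and "login_form" not in scanner:
        return "likely_cloaked"      # only non-scanner traffic reaches the mirror
    if scanner == human:
        return "consistent"          # every vantage sees the same class of page
    return "inconsistent"            # differs, but not in the cloaking pattern


# Constructed observations of one URL from four vantage points (not real data).
SAMPLE_PROBES = [
    Probe("aws", 404, "Not Found"),
    Probe("azure", 403, "Forbidden"),
    Probe("tor", 200, "<h1>Acme Consulting</h1><p>Trusted advisors since 1998.</p>"),
    Probe("residential", 200, '<form><input type="password" name="passwd"></form>'),
]

if __name__ == "__main__":
    print(cloaking_verdict(SAMPLE_PROBES))  # likely_cloaked
```

A “likely_cloaked” result is a reason to treat a clean scanner verdict as uninformative and fall back on message context and session behavior, as the researchers recommend.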