Technical Deep Dive: The Adversary-in-the-Middle Attack Chain
The operational framework of Blacksite relies on a highly structured containerized architecture using Docker backends and Nginx reverse proxies. Rather than attempting to spoof complex corporate login pages, the system acts as an interactive proxy that sits directly between the victim and the legitimate service provider. This mechanism executes a highly organized step-by-step attack sequence that proceeds as follows:
Step 1: Initial Access Delivery
Attackers distribute malicious URLs through standard vectors, including spear-phishing emails, tailored SMS messages, and QR codes. These links point to infrastructure controlled by the attacker, which is dynamically routed using the framework backend.
Step 2: Traffic Segmentation and Evasion
Before a visitor is allowed to interact with the phishing framework, the traffic is routed through Cloaked.gg, a sophisticated bot evasion and cloaking platform developed by the same author. This stage determines whether the connection is a real target or an automated security crawler.
Step 3: Real-Time Mirroring and MFA Interception
If the visitor is validated as a legitimate human target, the Nginx reverse proxy mirrors the target website in real-time. When the user inputs their username and password, the data is captured. When the legitimate server issues an MFA challenge (such as a time-based one-time password or push challenge), the proxy forwards the prompt to the victim. Once completed, the victim is successfully authenticated to the real service, while the proxy intercepts the resulting session cookies and OAuth tokens.
Step 4: Session Hijacking and Persistent Access
The stolen authentication tokens are instantly uploaded to an attacker dashboard. To bypass location-based alerts or anomalous access controls, the attacker clones the victim's exact browser fingerprint and replays the session using a geographically matched residential proxy matching the victim's physical area.
[Target Clicks Link] -> [Evasion Check (Cloaked.gg)]
|
+----------------------+----------------------+
| (Automated Crawler) | (Real Victim)
v v
[Serve Safe Decoy Page] [Mirror Login via Nginx Proxy]
(e.g., Charliesdemons.com) |
v
[Intercept Credentials & MFA]
|
v
[Extract Stolen Session Cookies]
|
v
[Replay Session via Resident Proxy]