A clean URL verdict does not always mean a safe destination—especially when attackers are actively shaping what automated analysis can see.
In June 2026, Abnormal researchers identified a new adversary-in-the-middle (AiTM) phishing-as-a-service (PhaaS) offering named Blacksite, advertised on a Russian-speaking cybercrime forum and on Telegram. Blacksite is a reverse-proxy “mirror” kit that intercepts authentication tokens, session cookies, and one-time 2FA codes in real time, enabling full account takeover against MFA-protected logins.
The phishing functionality is comparable to established kits such as Tycoon 2FA. The more important distinction is how the same actor sells Blacksite alongside Cloaked.gg, a cloaking service that conceals the phishing infrastructure from automated analysis systems. Blacksite handles the credential theft and session-hijacking workflow; Cloaked.gg provides the anti-detection layer around it.
That pairing is what makes the operation worth examining. The phishing mechanics may be familiar, but the cloaking layer can serve benign content to automated analysis while routing the intended target to the live phishing page.
The Operator: One Vendor, Two Products
Blacksite and Cloaked.gg are both sold by the threat actor kirapayload. Cloaked.gg is the older of the two, in production use since at least September 2025, while Blacksite followed in June 2026. Its listing names Cloaked.gg as the parent service and describes Blacksite as "an additional service for Cloaked.gg."
The two are advertised in different forum sections, a split that reflects the distinct role each plays. Cloaked.gg sits in servers and hosting ("Anti-bot Cloaking, Ignoring Abuse and DMCA, Anti-Red, Fingerprinting"), while Blacksite is listed under malware ("Bypass 2FA and MFA, Session Hijacking, Live Dashboard, Real Browser Cloning").
Priced at $1,000 per month—discounted to $600 for the first customers—Blacksite is sold in a stated capacity of twenty slots, seven of them already filled. Sales run through Telegram, and a Blacksite write-up was published to Telegraph on June 7, 2026. A verified purchaser's positive review confirms that the service is transacting.
Taken together, these are the markers of a productized offering rather than a one-off tool: a parent service with a paid add-on, introductory pricing, capacity-limited slots, and buyer reviews. That kind of commercialization lowers the skill needed to run AiTM phishing and widens the pool of actors who can, which is reason to treat a cloaking-paired kit as an emerging category rather than an isolated listing.
Blacksite: The AiTM Kit
Per the seller's documentation, Blacksite renders any target site in real time, working as a reverse-proxy "mirror" that relays traffic between the target and the real login. Its advertised capabilities map to a full account-takeover workflow:
Real-time capture of authentication tokens, cookies, and 2FA codes
A live dashboard of target sessions
Visitor fingerprint cloning replayed through rotating, geo-accurate residential IPs
Isolated real-browser instances
Remote browser control
Clipboard capture
What makes this full account takeover rather than ordinary credential theft is the proxy's position in the live session. Because the target authenticates against the real site through Blacksite, the kit captures the authentication tokens, cookies, and one-time 2FA code in real time as they pass through it. The session cookie is the decisive piece. It represents an already authenticated session, which enables the MFA bypass and session hijacking the kit advertises.
The other capabilities support that workflow. Fingerprint cloning, replayed via rotating, geo-accurate IPs, lets the operator's activity blend with the target's normal device and location. Isolated real-browser instances defeat anti-bot checks. And the live dashboard and remote browser control let the operator monitor and intervene in sessions in real time.
What It Mirrors and How It's Built
The seller lists multiple services that can be mirrored, including Google, Microsoft, Facebook, Instagram, banking portals, corporate SSO, and crypto wallets. That range spans consumer, financial, and enterprise identity, and corporate SSO is the detail that matters most for organizations. A kit able to proxy a single sign-on flow is not merely a consumer credential-theft tool but a potential route into corporate environments.
That breadth is matched by how the operation is built. The backend is described as Docker containerized with Nginx reverse-proxy routing—a reproducible, disposable design by nature. Deployments can be torn down and stood back up quickly, leaving the infrastructure more resilient to takedown and faster to redeploy.
Even so, all of this describes a phishing kit. A capable and scalable one, but a kit whose lures and login pages still have to survive contact with the automated systems that scan suspicious URLs. Keeping those systems from ever reaching the real phishing page is what the second product is built to do.
Cloaked.gg: The Anti-Detection Engine
Cloaked.gg is the anti-detection component of the operation, marketed as a "Bot Cloaking and Deceptive Traffic Defense" platform and operated through the dashboard shown in Figure 3.
Separating Security Tools from Targets
The platform’s one-click “Infrastructure Shields” block Amazon AWS, Google Cloud, and Microsoft Azure, along with hosting providers and residential proxies (Figure 4). Those are the same types of networks commonly used by sandboxes, URL-detonation crawlers, and scanners. The blocked-ASN (autonomous system number) list includes AS8075 (Microsoft), AS15169 (Google), and AS16509 (Amazon).
The platform hard-blocks VPN, proxy, Tor, and datacenter traffic and bans visitors by JA3 and JA4 TLS fingerprints across sessions. Among the block actions is a “White Page, show AI-generated legitimate page” option (Figure 5). Suspected scanners receive a benign decoy while real targets are passed to the phishing content. Other actions include silent connection drops and honeypot mode.
In practice, those controls create a split-view environment: traffic classified as automated sees harmless or blocked content, while intended targets can be routed toward the live phishing flow.
What the Operator Sees
The dashboard also provides real-time visitor feeds, risk scoring, and per-domain analytics; one view showed 3,946 requests with 326 bots blocked, and 101 IP addresses auto-blocked “from visitor capture.”
A “Visitor Security Analysis” view records a visitor at 20.102.82[.]167, attributed to AS8075 (Microsoft Corporation), with detection reasons “VPN detected, ASN blocked, no referrer” (Figure 6). The record shows a probe from Microsoft infrastructure being identified and blocked before reaching the phishing content.
A Security Product in Disguise
We assess with high confidence that Cloaked.gg is deliberately designed to resemble a legitimate enterprise anti-bot product. Its site and panel mirror the language of commercial bot-management platforms: account management, billing, a referral program, support, risk scores, JA3/JA4 fingerprinting, and ASN rules.
The disguise carries through to the listing itself. Its standard "only for sites you own" disclaimer is a performative cover that signals lawful use without constraining how the product is actually deployed. Cloaking-as-a-service offerings are also known to advertise through both criminal forums and mainstream marketing channels. In this case, the legitimate-looking presentation appears to serve multiple purposes: evasion, sales, and reputation laundering.
The Detonation Gap
This is where Blacksite and Cloaked.gg matter most for defenders. When automated URL analysis—whether from a security tool, sandbox, or crawler—follows a Blacksite URL, it often arrives from a cloud or data center ASN, without a referrer, and with a recognizable TLS fingerprint. Cloaked.gg identifies that traffic and serves a decoy. To automated analysis, the link appears benign or inaccessible; to the intended target, on a residential IP in a real browser, it can still resolve to the live phishing page.
This is visible in public scan data because Cloaked.gg was in production before Blacksite existed. The September 2025 Allegro lure domains ran behind it and were submitted to urlscan, which was never shown the phishing page. allegro-pl[.]site and allegro-pl[.]top returned a bare "403 Forbidden" (Figure 7), while the related deployment charliesdemons[.]com served a fully built decoy storefront for a fictional donut brand (Figure 8). The scanner saw a block page and a decoy site; a target would instead have been proxied to the genuine Allegro login.
The lesson for defenders sits in how those scan results looked: clean. A benign verdict on a cloaked URL is not evidence the URL is safe. Against infrastructure like this, a clean automated result has to be read as inconclusive rather than reassuring.
Detection Beyond the URL
Blacksite does not change the mechanics of AiTM phishing; it changes the reliability of evasion around it. Pairing a conventional phishing kit with a productized cloaking service turns evasion into something an attacker can buy rather than build.
Because Blacksite is engineered to make its URLs appear benign to automated analysis, defenders should not rely on URL reputation or sandbox detonation alone. The durable response is to stop treating a clean automated verdict as the end of the question and instead put the weight of detection on two things the cloaking does nothing to hide: the message itself, analyzed before a user ever engages, and, if an attacker succeeds in stealing a valid session, the identity and session behavior that follow authentication.
Blacksite is a reminder that security solutions shouldn’t evaluate any single signal in isolation. When attackers can shape what automated tools see, detection has to account for the full context of the attack: the message before engagement, the identity behind the request, and the session behavior that follows.
For additional insight into the attack landscape and analyses of other dark web tools, visit Abnormal Intelligence, our threat intelligence data and research hub.
Indicators of Compromise
| Type | Value | Note |
| --- | --- | --- |
| Domain | cloaked[.]gg | Cloaking platform/management |
| Domain | app.cloaked[.]gg | Customer panel (auth-gated) |
| Domain | api.cloaked[.]gg, cdn.cloaked[.]gg | Backend API / assets |
| Domain | capture.cloaked[.]gg | Per-target capture backend |
| Domain | allegro-pl[.]site, allegro-pl[.]top | Allegro phishing lures (Sept 2025) |
| Domain | charliesdemons[.]com, cloaked-demo[.]com | Cloaked.gg deployments |
| Telegram | @CloakedGG, @cloaked_gg | Support and channel |
| URL | telegra[.]ph/Cloakedgg-BlackSite-06-07 | Blacksite write-up |
| Actor | kirapayload | Underground forum member ID 150066 |
