Bluekit phishing kit bundles AI-assisted lures with 40+ brand templates
Researchers at Varonis Threat Labs identified Bluekit, a phishing-as-a-service kit that packages domain registration, phishing page deployment, campaign management, credential handling, and real-time victim session monitoring into a single dashboard. The platform ships with more than 40 templates impersonating major brands and services including Apple, Gmail, Outlook, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger, and it supports Telegram-based exfiltration of stolen data. Investigators said the kit is under active development and is designed to lower the barrier for less experienced cybercriminals.
Bluekit also advertises an AI Assistant that can help generate phishing campaign drafts and lists multiple model options, including Llama, GPT-4.1, Claude, Gemini, and DeepSeek. Testing found the feature remains immature: only the default Llama option worked without added configuration, and its output relied on placeholders rather than producing polished, ready-to-launch lures. Even so, researchers said Bluekit includes advanced evasion and attack features such as VPN and proxy blocking, headless-browser detection, fingerprint and device filtering, geolocation tricks, spoofing, voice cloning, antibot cloaking, and claimed support for bypassing two-factor authentication, raising concern that continued development could accelerate adoption in phishing campaigns.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Varonis warns Bluekit could broaden phishing adoption
Researchers assessed Bluekit as more than a basic credential theft kit but still immature compared with more automated phishing platforms, warning that its frequent updates and expanding feature set could increase adoption by lower-tier cybercriminals and support future phishing campaigns.
Researchers document Bluekit's 40+ templates and AI assistant
Analysis found Bluekit offers more than 40 phishing templates targeting major brands and services and includes an AI Assistant panel listing models such as Llama, GPT-4.1, Claude, Gemini, and DeepSeek. Testing showed the AI feature was still immature, producing draft phishing content with placeholders rather than polished campaigns.
Varonis identifies the Bluekit phishing platform in active development
Varonis Threat Labs identified Bluekit as an actively developed phishing kit that combines domain registration, phishing page setup, anti-analysis controls, campaign management, and real-time victim session monitoring in a centralized dashboard.
Sources
Bluekit Phishing Kit Automates Domains, 2FA Lures, and Session Hijacking in One Panel
cybersecuritynews.com
Bluekit phishing kit enables automated phishing with 40+ templates and AI tools - Security Affairs
securityaffairs.com
New Bluekit phishing service includes an AI assistant, 40 templates
bleepingcomputer.com


