Bluekit is a new phishing-as-a-service (PhaaS) kit that rolls domain registration, credential harvesting, session hijacking, antibot cloaking, and an AI assistant into a single operator dashboard, marking a significant evolution in how threat actors build and deploy phishing campaigns.
Bluekit is not just another phishing page generator. It represents a structural shift in how phishing kits are packaged and sold. Historically, phishing operators sourced components from separate vendors: a credential-harvesting page from one seller, a domain rotator from another, and an SMS gateway from a third.
Bluekit collapses this fragmented supply chain into a unified panel. The kit advertises over 40 brand-impersonation templates, automated domain purchase and registration, 2FA bypass support, spoofing, geolocation emulation, Telegram and browser notifications, and antibot cloaking, all accessible from a single interface.
Varonis researchers obtained hands-on access to Bluekit’s operator dashboard, giving them a rare inside look at the full kit, from site creation flows and post-capture logs to the AI Assistant panel.
The discovery puts Bluekit firmly in the category of all-in-one PhaaS platforms, a market segment that has exploded over the past year: according to Barracuda Networks, the number of known phishing kits doubled during 2025, with 90% of high-volume campaigns relying on PhaaS infrastructure.
Bluekit Phishing Kit Uses AI
Bluekit ships with templates covering a wide range of high-value services. The breadth of these templates signals that Bluekit is designed to support both opportunistic credential harvesting and targeted, sector-specific campaigns.
The operator panel is where Bluekit’s “all-in-one” promise is put to the test. The dashboard covers site creation, domain setup, captured credential logs, delivery tooling, and campaign support with Telegram wired in as the default exfiltration channel for stolen data.
Operators can purchase or connect domains from the same interface used to manage phishing pages and logs, eliminating the need to switch across external services.
The site-creation flow is notably streamlined: operators select a target domain, choose an attack mode, and pick from the full template library in a single configuration screen.
Once a page goes live, Bluekit exposes granular controls over site behavior, including login-detection actions, redirect handling, anti-analysis checks, spoofing options, and device-type filters, all from within the same panel.
Beyond initial credential capture, Bluekit tracks session state in real time. The “Mammoth Details” view stores repeated dumps of cookies and local storage and maintains a live view of what the target sees post-login, indicating that the kit is designed for full session hijacking, not just a simple username-and-password grab.
Operators can also configure proxy detection filters and block traffic originating from VPNs, headless browsers, and known security researcher IP ranges, capabilities that actively degrade defenders’ ability to analyze live campaigns.
The most attention-grabbing feature in Bluekit is its built-in AI Assistant. The panel exposes multiple model options, including an abliterated (safety-filter-removed) version of Meta’s Llama as the default, alongside GPT-4.1, Claude Sonnet 4, Google Gemini, and DeepSeek variants.
The presence of commercial models like GPT-4.1 and Claude Sonnet 4 is especially notable; if those models are usable in practice, they are likely being accessed through jailbroken or otherwise permissive API instances, since standard configurations would block or refuse this type of output.
In practice, Varonis researchers found the AI Assistant to be more of a campaign skeleton generator than a polished phishing copilot. When tested with a detailed executive phishing brief, a Microsoft 365 MFA re-verification lure targeting a CISO, complete with a branded QR code and a credential-harvesting landing page, the assistant returned a structured draft that still relied heavily on generic placeholders, unconfigured QR blocks, and copy requiring significant cleanup.
The tool lowers the language barrier and accelerates initial drafting, particularly for non-native English speakers or less experienced operators. Still, it does not yet produce ready-to-deploy campaign content autonomously.
The broader PhaaS ecosystem is increasingly competitive, with Barracuda recording nearly 10 million attacks from the Mamba 2FA kit alone in late 2025, alongside active newcomers such as Cephas, Whisper 2FA, and GhostFrame.
Compared with more mature kits that have already pushed further into automation, Bluekit still shows signs of active development, but that pace is what makes it dangerous. Varonis researchers noted a rapid feature-release cadence, with new templates and capabilities shipping frequently enough that tracking updates became as important as waiting for live campaign deployment.
The combination of centralized automation, session-hijacking capability, MFA bypass, active AI integration, and aggressive anti-analysis filtering positions Bluekit as a kit with significant potential, particularly if adoption accelerates and the AI component matures.
Defensive Recommendations
Organizations can reduce exposure to Bluekit-style campaigns by adopting the following controls:
- Deploy phishing-resistant MFA (FIDO2/hardware keys) rather than SMS or TOTP-based 2FA, which Bluekit explicitly targets.
- Implement real-time session monitoring to detect abnormal post-login cookie reuse and session token theft.
- Enable browser fingerprinting and behavioral analytics at the identity provider level to flag anomalous login sessions.
- Train users on QR code phishing lures, since Bluekit’s AI component is specifically designed to draft QR-driven MFA bypass attacks.
- Monitor Telegram-based exfiltration indicators, as Telegram is Bluekit’s default channel for shipping stolen credentials.
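As an added illustration of the first two controls above (not code from Varonis or from the kit), the following Python detector runs over a constructed sign-in/activity log: it flags a session token that is presented from a different IP and user agent than the one that established it, which is what a replayed cookie dump looks like at the identity provider, and lists logins that completed with a relay-able MFA factor. The log format, field names, and values are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log (not real data): "ciso" signs in with TOTP, then the same
# session token reappears minutes later from another IP and a scripted client,
# the pattern a replayed cookie dump produces. "dev" is a clean FIDO2 session.
SAMPLE_LOG = [
    '{"ts":"2025-11-03T09:12:04Z","user":"ciso@example.test","session":"s-1a2b","ip":"203.0.113.10","ua":"Chrome/130 Windows","event":"login","mfa":"totp"}',
    '{"ts":"2025-11-03T09:12:09Z","user":"ciso@example.test","session":"s-1a2b","ip":"203.0.113.10","ua":"Chrome/130 Windows","event":"mailbox.read"}',
    '{"ts":"2025-11-03T09:19:41Z","user":"ciso@example.test","session":"s-1a2b","ip":"198.51.100.77","ua":"python-requests/2.32","event":"mailbox.read"}',
    '{"ts":"2025-11-03T09:20:02Z","user":"ciso@example.test","session":"s-1a2b","ip":"198.51.100.77","ua":"python-requests/2.32","event":"inbox.rule.create"}',
    '{"ts":"2025-11-03T10:02:00Z","user":"dev@example.test","session":"s-9f8e","ip":"192.0.2.5","ua":"Safari/17 macOS","event":"login","mfa":"fido2"}',
    '{"ts":"2025-11-03T10:05:00Z","user":"dev@example.test","session":"s-9f8e","ip":"192.0.2.5","ua":"Safari/17 macOS","event":"mailbox.read"}',
]

# Factors an adversary-in-the-middle proxy can relay; FIDO2 is origin-bound and is not.
PHISHABLE_MFA = {"sms", "totp", "push", "none"}

def parse_log(lines):
    events = [json.loads(line) for line in lines]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect_session_reuse(events, window=timedelta(hours=1)):
    """One alert per session whose token is presented from a different
    (ip, user-agent) pair than the one that established it, within `window`."""
    origin = {}   # session -> (first-seen ts, ip, ua)
    alerts = {}
    for ev in events:
        sid, fp = ev["session"], (ev["ip"], ev["ua"])
        if sid not in origin:
            origin[sid] = (ev["ts"], *fp)
            continue
        ts0, ip0, ua0 = origin[sid]
        if fp != (ip0, ua0) and ev["ts"] - ts0 <= window:
            alert = alerts.setdefault(sid, {"user": ev["user"], "origin": (ip0, ua0),
                                            "reused_from": fp, "events": []})
            alert["events"].append(ev["event"])   # what the replayed token did
    return alerts

def weak_mfa_logins(events):
    """Users whose login completed with an MFA factor a phishing proxy can relay."""
    return sorted({ev["user"] for ev in events
                   if ev["event"] == "login" and ev.get("mfa", "none") in PHISHABLE_MFA})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(json.dumps(detect_session_reuse(evs), indent=2))
    print("logins with phishable MFA:", weak_mfa_logins(evs))
```

In a real deployment the fingerprint comparison would use the identity provider's own device or browser fingerprint rather than raw IP and user-agent strings, and an inbox-rule creation right after the mismatch is the kind of post-login action worth escalating.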
FAQs
Q1: What is Bluekit?
Bluekit is an AI-powered, all-in-one phishing-as-a-service kit discovered by Varonis Threat Labs that combines 40+ brand templates, automated domain registration, session hijacking, and an AI assistant into a single operator dashboard.
Q2: Which brands does Bluekit impersonate?
Bluekit targets Gmail, Outlook, iCloud, Apple ID, GitHub, Yahoo, ProtonMail, Hotmail, Twitter, Zoho, Zara, and Ledger, among others.
Q3: How does Bluekit’s AI assistant work?
It integrates multiple large language models, including an uncensored Llama variant, GPT-4.1, Claude Sonnet 4, Gemini, and DeepSeek, to help attackers draft phishing campaign outlines. However, the output currently requires manual refinement before deployment.
Q4: How can organizations defend against Bluekit?
Deploying FIDO2 phishing-resistant MFA, monitoring for abnormal session reuse, blocking Telegram-based data exfiltration, and training users on QR-based lures are the most effective first-line defenses.
Site: https://thecybrdef.com