- Researchers discovered a new complex phishing kit
- Bluekit offers phishing in a software-as-a-service package
- An entire campaign can be centralized and automated, and aided by AI
Bluekit is a new phishing kit discovered by researchers at Varonis Threat Labs, who examined it first-hand to explore its capabilities.
The phishing kit has a wide range of dangerous features, including the ability to imitate more than 40 well-known brands, geolocation emulation, and an AI assistant that guides the attacker through an attack.
Bluekit is highly professionalized and provides attackers with a sophisticated all-in-one dashboard to launch a phishing campaign.
Bluekit streamlines cybercrime
Rather than leaving attackers to bundle together each component of a phishing attack from different vendors, Bluekit acts much like a software-as-a-service platform, with a dashboard that centralizes and automates phishing workflows, significantly lowering the barrier to entry for potentially devastating phishing attacks.
Bluekit manages domain registration, site hosting and data exfiltration on a single panel and offers emulation of popular global platforms including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara and Ledger. Offering such a wide range of targets allows attackers to quickly switch between targets, run recognizable but local campaigns, and even launch attacks simultaneously.
The platform also integrates the Telegram messaging application to provide real-time alerts in the event of a successful exfiltration.
Varonis also explored the platform’s AI assistant, which they said could be potentially jailbroken variants of Llama, GPT-4.1, Sonnet 4, Gemini and DeepSeek. In testing, the AI agent was able to craft “skeleton” phishing emails that required little modification in order to create convincing localized lures. Typically, an official AI model would reject any attempt to compose a phishing email, but jailbroken versions have these guardrails removed.
In order to harvest credentials, Bluekit is able to hijack sessions and extract cookies, allowing the attacker to bypass multi-factor authentication (MFA) protocols by using the stolen active browser session to impersonate the authenticated user. The platform also allows the attacker to see a live feed of the target’s screen after logging in and browsing the fake page.
To help the automated attack avoid detection, Bluekit also includes features that allow it to cloak itself from bot detection tools, along with anti-analysis controls that block headless user agents, headless resolutions, mismatched fingerprints, proxies, and virtual private networks (VPNs) from accessing the site. Access can also be restricted to desktop or mobile devices only.
For some platforms, logging in from an unusual location may trigger an alert to the user with steps to secure their account. To avoid these notifications, Bluekit’s location emulation capabilities can make the connection appear to be coming from a normal location.
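Because a stolen session can be replayed from a location that looks expected, a geolocation-only check stays silent. The following added example (not from the Varonis research or this article) compares each request with the attributes recorded at login; the field names, session IDs and log events are constructed assumptions.

```python
# Added example: flag session cookies presented by a client that differs from
# the one that authenticated. Events and field names are constructed.

UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
UA_LNX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"

# ASNs 64496 and 64500 are from the range reserved for documentation.
EVENTS = [
    {"sid": "s-1001", "event": "login",   "country": "DE", "asn": 64496, "ua": UA_WIN},
    {"sid": "s-1001", "event": "request", "country": "DE", "asn": 64496, "ua": UA_WIN},
    # Same country as the login, but a different network and browser.
    {"sid": "s-1001", "event": "request", "country": "DE", "asn": 64500, "ua": UA_LNX},
    {"sid": "s-2002", "event": "login",   "country": "FR", "asn": 64496, "ua": UA_WIN},
    {"sid": "s-2002", "event": "request", "country": "FR", "asn": 64496, "ua": UA_WIN},
]


def find_replayed_sessions(events, fields):
    """Return {session id: sorted list of fields that changed after login}."""
    baseline = {}  # session id -> attribute values recorded at login
    findings = {}
    for ev in events:
        sid = ev["sid"]
        if ev["event"] == "login":
            baseline[sid] = {f: ev[f] for f in fields}
            continue
        known = baseline.get(sid)
        if known is None:
            # A session id with no recorded login cannot be compared.
            findings.setdefault(sid, set()).add("no_login_seen")
            continue
        changed = {f for f in fields if ev[f] != known[f]}
        if changed:
            findings.setdefault(sid, set()).update(changed)
    return {sid: sorted(changed) for sid, changed in findings.items()}


if __name__ == "__main__":
    # A country-only check misses the replay; binding to network and browser catches it.
    print("geo only:      ", find_replayed_sessions(EVENTS, ("country",)))
    print("client binding:", find_replayed_sessions(EVENTS, ("country", "asn", "ua")))
```

A changed network or user agent is a signal to re-authenticate rather than proof of theft, since both can change legitimately.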
During their testing, the researchers noted that Bluekit was actively updated with new features, rapidly expanding its capabilities and making the kit an increasingly powerful tool for attackers. “The feature set continues to evolve as we track it, and if this pace continues with broader adoption, Bluekit is likely to surface in future campaigns,” the researchers said.
As AI lowers the barriers to entry into cybercrime, so do all-in-one attack platforms like Bluekit.
To better resist these evolving threats, businesses should adopt FIDO2 or hardware keys for authentication, which often verify a user using biometric authentication via a recognized device in a pre-verified environment, making them much more resistant to login attempts that rely on location spoofing. Employee training is also one of the most effective ways to prevent phishing attacks. Regular simulated phishing emails make employees much more vigilant and better able to recognize suspicious emails.


























