Cybercrime is entering a phase of extreme professionalization, and a newly identified phishing kit called Bluekit is the latest proof. Discovered by Varonis Threat Labs in May 2026, Bluekit isn’t just a simple webpage; it is a centralized, modular “operating system” for phishing that handles everything from domain registration to high-speed data theft in one dashboard.
Traditionally, attackers had to piece together disparate tools for hosting, domain rotation, and SMS gateways. Bluekit collapses the entire attack chain into a single user-friendly panel, drastically lowering the barrier to entry for low-skill threat actors.
Inside the Bluekit Dashboard
The kit offers an unprecedented level of automation, allowing attackers to “set and forget” their infrastructure. Key features found in the operator panel include:
- Automated Logistics: Direct integration for purchasing and registering domains within the dashboard.
- Massive Library: Over 40 high-fidelity templates for major services like Google, Microsoft, iCloud, GitHub, and even crypto wallets like Ledger.
- Real-Time Exfiltration: Stolen credentials and session data are sent directly to the attacker via Telegram bots, allowing for immediate account takeover.
- AI-Powered Campaigns: A built-in AI Assistant—utilizing models like an “abliterated” Llama, GPT-4.1, and Claude—can draft entire phishing emails and lures based on specific victim profiles.
The Real Threat: Session Hijacking as a Feature
The most dangerous aspect of Bluekit is its “Mammoth Details” view, which focuses on Session Hijacking. Unlike older kits that only steal passwords, Bluekit is designed to bypass standard Two-Factor Authentication (2FA).
- Proxied Login: The kit acts as a “Man-in-the-Middle,” relaying the victim’s 2FA code to the real service in real-time.
- Token Theft: Once the service generates a Session Token (the “cookie” that keeps you logged in), Bluekit captures it.
- Persistence: The kit stores a live dump of cookies and local storage. The attacker can then inject these into their own browser to “become” the user, bypassing the need for a password or 2FA ever again.
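The relay described in the three steps above works against one-time codes because a code is valid wherever it is typed. A FIDO2/WebAuthn assertion is different: the browser itself records the page origin in clientDataJSON, and the authenticator will only sign for the relying-party ID of the site the user is actually on, so an assertion obtained on a lookalike page fails the genuine service's checks. The Python below is an added illustration of those relying-party-side checks; it is not code from the article or from Varonis. The relying-party ID, expected origin, lookalike domain and challenge are assumed placeholders, the assertion data is constructed, and the signature check over the authenticator data is omitted.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party configuration (placeholders, not values from the article).
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion ceremony that a relayed login fails.
    The signature over authenticator_data || SHA-256(client_data_json) is deliberately
    omitted here; a real verifier must check it against the stored public key."""
    try:
        cd = json.loads(client_data_json)
        challenge = b64url_decode(cd.get("challenge", ""))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge is issued fresh per login, so a captured assertion cannot be replayed.
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    # The browser, not the page, writes the origin; a lookalike domain cannot spoof it.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    # authenticatorData starts with SHA-256(rpId), then a flags byte and a 4-byte counter.
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser would produce it for a page at `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash, flags with user-presence set, counter = 1."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")


def scenario(page_origin: str, rp_id: str) -> tuple[bool, str]:
    """Verify an assertion produced on a page at page_origin for rp_id, with the RP's
    genuine challenge (which a relay would faithfully forward to the victim)."""
    challenge = secrets.token_bytes(32)
    return verify_assertion(build_client_data(page_origin, challenge),
                            build_authenticator_data(rp_id), challenge)


if __name__ == "__main__":
    # User on the real site: accepted.
    print(scenario("https://accounts.example.com", "accounts.example.com"))
    # User on a constructed lookalike proxied by a kit: the browser records the lookalike
    # origin and only signs for the lookalike rpId, so the real service rejects it.
    print(scenario("https://accounts-example.com", "accounts-example.com"))
```

The two scenario calls make the point of the article's mitigation section concrete: the relay can forward the genuine challenge and the victim's real tap on the key, but it cannot change what the browser wrote into the origin field or what the authenticator hashed into rpIdHash, so the assertion is useless to the operator.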
The AI Advantage
Bluekit’s AI Assistant represents a growing trend of “Jailbroken” LLMs in cybercrime. By using models designed to ignore safety filters, attackers can generate structured phishing drafts that avoid the common spelling and grammar mistakes that often give away fraudulent emails. While researchers noted these drafts currently still require some manual cleanup, the automation of the creative side of phishing marks a significant shift in speed and scale.
Mitigation: Moving Beyond the Password
Because Bluekit targets session tokens, traditional 2FA (SMS or app-based codes) is no longer a guaranteed defense.
Recommended Protective Measures:
- Deploy Phishing-Resistant MFA: Shift to FIDO2/WebAuthn security keys or Passkeys. These methods are hardware-bound and cannot be intercepted by kits like Bluekit.
- Shorten Session Life: Reduce the duration that session tokens remain valid to minimize the window of opportunity for hijacking.
- Monitor for Token Reuse: Security teams should flag when a session token is suddenly used from an IP address or device fingerprint that differs from the initial login.
- Domain Reputation Filtering: Implement strict filtering to block “newly registered” domains (under 30 days old), as Bluekit relies on spinning up fresh domains to stay ahead of blacklists.
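The session-lifetime and token-reuse measures in the list above can be implemented as a pass over an auth gateway's session log. The Python below is an added example, not code from the article or from Varonis: the JSON-lines log format, its field names and the eight-hour lifetime are assumptions, and the six log lines are constructed. It records the IP address and user agent bound to a session at login, then flags a later request that arrives from a different IP or user agent, a session presented past its maximum age, and a session id for which no login was ever observed, which is the pattern a cookie dump injected into another browser would produce.

```python
import json
from datetime import datetime, timedelta

# Constructed JSON-lines session log from an assumed auth gateway (not data from the article).
# "sid" is a hash of the session token, so the log never stores the token itself.
SAMPLE_LOG = """\
{"ts":"2026-05-10T09:00:00Z","event":"login","sid":"s-a1","user":"alice","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2026-05-10T09:05:00Z","event":"request","sid":"s-a1","user":"alice","ip":"203.0.113.10","ua":"Chrome/124 Windows"}
{"ts":"2026-05-10T09:20:00Z","event":"request","sid":"s-a1","user":"alice","ip":"198.51.100.7","ua":"Firefox/125 Linux"}
{"ts":"2026-05-10T08:00:00Z","event":"login","sid":"s-b2","user":"bob","ip":"203.0.113.22","ua":"Safari/17 macOS"}
{"ts":"2026-05-10T17:30:00Z","event":"request","sid":"s-b2","user":"bob","ip":"203.0.113.22","ua":"Safari/17 macOS"}
{"ts":"2026-05-10T10:00:00Z","event":"request","sid":"s-c3","user":"carol","ip":"203.0.113.31","ua":"Chrome/124 Windows"}
"""

MAX_SESSION_AGE = timedelta(hours=8)  # assumed policy value; shorter is the article's advice


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_anomalies(log_text: str, max_age: timedelta = MAX_SESSION_AGE) -> list[dict]:
    """Return one alert per suspicious use of a session id."""
    bindings: dict[str, dict] = {}  # sid -> ip / ua / issued-at captured at login
    alerts: list[dict] = []

    def alert(kind: str, rec: dict, detail: str) -> None:
        alerts.append({"kind": kind, "sid": rec["sid"], "user": rec["user"],
                       "ts": rec["ts"], "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = parse_ts(rec["ts"])
        if rec["event"] == "login":
            bindings[rec["sid"]] = {"ip": rec["ip"], "ua": rec["ua"], "issued": ts}
            continue
        bound = bindings.get(rec["sid"])
        if bound is None:
            # No login ever issued this session id: consistent with a captured
            # cookie being loaded into a browser the gateway has never seen log in.
            alert("unknown_session", rec, "no login observed for this session id")
            continue
        if ts - bound["issued"] > max_age:
            alert("expired_session", rec,
                  f"issued {bound['issued'].isoformat()}, older than {max_age}")
        if rec["ip"] != bound["ip"]:
            alert("ip_change", rec, f"{bound['ip']} -> {rec['ip']}")
        if rec["ua"] != bound["ua"]:
            alert("ua_change", rec, f"{bound['ua']!r} -> {rec['ua']!r}")
    return alerts


if __name__ == "__main__":
    for a in detect_session_anomalies(SAMPLE_LOG):
        print(a)
```

On the constructed log this yields four alerts: alice's session used from a new IP and a new user agent, bob's session presented nine and a half hours after issue, and carol's session id with no login behind it. In production an IP change on its own is noisy (mobile carriers and VPNs rotate addresses), so it is better weighted as a signal than used as a hard block, whereas a user-agent change or an unknown session id on the same token is rare enough to act on directly.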