Full Report
A new phishing kit named Bluekit offers more than 40 templates targeting popular services and includes basic AI features for generating campaign drafts. [...]
Analysis Summary
# Tool/Technique: Bluekit
## Overview
Bluekit is a contemporary "Phishing-as-a-Service" (PaaS) platform designed to automate and streamline the entire phishing lifecycle. It distinguishes itself by integrating an AI Assistant to help operators draft social engineering lure content and provides over 40 high-quality templates targeting major tech, cloud, and cryptocurrency services.
## Technical Details
- **Type:** Phishing-as-a-Service (PaaS) / Attack Framework
- **Platform:** Web-based (SaaS model for cybercriminals); targets Windows, macOS, iOS, and Android users via browser-based phishing.
- **Capabilities:** AI-generated lures, real-time session monitoring, anti-analysis/evasion, and multi-service targeting.
- **First Seen:** April 2026 (Reported)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Service]
- **[TA0006 - Credential Access]**
  - [T1557 - Adversary-in-the-Middle]
  - [T1539 - Steal Web Cookies]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery] (via browser fingerprinting)
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
  - [T1102.002 - Web Service: Bidirectional Communication] (Telegram exfiltration)
## Functionality
### Core Capabilities
- **Template Library:** Over 40 templates for services including Gmail, Outlook, iCloud, GitHub, Ledger, and ProtonMail.
- **Unified Dashboard:** Integrated interface for domain registration, phishing page deployment, and campaign management.
- **Real-Time Monitoring:** Live tracking of victim sessions, including the capture of credentials, cookies, and local storage.
- **Data Exfiltration:** Exfiltrates stolen data via private Telegram channels.
### Advanced Features
- **AI Assistant:** Integration with LLMs (Llama, GPT-4, Claude, Gemini, DeepSeek) to generate email drafts and campaign "skeletons."
- **Evasion Suite:** Granular security settings to block VPN/Proxy traffic, headless browsers (automated scanners), and specific user-agent fingerprints.
- **Session Management:** Post-capture monitoring that allows operators to view exactly what the victim sees after login to refine subsequent stages of the attack.
## Indicators of Compromise
- **File Hashes:** N/A (typical for a PaaS offering; the indicators are infrastructure-based).
- **File Names:** N/A.
- **Registry Keys:** N/A.
- **Network Indicators:**
  - `api[.]telegram[.]org` (used for data exfiltration).
  - Bluekit typically uses various newly registered domains (NRDs) for hosting; look for patterns involving high-entropy or look-alike (typosquatting) domains.
- **Behavioral Indicators:**
  - Rapid redirection chains.
  - Presence of browser fingerprinting scripts.
  - Blocking of common security researcher IP ranges and headless browser signatures.
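The network indicators above can be turned into a first-pass triage of DNS query logs. The following is an added example, not code from the original report or from any vendor: it flags queries to `api.telegram.org` from hosts with no known reason to reach it, look-alike domains of the brands Bluekit templates imitate (single-character typosquats and brand-plus-word combinations), and high-entropy second-level labels of the kind common to throwaway newly registered domains. The log lines, the allowlist, the brand list and the entropy threshold are all constructed for the example; a production version would use a proper public-suffix list and the organisation's own baseline.

```python
"""Triage DNS query logs for Bluekit-style hosting and exfiltration indicators.

Added example (not from the original report). Sample log lines, the
Telegram allowlist, the brand list and the thresholds are constructed.
"""
import math
from collections import namedtuple
from typing import List, Optional

Finding = namedtuple("Finding", "host domain reason")

# Brands whose login pages the report says Bluekit templates imitate.
PROTECTED_BRANDS = {"gmail", "outlook", "icloud", "github", "ledger", "protonmail"}

# Constructed: hosts with a legitimate business reason to reach the Telegram API.
TELEGRAM_ALLOWLIST = {"bot-gateway-01"}

# Constructed sample DNS query log: "<source host> <queried domain>" per line.
SAMPLE_DNS_LOG = """\
web-prod-02 api.telegram.org
bot-gateway-01 api.telegram.org
ws-finance-17 githib-login.com
ws-hr-03 mail.google.com
ws-sales-09 xk7q2zr9vt.top
ws-dev-04 ledgerr-recovery.net
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random-looking NRD labels score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label only (naive split, no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str, entropy_threshold: float = 3.2) -> Optional[str]:
    """Return a reason string if the domain looks like Bluekit hosting, else None."""
    label = registrable_label(domain)
    if label in PROTECTED_BRANDS:
        return None  # the brand's own registrable label in this naive model
    # Look-alike check: each hyphen-separated token against every protected brand.
    for token in label.split("-"):
        for brand in PROTECTED_BRANDS:
            if token == brand or levenshtein(token, brand) <= 2:
                return f"look-alike of {brand}"
    # High-entropy check for the throwaway-domain pattern.
    if len(label) >= 8 and shannon_entropy(label) >= entropy_threshold:
        return "high-entropy label"
    return None


def triage(log_text: str) -> List[Finding]:
    """Apply the Telegram-exfil and domain checks to every log line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, domain = line.split()
        if domain.lower() == "api.telegram.org":
            if host not in TELEGRAM_ALLOWLIST:
                findings.append(Finding(host, domain, "Telegram API from unexpected host"))
            continue
        reason = classify_domain(domain)
        if reason:
            findings.append(Finding(host, domain, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DNS_LOG):
        print(f"{f.host:15} {f.domain:25} {f.reason}")
```

The Telegram check deliberately fires on server-class hosts such as `web-prod-02`, which matches the report's point that outbound Telegram API traffic from web servers is the anomaly worth investigating; the allowlist keeps a known bot gateway quiet. The entropy threshold is a starting value to tune against your own DNS baseline.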
## Associated Threat Actors
- Currently utilized by various lower-tier to mid-tier cybercriminals looking for an "all-in-one" solution. No specific named APT group has been attributed yet, but it follows the adoption trends of broad-spectrum e-crime actors.
## Detection Methods
- **Signature-based detection:** Identify known HTML structures or unique JavaScript snippets used within Bluekit's 40+ templates.
- **Behavioral detection:** Monitor for unauthorized login attempts accompanied by high-risk flags (e.g., logins from known proxy/VPN exit nodes or non-standard user agents).
- **Network Analysis:** Detect anomalies in outbound traffic to Telegram API from web servers or internal workstations.
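The behavioral detection bullet above can be expressed as a small risk-scoring pass over authentication events. The following is an added example, not code from the original report: each login attempt is flagged if it comes from a known proxy/VPN exit netblock or carries a user agent the account has never used, and, going one step beyond the report's wording, authenticated activity on an existing session from a different IP than the one that established it is flagged too, since that is what replaying a stolen session cookie looks like on the server side. The exit-node netblocks, the per-user user-agent baseline and the events are constructed (documentation IP ranges, not real exit nodes).

```python
"""Flag authentication events consistent with AiTM credential/session theft.

Added example (not from the original report). Netblocks, baselines and
events are constructed; replace them with a threat-intel feed and the
identity provider's own logs in practice.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed placeholder netblocks standing in for commercial proxy/VPN exits.
PROXY_VPN_EXITS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15"
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"

# Constructed baseline: user agents each account has legitimately used before.
UA_BASELINE: Dict[str, Set[str]] = {"alice": {UA_WIN}, "bob": {UA_MAC}}

# Constructed events in time order. "login" events carry ua/session/result;
# "request" events are authenticated activity on an already established session.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "09:00", "kind": "login", "user": "alice", "ip": "192.0.2.10",
     "ua": UA_WIN, "session": "s1", "result": "success"},
    {"ts": "09:05", "kind": "request", "user": "alice", "ip": "192.0.2.10", "session": "s1"},
    {"ts": "09:20", "kind": "login", "user": "bob", "ip": "198.51.100.23",
     "ua": UA_MAC, "session": "s2", "result": "success"},
    {"ts": "09:41", "kind": "login", "user": "alice", "ip": "203.0.113.5",
     "ua": UA_LINUX, "session": "s3", "result": "success"},
    {"ts": "09:55", "kind": "request", "user": "alice", "ip": "203.0.113.77", "session": "s1"},
]


def is_proxy_exit(ip: str) -> bool:
    """True if the address falls inside a known proxy/VPN exit netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_VPN_EXITS)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for every event that raised a flag."""
    session_origin: Dict[str, str] = {}  # session id -> IP that established it
    findings: List[Tuple[str, str, List[str]]] = []
    for ev in events:
        reasons: List[str] = []
        if ev["kind"] == "login":
            if is_proxy_exit(ev["ip"]):
                reasons.append("login from proxy/VPN exit node")
            if ev["ua"] not in UA_BASELINE.get(ev["user"], set()):
                reasons.append("user agent not in account baseline")
            if ev["result"] == "success":
                session_origin[ev["session"]] = ev["ip"]
        else:
            # Session established from one IP, now used from another: cookie replay pattern.
            origin = session_origin.get(ev["session"])
            if origin is not None and origin != ev["ip"]:
                reasons.append("session reused from a different IP (possible cookie replay)")
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_EVENTS):
        print(ts, user, "; ".join(reasons))
```

Bob's login from an exit node with his usual browser is a single-flag event worth a look; Alice's login from an exit node with a never-seen browser, followed by her original session being driven from a second exit-node address, is the combination that should page someone. Pairing the user-agent baseline with the IP reputation check is what keeps the exit-node rule from drowning in noise from remote workers on legitimate VPNs.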
## Mitigation Strategies
- **MFA Implementation:** Deploy hardware-based MFA (FIDO2/WebAuthn) to negate the effectiveness of session/cookie theft.
- **Email Filtering:** Use AI-based email security solutions that can detect the "generic" or "skeleton" nature of AI-generated phishing lures.
- **Domain Monitoring:** Implement "Newly Registered Domain" (NRD) blocking/monitoring in corporate DNS/Firewall settings.
- **User Training:** Educate users on the sophistication of modern phishing pages that perfectly replicate legitimate login flows, including GitHub and crypto-wallets.
## Related Tools/Techniques
- **ATHR:** A similar AI-driven platform focusing on automated voice phishing (vishing).
- **EvilProxy / Tycoon:** Other specialized Adversary-in-the-Middle (AiTM) phishing kits.
- **Social Engineering Models:** Using LLMs (GPT-4, Claude) for crafting deceptive content.