- Researchers have discovered a complex new phishing kit
- Bluekit offers phishing in a software-as-a-service package
- An entire campaign can be centralized, automated and assisted by AI
Bluekit is a new phishing kit uncovered by Varonis Threat Labs researchers who reviewed the kit first-hand to explore its capabilities.
The phishing kit has a wide range of dangerous features, including the ability to impersonate over 40 well-known brands, geolocation emulation and an AI assistant that guides attackers through an attack.
Bluekit is highly professionalized and offers attackers a sophisticated all-in-one dashboard to launch a phishing campaign.
Bluekit streamlines cybercrime
Instead of assembling each component for a phishing attack from different vendors, Bluekit acts like a software-as-a-service platform with a dashboard that centralizes and automates phishing workflows, significantly reducing the barrier to entry for potentially devastating phishing attacks.
Bluekit handles domain registration, website hosting and data exfiltration in a single panel and offers emulation of popular global platforms including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara and Ledger. Offering such a wide range of targets allows attackers to quickly pivot between them, run recognizable but localized campaigns, and even launch attacks simultaneously.
The platform also integrates the Telegram messaging app to offer real-time alerts on successful exfiltration.
Varonis also explored the platform’s AI assistant, which they say could be jailbroken variants of Llama, GPT-4.1, Sonnet 4, Gemini and DeepSeek. In the test, the AI agent was able to draft “skeleton” phishing emails that required little modification to create convincing localized lures. Typically, an official AI model will reject any attempt to craft a phishing email, but using jailbroken versions removes these barriers.
To harvest credentials, Bluekit is capable of hijacking sessions and extracting cookies, enabling the attacker to bypass multi-factor authentication (MFA) protocols by using the stolen active browser session to impersonate the authenticated user. The platform also allows the attacker to see a live feed of the target’s screen after they log in and navigate to the fake page.
To help the automated attack avoid detection, Bluekit also includes cloaking features to evade bot detection tools, and it can prevent analytics checks by denying site access to headless user agents, headless resolutions, bad fingerprints, proxies, and virtual private networks (VPNs). Device access can also be filtered to desktop or mobile only.
For some platforms, a login from an unusual location may trigger a warning to the user with steps to secure their account. To prevent these messages, Bluekit’s location emulation capabilities can make the login appear to be from a normal location.
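Because the kit replays a stolen session cookie and emulates the victim's location, a location-based warning will not fire; a server-side check can instead compare each request's client signals with those seen when the session was created. The sketch below is an added example, not code from Varonis or the original article, and the log fields, threshold and sample records are constructed assumptions.

```python
# Added example: constructed request log, one record per request that carried
# a session cookie. Field names and values are assumptions, not real data
# (ASNs are taken from the range reserved for documentation).
SAMPLE_EVENTS = [
    {"ts": 100, "session": "s-alice", "user": "alice", "country": "DE",
     "asn": 64496, "ua": "Firefox/126 Windows", "tls_fp": "fp-a1"},
    {"ts": 160, "session": "s-alice", "user": "alice", "country": "DE",
     "asn": 64496, "ua": "Firefox/126 Windows", "tls_fp": "fp-a1"},
    # Same cookie, same (emulated) country, but a different client stack.
    {"ts": 220, "session": "s-alice", "user": "alice", "country": "DE",
     "asn": 64500, "ua": "Chrome/125 Linux", "tls_fp": "fp-x9"},
    {"ts": 110, "session": "s-bob", "user": "bob", "country": "FR",
     "asn": 64497, "ua": "Safari/17 iOS", "tls_fp": "fp-b1"},
    # Same device moving from Wi-Fi to a mobile network: only the ASN changes.
    {"ts": 300, "session": "s-bob", "user": "bob", "country": "FR",
     "asn": 64498, "ua": "Safari/17 iOS", "tls_fp": "fp-b1"},
]


def find_reused_sessions(events, signals=("asn", "ua", "tls_fp"), min_changed=2):
    """Return one alert per session cookie later presented by a different client.

    The first request seen for a session is the baseline (the client that
    logged in). Country is reported but never used to decide, because an
    attacker emulating the victim's location would match it.
    """
    baseline, alerted, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        base = baseline.setdefault(sid, ev)  # first sighting becomes baseline
        changed = [s for s in signals if ev[s] != base[s]]
        if len(changed) >= min_changed and sid not in alerted:
            alerted.add(sid)
            alerts.append({
                "session": sid,
                "user": ev["user"],
                "ts": ev["ts"],
                "changed": changed,
                "same_country": ev["country"] == base["country"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reused_sessions(SAMPLE_EVENTS):
        print(alert)
```

Requiring two changed signals keeps an ordinary network switch from alerting; a response to an alert would typically be to revoke the session and force re-authentication.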
During their testing, the researchers noticed that Bluekit is being actively updated with new features that are rapidly expanding its capabilities and making the kit an increasingly potent tool for attackers. “The feature set continues to evolve as we track it, and if that pace continues with wider adoption, Bluekit is likely to appear in future campaigns,” the researchers said.
As artificial intelligence lowers the barrier to entry for cybercrime, so do all-in-one attack platforms like Bluekit.
To better withstand these evolving threats, enterprises should use FIDO2 or hardware keys for authentication, which often verify a user using biometric authentication via a recognized device in a pre-authenticated environment, making them much more resilient to location-spoofed login attempts. Employee training is also one of the most effective ways to prevent phishing attacks. By regularly simulating phishing emails, employees become much more alert and able to recognize suspicious emails.




