- Researchers have discovered a complex new phishing kit
- Bluekit offers phishing in a software-as-a-service package
- An entire campaign can be centralized and automated, and assisted by AI
Bluekit is a new phishing kit discovered by researchers at Varonis Threat Labs, who reviewed the kit first-hand to explore its capabilities.
The phishing kit has a wide range of dangerous capabilities, including the ability to imitate more than 40 well-known brands, geolocation emulation, and an artificial intelligence assistant that will guide you through an attack.
Bluekit is highly professionalized and offers attackers a sophisticated all-in-one panel to launch a phishing campaign.
Bluekit streamlines cybercrime
Instead of requiring attackers to assemble each component of a phishing attack from different vendors, Bluekit acts like a software-as-a-service platform, with a dashboard that centralizes and automates phishing workflows, significantly lowering the barrier to entry to potentially devastating phishing attacks.
Bluekit handles domain registration, site hosting, and data filtering in a single panel and offers emulation of popular global platforms including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger. Offering such a wide range of targets allows attackers to quickly switch between targets, execute recognizable but local campaigns, and even execute attacks simultaneously.
The platform also integrates the Telegram messaging app to offer real-time alerts about a successful exfiltration.
Varonis also explored the platform’s AI assistant, which they say could potentially be released variants of Llama, GPT-4.1, Sonnet 4, Gemini and DeepSeek. In testing, the AI agent was able to compose “skeletal” phishing emails that required little modification to create convincing localized lures. Normally, an official AI model would reject any attempt to compose a phishing email, but using jailbroken versions removes these barriers.
To harvest credentials, Bluekit is able to hijack sessions and extract cookies, allowing the attacker to bypass multi-factor authentication (MFA) protocols by using the stolen active browser session to impersonate the authenticated user. The platform also allows the attacker to view a live stream of the target’s screen after logging in and browsing the fake page.
To help the automated attack avoid detection, Bluekit also includes cloaking features aimed at bot detection tools and analytics checks: it prevents headless user agents, headless resolutions, bad fingerprints, proxy servers, and virtual private networks (VPNs) from accessing the site. Device access can also be filtered to desktop or mobile devices only.
For some platforms, a login from an unusual location may trigger an alert to the user with steps to protect their account. To avoid these notifications, Bluekit’s location emulation capabilities can make the login appear to be happening from a normal location.
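A defender's view of the session hijacking and location emulation described above, as an added example that is not from the article or from Varonis: a check that flags a session cookie reappearing from a different network and browser even when the country still matches. The log schema, field names and sample events are constructed assumptions.

```python
# Constructed sample events; the field names are a hypothetical log schema.
EVENTS = [
    {"ts": 100, "session": "s-100", "user": "alice", "event": "login_mfa",
     "country": "DE", "asn": 3320, "ua": "Firefox/128 (Windows)"},
    {"ts": 160, "session": "s-100", "user": "alice", "event": "request",
     "country": "DE", "asn": 3320, "ua": "Firefox/128 (Windows)"},
    # Same cookie and same country, but a different network and browser.
    {"ts": 220, "session": "s-100", "user": "alice", "event": "request",
     "country": "DE", "asn": 64500, "ua": "Chrome/126 (Linux)"},
    {"ts": 130, "session": "s-200", "user": "bob", "event": "login_mfa",
     "country": "FR", "asn": 3215, "ua": "Safari/17 (macOS)"},
    {"ts": 300, "session": "s-200", "user": "bob", "event": "request",
     "country": "FR", "asn": 3215, "ua": "Safari/17 (macOS)"},
]

CONTEXT_FIELDS = ("asn", "ua")  # attributes bound to the session at login


def find_replayed_sessions(events):
    """Flag sessions whose client context differs from the one seen at login."""
    baseline, alerts, seen = {}, [], set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["session"]
        if sid not in baseline:
            baseline[sid] = e  # first event for a session is its baseline
            continue
        base = baseline[sid]
        changed = [f for f in CONTEXT_FIELDS if e[f] != base[f]]
        if changed and sid not in seen:
            seen.add(sid)  # one alert per session is enough to trigger review
            all_changed = len(changed) == len(CONTEXT_FIELDS)
            alerts.append({
                "session": sid, "user": e["user"], "ts": e["ts"],
                "changed": changed,
                # True means a country-only check would have passed this request.
                "geo_matches": e["country"] == base["country"],
                "severity": "high" if all_changed else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

This is a heuristic: a single changed field can be legitimate, such as a user moving from Wi-Fi to a mobile network, so an alert should lead to re-authentication rather than an automatic block.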
During their testing, researchers noted that Bluekit is actively being updated with new features, rapidly expanding its capabilities and making the kit an increasingly powerful tool for attackers. “The feature set continues to evolve as we track it, and if that pace continues with broader adoption, Bluekit will likely appear in future campaigns,” the researchers said.
As AI is lowering the barrier to entry for cybercrime, so are all-in-one attack platforms like Bluekit.
To better resist these evolving threats, enterprises should adopt FIDO2 or hardware keys for authentication, which often verify a user using biometric authentication through a recognized device in a previously verified environment, making them much more resistant to spoofed location login attempts. Employee training is also one of the most effective ways to prevent phishing attacks. Periodic simulated phishing emails make employees much more attentive and better able to recognize suspicious emails.




