Researchers discover new all-in-one phishing kit ‘Bluekit’ capable of bypassing corporate 2FA protocols and emulating over 40 global brands

Researchers discovered a new complex phishing kit
Bluekit offers phishing in a software-as-a-service package
An entire campaign can be centralized and automated, and aided by AI

Bluekit is a new phishing kit discovered by researchers at Varonis Threat Labs, who examined it first-hand to explore its capabilities.

The phishing kit has a wide range of dangerous features, including the ability to imitate more than 40 well-known brands, geolocation emulation, and an AI assistant to guide you through an attack.

Bluekit is highly professionalized and provides attackers with a sophisticated all-in-one dashboard to launch a phishing campaign.

Article continues below

Bluekit streamlines cybercrime

Rather than bundling together each component for a phishing attack from different vendors, Bluekit acts similarly to a software-as-a-service platform, with a dashboard that centralizes and automates phishing workflows, significantly lowering the barrier to entry for potentially devastating phishing attacks.

Bluekit manages domain registration, site hosting and data exfiltration on a single panel and offers emulation of popular global platforms including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara and Ledger. Offering such a wide range of targets allows attackers to quickly switch between targets, run recognizable but local campaigns, and even launch attacks simultaneously.

A screenshot of the Bluekit dashboard showing examples of spoofed login pages. (Image credit: Varonis)

The platform also integrates the Telegram messaging application to provide real-time alerts in the event of a successful exfiltration.

Varonis also explored the platforms’ AI assistant, which they said could be potentially jailbroken variants of Llama, GPT-4.1, Sonnet 4, Gemini and DeepSeek. In testing, the AI agent was able to craft “skeleton” phishing emails that required little modification in order to create convincing localized lures. Typically, an official AI model would reject any attempt to compose a phishing email, but by using jailbroken versions, these guardrails are removed.

A screenshot of the Bluekit dashboard showing the jailbroken AI model variants available for use by the built-in AI assistant.

A screenshot of the Bluekit dashboard showing the jailbroken AI model variants available for use by the built-in AI assistant. (Image credit: Varonis)

In order to harvest credentials, Bluekit is able to hijack sessions and extract cookies, allowing the attacker to bypass multi-factor authentication (MFA) protocols by using the stolen active browser session to impersonate the authenticated user. The platform also allows the attacker to see a live feed of the target’s screen after logging in and browsing the fake page.

To help the automated attack avoid detection, Bluekit also includes features that allow it to cloak itself to avoid bot detection tools and can prevent analytics controls by preventing headless user agents, headless resolutions, misfingerprinting, proxies, and virtual private networks (VPNs) from accessing the site. Access to devices can also be filtered to desktop or mobile only.

For some platforms, logging in from an unusual location may trigger an alert to the user with steps to secure their account. To avoid these notifications, Bluekit’s location emulation capabilities can make the connection appear to be coming from a normal location.

During their testing, the researchers noted that Bluekit was actively updated with new features, rapidly expanding its capabilities and making the kit an increasingly powerful tool for attackers. “The feature set continues to evolve as we track it, and if this pace continues with broader adoption, Bluekit is likely to surface in future campaigns,” the researchers said.

A screenshot of the Bluekit dashboard, showing the centralized panel an attacker would see when launching or monitoring a campaign.

A screenshot of the Bluekit dashboard, showing the centralized panel an attacker would see when launching or monitoring a campaign. (Image credit: Varonis)

As AI lowers the barriers to entry into cybercrime, so do all-in-one attack platforms like Bluekit.

To better resist these evolving threats, businesses should adopt FIDO2 or hardware keys for authentication, which often verify a user using biometric authentication via a recognized device in a pre-verified environment, making them much more resistant to location spoofing login attempts. Employee training is also one of the most effective ways to prevent phishing attacks. By regularly simulating phishing emails, employees become much more vigilant and able to recognize suspicious emails.