A newly observed Phishing-as-a-Service platform named Bluekit consolidates domain registration, campaign management, credential harvesting, and an AI-assisted content generator into a single dashboard. Analyzed by Varonis researchers, the kit targets over 40 services including Gmail, Outlook, GitHub, iCloud, Ledger, and ProtonMail, and exfiltrates captured credentials via Telegram. No confirmed live campaigns have been observed yet, but the platform’s development cadence and feature depth signal imminent operational deployment.
Bluekit Phishing Kit: Technical Details
Bluekit is a full-stack PhaaS platform that consolidates the entire phishing attack lifecycle into one web dashboard. Rather than stitching together separate tools for domain management, page hosting, and credential collection, operators run everything from a single interface — automated domain registration, phishing page configuration, real-time victim monitoring, and data exfiltration.
The platform ships with more than 40 branded phishing page templates covering:
- Email and cloud services: Gmail, Outlook, Hotmail, Yahoo, ProtonMail, iCloud, Apple ID
- Developer platforms: GitHub, Twitter
- Financial and crypto services: Ledger, Zoho
- Retail: Zara
Beyond credential capture, Bluekit collects cookies and full local storage dumps, enabling session hijacking on accounts protected by two-factor authentication. Stolen data is exfiltrated to operator-controlled private Telegram channels — a method that sidesteps traditional email-based exfiltration detection and provides real-time operator notification.
According to SecurityWeek’s reporting, the dashboard provides a “live view of logged-in session data,” giving attackers immediate visibility into captured sessions as victims authenticate.
Anti-Analysis and Evasion
Bluekit’s anti-bot layer blocks traffic from known VPN exit nodes and proxy services, and filters headless browsers by inspecting user-agent strings. This reduces noise from automated security scanners, keeps the collected credentials mostly from real victims, and prevents security researchers from cleanly retrieving and analyzing the hosted pages.
Additional evasion capabilities include:
- Geolocation emulation — serve region-specific pages to evade geo-reputation checks
- Spoofed metadata — defeat URL-reputation scanning services
- Voice cloning — listed as a dashboard feature; capability scope not yet confirmed
- Antibot cloaking — actively documented in the kit’s feature list
The AI Assistant
Bluekit ships an experimental AI assistant panel that exposes multiple model endpoints. The interface lists Llama, GPT-4.1, Claude, Gemini, and DeepSeek as available backends. These appear to be accessed through jailbroken or permissive third-party API endpoints rather than official integrations.
In testing, the assistant generated a structured campaign draft that Varonis described as containing “a useful structure, but still depended on generic link fields, placeholder QR blocks, and copy that would need cleanup before use.” The feature lowers the writing barrier for operators who lack the social-engineering experience to craft convincing lures independently — accelerating onboarding for less-skilled threat actors.
Exploitation and Threat Landscape
Bluekit has not appeared in a confirmed live campaign as of publication. However, the platform is under active development with frequent updates, which suggests operators are preparing for deployment rather than still building the tooling.
The PhaaS model commoditizes phishing in the same way Ransomware-as-a-Service commoditized ransomware: technical barriers drop, operational scale increases, and attack quality decouples from attacker skill. Any operator willing to pay subscription fees can deploy enterprise-quality lures without building the underlying infrastructure.
The Telegram exfiltration model is operationally significant. Unlike credential panels hosted on web infrastructure that can be taken down by providers, Telegram channels persist until accounts are suspended — and threat actors rotate accounts faster than platform moderation can respond.
Relevant MITRE ATT&CK techniques for Bluekit-style campaigns:
| Technique | ID |
|---|---|
| Phishing: Spearphishing Link | T1566.002 |
| Use Alternate Authentication Material: Web Session Cookie | T1550.004 |
| Steal Web Session Cookie | T1539 |
| Web Service (Telegram for C2/exfil) | T1102 |
Who Is Affected
Bluekit targets end-users of any of the 40+ services in its template library. Organizations that rely on Microsoft 365, Google Workspace, GitHub, and cryptocurrency platforms face credential theft and session hijacking risk. The inclusion of cookie and session token theft means MFA alone does not fully mitigate this threat — an attacker with a valid session token can bypass authentication entirely.
Security teams at organizations with employees who use any of the above platforms should treat Bluekit as active pre-deployment infrastructure, not a theoretical future risk.
What You Should Do Right Now
- Deploy phishing-resistant MFA. FIDO2/WebAuthn hardware keys (YubiKey, Titan Key) are not susceptible to session token replay attacks. Prioritize migration away from TOTP and SMS-based 2FA for high-value accounts.
- Enable time-of-click URL analysis. Email security gateways with URL rewriting can catch phishing pages that appear clean at delivery but activate later. Ensure your gateway detonates links at click time, not just at delivery.
- Block Telegram API access on unmanaged endpoints. If your organization does not use Telegram for business purposes, alert on or block outbound connections to api.telegram.org from endpoints without a documented business justification.
- Configure browser-based credential managers to domain-bind. Password managers that only autofill credentials on registered domains will refuse to fill on lookalike phishing pages — removing one failure mode entirely.
- Tune proxy and email gateway rules for PhaaS evasion patterns. Bluekit uses antibot cloaking to block scanner traffic. URLs that cannot be scanned should be treated as higher-risk, not lower-risk.
- Subscribe to threat intelligence feeds for emerging Bluekit IOCs. No confirmed malicious infrastructure has been published yet. Monitor feeds for Bluekit-attributed domains and Telegram exfiltration endpoints as the kit enters active use.
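The domain-binding recommendation above hinges on one rule: a saved credential is filled only when the page's origin (scheme plus host plus port) exactly equals the origin it was saved on, never on substring, suffix or "looks similar" matching. The following Python is an added illustration of that rule, not code from Bluekit's analysis or from any password manager; the vault contents, the lookalike hostnames and the `autofill_decision` helper are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the exact origin they were saved on.
# Values are placeholders, not real secrets.
VAULT = {
    "https://accounts.google.com": ("alice@example.com", "<placeholder>"),
    "https://github.com": ("alice", "<placeholder>"),
}

DEFAULT_PORTS = {("http", 80), ("https", 443)}


def origin_of(url):
    """Return the normalized origin 'scheme://host[:port]' for an absolute
    http(s) URL, or None for anything else (javascript:, data:, relative...)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port component
        return None
    # Drop the port only when it is the scheme's default, so
    # https://github.com:443 and https://github.com are the same origin.
    suffix = "" if port is None or (parts.scheme, port) in DEFAULT_PORTS else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def autofill_decision(vault, page_url):
    """Return (credential or None, reason). Fills only on an exact origin match.
    The reasons are for logging/UX; they never loosen the rule."""
    origin = origin_of(page_url)
    if origin is None:
        return None, "refused: not an http(s) page"
    if origin in vault:
        return vault[origin], "exact origin match"

    host = (urlsplit(page_url).hostname or "").lower()
    for saved in vault:
        saved_host = urlsplit(saved).hostname
        # Lookalike of the form accounts.google.com.<attacker-domain>: the real
        # host appears as a label prefix but the registrable domain differs.
        if host != saved_host and saved_host in host:
            return None, f"refused: '{host}' merely contains '{saved_host}'"
        # Same host but downgraded scheme: a different origin, so no fill.
        if saved.startswith("https://") and origin == "http://" + saved[len("https://"):]:
            return None, "refused: saved over https, page served over http"
    return None, "refused: no saved credential for this origin"


if __name__ == "__main__":
    for url in (
        "https://accounts.google.com/signin",
        "https://github.com:443/login",
        "https://accounts.google.com.verify-login.example/",  # constructed lookalike
        "https://accounts-google.com/",                        # constructed lookalike
        "http://github.com/login",
        "javascript:alert(1)",
    ):
        cred, reason = autofill_decision(VAULT, url)
        print(f"{url:55} -> {'FILL' if cred else 'NO FILL'} ({reason})")
```

The refusal reasons exist only to make logs and the user prompt informative; the decision itself is the single dictionary lookup on the normalized origin, which is what removes the lookalike failure mode the bullet describes.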
Detection and Verification
No confirmed Bluekit domains or hashes are available at this time. Prepare detections for the exfiltration channel and session theft patterns now:
Microsoft Defender for Endpoint (KQL):

```kql
// Detect browser process POSTs to Telegram API from non-Telegram apps
DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org/bot"
| where RemoteUrl contains "sendMessage"
| where InitiatingProcessName !in~ ("telegram.exe")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessName
```

Splunk (SPL):

```spl
index=proxy dest_host="api.telegram.org" http_method=POST
| where NOT (app="telegram")
| stats count by src_ip, dest_host, http_user_agent, uri_path
| where count > 5
```
Monitor for bulk POST requests to api.telegram.org/bot*/sendMessage from browser processes or endpoints with no documented Telegram business use. A single endpoint making repeated API calls in a short window after a user visited an unfamiliar site is a strong indicator.
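The same logic as the two queries above, plus the "repeated calls shortly after visiting an unfamiliar site" heuristic from the paragraph, as an added Python example run over a handful of constructed proxy log lines. This is illustration code written for this page, not a Varonis or vendor detection; the log format, IPs, process names, hostnames and the `bot000000:PLACEHOLDER` token are all made up, and the threshold (more than 5 POSTs in 60 seconds) mirrors the `count > 5` in the Splunk query.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Tunables mirroring the queries: more than THRESHOLD bot-API POSTs from one
# endpoint inside WINDOW, with LOOKBACK used to find the site visited just before.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)
LOOKBACK = timedelta(minutes=5)

# Processes allowed to talk to the Telegram API, compared case-insensitively
# (the same effect as `!in~` in the KQL query).
LEGIT_TELEGRAM_PROCESSES = {"telegram.exe"}

# Constructed sample log (not real telemetry): "<timestamp> <src_ip> <process> <method> <url>"
SAMPLE_LOG = """\
2024-05-01T09:00:02Z 10.0.0.15 chrome.exe GET https://login-verify.example/
2024-05-01T09:00:20Z 10.0.0.15 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:00:21Z 10.0.0.15 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:00:22Z 10.0.0.15 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:00:23Z 10.0.0.15 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:00:24Z 10.0.0.15 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:00:25Z 10.0.0.15 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:05:00Z 10.0.0.22 Telegram.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T09:05:01Z 10.0.0.22 Telegram.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
2024-05-01T10:00:00Z 10.0.0.31 chrome.exe POST https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
BOT_SEND_RE = re.compile(r"^/bot[^/]+/sendMessage$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, proc, method, url = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src_ip": src_ip,
            "process": proc, "method": method.upper(), "url": urlparse(url)}


def is_bot_exfil_post(ev):
    """POST to api.telegram.org/bot<token>/sendMessage from a non-Telegram process."""
    return (ev["method"] == "POST"
            and ev["url"].hostname == "api.telegram.org"
            and BOT_SEND_RE.match(ev["url"].path) is not None
            and ev["process"].lower() not in LEGIT_TELEGRAM_PROCESSES)


def detect_bursts(log_text):
    """Return one alert per source IP whose suspicious POSTs exceed THRESHOLD
    inside a sliding WINDOW, annotated with the last non-Telegram site it
    fetched in the LOOKBACK period before the burst began."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for src_ip, evs in by_ip.items():
        posts = [e for e in evs if is_bot_exfil_post(e)]
        start = 0
        for end in range(len(posts)):
            while posts[end]["ts"] - posts[start]["ts"] > WINDOW:
                start += 1
            count = end - start + 1
            if count > THRESHOLD:
                first = posts[start]
                prior = [e for e in evs
                         if e["method"] == "GET"
                         and e["url"].hostname != "api.telegram.org"
                         and first["ts"] - LOOKBACK <= e["ts"] < first["ts"]]
                alerts.append({"src_ip": src_ip, "process": first["process"],
                               "count": count, "first_seen": first["ts"],
                               "last_seen": posts[end]["ts"],
                               "preceding_site": prior[-1]["url"].hostname if prior else None})
                break  # one alert per endpoint is enough here
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(a)
```

On the sample data only 10.0.0.15 fires: the Telegram client on 10.0.0.22 is excluded by process name, and the single POST from 10.0.0.31 never crosses the threshold. The `preceding_site` field is what lets an analyst pivot from the burst to the page the user visited immediately before it.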
Conclusion
Bluekit’s arrival marks another step in the automation of phishing campaigns — full-lifecycle tooling with AI-assisted lure generation, session theft, and Telegram exfiltration at a point where no known live campaigns exist, but the infrastructure is clearly operational-ready. Security teams have a window to harden MFA, tune email gateways, and prepare SIEM detections before Bluekit operators launch their first campaigns.
For any query contact us at contact@cipherssecurity.com

