SecurityWeek

Phishing

New Bluekit Phishing Kit Features AI Assistant

Still under development, Bluekit provides users with automated domain registration and an AI Assistant.

A recently discovered phishing kit provides miscreants with a broad range of capabilities, including an AI assistant and automated domain registration, Varonis reports.

Dubbed Bluekit, it has been advertised as offering over 40 website templates, support for two-factor authentication, geolocation emulation, antibot cloaking, notifications, spoofing capabilities, voice cloning, and a mail sender.

According to Varonis, the phishing kit contains templates for email and cloud services, developer platforms, cryptocurrency services, and retail and social media platforms, such as Apple ID, iCloud, GitHub, Gmail, Hotmail, Ledger, ProtonMail, Outlook, Zara, and Zoho.

Varonis says it gained access to Bluekit’s control panel, which revealed a dashboard covering domain creation and setup, logs, delivery, and campaign support. The phishing kit uses Telegram as the default exfiltration channel.

“Operators can buy or connect domains from the same interface used to manage phishing pages and captured logs, rather than splitting that work across separate services,” Varonis notes.

The dashboard allows users to select a domain, choose a targeted brand or service, select a mode, and control the site’s behavior regarding login detection, redirects, anti-analysis checks, spoofing, device filters, and proxy settings.

Bluekit handles more than just credential capture: in addition to supporting session state tracking, it stores cookies and local storage dumps and provides a live view of logged-in session data.

The kit’s AI Assistant has its own panel and exposes multiple model options, likely accessible through jailbroken or permissive instances. When tested, the assistant delivered a structured campaign draft with placeholders rather than ready-to-use content.

According to Varonis, Bluekit’s developer is releasing feature and template updates at a rapid pace, but the phishing kit has not yet been used in a live campaign.

“Compared with similar phishing kits that have already advanced further into automation and operator convenience, Bluekit still appears to be a kit in active development. The feature set keeps evolving as we track it, and if that pace continues with broader adoption, Bluekit is likely to surface in future campaigns,” Varonis says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
