logo

Bluekit phishing kit adopts browser-in-the-middle for login theft

ID: 25c44dcb-aba5-52b7-a0f2-a6deb2302b98

STIX ID: report--25c44dcb-aba5-52b7-a0f2-a6deb2302b98

Feed Name: Bleeping Computer

Threat Score
70/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: Bill Toulas

...
...

Bluekit, a phishing-as-a-service platform, has expanded its infrastructure and added browser-in-the-middle (BitM) capabilities using the rrweb library to stream DOM and relay legitimate login sessions to attackers, enabling credential theft and account takeover. The service includes AI-assisted phishing email generation, numerous templates and hostnames, live victim monitoring, and multiple anti-analysis measures (randomized CSS filters, obfuscated rotating JavaScript bundles, CAPTCHAs, browser fingerprinting, WebRTC IP mismatch checks); Netcraft and Varonis research provide detection signals though many are contextual rather than definitive IoCs.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.