[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feaADZXqogRlhuglBkFgjMPhFrDL6LuG0F7HH5MbkWIs":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"2cad5292-66da-4c62-b998-cb01b67cc98b","Bluekit Phishing Kit Uses Browser-in-the-Middle Attacks to Evade Detection","bluekit-phishing-kit-uses-browser-in-the-middle-attacks-to-evade-detection-a4eb6c","A new phishing-as-a-service (PHaaS) platform called Bluekit is letting cybercriminals steal user accounts using a tricky method. While…","A new phishing-as-a-service platform called Bluekit is actively stealing user accounts using a sophisticated Browser-in-the-Middle (BitM) technique. This method allows attackers to load real login pages within their controlled browser, capturing user credentials without triggering typical security alerts. The platform employs a layered evasion architecture with over 20 bot checks to distinguish human victims from automated scanners before executing the BitM attack.","Bluekit phishing kit uses Browser-in-the-Middle attacks to evade detection.","Bluekit Phishing Kit Uses Browser-in-the-Middle Attacks to Evade Detection, by Deeba Ahmed, June 29, 2026. A new phishing-as-a-service (PHaaS) platform called Bluekit is letting cybercriminals steal user accounts using a tricky method. While Varonis Threat Labs first spotted and reported the platform earlier this year, it appeared to be in development at that time. New data shows it is now fully active on a large scale. Cybersecurity firm Netcraft has reported this sudden rise, discovering around 70 active website names using the system in just one week. 
How the Scam Works Typical scams usually trick people by copying a website page or passing internet data back and forth. Bluekit changes this approach by using an attack method called Browser-in-the-Middle (BitM). According to Netcraft researchers, the system loads the real login page, like a Microsoft login, inside a browser that the hackers control. An open-source software tool called rrweb then “records and streams live DOM interactions” to the victim over a WebSocket connection, researchers explained. Further investigation revealed that the victim sees a real, working page instead of a simple picture or video stream. When the target types their details or clicks on buttons, those actions go right into the hacker’s browser. The victim thinks they are logging in normally, but they are actually opening their account inside the hacker’s computer. Passing the Security Tests Before showing the fake login page, the system runs a series of tests to block security tools. Netcraft’s research, shared exclusively with Hackread.com, highlighted that Bluekit uses a “layered evasion architecture designed to prevent automated detection” from safety systems. “Bluekit operates in two distinct phases: a pre-engagement evasion phase designed to distinguish human victims from automated scanners, and a delivery phase in which the BitM technique is executed,” the blog post reads. The attack sequence shows that when a victim loads the scam link, the system runs more than 20 bot checks. It looks at computer details like RAM, screen size, and browser language. Using WebRTC technology, it connects to a STUN server to check a user’s web settings. This lets the hackers see whether a visitor is using a proxy or a VPN to hide their identity. If the visitor is a real person, a fake safety check page or CAPTCHA appears, often copying big names like Cloudflare to trick the user. Why This Tool Differs Hackers love this new setup because it helps them bypass extra security steps. 
With older tools like Evilginx, stealing an active session and moving it to a new computer could trigger a safety alarm due to a mismatch in browser details. With Bluekit, the session starts on the hacker’s machine from the very beginning. This means the browser details never change, making it much harder for security systems to spot the trick. Researchers noted that the tool creates a very smooth experience for the victim with no bad quality issues, though a slight lag in mouse clicks might be the only giveaway. Since this platform is now fully live, users must remain cautious even when a login page looks completely genuine.","https:\u002F\u002Fhackread.com\u002Fbluekit-phishing-uses-browser-in-the-middle-attacks\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fbluekit-phishing-uses-browser-in-the-middle-attacks.jpg","2026-06-29T09:42:12+00:00","2026-06-29T10:00:14.728304+00:00",8,[18,21,24,26,28,31],{"name":19,"type":20},"Bluekit","product",{"name":22,"type":23},"Browser-in-the-Middle","technology",{"name":25,"type":23},"rrweb",{"name":27,"type":23},"WebRTC",{"name":29,"type":30},"Microsoft","vendor",{"name":32,"type":30},"Cloudflare","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":33,"icon":35,"name":36,"slug":37},null,"Threat Intelligence","threat-intelligence",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":50},{"id":33,"icon":35,"name":36,"slug":37},[]]