Malware | Apr 29, 2026

New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks

Bluekit phishing-as-a-service kit uses AiTM attacks to bypass MFA and steal session data.

Summary

Varonis Threat Labs discovered Bluekit, a new phishing-as-a-service tool offering 40+ fake website templates for major platforms (iCloud, Gmail, Outlook, etc.) with a unified dashboard for domain management, phishing page creation, and victim tracking. The kit's primary threat vector is an Adversary-in-the-Middle (AiTM) technique that steals session cookies and local storage data to bypass MFA protections entirely. Bluekit also integrates an unrestricted AI assistant (Abliterated Llama) for campaign automation and is rapidly adding features like voice cloning and geolocation emulation.

Full text

Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections.

By Deeba Ahmed, April 29, 2026

Varonis Threat Labs has discovered a new phishing-as-a-service kit called Bluekit that makes it much easier for cyberattackers to bypass security, even when users have extra protections turned on. The kit is effectively a one-stop shop for hackers, offering over 40 fake website templates that mimic big names like iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger.

In the past, a hacker had to switch between different services to set up a scam. Bluekit changes that by offering everything on a single dashboard where threat actors can buy domains, set up fake login pages, and track their victims in real time.

Bypassing the MFA

The most dangerous part of Bluekit is that it handles security codes using a method called Adversary-in-the-Middle (AiTM). According to Varonis’ experts, when a victim enters their details on a fake Bluekit page, the kit doesn’t just grab the password; it also steals session cookies and local storage data.

This is a serious problem because it facilitates an MFA (multi-factor authentication) bypass. The stolen cookies act as authenticated session tokens, which prove to a server that a user has already completed the login and identity verification process. By replaying these tokens, hackers can gain unauthorised access to an account without ever needing to interact with the victim’s multi-factor authentication prompt. The kit even keeps a live view of the target’s browser and sends all stolen data directly to the hacker via Telegram.

“Operators can buy or connect domains from the same interface used to manage phishing pages and captured logs, rather than splitting that work across separate services. That setup flow also extends into site creation itself. In the view we reviewed, operators could pick a domain, choose a mode, and select from a broad list of target brands and services, including consumer email providers and developer-facing platforms,” researchers explained.

[Image: Some templates supported by Bluekit (source: Varonis)]

AI Without the Guardrails

Researchers noted that Bluekit also comes with its own AI assistant called Abliterated Llama, even though it lists famous models like GPT-4. “Abliterated” refers to a model whose safety filters have been stripped away, so while the actual Llama won’t comply, the abliterated version won’t refuse to help with a cyberattack.

[Image: Bluekit dashboard (source: Varonis)]

Varonis threat researcher Daniel Kelley pointed out in the blog post shared with Hackread.com that while hackers used to try to jailbreak standard AI to help them, Bluekit shows a shift “toward open-weight models without safety guardrails, which is more consistent than working around prompt-level filters.”

Right now, the AI assistant mostly builds the campaign framework, often leaving placeholders for the hacker to fill in later. However, the developer is moving fast. New features like voice cloning, geolocation emulation, and antibot cloaking are being added constantly. With the kit evolving this quickly, researchers expect to see Bluekit appearing in many more cyberattacks soon.
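A defender-side illustration of the session token replay described under "Bypassing the MFA", added here and not part of the Hackread article or the Varonis research: it binds each session to the IP and user agent that completed MFA and flags later requests on that session from a different client. The log format, event names and sample lines are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample web-session log (not from the article). Fields: time,
# session id, event, source IP, user agent. IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-04-29T09:00:02Z,s-a1,login_mfa_ok,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2026-04-29T09:00:40Z,s-a1,request,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2026-04-29T09:03:11Z,s-a1,request,203.0.113.50,Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0
2026-04-29T09:05:00Z,s-b2,login_mfa_ok,192.0.2.14,Mozilla/5.0 (Macintosh) Safari/17.4
2026-04-29T09:06:30Z,s-b2,request,192.0.2.99,Mozilla/5.0 (Macintosh) Safari/17.4
2026-04-29T09:07:00Z,s-c3,request,203.0.113.50,Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0
"""

Finding = namedtuple("Finding", "session time severity reason")


def parse(log_text):
    """Yield (time, session, event, ip, user_agent) tuples from the log."""
    for line in log_text.strip().splitlines():
        # maxsplit=4 keeps the user agent intact as the last field
        yield tuple(line.split(",", 4))


def detect_replay(log_text):
    """Flag requests whose client differs from the one that passed MFA."""
    bound = {}      # session id -> (ip, user agent) seen at MFA completion
    findings = []
    for ts, sid, event, ip, ua in parse(log_text):
        if event == "login_mfa_ok":
            bound[sid] = (ip, ua)
            continue
        if sid not in bound:
            continue  # login happened outside this log window; nothing to compare
        b_ip, b_ua = bound[sid]
        changed = [name for name, now, then in
                   (("ip", ip, b_ip), ("user_agent", ua, b_ua)) if now != then]
        if changed:
            # Both attributes changing at once is the stronger replay signal;
            # an IP change alone can be ordinary roaming, so it rates lower.
            severity = "high" if len(changed) == 2 else "medium"
            reason = "+".join(changed) + " changed after MFA"
            findings.append(Finding(sid, ts, severity, reason))
    return findings


if __name__ == "__main__":
    for f in detect_replay(SAMPLE_LOG):
        print(f"{f.time} {f.session} [{f.severity}] {f.reason}")
```

A finding is a signal to revoke the session and force re-authentication, not proof of compromise; binding sessions to the client at the server side turns the same comparison into prevention.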

Indicators of Compromise

  • malware — Bluekit
  • malware — Abliterated Llama

Entities

  • Bluekit (product)
  • Varonis (vendor)
  • Adversary-in-the-Middle (AiTM) (technology)
  • Multi-Factor Authentication (MFA) (technology)