Nearly 70 new hostnames have appeared on Bluekit's infrastructure in the past week, a rapid expansion that coincides with the phishing-as-a-service platform adding browser-in-the-middle capability to capture live logins, researchers report.
Bluekit's switch to browser-in-the-middle (BitM)
Digital risk protection company Netcraft warns that Bluekit has moved from an adversary-in-the-middle (AitM) model to a browser-in-the-middle (BitM) technique that lets operators complete authentication themselves. An AitM kit reverse-proxies HTTP traffic between the victim's own browser and the real site; in a BitM attack the browser itself runs on the attacker's side. The victim interacts with a rendered view of that attacker-controlled session, which loads the legitimate login page and relays the victim's inputs and the service's responses. When authentication completes in the attacker's browser, the attacker already holds a valid session token and can use the account without needing the user's raw credentials, and without replaying a password through any MFA prompt a second time.
rrweb: a legitimate library repurposed for session replay
Netcraft says Bluekit implements BitM by using the open-source JavaScript library rrweb to serialize the page's Document Object Model (DOM) and stream it over a WebSocket connection to the victim. Images, fonts, and CSS are fetched through the phishing infrastructure while the victim's inputs are forwarded back to the attacker's browser. Researchers note rrweb itself is a legitimate project widely used for session replay and analytics and emphasize its presence alone should not be read as definitive proof of compromise. Still, Netcraft highlights rrweb's appeal to operators because of "excellent visual fidelity, real-time interactivity, and bandwidth efficiency."
Comprehensive victim qualification and anti-analysis inside Bluekit
Varonis researchers first documented Bluekit in April and reported that the platform offers an AI assistant for crafting phishing emails, supporting Llama, GPT-4.1, Claude, Gemini, and DeepSeek. At that time, Bluekit advertised 40 templates targeting Outlook, Hotmail, Gmail, Yahoo, ProtonMail, iCloud, GitHub, and Ledger. Netcraft's newer findings show the platform has added several anti-analysis measures to ensure only real targets reach the BitM stage. Those measures include:
- Randomized CSS filters designed to defeat screenshot-based detection.
- A large (>1 MB), frequently changing obfuscated JavaScript bundle.
- A custom CAPTCHA that may imitate Cloudflare or the target brand.
- Browser fingerprinting checks for RAM, CPU cores, screen resolution, language, headless-browser indicators, and anti-fingerprinting extensions.
- WebRTC-based IP mismatch detection to identify users behind proxies or VPNs.
Before any credentials are requested, Bluekit's "victim qualification" system runs these checks to filter out researchers, sandboxes, and security crawlers, so the live, interactive BitM stage is served only to visitors that look like real users on real browsers.
Signals Netcraft lists — not definitive IOCs, but useful
Netcraft provides a set of signals associated with Bluekit deployments and cautions that these are not ironclad indicators of compromise. The signals are:
- CSS filter manipulation on top-level HTML elements, with randomized values.
- Presence of an obfuscated JavaScript bundle that is rotated frequently.
- Browser-fingerprint checks.
- WebSocket connections that send encrypted or binary data on login pages.
- WebRTC IP mismatch detection on the landing page.
Netcraft also notes that a live monitoring capability, previously documented by Varonis, is still present: a 5-second update interval lets operators watch victims during deceptive login sessions and track their actions after login.
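As an added example (not code from Netcraft, Varonis, or the article), the following heuristic scanner turns the page-side signals above, together with the fingerprinting and WebRTC checks listed under anti-analysis, into a static check over a fetched login page's source. The regexes, the size cutoff, and the three-signal threshold are assumptions chosen for illustration; the two sample pages are constructed and are not real Bluekit captures.

```javascript
// Heuristic static scanner for BitM phishing-kit signals in a login page's source.
// Added example; not Netcraft's or Bluekit's code. Assumes the page HTML has
// already been fetched into a string. All patterns and thresholds are assumptions.

const OBFUSCATED_BUNDLE_MIN_BYTES = 1_000_000; // report says ">1 MB"; exact cutoff is an assumption

// Property reads typical of fingerprinting scripts (RAM, cores, screen, language, headless hints).
const FINGERPRINT_PROBES = [
  /navigator\.deviceMemory/,
  /navigator\.hardwareConcurrency/,
  /screen\.(?:width|height|availWidth|colorDepth)/,
  /navigator\.languages?\b/,
  /navigator\.webdriver/,
];

function hasPasswordField(html) {
  return /<input\b[^>]*type\s*=\s*["']?password/i.test(html);
}

function countMatches(text, patterns) {
  return patterns.filter((re) => re.test(text)).length;
}

function inlineScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
}

const SIGNALS = [
  {
    // filter: on <html>/<body> with numeric arguments, e.g. hue-rotate(17deg) contrast(1.03)
    name: "randomized-css-filter-on-root",
    test: (html) =>
      /(?:^|[\s,}>])(?:html|body)\s*\{[^}]*\bfilter\s*:[^;}]*\d/i.test(html) ||
      /<(?:html|body)\b[^>]*style\s*=\s*["'][^"']*\bfilter\s*:[^"']*\d/i.test(html),
  },
  {
    // very large inline bundle using _0x-style identifiers, a common obfuscator artifact
    name: "large-obfuscated-js-bundle",
    test: (html) =>
      inlineScripts(html).some(
        (js) => js.length > OBFUSCATED_BUNDLE_MIN_BYTES && /_0x[0-9a-f]{4,}/i.test(js),
      ),
  },
  { name: "browser-fingerprinting", test: (html) => countMatches(html, FINGERPRINT_PROBES) >= 3 },
  {
    // a plain login form has no business opening a WebSocket
    name: "websocket-on-login-page",
    test: (html) => hasPasswordField(html) && /new\s+WebSocket\s*\(/.test(html),
  },
  {
    // RTCPeerConnection plus ICE candidate handling is the usual WebRTC IP-leak probe
    name: "webrtc-ip-probe",
    test: (html) => /RTCPeerConnection\s*\(/.test(html) && /icecandidate/i.test(html),
  },
];

// Returns the matched signal names plus a simple score; the threshold of 3 is an assumption.
function scanLoginPage(html) {
  const findings = SIGNALS.filter((s) => s.test(html)).map((s) => s.name);
  return { findings, score: findings.length, suspicious: findings.length >= 3 };
}

// Constructed sample pages (not real captures). The bundle is padded past the size cutoff.
const SUSPICIOUS_PAGE = `<html style="filter: hue-rotate(17deg) contrast(1.03)">
<head><style>body{filter:saturate(0.97)}</style></head>
<body>
<form><input type="email"><input type="password"></form>
<script>${"var _0x3f9a1b=1;".repeat(70000)}
var fp=[navigator.deviceMemory,navigator.hardwareConcurrency,screen.width,navigator.language,navigator.webdriver];
var pc=new RTCPeerConnection({iceServers:[]});pc.onicecandidate=function(e){};
var ws=new WebSocket("wss://example.invalid/s");ws.binaryType="arraybuffer";
</script></body></html>`;

const BENIGN_PAGE = `<html><body><form><input type="email"><input type="password"></form>
<script>document.querySelector("form").addEventListener("submit", function(){});</script>
</body></html>`;

console.log(scanLoginPage(SUSPICIOUS_PAGE)); // all five signals fire
console.log(scanLoginPage(BENIGN_PAGE));     // no findings
```

Because these are heuristics, treat a high score as a triage prompt rather than a verdict: a legitimate analytics deployment of rrweb or a real anti-bot CAPTCHA can trip individual checks, which is exactly the caution Netcraft attaches to its list.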
What this means for security teams, enterprises, and end users
- Security teams: The combination of BitM and sophisticated anti-analysis increases the need to watch for behavioral and connection-level signals such as unexpected WebSocket binary streams on login pages, rotated obfuscated bundles, or WebRTC IP mismatches. Netcraft's signal list gives concrete technical checks defenders can add to detection rules and incident triage workflows.
- Enterprises and procurement leaders: The Bluekit evolution underscores the value of testing defensive controls. The Picus whitepaper referenced in the reporting notes that breach and attack simulation helps validate SIEM and EDR rules so threats "stop slipping by detection." Organizations should consider simulation and red-team tests that exercise interactive phishing scenarios and session-capture techniques.
- End users: Netcraft flags practical red flags everyone can watch for. Noticeable lag between typing or clicking on a login page and the page responding, or an unexpected, brand-styled CAPTCHA before the login form, should raise suspicion. Because Bluekit completes authentication in an attacker's browser and keeps access for as long as the captured session token stays valid, spotting these interaction quirks before the login finishes matters.
Netcraft also recalls that the BitM method itself is not novel: it was devised in 2022 by researcher mr.d0x and later observed in malicious activity. Bluekit's rapid hostname growth, multi-model AI drafting assistant, and layered anti-analysis controls materially lower the cost and increase the fidelity of mass phishing operations. With operators able to monitor victims in near-real time and capture valid session tokens, defenders face a technical challenge: detect the subtle connection and rendering signals Netcraft lists before a live session hands control to an attacker.
Read the original report: https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/