Varonis Threat Labs has discovered a new phishing-as-a-service kit called Bluekit that is making it much easier for cyberattackers to bypass security, even when users have extra protections turned on. The kit is essentially a one-stop shop for hackers, offering over 40 fake website templates that mimic big names like iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger.
In the past, a hacker had to switch between different services to set up a scam. Bluekit changes all that by offering everything on a single dashboard where threat actors can buy domains, set up fake login pages, and track their victims in real-time.
Bypassing the MFA
The most dangerous part of Bluekit is that it handles security codes using a method called Adversary-in-the-Middle (AiTM). According to Varonis’ experts, when a victim enters their details on a fake Bluekit page, the kit doesn’t just grab the password; it also steals session cookies and local storage data. This is a huge problem because it facilitates an MFA (multi-factor authentication) bypass.
Those stolen cookies act like authenticated session tokens, which prove to a server that a user has already completed the login and identity verification process. By replaying these tokens, hackers can gain unauthorised access to an account without ever needing to interact with the victim’s multi-factor authentication prompt. The kit even keeps a live view of the target’s browser and sends all stolen data directly to the hacker via Telegram.
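As an added example (not from Varonis or the original article), one way a defender can spot the token replay described above is to bind each session to the client context that completed MFA and flag later use of the same session from elsewhere. The log format, field names, alert labels and sample events are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample events (not from the Varonis report): one JSON object per
# line, as a web app or identity provider might log them. Field names are assumed.
SAMPLE_LOG = """\
{"ts": 1000, "event": "mfa_success", "user": "alice", "sid": "s-111", "ip": "198.51.100.7", "ua": "Firefox/126 Windows"}
{"ts": 1060, "event": "request", "user": "alice", "sid": "s-111", "ip": "198.51.100.7", "ua": "Firefox/126 Windows"}
{"ts": 1090, "event": "request", "user": "alice", "sid": "s-111", "ip": "203.0.113.50", "ua": "python-requests/2.31"}
{"ts": 2000, "event": "mfa_success", "user": "bob", "sid": "s-222", "ip": "192.0.2.10", "ua": "Safari/17 iOS"}
{"ts": 2300, "event": "request", "user": "bob", "sid": "s-222", "ip": "198.51.100.99", "ua": "Safari/17 iOS"}
{"ts": 2400, "event": "request", "user": "carol", "sid": "s-333", "ip": "203.0.113.50", "ua": "Chrome/125 Linux"}
"""

def network(ip):
    """Coarse network key (/24 for IPv4, /64 for IPv6); ASN data would be better."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def detect_replay(log_text):
    """Return (ts, sid, reason) for session use that departs from the MFA context."""
    bound = {}   # sid -> event recorded when MFA completed for that session
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["sid"]
        if ev["event"] == "mfa_success":
            bound[sid] = ev
            continue
        origin = bound.get(sid)
        if origin is None:
            # Token presented with no recorded MFA completion for it.
            alerts.append((ev["ts"], sid, "no_mfa_record"))
            continue
        moved = network(ev["ip"]) != network(origin["ip"])
        new_client = ev["ua"] != origin["ua"]
        if moved and new_client:
            # New network and new client together: treat as replay, revoke session.
            alerts.append((ev["ts"], sid, "replay_suspected"))
        elif moved or new_client:
            # One attribute changed (e.g. roaming): require re-authentication.
            alerts.append((ev["ts"], sid, "context_drift"))
    return alerts

if __name__ == "__main__":
    for alert in detect_replay(SAMPLE_LOG):
        print(alert)
```

In an AiTM flow the MFA step itself may be relayed through the phishing infrastructure, so this check catches replay from a different client than the one that logged in, and should be paired with phishing-resistant authentication and sign-in risk checks.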
“Operators can buy or connect domains from the same interface used to manage phishing pages and captured logs, rather than splitting that work across separate services. That setup flow also extends into site creation itself. In the view we reviewed, operators could pick a domain, choose a mode, and select from a broad list of target brands and services, including consumer email providers and developer-facing platforms,” researchers explained.
AI Without the Guardrails
Researchers noted that Bluekit also comes with its own AI assistant called Abliterated Llama, even though it lists famous models like GPT-4. For context, an abliterated model is a specific type of AI with its safety filters stripped away, so while the actual Llama won’t comply, the abliterated version won’t refuse to help with a cyberattack.

Varonis threat researcher Daniel Kelley pointed out in the blog post shared with Hackread.com that while hackers used to try to jailbreak standard AI to help them, Bluekit shows a shift “toward open-weight models without safety guardrails, which is more consistent than working around prompt-level filters.”
Right now, the AI assistant mostly builds the campaign framework, often leaving placeholders for the hacker to fill in later. However, the developer is moving fast. New features like voice cloning, geolocation emulation, and antibot cloaking are being added constantly. With the kit evolving this quickly, researchers expect to see Bluekit appearing in many more cyberattacks soon.

