Last updated: July 5, 2026 at 9:01 AM UTC
Tag: bluekit (1 article)

Bluekit phishing service adds browser-in-the-middle to steal logins and sessions

The Bluekit phishing-as-a-service platform has added a browser-in-the-middle technique that streams a real login page's contents to the victim over a WebSocket, capturing not just passwords but session cookies that let attackers bypass multi-factor authentication. Netcraft reports nearly 70 new Bluekit hostnames in the past week. The kit, which markets dozens of templates for services like Outlook, Gmail, GitHub, and crypto wallets and includes an AI assistant built on a safety-stripped open-weight model, layers on heavy evasion: randomized page styling to defeat screenshot detection, frequently rotating obfuscated code, custom CAPTCHAs, browser fingerprinting, and detection of proxies and security crawlers. Operators can watch victims in real time as they log in.

Check
Hunt across email and proxy logs for the Bluekit signals Netcraft lists, including randomized CSS filters on top-level elements, periodically rotated obfuscated JavaScript, and WebSocket traffic carrying encrypted data on login pages.
Affected
Users of widely targeted services like Outlook, Gmail, GitHub, and crypto wallets; stolen session cookies let attackers replay authenticated sessions and bypass multi-factor authentication entirely.
Fix
Move to phishing-resistant, hardware-backed authentication like passkeys or FIDO2 keys, which resist session-theft phishing. Also shorten session lifetimes, monitor for anomalous session reuse, and train staff on login-page verification.
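
One way to monitor for anomalous session reuse, as an added example that is not from the article or from Netcraft: it flags any session later presented by a client that differs from the first one seen for that session. The log fields, the sample events, and the /24 and /48 network grouping are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the article):
# time, user, session id, client IP, user agent.
SAMPLE_EVENTS = [
    ("2026-07-01T08:00:05", "alice", "s-1001", "198.51.100.23", "Firefox/128 Windows"),
    ("2026-07-01T08:14:40", "alice", "s-1001", "198.51.100.77", "Firefox/128 Windows"),
    ("2026-07-01T08:31:12", "alice", "s-1001", "203.0.113.9", "Chrome/126 Linux"),
    ("2026-07-01T09:02:00", "bob", "s-2002", "192.0.2.50", "Safari/17 macOS"),
    ("2026-07-01T09:45:30", "bob", "s-2002", "192.0.2.51", "Safari/17 macOS"),
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its network so small DHCP moves are not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_session_reuse(events):
    """Return findings for sessions presented by a client unlike the first one seen."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, ua in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, ua))
    findings = []
    for sid, rows in by_session.items():
        rows.sort()  # oldest event first; it sets the baseline client
        _, user, base_ip, base_ua = rows[0]
        for ts, _, ip, ua in rows[1:]:
            reasons = []
            if network_of(ip) != network_of(base_ip):
                reasons.append("network_changed")
            if ua != base_ua:
                reasons.append("user_agent_changed")
            if reasons:
                findings.append({"session": sid, "user": user,
                                 "time": ts.isoformat(), "ip": ip,
                                 "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_EVENTS):
        print(finding)
```

A network change alone is common for mobile users, so findings that carry both reasons deserve the first look.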