
Bluekit phishing kit enables automated phishing with 40+ templates and AI tools

May 4, 2026, 03:46

Bluekit is a new phishing kit with AI features, automated domain setup, and tools like spoofing, voice cloning, and 40+ attack templates.

Bluekit is a newly discovered phishing kit still in development that includes advanced features such as an AI assistant and automated domain registration. According to Varonis, it offers over 40 website templates along with tools for spoofing, voice cloning, antibot protection, geolocation tricks, and two-factor authentication bypass support.

“Varonis Threat Labs recently discovered Bluekit, a new phishing kit pitching a broader model. It advertises 40+ website templates, automated domain purchase and registration, 2FA support, spoofing, geolocation emulation, Telegram and browser notifications, antibot cloaking, and add-ons like an AI assistant, voice cloning, and a mail sender.” reads the report published by Varonis.

Bluekit supports multiple phishing templates targeting major services such as iCloud, Apple ID, Gmail, Outlook, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger. It combines email, cloud, crypto, and developer platforms in one kit.

The researchers accessed Bluekit to analyze its internal dashboard, which centralizes phishing operations in a single interface. Operators can create campaigns, register or link domains, manage captured credentials, and send stolen data via Telegram.

The kit also includes a site-builder where users select domains, templates, and target brands. It provides detailed control over phishing pages, including login detection, redirects, anti-analysis checks, spoofing, and device filtering.

Bluekit tracks sessions in real time, storing cookies and login data, and displays post-login activity. Overall, it acts as a full phishing platform rather than a simple credential-stealing tool.

Bluekit includes an AI Assistant panel with multiple model options such as Llama (default), GPT-4.1, Claude Sonnet 4, Gemini, and DeepSeek variants.

The researchers noted that in testing, only the default Llama model was usable, while the others appeared but required extra configuration, suggesting possible use of jailbroken or non-standard setups if activated in practice.

The researchers tested the assistant with a phishing scenario targeting a Microsoft 365 MFA reset for a company executive, including QR-based lures and credential-harvesting pages.

Instead of producing a ready-made phishing campaign, the AI generated only a structured draft. The output relied heavily on placeholders and generic text, requiring manual refinement.

“We expected something closer to a polished phishing copilot: a finished lure, cleaner email copy, and perhaps even a workable QR-driven flow with less manual effort. What we received was much more limited.” continues the report. “The assistant returned a structured campaign draft, and much of it relied on placeholders instead of content that looked ready to use as-is.”

Overall, the AI Assistant acts more as a tool for building campaign outlines than as one that delivers fully functional phishing kits.

Bluekit has been monitored over time not just for isolated campaigns, but for how quickly it evolves. Researchers initially aimed to catch it in real-world phishing activity, but its rapid development made the release cycle itself part of the observation. New features and templates were added so frequently that tracking updates became as important as identifying active deployments.

“Compared with similar phishing kits that have already advanced further into automation and operator convenience, Bluekit still appears to be a kit in active development.” concludes the report. “The feature set keeps evolving as we track it, and if that pace continues with broader adoption, Bluekit is likely to surface in future campaigns.”


Pierluigi Paganini

(SecurityAffairs – hacking, Bluekit phishing kit)

New AI-Powered Bluekit Phishing Kit Targets Major Platforms with MFA Bypass Attacks

Bluekit Phishing Kit is a new PhaaS tool that targets major platforms, using AiTM techniques to steal session data and bypass MFA protections.

Authorities Dismantle ‘W3LL’ Phishing Empire Powering Global Business Email Attacks

April 13, 2026, 05:11

W3LL Phishing, W3LL Phishing Kit, W3LL Store

An international operation coordinated between the FBI Atlanta Field Office and Indonesian law enforcement agencies has led to the takedown of a major phishing infrastructure that enabled cybercriminals worldwide to steal credentials and attempt fraud exceeding $20 million.

The crackdown targeted a cybercrime ecosystem built around the “W3LL phishing kit,” a tool designed to replicate legitimate login pages and harvest user credentials at scale. Authorities say the platform allowed attackers to compromise thousands of accounts and carry out widespread financial fraud.

More Than a Phishing Tool

Investigators describe W3LL not as a single piece of malware, but as a fully developed “phishing-as-a-service” operation. For a relatively low cost of around $500, cybercriminals could purchase access to the kit and launch highly convincing phishing campaigns with minimal technical expertise.

The service was supported by an underground marketplace known as W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, more than 25,000 compromised accounts were traded through the platform.

Even after the marketplace was shut down, the operation continued through private and encrypted channels, allowing it to evolve and remain active.


Built for Corporate Account Takeovers

According to research by Group-IB, the W3LL ecosystem was specifically designed to target corporate environments, particularly business email systems such as Microsoft 365.

The toolkit included a range of capabilities beyond simple phishing pages, forming an end-to-end attack chain. These included tools for:

  • Sending large-scale phishing emails
  • Harvesting and validating email accounts
  • Hosting malicious infrastructure
  • Managing stolen credentials

Group-IB estimates that around 500 threat actors were actively using W3LL tools, turning the platform into a structured cybercrime network rather than a loose collection of attackers.

Bypassing Multi-Factor Authentication

One of the most dangerous aspects of the W3LL kit was its use of adversary-in-the-middle (AitM) techniques. This allowed attackers to intercept login sessions in real time, capturing not just usernames and passwords but also authentication tokens.

As a result, even accounts protected by multi-factor authentication (MFA) could be compromised, giving attackers persistent access to corporate systems.

Security researchers say this capability made W3LL particularly effective in business email compromise (BEC) attacks—one of the most financially damaging forms of cybercrime today.
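
A defender-side illustration of the token theft described above, added here and not taken from the original article or from Group-IB: it flags session-token use whose IP address and user agent differ from those recorded when MFA completed. The event format, field names and sample records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds, constructed timeline
    user: str
    session_id: str
    kind: str        # "mfa_success" or "token_use" (hypothetical event names)
    ip: str
    user_agent: str

# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    Event(1000, "alice@example.com", "s-1", "mfa_success", "198.51.100.7", "Edge/Windows"),
    Event(1060, "alice@example.com", "s-1", "token_use", "198.51.100.7", "Edge/Windows"),
    Event(1090, "alice@example.com", "s-1", "token_use", "203.0.113.50", "python-requests"),
    Event(2000, "bob@example.com", "s-2", "mfa_success", "192.0.2.10", "Safari/macOS"),
    Event(2300, "bob@example.com", "s-2", "token_use", "192.0.2.10", "Safari/macOS"),
    Event(3000, "carol@example.com", "s-3", "token_use", "203.0.113.99", "curl"),
]

def find_token_replay(events):
    """Flag token uses whose client context differs from the MFA context."""
    origin = {}    # session_id -> (ip, user_agent) seen when MFA completed
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            origin[ev.session_id] = (ev.ip, ev.user_agent)
        elif ev.kind == "token_use":
            seen = origin.get(ev.session_id)
            if seen is None:
                # Token presented for a session with no MFA event on record.
                findings.append((ev.session_id, ev.user, "no_mfa_on_record", ev.ip))
            elif (ev.ip, ev.user_agent) != seen:
                # Same session token, different client than the one that passed MFA.
                findings.append((ev.session_id, ev.user, "context_changed", ev.ip))
    return findings

if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_EVENTS):
        print(finding)
```

This signal only fires when a captured token is later presented from a different host or client than the one that relayed the login, so it complements rather than replaces phishing-resistant authentication.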

Global Scale and Impact

The phishing kit was used in attacks targeting organizations across multiple industries, including finance, healthcare, manufacturing, and IT services.

Data suggests that tens of thousands of corporate accounts were targeted globally, with a significant concentration of victims in the United States, followed by Europe and Australia.

Between 2023 and 2024 alone, the infrastructure was linked to more than 17,000 phishing attempts worldwide.

Arrest and Infrastructure Seizure

As part of the operation, authorities seized domains and infrastructure used to distribute the phishing kit and facilitate credential theft. Indonesian police also detained the suspected developer behind the platform, identified only as “G.L.”

Officials say this marks a significant step in targeting not just users of cybercrime tools, but the developers who enable large-scale attacks.
