New 'Bluekit' Phishing Platform Integrates AI Assistant and Automated Infrastructure
A newly discovered phishing toolkit called Bluekit integrates an AI assistant and automated domain management to streamline the execution of sophisticated credential and session-hijacking campaigns.

A sophisticated new phishing toolkit, dubbed "Bluekit," has been identified by researchers at Varonis. The kit distinguishes itself by integrating an AI assistant and automated domain management directly into its control panel, streamlining the end-to-end process of launching credential-harvesting campaigns (SecurityWeek).
Bluekit provides operators with a comprehensive suite of tools, including over 40 website templates targeting major services such as Apple ID, iCloud, GitHub, Gmail, Hotmail, Ledger, ProtonMail, Outlook, Zara, and Zoho. Beyond simple credential theft, the kit is designed to capture session cookies and local storage dumps, allowing attackers to bypass multi-factor authentication (MFA) by hijacking active sessions. The platform also features advanced evasion techniques, including geolocation emulation, antibot cloaking, and device filtering to prevent security researchers and automated scanners from detecting the malicious pages (SecurityWeek).
The integration of an AI assistant is a notable evolution in the phishing-as-a-service market. The assistant, which provides access to multiple model options—likely leveraging jailbroken or permissive instances—can generate structured campaign drafts for attackers. While current testing shows the AI provides templates with placeholders rather than fully polished content, its presence indicates a shift toward lowering the barrier to entry for creating convincing phishing lures (SecurityWeek).
The kit’s control panel is designed for operational efficiency, allowing users to register and manage domains, configure phishing pages, and monitor exfiltration logs from a single interface. By centralizing these tasks, Bluekit eliminates the need for attackers to switch between disparate services. Captured data, including session information, is exfiltrated primarily through Telegram, providing attackers with a real-time view of their victims' activity (SecurityWeek).
Although Varonis researchers gained access to the Bluekit control panel and have observed its rapid development, the kit has not yet been deployed in a live, large-scale campaign. The developers are frequently pushing updates to both features and templates, suggesting that the tool is being actively refined for broader distribution. Varonis warns that as the kit matures and gains adoption, it is likely to become a significant threat in future phishing operations (SecurityWeek).
The emergence of Bluekit highlights a broader trend in the cybercrime ecosystem: the professionalization and automation of phishing infrastructure. As threat actors increasingly adopt "all-in-one" platforms that incorporate AI-driven content generation and automated domain provisioning, the speed and scale at which phishing campaigns can be launched continue to rise. Security teams should monitor for the specific indicators and techniques associated with this kit as it transitions from development to active use (SecurityWeek).
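
One way to monitor for the session hijacking described above, where a stolen cookie lets an attacker skip MFA, is to flag any session ID used by a client other than the one that completed MFA for it. This is an added example, not code from Varonis, SecurityWeek or the kit itself; the log schema, field names and sample records are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample records; the field names are assumptions, not a real product schema.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:05Z","event":"request","user":"alice","session":"s-111","ip":"198.51.100.10","ua":"Safari/17 macOS"}
{"ts":"2025-01-10T09:00:00Z","event":"login_mfa","user":"alice","session":"s-111","ip":"198.51.100.10","ua":"Safari/17 macOS"}
{"ts":"2025-01-10T09:07:00Z","event":"request","user":"alice","session":"s-111","ip":"203.0.113.77","ua":"Chrome/120 Windows"}
{"ts":"2025-01-10T09:10:00Z","event":"login_mfa","user":"bob","session":"s-222","ip":"192.0.2.4","ua":"Firefox/121 Linux"}
{"ts":"2025-01-10T09:30:00Z","event":"request","user":"bob","session":"s-222","ip":"192.0.2.99","ua":"Firefox/121 Linux"}
{"ts":"2025-01-10T09:40:00Z","event":"request","user":"carol","session":"s-333","ip":"192.0.2.50","ua":"Edge/120 Windows"}
"""

def parse(log_text):
    """Parse JSON lines and return events in time order (logs may arrive unordered)."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["when"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["when"])

def find_session_replay(events):
    """Flag requests whose client differs from the one that completed MFA for the session."""
    bound = {}      # session id -> (ip, ua) of the client that completed MFA
    findings = []
    for e in events:
        sid, client = e["session"], (e["ip"], e["ua"])
        if e["event"] == "login_mfa":
            bound[sid] = client
            continue
        if sid not in bound:
            # No MFA event for this session in the window: nothing to compare against.
            findings.append({"session": sid, "user": e["user"], "severity": "info",
                             "reason": "no_mfa_event_seen"})
            continue
        ip_changed = e["ip"] != bound[sid][0]
        ua_changed = e["ua"] != bound[sid][1]
        if ip_changed or ua_changed:
            # A new IP alone is common (mobile, VPN); a new IP plus a new browser is not.
            severity = "high" if ip_changed and ua_changed else "low"
            findings.append({"session": sid, "user": e["user"], "severity": severity,
                             "reason": "client_changed", "ip": e["ip"], "ua": e["ua"]})
    return findings

if __name__ == "__main__":
    for finding in find_session_replay(parse(SAMPLE_LOG)):
        print(finding)
```

High-severity findings are candidates for revoking the session and forcing re-authentication; low-severity ones are better correlated with other signals before action.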