Cybercriminals have a new weapon. Varonis Threat Labs uncovered Bluekit, a phishing platform that bundles everything an attacker needs into a single control panel. Operators pick domains, deploy fake login pages, and siphon data—all without leaving the dashboard. This setup marks a shift. Past campaigns pieced together tools from scattered underground sellers. Bluekit handles it alone.
And it’s aggressive. The kit spoofs over 40 brands. Think iCloud. Apple ID. Gmail. Outlook. Hotmail. Yahoo. ProtonMail. GitHub. Twitter. Zoho. Zara. Ledger. Each template mimics the real thing, logos and all. Attackers select a target service during site creation, then tweak settings for redirects, anti-bot checks, and device filters. Varonis researchers reviewed it firsthand, noting how operators connect domains right there, skipping separate services. Varonis blog.
MFA? No problem. Bluekit runs adversary-in-the-middle tricks. Victims enter credentials on the fake page. The kit proxies the login to the legitimate site, grabs session cookies once authenticated, and dumps them. Attackers replay those cookies for access, dodging two-factor prompts entirely. Local storage goes too. Live session views let operators watch victims post-login, spotting further opportunities. Telegram channels pipe alerts and exfiltrated data in real time. BleepingComputer.
AI makes it deadlier. An assistant drafts campaign emails. Models include abliterated Llama by default, plus GPT-4.1, Claude Sonnet 4, Gemini, DeepSeek. Guardrails stripped—jailbroken variants ensure no refusals. Outputs stay basic, though. Placeholders fill skeletons. “The draft included a useful structure, but it still depended on generic link fields, placeholder QR blocks, and copy that would need cleanup before use,” Varonis noted. Still, it speeds low-skill operators. Daniel Kelley, senior researcher at Varonis, highlighted the pivot: hackers once jailbroke standard AI; now they grab open-weight models sans filters for reliable results. Hackread.
Evasion baked in. Cloaking blocks bots, headless browsers, VPNs, proxies. Geolocation spoofing masks logins as local, killing alerts. Device filters limit to desktop or mobile. Post-capture, repeated cookie dumps keep sessions fresh. Add-ons like voice cloning expand tricks. A threat actor named petrushka pushes it on underground forums, tying to Telegram ops and Monero payments. Rapid changelogs show constant tweaks—new templates, features. “The feature set keeps evolving as we track it, and if that pace continues with broader adoption, Bluekit is likely to surface in future campaigns,” Varonis warned.
This isn’t isolated. Bluekit fits a pattern. Fragmented kits demanded tech savvy. Now PhaaS platforms automate the grind, pulling in novices. Enterprises feel it first—stolen GitHub creds lead to code repos; email hijacks spark BEC scams. MFA fatigue rises as prompts fail against cookie theft. Simulations must match these flows: session hijacks, not just credential grabs.
Defenses lag. Push for FIDO2 keys, passkeys, biometrics in trusted setups. Shorten sessions. Monitor anomalous logins, even from ‘normal’ spots. Train on AiTM lures—urgent verifies, security updates. Block Telegram data flows where possible. But scale matters. One dashboard means volume. Varonis calls it an all-in-one for lower-tier crooks managing full lifecycles. BleepingComputer echoes: active development signals wider use soon.
Petrushka’s promo hit forums weeks back. No public IOCs yet—domains rotate, infrastructure hides. Watch for Evilginx echoes in traffic, sudden template surges targeting dev platforms. X buzz confirms the hype. Dark Web Informer flagged petrushka’s pitch: 40+ templates, AiTM core, voice tools. Dark Web Informer on X. Cybersecurity accounts reposted Varonis findings yesterday, tying to real campaigns.
Bluekit lowers bars. Anyone subscribes, launches. Enterprises: audit MFA reliance now. Cookies betray. Sessions expire fast. AI drafts hit inboxes tomorrow. Evolution accelerates. Ignore at peril.


WebProNews is an iEntry Publication