Tech News

Bluekit phishing kit adopts browser-in-the-middle for login theft

Why This Matters

The Bluekit phishing platform's adoption of browser-in-the-middle (BitM) techniques marks a significant evolution in cybercriminal tactics, enabling more sophisticated and stealthy data theft. This development poses increased risks for consumers and organizations, highlighting the need for enhanced security awareness and defenses against advanced phishing methods.

Key Takeaways

The Bluekit phishing-as-a-service platform continues to evolve: nearly 70 new hostnames were identified over the past week, and the kit has added browser-in-the-middle (BitM) capabilities for more effective data theft.

First documented in April by Varonis researchers, Bluekit provides an AI assistant that supports multiple large language models (Llama, GPT-4.1, Claude, Gemini, and DeepSeek) for drafting phishing emails.

At the time, the phishing kit offered “customers” 40 distinct templates targeting popular online services such as Outlook, Hotmail, Gmail, Yahoo, ProtonMail, iCloud, GitHub, and Ledger.

A new report from digital risk protection company Netcraft warns that Bluekit has switched from an adversary-in-the-middle (AitM) proxy to a BitM mechanism that uses the open-source JavaScript library ‘rrweb’ to serialize the page’s DOM and stream it over a WebSocket connection to the victim.

In a BitM attack, the victim interacts with a browser session controlled by the attacker, which loads the legitimate login page and relays requests and responses between the victim and the target service.

Netcraft notes that rrweb itself is a legitimate project widely used for session replay and analytics, and its presence in a web environment should not be interpreted as an indicator of compromise without broader context.

Images, fonts, and CSS are fetched through the phishing infrastructure, while the victim’s inputs are forwarded back to the attacker’s browser.

The researchers state that rrweb was chosen for its excellent visual fidelity, real-time interactivity, and bandwidth efficiency.

However, the relay still introduces some latency, so a noticeable delay between a keystroke or mouse click and the login page’s response should be treated as a red flag.

Authentication completes in the attacker's browser, granting them a valid session token and unlimited access to the victim’s account.
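As an added example (not code from Netcraft, the article, or the rrweb project), a Python triage heuristic for a saved copy of a login page: it flags only the combination described above, an rrweb reference, a password form, and a WebSocket to a host other than the page’s own, while treating rrweb on its own as benign. The sample HTML and hostnames are constructed placeholders, and weighting `rrweb.Replayer` as a stronger signal than a bare rrweb reference is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (placeholder hosts, not a real Bluekit artifact).
SAMPLE_HTML = """<html><head><title>Sign in</title>
<script src="https://static.cdn-placeholder.test/rrweb.min.js"></script></head>
<body><form method="post"><input type="text" name="user">
<input type="password" name="pw"></form>
<script>
const ws = new WebSocket("wss://relay.attacker-placeholder.test/session");
const player = new rrweb.Replayer([], { liveMode: true });
</script></body></html>"""

RRWEB_RE = re.compile(r"rrweb", re.IGNORECASE)
REPLAYER_RE = re.compile(r"rrweb\.Replayer\b")  # assumption: replay side = victim page
WS_RE = re.compile(r"""new\s+WebSocket\(\s*["'](wss?://[^"']+)["']""")
PASSWORD_RE = re.compile(r"""<input[^>]+type\s*=\s*["']?password""", re.IGNORECASE)


def triage_page(html: str, page_url: str) -> dict:
    """Return indicators for a saved login page and whether it merits review."""
    page_host = urlparse(page_url).hostname or ""
    ws_hosts = {urlparse(u).hostname or "" for u in WS_RE.findall(html)}
    foreign_ws = sorted(h for h in ws_hosts if h and h != page_host)
    findings = {
        "uses_rrweb": bool(RRWEB_RE.search(html)),
        "uses_replayer": bool(REPLAYER_RE.search(html)),
        "has_password_field": bool(PASSWORD_RE.search(html)),
        "foreign_websocket_hosts": foreign_ws,
    }
    # rrweb alone is legitimate (session replay / analytics). Only the
    # combination of rrweb + a password form + a WebSocket to another host
    # matches the relayed-DOM pattern and is worth an analyst's time.
    findings["review"] = (
        findings["uses_rrweb"]
        and findings["has_password_field"]
        and bool(foreign_ws)
    )
    # Stronger signal when the page is the *replay* side of an rrweb stream.
    findings["confidence"] = "high" if findings["review"] and findings["uses_replayer"] else (
        "medium" if findings["review"] else "none"
    )
    return findings


if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML, "https://login.example-phish.test/"))
```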
