Bluekit Risk: The AI Phishing Kit That Bypasses MFA
Discover how Bluekit, the new AI phishing kit, leverages Evilginx to bypass MFA on over 40 platforms. Learn what you need to know to protect yourself.

With over 40 phishing templates dedicated to global platforms, the threat posed by Bluekit is gaining significant relevance in the cybersecurity landscape. A threat actor known as petrushka has been selling this Phishing-as-a-Service (PhaaS) platform since April 2026, leveraging artificial intelligence to drastically lower the barrier to entry for multi-factor authentication (MFA) bypass.
The Evolution of the Phishing-as-a-Service Model
PhaaS platforms have transformed the cybercrime economy, allowing even those with limited technical skills to launch sophisticated campaigns. In this context, the emergence of Bluekit marks a significant step towards the integration of advanced tools. As reported by Dark Web Informer, "A threat actor operating under the alias petrushka is selling a phishing-as-a-service (PhaaS) platform called Bluekit." The availability of this kit on the market indicates a further professionalization of the criminal offering.
The substantial novelty lies in the native integration of artificial intelligence. Bluekit does not merely provide falsified login pages, but includes a full control panel for an AI Assistant. This suggests a transition toward a model where language model-driven automation facilitates attack customization, victim interaction management, and real-time adaptation to security countermeasures.
The AI Infrastructure: Language Models in the Service of Crime
The most technically relevant element of Bluekit is its AI architecture. The kit exposes multiple language model options, allowing attackers to select the most suitable engine for their operational needs. The default model is an "abliterated" variant of Llama, meaning a modified version that removes the safety restrictions and ethical filters typically imposed by the original developers.
In addition to the base Llama model, the AI panel provides access to GPT-4.1, Claude Sonnet 4, Gemini, and DeepSeek variants. It is likely that this multiplicity of options serves to optimize the cost and latency of interactions: lighter models for managing routine communications with the victim, and advanced models for bypassing stricter security controls or generating high-quality deceptive text. The presence of a dedicated interface suggests that AI is not a mere accessory, but the operational core for fraud generation and adaptation.
MFA Bypass via Adversary-in-the-Middle and Evilginx
The ability to bypass multi-factor authentication represents Bluekit's most critical attack vector. The kit implements Adversary-in-the-Middle (AiTM) techniques based on Evilginx, a well-known tool for proxying authentication sessions. When the victim enters their credentials and MFA token on the spoofed phishing page, Evilginx forwards this information in real time to the legitimate server.
The legitimate server returns a valid session cookie, which Evilginx intercepts and transmits to the attacker. Bluekit enriches this scheme with advanced browser and geolocation spoofing capabilities. This means the kit can falsify the browser fingerprint and the perceived geographic location of the attacker, making the hijacked session appear identical to the legitimate one. It is likely that this level of sophistication specifically serves to evade anomaly detection systems based on login context analysis.
Targets and Impact on Global Platforms
Bluekit's versatility is evident in the quantity and quality of its preconfigured targets. The service offers over 40 ready-to-use templates capable of replicating the interfaces of high-profile brands. The targeted platforms range from enterprise and consumer email and cloud services to the retail sector and cryptocurrency wallet infrastructure.
The list of identified targets includes iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger. The inclusion of services like GitHub and Zoho indicates a strategic focus on development infrastructure and enterprise productivity, where session theft can open access to code repositories or sensitive documentation. At the same time, the presence of Ledger and iCloud suggests a targeted interest in high-value digital wallets and personal archives.
Attack Chain Automation and Infrastructure Management
Bluekit stands out for the level of automation offered in its operational infrastructure. The kit automatically manages domain registration, reducing the operational burden on the attacker and allowing rapid rotation of malicious URLs to avoid reputation filters and blacklists. This "all-in-one" approach drastically lowers the barrier to entry for unskilled cybercriminals.
Operators do not need to manually configure DNS servers, SSL certificates, or network routing rules. The combination of fresh domains, precise technical spoofing, and AI-assisted social engineering creates a highly efficient ecosystem for credential theft and authenticated session interception, accelerating the attack lifecycle.
Limitations in Source Verification and Defensive Considerations
It must be emphasized that some primary sources returned block errors (HTTP 451) or timeouts during the cross-verification process, preventing the analysis of further specific technical details present in those articles. Given the lack of specific patches communicated by vendors to directly mitigate this kit, defense strategies must focus on isolation and segmentation.
It is essential to limit the Internet exposure of devices and authentication services by implementing rigorous controls on the login context. The adoption of FIDO2/WebAuthn-based hardware security keys, which bind authentication to the specific domain and resist proxy-based AiTM attacks, represents a priority measure over temporary OTP codes that can be intercepted in real time.
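Why a FIDO2/WebAuthn key resists this kind of proxy while an OTP does not can be shown in code. The following is an added example written for this article, not code from the kit, from Evilginx, or from any of the cited sources; the relying-party name, origin and challenge are constructed, and signature verification is omitted because the origin and RP ID checks shown here reject a proxied assertion before the signature is ever examined.

```python
import base64
import hashlib
import json

# Constructed relying-party (RP) configuration for this example.
RP_ID = "accounts.example.com"
RP_ORIGIN = "https://accounts.example.com"
CHALLENGE = hashlib.sha256(b"constructed-challenge").digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def browser_assert(page_origin: str, challenge: bytes) -> dict:
    """What the victim's browser and authenticator emit when the user approves a
    WebAuthn prompt on a page served from page_origin. The browser fills in the
    origin itself and derives the RP ID from it; the page cannot override either."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(authenticator_data)}

def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Challenge, origin and RP ID checks a relying party performs on an assertion
    (the pre-signature steps of the WebAuthn authentication ceremony)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    rp_id_hash = b64url_decode(assertion["authenticatorData"])[:32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def relayed_login(page_origin: str) -> tuple:
    """An AiTM proxy forwards the RP's challenge to the victim unchanged and relays
    whatever the victim's browser returns. Served from the real origin this passes;
    served from a look-alike phishing origin the RP rejects it."""
    return rp_verify(browser_assert(page_origin, CHALLENGE), CHALLENGE)

def relayed_otp(code: str, expected: str) -> bool:
    """By contrast a TOTP code carries no origin, so the same proxy can relay it."""
    return code == expected
```

The same relayed challenge yields an accepted assertion only when the browser was actually on the RP's origin, which is the property the article's recommendation relies on.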
Frequently Asked Questions
- How does the Bluekit phishing kit work?
- Bluekit is a Phishing-as-a-Service platform that uses Adversary-in-the-Middle (AiTM) techniques based on Evilginx. It intercepts credentials and MFA sessions in real time, supported by an AI interface to automate and customize attacks.
- How does Bluekit bypass MFA?
- The kit bypasses MFA by intercepting the session cookie generated after multi-factor authentication on the legitimate platform. It also uses browser and geolocation spoofing to evade login anomaly checks.
- Which platforms does Bluekit target?
- Bluekit offers over 40 templates targeting major services like iCloud, Gmail, Outlook, GitHub, Zoho, Twitter, and Ledger, covering areas ranging from email to software development and cryptocurrency management.
The information has been verified against the cited sources and is up to date at the time of publication.
Sources
- https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-attack/
- https://www.varonis.com/blog/bluekit
- https://news.backbox.org/2026/04/29/new-ai-powered-bluekit-phishing-kit-targets-major-platforms-with-mfa-bypass-attacks/
- https://www.techradar.com/pro/security/researchers-discover-new-all-in-one-bluekit-phishing-kit-capable-of-bypassing-enterprise-2fa-protocols-and-emulating-40-global-brands
- https://checkphish.bolster.ai/domain/bluekit.cc