Bluekit Phishing Platform Evolves With Browser-in-the-Middle Attacks to Steal Live Login Sessions

The Bluekit phishing-as-a-service kit has adopted browser-in-the-middle techniques, allowing attackers to relay real-time login sessions and capture valid authentication tokens from victims.

CSBadmin

The phishing-as-a-service platform known as Bluekit has significantly evolved its attack capabilities, incorporating browser-in-the-middle (BitM) techniques designed to steal active login sessions rather than just credentials. According to researchers at Netcraft and Varonis, the platform now uses real-time session relaying to intercept authentication flows and capture valid tokens directly from legitimate services.

Bluekit originally emerged as a phishing toolkit offering AI-assisted email generation and prebuilt templates targeting major platforms such as Gmail, Outlook, iCloud, GitHub, and others. In its latest iteration, the kit has shifted from adversary-in-the-middle tactics to a more advanced BitM approach using the open-source JavaScript library rrweb to mirror and stream live browser sessions between victim and attacker infrastructure.

In this model, victims interact with what appears to be a normal login page, while their browser session is secretly proxied through attacker-controlled systems. Inputs and page interactions are relayed in real time, allowing the attacker's own browser to complete authentication on the legitimate service. This yields valid session tokens issued by that service, enabling full account takeover without the attacker ever needing to replay stolen passwords.

Researchers note that Bluekit also includes extensive anti-analysis and victim filtering mechanisms. These include browser fingerprinting, CAPTCHA imitation, WebRTC-based proxy detection, randomized CSS obfuscation, and large rotating JavaScript payloads designed to evade automated detection and security researchers. The platform also monitors victims in near real time, enabling operators to observe user behavior during the phishing session.

Security analysts warn that the adoption of BitM techniques marks a shift toward more interactive and stealthy phishing ecosystems, where attackers effectively “live inside” the victim’s browser session. This reduces reliance on traditional credential theft and increases the difficulty of detection, as authentication is completed within legitimate services using the victim’s own session context.
