Bluekit Phishing as a Service (PhaaS)

During a proactive dark web monitoring and adversary engagement operation conducted by CloudSek TRIAD, we identified and analyzed an actively operated commercial Phishing-as-a-Service (PhaaS) platform operating under the name BlueKit. Our investigation determined that BlueKit provides a complete phishing infrastructure designed to enable large-scale credential harvesting, session hijacking, and account takeover campaigns targeting financial institutions, cloud providers, cryptocurrency platforms, and major e-commerce services globally.

The platform demonstrates a high level of operational maturity through structured subscription tiers, centralized management dashboards, automated phishing deployment, and integrated anti-detection tooling. BlueKit supports phishing templates for multiple global brands, including banking institutions, Microsoft, Google, Amazon, Apple, GitHub, and cryptocurrency wallets, while also integrating bulk SMS phishing (smishing), real-time Telegram victim notifications, anti-detect browser support, and automated credential post-processing workflows.

A significant finding during our analysis was the platform’s recent migration to a peer-to-peer (P2P) phishing page rendering model, designed to conceal backend phishing infrastructure from browser developer tools and conventional network analysis techniques. This evolution substantially increases resilience against traditional IOC-based detection, phishing-kit fingerprinting, and infrastructure attribution efforts.

Based on our assessment, BlueKit represents a mature, scalable, and commercially optimized cybercriminal ecosystem capable of significantly lowering the technical barrier for low-skilled threat actors while simultaneously increasing operational stealth and persistence. The platform poses a critical threat to enterprise cloud environments, financial institutions, and high-value user accounts globally.

Threat Details

BlueKit operates as a structured cybercriminal SaaS ecosystem with clear indicators of:

• long-term operational planning,
• affiliate enablement,
• infrastructure automation,
• customer support management,
• revenue optimization.

The operators utilize:

• Telegram,
• Jabber/XMPP,
• Session Protocol,
• PGP encryption,
• Tor infrastructure,
• cryptocurrency-only payments.

The platform’s operational structure strongly resembles legitimate SaaS business models, including:

• product versioning,
• changelogs,
• support channels,
• subscription tiers,
• reseller programs,
• automation tooling.

The use of .su infrastructure, Jabber communications, and OPSEC-oriented tooling may suggest links to CIS-aligned cybercrime ecosystems; this attribution is also confirmed by explicit mention of not engaging with CIS based organizations.

Infrastructure Analysis

Clearnet domains: bluekit[.]ws, bluekit[.]cc, bluekit[.]su, bluekit[.]pk

Tor Service: bluekitsmi6sd5mjurh3l7n7oeizbedoe2hw2lsljtb5nbxiul6hzkqd[.]onion.

Complete Database Schema

Full schema extracted from `/_next/static/chunks/111d_ug--1sxq.js`. All 29 tables, columns, enums, and relations were exposed and few of them are :

1. Mammoths (Victim Records) : Primary repository of harvested victim data, including credentials and identifiers.

‍

2.Customers (Operator Accounts): Identifies platform operators and administrators and exposes authentication-related data.

3. sites_settings (Per-Site Configuration): Reveals site configuration, anti-analysis controls, access restrictions, and automation settings.

4. Webauthn_credentials (Stored WebAuthn Credentials): Contains stored WebAuthn credential material associated with victim records.

5. Deposits (Cryptocurrency Payment Records): Links operator accounts to cryptocurrency payment activity and blockchain transactions.

6. Distributors (Reseller Accounts): Highest-value table from an operational perspective. A single record may expose multiple platform-level API credentials, reseller infrastructure settings, and third-party service integrations.

Overall Assessment : The distributors table represents the most critical exposure because it contains platform-level secrets and third-party service credentials. The combination of mammoths and webauthn_credentials provides direct visibility into harvested victim data and authentication artifacts. The deposits table further enables attribution and financial analysis by linking operator accounts to cryptocurrency transactions and wallet derivation paths.

Full Phishing Kit Catalog - 87 Kits with Automation Matrix

Email & Cloud Services (10 Kits)

Social Media Platforms (9 Kits)

Developer Infrastructure (4 Kits)

Password Managers & Authentication (4 Kits)

Cloud & Storage Services (5 Kits)

E-Commerce Platforms (9 Kits)

Banking & Financial Services (17 Kits)

‍

Cryptocurrency Exchanges (11 Kits)

Hardware Wallet Templates (2 Kits)

Brokerage Platforms (4 Kits)

Summary: A total of 87 kits were identified. Only five kits contained active post-authentication automation functionality, with the Amazon Security variant exposing the most extensive workflow automation capabilities.

Platform Capabilities

P2P Rendering Architecture

One of the most significant technical developments identified during the investigation was BlueKit’s migration to a peer-to-peer (P2P) phishing page rendering architecture. Unlike conventional phishing kits that rely on directly exposing backend infrastructure to victims through standard web connections, BlueKit’s implementation obscures the phishing server origin from browser developer tools and conventional traffic inspection techniques. This substantially complicates reverse-IP analysis, infrastructure fingerprinting, server-header identification, and automated URL scanning methodologies commonly used by security teams. The architectural shift demonstrates a deliberate move toward infrastructure abstraction and anti-forensics design, significantly increasing resilience against takedown operations and traditional IOC-driven detection mechanisms.

Anti-Detection & Evasion Capabilities

BlueKit incorporates a mature anti-detection ecosystem designed to maximize phishing campaign survivability and reduce exposure to automated security controls. The platform includes CAPTCHA-bypass integration through CapSolver, phishing cloaking functionality, Safe Browsing monitoring, Cloudflare phishing-check bypassing, and anti-bot filtering mechanisms. These features allow phishing pages to selectively evade automated crawlers, sandbox environments, and reputation-based security platforms while maintaining accessibility for intended victims. The operators actively monitor detection events and continuously refine evasion logic, indicating an adaptive and operationally mature threat model.

Session Hijacking & Account Takeover

The platform provides integrated tooling for large-scale session hijacking and post-authentication account takeover operations. BlueKit captures credentials, authentication tokens, and session cookies through phishing workflows and enables direct import into Octo Browser, an anti-detect browser platform commonly used in fraud operations. This integration allows threat actors to replay authenticated sessions while minimizing browser fingerprint anomalies and geolocation inconsistencies. By leveraging stolen session cookies and browser profiles, operators can bypass portions of MFA workflows and gain persistent access to victim accounts without repeatedly triggering suspicious-login alerts.

Automated Post-Compromise Workflows

BlueKit includes advanced automation capabilities that execute immediately following successful credential capture. Observed workflows include automatic password changes, backup-code generation, passkey enrollment, and victim lockout procedures. In Gmail-targeted phishing operations, the platform reportedly resets compromised account passwords to predefined values and enrolls attacker-controlled authentication mechanisms to establish persistence and hinder victim recovery efforts. These features demonstrate a transition from basic credential theft toward fully automated account compromise and persistence operations.

Bulk Smishing Infrastructure

The platform also integrates a dedicated bulk SMS phishing (smishing) module that enables affiliates to conduct high-volume mobile phishing campaigns without relying on external SMS delivery services. The module supports telecom routing, sender ID spoofing, customizable phishing lures, and batch delivery to hundreds of recipients simultaneously. This capability significantly expands BlueKit’s operational reach beyond traditional email phishing by enabling large-scale mobile targeting, particularly against banking and cryptocurrency users who commonly rely on SMS-based authentication workflows.

AI-Assisted Operational Support

BlueKit demonstrates early adoption of AI-assisted cybercrime tooling through integration with NanoGPT and contextual automation features. These capabilities likely support phishing lure generation, multilingual social engineering content creation, configuration assistance, and campaign troubleshooting. The incorporation of AI tooling into phishing operations reflects a broader industry trend toward scalable, adaptive, and semi-automated social engineering ecosystems capable of rapidly generating convincing phishing content tailored to different targets and regions.

Hardware Wallet Seed Phrase Harvesting

Beyond conventional credential theft, BlueKit includes phishing templates specifically targeting hardware cryptocurrency wallets such as Ledger and Trezor. These templates simulate legitimate firmware-update workflows to deceive victims into disclosing 24-word recovery seed phrases. Unlike standard credential phishing, successful compromise of hardware wallet recovery phrases enables irreversible cryptocurrency theft and complete asset ownership transfer. The inclusion of these templates indicates deliberate targeting of cryptocurrency holders and demonstrates BlueKit’s expansion into higher-value digital asset theft operations.

Platform Capabilities

Commercialized Criminal SaaS Model

BlueKit operates using a structured subscription-based monetization model that closely resembles legitimate Software-as-a-Service (SaaS) platforms. Access to the platform is provided through tiered subscription plans that grant affiliates immediate use of the phishing infrastructure, phishing kits, automation modules, and campaign management features. The platform’s commercial presentation, pricing structure, and onboarding workflow indicate deliberate efforts to professionalize phishing operations and scale adoption among low-to-mid sophistication threat actors.

The subscription model significantly lowers operational barriers by eliminating the need for affiliates to independently manage hosting infrastructure, phishing kit development, DNS provisioning, or backend automation. Instead, BlueKit centralizes these functions into a managed ecosystem that enables rapid deployment of phishing campaigns with minimal technical expertise.

‍

Subscription Tiers

BlueKit currently offers multiple subscription durations designed to accommodate different threat actor profiles, ranging from short-term operators conducting opportunistic campaigns to longer-term affiliates managing persistent phishing operations.There are 7-day,14-day and 30-day Access tiers, no other privileges available except duration on increased prices.

The 14-day plan is actively promoted as the “most popular” option, suggesting that the operators are monitoring customer purchasing behavior and optimizing pricing around conversion and retention metrics. This level of pricing optimization reflects a commercially mature operational model more commonly associated with legitimate SaaS businesses than traditional underground phishing-kit distribution.

Cryptocurrency Payment Infrastructure

BlueKit exclusively accepts cryptocurrency payments, reinforcing both operational anonymity and cross-border monetization flexibility. Supported payment methods include:

• Bitcoin (BTC),
• Litecoin (LTC),
• Tron (TRX),
• Monero (XMR),
• Tether (USDT),
• USD Coin (USDC),
• Ethereum (ETH),
• Solana (SOL).

The inclusion of Monero (XMR) is particularly notable due to its enhanced privacy-preserving capabilities, which are frequently leveraged within cybercriminal ecosystems to reduce blockchain traceability and attribution risks.

Analysis also identified the use of hierarchical deterministic (HD) wallet derivation through unique derivationIndex assignments per operator. This approach enables payment compartmentalization across affiliates and complicates blockchain-based attribution efforts by generating distinct wallet addresses for different transactions and users. The implementation of wallet derivation logic demonstrates a comparatively sophisticated understanding of cryptocurrency operational security practices.

Reseller & Affiliate Enablement

BlueKit expands its reach beyond direct subscriptions by using an affiliate and reseller network. The platform allows third-party buyers to deploy custom domains and brand the phishing infrastructure as their own. This essentially turns BlueKit into a white-label backend for independent phishing operations.

This approach makes the operation highly scalable. By offloading individual campaigns to affiliates while keeping control of the core backend, the main operators secure steady, recurring revenue. Crucially, it also buffers the core team from the risks and exposure of the actual front-line phishing campaigns.

Ultimately, this reseller capability shows that BlueKit is built for the long haul. It is a highly organized, commercial enterprise designed to maximize revenue and retain a steady base of downstream customers.

Phishing Kit Ecosystem

Analysis of BlueKit identified several advanced capabilities that significantly elevate the platform beyond conventional phishing-kit operations. The platform incorporates automated post-compromise workflows capable of executing password resets, passkey enrollment, backup-code generation, and persistent account takeover procedures immediately following successful credential capture. These capabilities reduce victim recovery opportunities while enabling attackers to rapidly establish long-term access to compromised accounts.

A particularly concerning finding involves BlueKit’s Google Ads phishing workflow, which appears designed to automatically add attacker-controlled accounts as advertising administrators. This functionality could enable unauthorized access to advertising infrastructure, financial abuse, malicious ad deployment, and secondary compromise operations through trusted advertising ecosystems.

The platform also demonstrates advanced session hijacking capabilities through integration with anti-detect browser technologies such as Octo Browser. Captured session cookies and browser profiles can be imported directly into anti-fingerprint browser environments, enabling attackers to replay authenticated sessions while minimizing detection from geolocation and device-anomaly controls.

Additionally, BlueKit includes specialized phishing templates targeting Ledger and Trezor hardware cryptocurrency wallets. These templates simulate legitimate firmware-update workflows to harvest 24-word recovery seed phrases, enabling irreversible cryptocurrency theft and full wallet compromise. Unlike traditional credential phishing, successful compromise of hardware wallet seed phrases results in direct ownership transfer of digital assets with limited recovery possibilities.

Collectively, these capabilities demonstrate that BlueKit is designed not only for credential harvesting, but also for automated persistence, financial fraud, session replay, and high-value cryptocurrency theft operations at scale.

High-Risk Capabilities Findings

Analysis of BlueKit identified several advanced capabilities that significantly elevate the platform beyond conventional phishing-kit operations. The platform incorporates automated post-compromise workflows capable of executing password resets, passkey enrollment, backup-code generation, and persistent account takeover procedures immediately following successful credential capture. These capabilities reduce victim recovery opportunities while enabling attackers to rapidly establish long-term access to compromised accounts.

A particularly concerning finding involves BlueKit’s Google Ads phishing workflow, which appears designed to automatically add attacker-controlled accounts as advertising administrators. This functionality could enable unauthorized access to advertising infrastructure, financial abuse, malicious ad deployment, and secondary compromise operations through trusted advertising ecosystems.

The platform also demonstrates advanced session hijacking capabilities through integration with anti-detect browser technologies such as Octo Browser. Captured session cookies and browser profiles can be imported directly into anti-fingerprint browser environments, enabling attackers to replay authenticated sessions while minimizing detection from geolocation and device-anomaly controls.

Additionally, BlueKit includes specialized phishing templates targeting Ledger and Trezor hardware cryptocurrency wallets. These templates simulate legitimate firmware-update workflows to harvest 24-word recovery seed phrases, enabling irreversible cryptocurrency theft and full wallet compromise. Unlike traditional credential phishing, successful compromise of hardware wallet seed phrases results in direct ownership transfer of digital assets with limited recovery possibilities.

Collectively, these capabilities demonstrate that BlueKit is designed not only for credential harvesting, but also for automated persistence, financial fraud, session replay, and high-value cryptocurrency theft operations at scale.

Diamond Model of Intrusion Analysis

Victimology & Targeting

BlueKit targets a broad range of individuals, enterprises, financial institutions, and cryptocurrency users through a globally diversified phishing ecosystem. The platform primarily focuses on high-value services where compromised credentials, session tokens, or account access can be rapidly monetized through fraud, account takeover, financial theft, or secondary compromise operations.

The phishing kits target major cloud and enterprise platforms including Google, Microsoft, Outlook, OneDrive, GitHub, IONOS, and other business-oriented services, indicating a strong focus on enterprise account compromise and business email access. Financial-sector targeting includes multiple banking institutions across the United States, Canada, Europe, and India, suggesting deliberate regional expansion and localization of phishing operations.

BlueKit also heavily targets cryptocurrency users through phishing templates for major exchanges such as Binance, Coinbase, Bybit, KuCoin, OKX, and Gate, alongside hardware wallet phishing workflows targeting Ledger and Trezor devices. This reflects a strategic focus on irreversible financial monetization through digital asset theft.

Social media and communication platforms including Meta/Facebook, Instagram, WhatsApp, Discord, LinkedIn, Reddit, Telegram, TikTok, and X/Twitter are also targeted, likely supporting account hijacking, social engineering propagation, fraud campaigns, and credential reuse attacks.

Regional targeting indicators, including phishing templates for Amazon Japan, and localized European service variants, demonstrate that BlueKit actively adapts campaigns for multilingual and region-specific operations. Overall, the platform’s victimology reflects a globally scalable phishing ecosystem optimized for credential theft, financial fraud, enterprise compromise, and cryptocurrency asset targeting across multiple sectors simultaneously.

Geographic Assessment

BlueKit demonstrates deliberate global targeting with phishing templates localized for multiple geographic regions, industries, and language groups. The platform includes phishing kits targeting organizations and services across North America, Europe, India, and East Asia, indicating a strategic effort to expand beyond English-speaking victim bases into region-specific fraud operations.

Notable regional indicators include phishing templates for Amazon Japan, localized IONOS variants for European markets, and multiple banking institutions across the United States and Canada. This level of localization suggests active adaptation to regional financial institutions, consumer behavior, and authentication workflows to improve phishing success rates.

The platform’s multilingual and geographically diversified targeting model indicates that BlueKit is not conducting isolated campaigns, but instead operating as a scalable international phishing ecosystem capable of supporting affiliates across multiple regions simultaneously. The use of globally accessible cloud infrastructure, cryptocurrency payments, Tor services, and Cloudflare-backed deployment further reinforces its ability to maintain operational reach across jurisdictions while complicating attribution and takedown efforts.

Impact

If BlueKit continues to spread, here is what security teams and organizations actually have to worry about:

• MFA is no longer a safety net.
  Because BlueKit uses an Adversary-in-the-Middle (AitM) setup, it doesn't just steal passwords—it intercepts active session cookies in real time. This means standard multi-factor authentication (like SMS codes, authenticator apps, or push notifications) gets bypassed instantly. Unless an organization has transitioned to physical security keys (like FIDO2), standard MFA won't stop this.
• The technical barrier to entry is gone.
  Attackers no longer need to be skilled developers to run sophisticated infrastructure. BlueKit automates domain registration, handles the proxy setup, and offers ready-to-go templates. This plug-and-play model allows amateur cybercriminals to launch enterprise-grade phishing campaigns with minimal effort, which inevitably drives up the sheer volume of attacks.
• Traditional "phishing red flags" are becoming obsolete.
  By integrating generative AI and voice cloning, BlueKit solves the classic spelling and grammar giveaways of older phishing attempts. Attackers can quickly spin up highly localized, natural-sounding email lures, or even mimic voices for follow-up phone calls. Security training that relies on users spotting typos or awkward phrasing simply won't hold up.
• Its franchise model creates a massive global footprint.
  Because BlueKit is built as a white-label platform, other threat groups can buy it, rebrand it (like the SnagX variant), and resell it to their own networks. The original developers don't have to launch a single campaign to make money; they just maintain the software. This franchising allows the toolkit to scale globally and adapt to local markets much faster than any single threat group could do alone.
• It serves as a primary gateway for ransomware.
  Because the platform focuses heavily on cloud, corporate, and banking logins, the end goal isn't just basic credential harvesting. Hijacking an active enterprise cloud session gives attackers immediate access to internal networks. Once inside, they can bypass perimeter defenses to move laterally, exfiltrate sensitive data, and ultimately deploy ransomware.

Recommendations and Mitigations

• Disable SMS-based multi-factor authentication (MFA) wherever possible and transition to phishing-resistant MFA methods.
• Implement conditional access policies requiring device compliance and trusted-device validation for sensitive account access.
• Enforce strict session-management policies, including session expiration and re-authentication for high-risk activities.
• Conduct regular user awareness training focused on phishing, smishing, fake CAPTCHA lures, and passkey-related social engineering techniques.

‍References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia