
Bluekit adds BitM login theft to evade detection


For victims, the trap looks like a normal login page—until the moment it isn’t.

Bluekit, a phishing-as-a-service platform first documented in April by Varonis researchers, has been quietly upgrading the way it steals logins. Over the past week, researchers identified nearly 70 new hostnames connected to the operation, and Netcraft now says Bluekit has added browser-in-the-middle (BitM) capabilities designed to improve data theft.

Bluekit’s setup is built to scale. It uses an AI assistant that supports multiple large language models—Llama, GPT-4.1, Claude, Gemini, and DeepSeek—to draft phishing emails. At the time of the April documentation, the kit offered “customers” 40 distinct templates targeting popular online services including Outlook, Hotmail, Gmail, Yahoo, ProtonMail, iCloud, GitHub, and Ledger.

The newest shift is where defenders should pay close attention. Netcraft warns that Bluekit has switched from adversary-in-the-middle to a BitM mechanism. Instead of simply proxying the session, it uses the open-source JavaScript library rrweb to serialize the login page’s DOM and stream it over a WebSocket connection to the victim.

In a BitM attack, the victim interacts with a browser session controlled by the attacker. The legitimate login page loads in the attacker-controlled browser and is rendered for the victim, and requests and responses are relayed between the victim and the target service. While the victim interacts, the phishing infrastructure fetches images, fonts, and CSS, and forwards the victim’s inputs back to the attacker’s browser.


Netcraft points out that rrweb is a legitimate project widely used for session replay and analytics; its presence alone should not be treated as evidence of compromise without wider context. But Bluekit’s adoption of it is deliberate: the researchers say rrweb was chosen for its visual fidelity, real-time interactivity, and bandwidth efficiency.

There are still telltales. Netcraft says the relay introduces some latency, so a noticeable delay between keyboard input or mouse clicks and the page’s response on a login page should be treated as a red flag.

The endgame is what makes the technique dangerous. Netcraft reports that authentication completes in the attacker’s browser, granting the attacker a valid session token and full access to the victim’s account.


What Bluekit does next looks like a system designed to filter out scrutiny. Before stealing credentials, the platform uses a comprehensive victim-qualification system to distinguish real targets from researchers and security crawlers. Netcraft also lists anti-analysis features in the latest Bluekit, including randomized CSS filters to defeat screenshot-based detection; a large (greater than 1 MB), frequently changing obfuscated JavaScript bundle; and a custom CAPTCHA that may imitate Cloudflare or the target brand.

Bluekit’s defenses don’t stop at what it displays. The kit uses browser fingerprinting that checks RAM, CPU core count, screen resolution, and language, and that looks for headless browsers and anti-fingerprinting extensions. It also performs WebRTC-based IP mismatch detection to identify users behind proxies or VPNs.

The platform keeps momentum even after a victim is pulled in. Netcraft reports that the live monitoring system Varonis previously documented is still available in Bluekit. It updates on a 5-second interval, letting operators watch victims as they are entrapped in deceptive login sessions and track their actions after login.


Netcraft stresses that its report provides indicators and signals associated with Bluekit that do not, by themselves, constitute indicators of compromise. The listed items include CSS filter manipulation on top-level HTML elements with randomized values; an obfuscated JavaScript bundle rotated periodically; browser fingerprint checks; a WebSocket connection sending encrypted or binary data on login pages; and WebRTC IP mismatch detection on the landing page.
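The WebSocket signal from the list above, together with the rrweb streaming mechanism described earlier, as an added example that is not part of Netcraft’s report or Bluekit’s code. It assumes a capture of WebSocket frames as seen by the victim’s browser (the `{dir, data}` record shape, the `analyzeLoginPageSocket` function and the sample frames are all constructed for this example) and uses rrweb’s published event and node type numbers. The discriminator worth noting is direction: session-replay analytics send rrweb events out of the page being recorded, whereas a BitM relay delivers another browser’s serialized DOM into the page, so an inbound FullSnapshot that contains a password field is the suspicious case, and a Meta event whose `href` is a different origin than the page itself strengthens it.

```javascript
// Added example (not Bluekit's or Netcraft's code): flag an inbound rrweb
// replay stream on a login page. rrweb's event/node type numbers are real;
// the frame record shape {dir, data} and the sample capture are constructed.

const EventType = { DomContentLoaded: 0, Load: 1, FullSnapshot: 2, IncrementalSnapshot: 3, Meta: 4, Custom: 5 };
const IncrementalSource = { Mutation: 0, MouseMove: 1, MouseInteraction: 2, Input: 5 };
const NodeType = { Document: 0, DocumentType: 1, Element: 2, Text: 3 };

// Depth-first walk over an rrweb serialized DOM (a FullSnapshot's data.node).
function* walkNodes(node) {
  if (!node || typeof node !== 'object') return;
  yield node;
  for (const child of node.childNodes || []) yield* walkNodes(child);
}

// Does the replayed DOM carry a credential form?
function snapshotFindings(root) {
  const out = { passwordField: false, formActions: [] };
  for (const n of walkNodes(root)) {
    if (n.type !== NodeType.Element) continue;
    const tag = String(n.tagName || '').toLowerCase();
    const attrs = n.attributes || {};
    if (tag === 'input' && String(attrs.type || '').toLowerCase() === 'password') out.passwordField = true;
    if (tag === 'form' && attrs.action) out.formActions.push(String(attrs.action));
  }
  return out;
}

function sameOrigin(a, b) {
  try { return new URL(a).origin === new URL(b).origin; } catch { return false; }
}

// frames: [{ dir: 'in' | 'out', data: string | Uint8Array }] as observed by the
// victim's browser on pageUrl. Returns counts plus a verdict string.
function analyzeLoginPageSocket(frames, pageUrl) {
  const r = { inboundRrwebEvents: 0, outboundRrwebEvents: 0, binaryFrames: 0,
              replayedHref: null, replayOriginMismatch: false, passwordField: false,
              formActions: [], inboundInputEvents: 0, verdict: '' };
  for (const f of frames) {
    if (typeof f.data !== 'string') { r.binaryFrames++; continue; } // opaque to this check
    let ev;
    try { ev = JSON.parse(f.data); } catch { continue; }
    // rrweb events look like { type: <number>, data: {...}, timestamp }.
    if (!ev || typeof ev.type !== 'number' || !ev.data || typeof ev.data !== 'object') continue;
    if (f.dir !== 'in') { r.outboundRrwebEvents++; continue; }
    r.inboundRrwebEvents++;
    if (ev.type === EventType.Meta) {
      r.replayedHref = ev.data.href || null;
      r.replayOriginMismatch = r.replayedHref !== null && !sameOrigin(r.replayedHref, pageUrl);
    } else if (ev.type === EventType.FullSnapshot) {
      const s = snapshotFindings(ev.data.node);
      r.passwordField = r.passwordField || s.passwordField;
      r.formActions.push(...s.formActions);
    } else if (ev.type === EventType.IncrementalSnapshot && ev.data.source === IncrementalSource.Input) {
      r.inboundInputEvents++;
    }
  }
  // Analytics SEND rrweb events out of the recorded page; a BitM relay DELIVERS
  // another browser's snapshot into it.
  if (r.inboundRrwebEvents > 0 && r.passwordField) r.verdict = 'bitm-suspect';
  else if (r.outboundRrwebEvents > 0 && r.inboundRrwebEvents === 0) r.verdict = 'outbound-replay-analytics';
  else r.verdict = 'no-rrweb-stream';
  return r;
}

// Constructed capture: what a victim's browser might see on a BitM landing page.
const SAMPLE_PAGE_URL = 'https://accounts-verify.example.test/login';
const SAMPLE_FRAMES = [
  { dir: 'in', data: JSON.stringify({ type: EventType.Meta, timestamp: 1,
      data: { href: 'https://login.example-idp.test/', width: 1280, height: 720 } }) },
  { dir: 'in', data: JSON.stringify({ type: EventType.FullSnapshot, timestamp: 2, data: {
      initialOffset: { top: 0, left: 0 },
      node: { type: NodeType.Document, id: 1, childNodes: [
        { type: NodeType.Element, id: 2, tagName: 'html', attributes: {}, childNodes: [
          { type: NodeType.Element, id: 3, tagName: 'body', attributes: {}, childNodes: [
            { type: NodeType.Element, id: 4, tagName: 'form', attributes: { action: '/login', method: 'post' }, childNodes: [
              { type: NodeType.Element, id: 5, tagName: 'input', attributes: { type: 'email', name: 'user' }, childNodes: [] },
              { type: NodeType.Element, id: 6, tagName: 'input', attributes: { type: 'password', name: 'pass' }, childNodes: [] },
            ] } ] } ] } ] } } }) },
  { dir: 'in', data: JSON.stringify({ type: EventType.IncrementalSnapshot, timestamp: 3,
      data: { source: IncrementalSource.Mutation, adds: [], removes: [], texts: [], attributes: [] } }) },
  // Victim keystrokes relayed back to the operator; this message shape is assumed.
  { dir: 'out', data: JSON.stringify({ op: 'input', id: 6, value: 'hunter2' }) },
  { dir: 'in', data: new Uint8Array([0x1f, 0x8b, 0x08]) }, // binary frame, left opaque
];

console.log(analyzeLoginPageSocket(SAMPLE_FRAMES, SAMPLE_PAGE_URL));
```

Run stand-alone, the sample capture yields `verdict: 'bitm-suspect'` with three inbound rrweb events, one opaque binary frame, a password field in the replayed form, and an origin mismatch between the page and the Meta event’s `href`. The same function returns `outbound-replay-analytics` for a page that only emits rrweb events, which is what legitimate session-replay tooling looks like and why rrweb on its own is not an indicator of compromise.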

Bluekit’s BitM technique isn’t brand-new—Netcraft notes that the BitM attack method has been known since 2022, devised by researcher mr.d0x and later adopted for malicious activity. What’s changed here is how directly the platform ties that approach to a realistic login experience, streaming the page structure via rrweb and completing authentication on the attacker’s side.

For security teams trying to keep up, the practical problem is simple: a login page can look right while still handing over the keys. And once a session token is issued to the attacker’s browser, the damage moves fast.
