Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Malware

Bluekit

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.001DomainsEvidence1

Bluekit is a newly discovered phishing kit still in development that includes advanced features such as an AI assistant and automated domain registration.

Initial Access

2 techniques
T1566PhishingEvidence7

A new phishing-as-a-service (PHaaS) platform called Bluekit is letting cybercriminals steal user accounts using a tricky method.

T1566.003Spearphishing via ServiceEvidence2

The researchers tested the assistant with a phishing scenario targeting a Microsoft 365 MFA reset for a company executive, including QR-based lures and credential-harvesting pages.

Stealth

4 techniques
T1027Obfuscated Files or InformationEvidence1

Bluekit subjects every visitor to layered anti-analysis checks, including... obfuscated JavaScript bundles exceeding 1MB that are periodically rotated...

T1036MasqueradingEvidence1

The kit advertises over 40 website templates... spoofing, geolocation emulation, Telegram notifications, antibot cloaking...

T1497Virtualization/Sandbox EvasionEvidence6

Before showing the fake login page, the system runs a series of tests to block security tools... Bluekit operates in two distinct phases: a pre-engagement evasion phase designed to distinguish human victims from automated scanners.

T1497.001System ChecksEvidence2

It looks at computer details like RAM, screen size, and browser language.

Credential Access

4 techniques
T1056Input CaptureEvidence2

The research team examined the operator dashboard, the site-creation flow, post-capture panels... Their analysis revealed that the kit handles far more than a basic credential grab...

T1111Multi-Factor Authentication InterceptionEvidence2

Traditional MFA, including SMS codes, authenticator apps, and push approvals, provides no protection against Bluekit’s architecture. Since the victim completes the entire login flow, including MFA verification, inside the attacker’s browser, the attacker inherits a fully authenticated session from the start.

T1539Steal Web Session CookieEvidence6

Hackers love this new setup because it helps them bypass extra security steps. With older tools like Evilginx, stealing an active session and moving it to a new computer could trigger a safety alarm due to a mismatch in browser details.

T1557Adversary-in-the-MiddleEvidence4

Bluekit changes this approach by using an attack method called Browser-in-the-Middle (BitM).

Discovery

2 techniques
T1497Virtualization/Sandbox EvasionEvidence6

Before showing the fake login page, the system runs a series of tests to block security tools... Bluekit operates in two distinct phases: a pre-engagement evasion phase designed to distinguish human victims from automated scanners.

T1497.001System ChecksEvidence2

It looks at computer details like RAM, screen size, and browser language.

Collection

2 techniques
T1056Input CaptureEvidence2

The research team examined the operator dashboard, the site-creation flow, post-capture panels... Their analysis revealed that the kit handles far more than a basic credential grab...

T1557Adversary-in-the-MiddleEvidence4

Bluekit changes this approach by using an attack method called Browser-in-the-Middle (BitM).

Command and Control

2 techniques
T1071Application Layer ProtocolEvidence1

An open-source software tool called rrweb then “records and streams live DOM interactions” to the victim over a WebSocket connection.

T1090ProxyEvidence1

Using WebRTC technology, it connects to a STUN server to check a user’s web settings. Now, the hackers can see if a visitor is using a proxy or a VPN to hide their identity.

Exfiltration

2 techniques
T1048Exfiltration Over Alternative ProtocolEvidence1

Stolen data is exfiltrated via Telegram, on private channels accessible by the operators.

T1567Exfiltration Over Web ServiceEvidence1

The Telegram integration is set as the default exfiltration channel, meaning stolen credentials and session tokens are sent directly to an attacker-controlled chat in real time.

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
hash.md5●●●●●●●●●●●●View more in app2 years ago
domain●●●●●●●●●●●●View more in app2 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching6

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.