A new phishing kit called Bluekit has turned session hijacking into a point-and-click operation. Discovered by Varonis Threat Labs, the platform combines 40 fake website templates with adversary-in-the-middle techniques that steal session cookies to bypass multi-factor authentication entirely.
The kit targets major platforms including Gmail, Outlook, iCloud, GitHub and Ledger through realistic phishing pages that capture more than just passwords. When victims enter credentials, Bluekit steals session cookies and local storage data that act as authenticated tokens proving to servers that users have already passed identity verification. This cookie replay attack allows threat actors to access accounts without triggering MFA prompts.
What makes Bluekit dangerous is its integration. Traditional phishing operations required attackers to piece together separate services: credential harvesting from one vendor, domain rotation from another and SMS gateways from a third. Bluekit consolidates domain registration, page creation, campaign management and data exfiltration into a single dashboard. Stolen data flows directly to operators via Telegram channels.
The AI Assistant Is More Promise Than Delivery
Bluekit’s AI Assistant supports multiple models including Llama, GPT-4.1, Claude, Gemini and DeepSeek, likely jailbroken versions that remove safety guardrails around phishing content generation. But Varonis researchers found the AI features underwhelming in practice.
Daniel Kelley from Varonis tested the AI assistant with a detailed executive phishing scenario targeting a CISO with Microsoft 365 MFA re-verification lures. The output was structured but relied heavily on placeholders instead of ready-to-use content. “We expected something closer to a polished phishing copilot,” Kelley noted. “What we received was much more limited.”
The AI component appears to be in early development, generating campaign scaffolding rather than finished lures. This contradicts vendor claims that the tool fully automates phishing content creation, a reminder that threat actor marketing should be treated with the same scepticism as any other vendor pitch.
The Kit Is Under Active Development
Bluekit is evolving rapidly according to multiple research teams. The platform is adding features including voice cloning, geolocation emulation and antibot cloaking on a regular release cycle. BleepingComputer and TechRadar both noted the kit appears to be under active development with frequent updates.
Importantly, researchers have not yet observed Bluekit being used in live attacks. The platform appears to still be in a pre-deployment phase, which gives defenders time to prepare. But given the rapid development pace and the proven demand for all-in-one phishing platforms, wider adoption is likely inevitable.
The timing aligns with broader trends in AI-assisted cybercrime. According to KnowBe4’s Phishing Threat Trends Report published in April 2026, 86% of phishing campaigns now involve some form of AI, up from 80% in 2024. IBM X-Force research shows AI can generate convincing phishing emails in 5 minutes compared to 16 hours for human operators.
Session Cookies Make MFA Irrelevant
The session hijacking component is what makes Bluekit genuinely concerning. Traditional phishing kits steal credentials but still leave attackers facing MFA challenges when they try to access accounts. Bluekit’s adversary-in-the-middle approach solves that problem by stealing the proof of authentication rather than the credentials themselves.
Session cookies contain authentication state that browsers present to web servers as evidence that a user has already logged in successfully. By replaying stolen cookies, attackers inherit the victim’s authenticated session without needing to complete login flows or respond to MFA challenges. From the server’s perspective, the attacker appears to be the legitimate user continuing an existing session.
This attack method renders SMS-based MFA, authenticator apps and push notifications ineffective. Only hardware security keys with WebAuthn support provide meaningful protection against session hijacking attacks since they cryptographically bind authentication to specific domains.
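As an added illustration of the origin binding described above (example code, not from Varonis or the Bluekit write-up): a stdlib-only model of a WebAuthn login in which the browser records the page origin in clientDataJSON, the key signs over it, and the relying party rejects any assertion produced on a proxied phishing domain. The RP ID, origin, and HMAC stand-in for the key's ECDSA signature are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example, not Varonis or Bluekit code: a relying party (RP) verifying a
# WebAuthn assertion. The security key's ECDSA signature is modelled with an HMAC
# over the same bytes a real authenticator signs, keeping the demo stdlib-only.
RP_ID = "login.example.com"                  # assumed RP ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_and_authenticator(page_origin: str, challenge: bytes, cred_key: bytes):
    """Model what the browser and security key return on a given page origin."""
    # The browser, not the page script, writes the origin it is really on.
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # rpIdHash is derived from the page's domain; a phishing domain yields a different hash.
    rp_id_hash = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"   # flags: UP set; counter = 1
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(cred_key, to_sign, hashlib.sha256).digest()

def verify_assertion(client_data, auth_data, sig, challenge, cred_key):
    """RP-side checks (simplified from the WebAuthn assertion verification steps)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"          # an AiTM proxy's relayed login fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"            # origin or rpIdHash edited after signing
    return True, "ok"

def login(page_origin: str, cred_key: bytes):
    """Full ceremony: RP issues a fresh challenge, client answers, RP verifies."""
    challenge = secrets.token_bytes(32)
    return verify_assertion(*browser_and_authenticator(page_origin, challenge, cred_key), challenge, cred_key)
```

In a real browser the phishing page would not even get an assertion, because the requested RP ID must be a registrable suffix of the page origin; the check here shows why relaying or rewriting the signed fields fails at the server regardless.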
What Businesses Should Do Before Bluekit Goes Live
Deploy hardware security keys with FIDO2/WebAuthn support for high-risk accounts. These keys verify users through biometric authentication on recognised devices in pre-verified environments, making them resistant to location-spoofed login attempts and session hijacking attacks.
Review your organisation’s email security posture. Bluekit’s 40 templates target the platforms most businesses use daily; if your users regularly receive emails about Outlook, Gmail or GitHub account issues, they need specific training on how to verify authentication requests independently of email links.
Consider implementing additional session security controls. Short session timeouts, IP address validation and device fingerprinting can limit the window of opportunity for session replay attacks even when cookies are successfully stolen.
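The session controls listed above, as an added example that is not part of the original article: a server-side session store that applies a short idle timeout, an absolute lifetime, and a binding check on the client context, so that a cookie replayed from a different IP address or user agent is rejected and revoked. The timeout values, secret and sample IPs are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example, not code from Varonis or the Bluekit write-up: a server-side
# session store with a short idle timeout and a binding check on the client context.
# Time is passed in explicitly so the expiry path can be exercised deterministically.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity (assumed)

class SessionStore:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions = {}

    def _binding(self, ip: str, user_agent: str) -> str:
        # Keyed hash of the client context, so raw IP/UA are not stored with the session.
        msg = f"{ip}|{user_agent}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)   # 256-bit random session id carried in the cookie
        self._sessions[sid] = {
            "user": user, "binding": self._binding(ip, user_agent),
            "created": now, "last_seen": now,
        }
        return sid

    def validate(self, sid: str, ip: str, user_agent: str, now: float):
        """Return (user, reason). Any failure revokes the session, so a replayed
        cookie cannot be retried later from a better-matching context."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown session"
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "expired"
        if not hmac.compare_digest(s["binding"], self._binding(ip, user_agent)):
            # Cookie presented from a different IP/UA than at login: treat as replay
            # and invalidate it for everyone, including the legitimate user.
            del self._sessions[sid]
            return None, "context mismatch"
        s["last_seen"] = now
        return s["user"], "ok"
```

Strict IP binding breaks for users on mobile networks or behind rotating NAT, so production deployments usually bind to a coarser signal (network prefix, device fingerprint) and trigger step-up re-authentication and an alert on mismatch rather than silently failing.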
References
- Meet Bluekit – The AI-Powered All-in-One Phishing Kit
- New AI-Powered Bluekit Phishing Kit Targets Major Platforms
- New Bluekit Phishing Service Includes AI Assistant
- Researchers Discover New All-in-One Bluekit Phishing Kit