Bluekit Phishing Platform Evolves with Browser-in-the-Middle Attacks and Advanced Evasion
The **Bluekit** phishing-as-a-service platform is rapidly evolving, integrating browser-in-the-middle (BitM) capabilities and robust anti-analysis features. This evolution lets attackers bypass multi-factor authentication and conduct highly convincing credential theft, a threat that IT security professionals and privacy-conscious users should take seriously.
The **Bluekit** operation continues to expand: nearly 70 new hostnames tied to the platform have recently been identified, and the kit has adopted browser-in-the-middle (BitM) techniques that make its data theft more effective.
First documented in April by **Varonis** researchers, **Bluekit** initially offered an AI assistant supporting various large language models (**Llama**, **GPT-4.1**, **Claude**, **Gemini**, and **DeepSeek**) to craft convincing phishing emails. It provided over 40 templates targeting popular services like **Outlook**, **Hotmail**, **Gmail**, **Yahoo**, **ProtonMail**, **iCloud**, **GitHub**, and **Ledger**.

### The Shift to Browser-in-the-Middle (BitM) Attacks
A new report from digital risk protection company **Netcraft** highlights **Bluekit**'s transition from adversary-in-the-middle to a BitM mechanism. This method leverages the open-source **JavaScript** library **rrweb** to serialize a page's DOM and stream it over a **WebSocket** connection to the victim.
In a BitM attack, the victim interacts with a browser session controlled by the attacker. This session loads the legitimate login page and seamlessly relays requests and responses between the victim and the target service. **Netcraft** clarifies that **rrweb** itself is a legitimate project for session replay and analytics, and its presence alone does not constitute an indicator of compromise.
Images, fonts, and CSS are fetched via the phishing infrastructure, while the victim's inputs are forwarded back to the attacker-controlled browser. **rrweb** was chosen for its visual fidelity, real-time interactivity, and bandwidth efficiency. However, minor latency can still occur, so delayed keystrokes and mouse clicks are potential red flags for an alert user.
Crucially, authentication completes within the attacker's browser, granting them a valid session token and unrestricted access to the victim's account.
This BitM attack method, known since 2022 and initially devised by researcher **mr.d0x**, has been increasingly adopted for malicious activities.
### Advanced Evasion and Anti-Analysis Techniques
Before credential theft, **Bluekit** employs a comprehensive victim qualification system to differentiate real targets from security researchers or crawlers. Its latest anti-analysis features include:
* **Randomized CSS filters**: Used to defeat screenshot-based detection.
* **Large, obfuscated JavaScript bundle**: Over 1 MB in size and frequently changing.
* **Custom CAPTCHA**: Designed to mimic legitimate services like **Cloudflare** or the target brand.
* **Browser fingerprinting**: Checks RAM, CPU cores, screen resolution, language, headless browser detection, and anti-fingerprinting extensions.
* **WebRTC-based IP mismatch detection**: Identifies users behind proxies or VPNs.
**Netcraft** also confirms that the live monitoring system, previously documented by **Varonis**, remains active in **Bluekit**. This allows operators to observe victims in real-time during deceptive login sessions and track their actions post-login.
### Indicators and Defensive Measures
While not definitive indicators of compromise, **Netcraft** provides several signals associated with **Bluekit** that security teams should monitor:
* CSS filter manipulation on top-level HTML elements with randomized values.
* Periodically rotated, obfuscated **JavaScript** bundles.
* Presence of browser fingerprint checks.
* **WebSocket** connections sending encrypted or binary data on login pages.
* **WebRTC** IP mismatch detection on landing pages.
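The evasion features and the detection signals listed above translate naturally into a page-level triage heuristic. The following is an added example, not code from **Netcraft**, **Varonis** or the kit itself: it takes a captured landing page (HTML plus the script bodies it loaded, as a sandbox or HAR export would provide) and scores the signals the report associates with **Bluekit**, and it compares two fetches of the same URL to detect the randomized root-element CSS filter. All regexes, weights, thresholds and sample pages are assumptions constructed for illustration; the benign sample shows why an **rrweb** reference alone should not raise an alert.

```python
"""Heuristic scorer for Bluekit-style BitM landing pages (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class PageCapture:
    """One fetch of a landing page. In practice html/scripts/bundle_bytes come from a
    sandbox or proxy log; here every instance is constructed for the example."""
    html: str
    scripts: list[str] = field(default_factory=list)
    bundle_bytes: int = 0  # total size of loaded JavaScript


# Signals matched against the concatenated script text. Weights are assumptions.
SCRIPT_SIGNALS = {
    # WebSocket opened and switched to binary frames shortly afterwards
    "websocket_binary": (re.compile(r"new\s+WebSocket\s*\([\s\S]{0,300}?binaryType\s*=\s*['\"]arraybuffer['\"]"), 3),
    # rrweb present: a weak signal on its own (legitimate session-replay tooling)
    "rrweb_replay": (re.compile(r"\brrweb(?:Replayer|-snapshot)?\b"), 2),
    # WebRTC peer connection whose ICE candidates are read back (local/public IP probe)
    "webrtc_ip_probe": (re.compile(r"RTCPeerConnection[\s\S]{0,400}?onicecandidate"), 3),
    # Hardware fingerprinting of CPU cores and RAM
    "hw_fingerprint": (re.compile(r"navigator\.(?:hardwareConcurrency|deviceMemory)"), 2),
    # Headless-browser checks
    "headless_check": (re.compile(r"navigator\.webdriver|HeadlessChrome"), 2),
}

LARGE_BUNDLE_BYTES = 1_000_000  # report: bundle exceeds 1 MB (threshold is an assumption)

# filter: declarations on the root elements, in a <style> rule or inline on the tag
_STYLE_RULE = re.compile(r"(?:^|[}\s,])(?:html|body)\s*\{[^}]*?\bfilter\s*:\s*([^;}]+)", re.I)
_INLINE = re.compile(r"""<(?:html|body)\b[^>]*\bstyle\s*=\s*['"][^'"]*?\bfilter\s*:\s*([^;'"]+)""", re.I)


def root_css_filters(html: str) -> list[str]:
    """Return every CSS filter value applied to <html> or <body>."""
    return [m.group(1).strip() for rx in (_STYLE_RULE, _INLINE) for m in rx.finditer(html)]


def score_capture(cap: PageCapture) -> tuple[int, list[str]]:
    """Sum the weights of all matched signals; returns (score, matched signal names)."""
    js = "\n".join(cap.scripts)
    score, hits = 0, []
    for name, (rx, weight) in SCRIPT_SIGNALS.items():
        if rx.search(js):
            score += weight
            hits.append(name)
    if root_css_filters(cap.html):
        score += 2
        hits.append("root_css_filter")
    if cap.bundle_bytes > LARGE_BUNDLE_BYTES:
        score += 1
        hits.append("large_bundle")
    return score, hits


def filters_rotate(a: PageCapture, b: PageCapture) -> bool:
    """True when two fetches of the same URL carry different root filter values:
    a static theme would not change between loads, a randomized anti-screenshot filter does."""
    fa, fb = root_css_filters(a.html), root_css_filters(b.html)
    return bool(fa) and bool(fb) and fa != fb


# Constructed samples (not real Bluekit artifacts). Hostname is a reserved .invalid name.
SUSPECT_A = PageCapture(
    html='<html style="filter:hue-rotate(137deg) saturate(1.03)"><body><form id="login"></form></body></html>',
    scripts=["""
      var ws=new WebSocket("wss://example.invalid/s");ws.binaryType="arraybuffer";
      var pc=new RTCPeerConnection({iceServers:[]});pc.onicecandidate=function(e){};
      var hw=navigator.hardwareConcurrency, mem=navigator.deviceMemory, wd=navigator.webdriver;
    """],
    bundle_bytes=1_300_000,
)
SUSPECT_B = PageCapture(  # second fetch of the same page: only the filter values changed
    html='<html style="filter:hue-rotate(41deg) saturate(1.01)"><body><form id="login"></form></body></html>',
)
BENIGN = PageCapture(  # ordinary site using rrweb for analytics, no other signals
    html="<html><head><style>body{margin:0}</style></head><body></body></html>",
    scripts=["import {record} from 'rrweb'; record({emit(e){fetch('/analytics',{method:'POST',body:JSON.stringify(e)})}})"],
    bundle_bytes=240_000,
)

if __name__ == "__main__":
    for label, cap in (("suspect", SUSPECT_A), ("benign", BENIGN)):
        print(label, score_capture(cap))
    print("filter rotates between fetches:", filters_rotate(SUSPECT_A, SUSPECT_B))
```

Run on the constructed samples, the suspect capture scores 13 across six signals while the benign analytics page scores only 2 (the lone **rrweb** hit), and the two fetches of the suspect page are flagged for rotating filter values. In a real pipeline the script text should be taken after deobfuscation or from runtime API-call traces, since the report notes the bundle is obfuscated and rotated, and the score should feed a review queue rather than an automatic block.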
Organizations are encouraged to enhance their defenses against sophisticated phishing, business email compromise (**BEC**), and account takeover (**ATO**) attacks. Leveraging behavioral AI can help security teams detect and respond to modern phishing threats, automate investigations, and reduce alert fatigue.