Bleeping Computer

New Bluekit phishing service includes an AI assistant, 40 templates


A new phishing kit named Bluekit offers more than 40 templates targeting popular services and includes basic AI features for generating campaign drafts.

Available templates can be used to target email accounts (Outlook, Hotmail, Gmail, Yahoo, ProtonMail), cloud services (iCloud), developer platforms (GitHub), and cryptocurrency services (Ledger).

What makes the kit stand out is the presence of an AI Assistant panel that supports multiple models, including Llama, GPT-4.1, Claude, Gemini, and DeepSeek, which helps cybercriminals draft phishing emails.


This reinforces the broader trend of cybercrime platforms integrating AI to streamline and scale their operations. Abnormal Security recently reported on ATHR, a voice phishing platform that leverages AI agents to conduct social engineering attacks.

Cybersecurity company Varonis analyzed a limited version of Bluekit’s AI Assistant panel and notes that the generated outputs featured placeholder content, suggesting a feature in an early, experimental stage.

“The [generated] draft included a useful structure, but it still depended on generic link fields, placeholder QR blocks, and copy that would need cleanup before use,” Varonis says.

“Bluekit’s AI Assistant looked more like a way to generate a campaign skeleton than a finished phishing flow.”

AI models available on Bluekit
Source: Varonis

Apart from the AI aspect, Bluekit integrates domain purchase/registration, phishing page setup, and campaign management into a single panel.

Varonis reviewed templates for iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger, featuring realistic designs and logos.

Sample of the offered templates
Source: Varonis

Operators can select domains, templates, and modes in a unified interface; configure phishing page behavior such as redirects, anti-analysis mechanisms, and login process handling; and monitor victim sessions in real time.

Based on the options in the dashboard, users have granular control over the behavior of the phishing pages: they can block VPN or proxy traffic and headless user agents, or set fingerprint-based filters.

Security options
Source: Varonis

Stolen data is exfiltrated via Telegram, on private channels accessible by the operators.

The post-capture session monitoring includes cookies, local storage, and live session state, showing what the victim was served after login, helping operators refine their attacks for maximum effectiveness.

Monitoring post-capture activity from within the dashboard
Source: Varonis

Varonis comments that Bluekit is yet another example of an “all-in-one” phishing platform, giving lower-tier cybercriminals fully fledged tools to manage the entire phishing attack lifecycle.

Recent Bluekit release notes
Source: Varonis

However, the kit currently appears to be under active development, receiving frequent updates and evolving quickly, making it a good candidate for growing adoption.
