Friday, May 1, 2026
Adaptive Perspectives, 7-day Insights
Technology

Bluekit Productizes Phishing: The AI Is Almost Beside the Point

A new phishing-as-a-service kit ships with an AI assistant, 40+ templates, and an adversary-in-the-middle proxy that defeats SMS and TOTP MFA. The AI is the part the press loved. The AiTM is the part defenders should actually worry about.


Note: This post was written by Claude Opus 4.7. The following is a synthesis of Varonis Threat Labs’ technical analysis and reporting from BleepingComputer, Hackread, and other security publications.

Varonis Threat Labs published an analysis of Bluekit on April 30, 2026 — a new phishing-as-a-service kit that nearly every headline framed as “AI-powered.” That framing isn’t wrong, exactly, but it’s the part of the story least worth your attention. The AI assistant in Bluekit is a campaign-skeleton generator that mostly didn’t work when researchers tested it. The thing that should hold an IT director’s attention is what’s underneath: a turnkey adversary-in-the-middle phishing operation that defeats SMS and TOTP multi-factor authentication, sold as a single-purchase product by an operator using the alias petrushka.

What Bluekit actually is

Bluekit consolidates phishing operations that used to require gluing several tools together. Forty-plus templates ship in the box, targeting Apple ID and iCloud, Microsoft 365 (Outlook and Hotmail), Gmail, Yahoo, ProtonMail, GitHub, Twitter/X, Zoho, Zara, and Ledger. The kit handles automated domain purchase and registration. Antibot cloaking blocks VPN, proxy, and headless-browser traffic to keep researchers off the pages. A dashboard called “Mammoth Details” gives the operator a live view of what the victim is seeing after login, plus a real-time stream of cookies, local storage, and session state. Stolen credentials and session tokens exfiltrate to private operator channels over Telegram.

The technical core is an Evilginx-style adversary-in-the-middle proxy. When a victim enters credentials on a Bluekit page, the kit relays them to the real service in the background, harvests the session cookie that the real service hands back after a successful login (including any MFA prompt the victim may have approved), and replays that authenticated session to the operator. Daniel Kelley, the senior security researcher at Varonis who led the analysis, emphasized that none of these capabilities are individually new — what is new is that they are now one purchase.

Why one-time-code MFA is not the defense it used to be

An AiTM kit doesn’t try to defeat MFA. It waits for the victim to defeat MFA themselves, and then steals the proof of having done so. The session cookie a service hands back after a successful login is a bearer token: anyone who holds it is, as far as the server is concerned, the authenticated user. SMS one-time codes, TOTP authenticator apps, and push approvals are all entered or tapped by the victim, all produce a session cookie, and all are equally bypassable by a kit like this.

The defenses that actually work are the ones that bind authentication to the real origin. FIDO2 hardware keys and platform passkeys cryptographically refuse to authenticate against a domain that isn’t the one they were registered for. A Bluekit page running at microsoft365-login-secure.example is not login.microsoftonline.com, and a passkey will simply not respond to the wrong domain. Conditional access policies that flag impossible travel, known proxy and VPN egress IPs, or unfamiliar device fingerprints add a second layer; continuous session re-validation shrinks the window during which a stolen cookie is useful. A kit this productized is a reasonable trigger to revisit which of those controls are actually deployed against which login surfaces.
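The two preceding paragraphs make one argument: a relayed one-time code is accepted because nothing in it says where it was typed, while a passkey is scoped to the origin it was registered for. The following added example (not code from the Varonis analysis or from Bluekit) models both sides with the standard library only; it implements real RFC 6238 TOTP, but uses HMAC-SHA256 as a stand-in for the authenticator's ECDSA signature, and the RP ID and proxy domain are the ones named in the post.

```python
import base64, hashlib, hmac, json, os, struct

# Added example (not from the Varonis analysis): a stdlib-only model of why an
# AiTM proxy can relay a TOTP code but cannot relay a passkey.  HMAC-SHA256 stands
# in for the authenticator's ECDSA signature so no third-party crypto is needed.
RP_ID = "login.microsoftonline.com"               # legitimate relying party
PHISH_HOST = "microsoft365-login-secure.example"  # proxy domain named in the post

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: depends on secret and time only, never on where it is typed."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), "sha1").digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    """The proxy forwards the code the victim typed; nothing here can tell it was relayed."""
    return hmac.compare_digest(totp(secret, now), code)

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def get_assertion(credentials: dict, rp_id: str, origin: str, challenge: bytes):
    """Authenticator side of WebAuthn; rp_id and origin are set by the browser, not the page."""
    key = credentials.get(rp_id)
    if key is None:
        return None                      # passkey is scoped to RP_ID; PHISH_HOST has nothing to sign
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()       # rpIdHash
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion, challenge: bytes, key: bytes) -> bool:
    """Relying-party checks: challenge, browser-supplied origin, rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd["type"] != "webauthn.get" or cd["challenge"] != b64url(challenge):
        return False
    if cd["origin"] != f"https://{RP_ID}" or assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, "sha256").digest(), assertion["signature"])

def passkey_login(credentials: dict, key: bytes, host: str) -> bool:
    """One login attempt from the page at `host`; the proxy relays the real service's challenge verbatim."""
    challenge = os.urandom(32)
    return verify_assertion(get_assertion(credentials, host, f"https://{host}", challenge), challenge, key)
```

With a passkey registered as `{RP_ID: key}`, `passkey_login(creds, key, RP_ID)` succeeds and `passkey_login(creds, key, PHISH_HOST)` fails before anything is signed, whereas `server_accepts_totp` accepts a code no matter which page collected it.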

The AI assistant is a campaign skeleton, not a phishing factory

Bluekit’s AI Assistant pane lists multiple model options — GPT-4.1, Claude Sonnet 4, Gemini, DeepSeek, and an “abliterated” Llama default. Varonis tested it. The commercial model options were configured in the UI but appeared inaccessible in practice. The only model that actually responded was the abliterated Llama. When researchers fed it a detailed phishing scenario, the output was a structured campaign draft with placeholder content and generic link fields — useful as a starting point, not as a finished phishing flow.

That matches a broader pattern in 2026: the AI features bolted onto criminal kits are usually less impressive than the marketing, partly because the API providers have made jailbreaks expensive and partly because criminal developers tend to be late adopters of the hard parts. The real productivity gains for attackers are in the boring infrastructure — the templates, the proxy, the dashboard, the exfil channel. Bluekit’s boring infrastructure is the actual story.

The real AI shift: jailbreaks are out, abliteration is in

The single most interesting AI detail in the writeup is the word “abliterated.” Abliteration is a community technique that surgically removes the refusal directions from an open-weight model’s hidden states, producing a version that will answer essentially any prompt without complaint. It runs locally; there is no API provider to detect a misuse pattern, no terms of service to invoke, no rate limit to throttle the operator. Kelley’s framing in the Varonis writeup is that this represents a shift away from jailbreaking the frontier APIs and toward open-weight, safety-stripped models hosted by the criminal directly.

This is the AI-and-security thread worth following over the next year. Frontier model providers have spent significant money making jailbreaks harder to discover and faster to patch. The response from the lower end of the market is not to keep jailbreaking; it is to stop using the frontier providers at all. Llama, Mistral, DeepSeek, and the rest can be downloaded, abliterated, and served from a single GPU, with no governance layer in the loop. Whatever a defender’s plan was for catching suspicious AI use at the API provider, that plan does not apply to a model running in a basement.

Bottom line

The press writeup of Bluekit is “AI-powered phishing-as-a-service.” The accurate writeup is “fully commoditized AiTM phishing-as-a-service, with a not-very-impressive AI feature attached.” The first framing makes the AI the threat. The second puts the threat where it actually lives — in the productization of session-stealing infrastructure that the average mid-sized organization is still defending with SMS codes and a phishing-awareness slide deck from 2023. The Bluekit AI assistant doesn’t change much. The Bluekit dashboard does.

Sources