Phishing platforms are no longer stopping at stolen passwords. CloudSEK researchers have uncovered how BlueKit is evolving into a full-scale criminal SaaS platform that can hijack active sessions, enrol attacker-controlled passkeys, change passwords and lock victims out of their accounts almost immediately.
The most significant finding is BlueKit’s migration to a peer-to-peer phishing-page rendering architecture, designed to conceal its backend infrastructure from browser developer tools and conventional network analysis. This makes reverse-IP tracking, infrastructure fingerprinting, automated scanning and traditional IOC-based detection considerably more difficult.
CloudSEK’s investigation also identified:
- 87 ready-made phishing kits targeting banks, cloud platforms, cryptocurrency exchanges, enterprise services and global consumer brands
- Automated post-compromise workflows for Google, Microsoft and Amazon accounts
- Session-cookie theft that can undermine conventional MFA protections
- A Google Ads workflow capable of adding an attacker as an account administrator
- Ledger and Trezor templates designed to steal cryptocurrency wallet recovery phrases
- BlueKit’s complete 29-table database schema, including victim records, operator accounts, reseller infrastructure and cryptocurrency payment data
- A reseller and white-label model that allows other cybercriminal groups to rebrand and distribute the platform
While BlueKit has been previously documented, CloudSEK’s research provides a deeper view into its evolving architecture, internal database, commercial ecosystem and automated account-takeover capabilities.
Full report: https://www.cloudsek.com/blog/bluekit-phishing-as-a-service-phaas
This entry was posted on June 17, 2026 at 9:21 am and is filed under Commentary with tags CloudSEK.
BlueKit’s P2P phishing infrastructure makes detection and takedowns harder, says CloudSEK