Bluekit phishing kit adopts browser-in-the-middle for login theft
The Bluekit phishing-as-a-service platform continues to evolve, with nearly 70 new hostnames identified over the past week and the addition of browser-in-the-middle capabilities for improved data theft. [...]
AI Analysis
Technical Summary
The Bluekit phishing kit has adopted a browser-in-the-middle (BitM) attack method, leveraging the rrweb JavaScript library to serialize the victim's DOM and stream it over a WebSocket to the attacker. This allows the attacker to relay the victim's interactions with the legitimate login page, capture valid session tokens, and gain unlimited access to the victim's accounts. Bluekit also integrates AI-assisted phishing email generation and uses multiple anti-analysis techniques, including randomized CSS filters, obfuscated JavaScript, custom CAPTCHAs, browser fingerprinting, and WebRTC IP mismatch detection, to evade detection and qualify victims. The platform provides live victim monitoring and supports multiple popular online services as targets.
Potential Impact
Successful exploitation results in attackers obtaining valid session tokens and full access to victims' accounts on the targeted services. Because BitM relays the victim's interaction with the legitimate login page in real time, it bypasses detection approaches built around traditional credential-harvesting pages. The anti-analysis features reduce the likelihood of detection by security researchers and automated systems, increasing the threat's effectiveness and persistence.
Mitigation Recommendations
No official patch or fix is applicable, as this is a phishing kit rather than a software vulnerability. Defenders should educate users to recognize signs of BitM phishing, such as input delays or unusual login page behavior. Security teams should enhance phishing detection capabilities, including monitoring for WebSocket connections from login pages and suspicious JavaScript activity. Employing multi-factor authentication (MFA) can reduce the impact of credential theft. Organizations should also consider behavioral, AI-based email security solutions to detect and respond to sophisticated phishing campaigns. There is no vendor advisory or patch available; mitigation relies on detection and user awareness.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/ (fetched 2026-06-25T15:16:02Z, 855 words)
Threat ID: 6a3d46324853345fc11c3838
Added to database: 06/25/2026, 15:16:02 UTC
Last enriched: 06/25/2026, 15:16:14 UTC
Last updated: 06/26/2026, 03:24:21 UTC