The operators behind the Bluekit phishing-as-a-service (PhaaS) platform have significantly upgraded their toolkit by introducing Browser-in-the-Middle (BitM) capabilities, enabling cybercriminals to steal authenticated user sessions more effectively while making phishing attacks increasingly difficult to detect, according to a new report by digital risk protection firm Netcraft.
Bluekit first came to light in April after researchers revealed that the platform offered cybercriminals an AI-powered assistant capable of generating phishing emails using multiple large language models, including GPT-4.1, Claude, Gemini, Llama, and DeepSeek. The service also provided dozens of ready-made phishing templates targeting widely used platforms such as Outlook, Gmail, Yahoo, ProtonMail, iCloud, GitHub, and Ledger.
According to the latest findings, Bluekit has now shifted from the traditional Adversary-in-the-Middle (AiTM) model to a more sophisticated Browser-in-the-Middle (BitM) approach. The new mechanism relies on the open-source JavaScript library rrweb, which is commonly used for legitimate session replay and analytics, to stream a victim’s browser session in real time over a WebSocket connection.
In a BitM attack, victims unknowingly interact with a browser session controlled by the attacker instead of directly communicating with the legitimate website. The attacker loads the genuine login page, relays all requests and responses between the victim and the target service, and captures authentication data without raising immediate suspicion.
Researchers noted that while rrweb itself is a legitimate software library, its misuse in phishing infrastructure demonstrates how attackers increasingly exploit trusted open-source technologies. Images, fonts, and style sheets are delivered through the attackers’ infrastructure, while user keystrokes and other inputs are forwarded directly to the attacker’s browser.
Once authentication is completed, the attacker holds a valid authenticated session token and can access the victim's account even when the victim has already completed both password and multi-factor authentication successfully.
Although the browsing experience closely resembles the legitimate website, researchers say users may notice slight delays in keyboard responses or mouse clicks because every interaction is relayed through the attacker’s infrastructure. Such latency can serve as an important warning sign during login sessions.
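As an added illustration, not taken from the Netcraft report or from Bluekit's code, the Python heuristic below scans a captured landing page for the two traits described above: an rrweb replayer on a login-looking page together with a WebSocket stream to a host other than the page's own. The hostnames, sample pages and indicator names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report: rrweb loaded on a login-looking page and a
# WebSocket stream to a host other than the page's own (the live-replay channel).
RRWEB_RE = re.compile(r"rrweb(?:-player)?(?:\.min)?\.js|\brrweb\.Replayer\b|\brrwebPlayer\b")
WS_RE = re.compile(r"new\s+WebSocket\(\s*['\"](wss?://[^'\"]+)['\"]")
LOGIN_RE = re.compile(r"sign\s*in|log\s*in|password", re.I)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]+type=['\"]?password", re.I)


def analyze(page_url: str, html: str) -> list[str]:
    """Return the names of the indicators present in a page's source."""
    findings = []
    if RRWEB_RE.search(html):
        findings.append("rrweb-loaded")
    page_host = urlparse(page_url).hostname
    for ws_url in WS_RE.findall(html):
        if urlparse(ws_url).hostname != page_host:
            findings.append("cross-origin-websocket")
            break
    # A replayed login screen is only a rendering: the top-level DOM carries no real password field.
    if LOGIN_RE.search(html) and not PASSWORD_INPUT_RE.search(html):
        findings.append("login-ui-without-password-input")
    return findings


def is_suspected_bitm(page_url: str, html: str) -> bool:
    """Flag only when rrweb and a cross-origin live stream occur together."""
    found = set(analyze(page_url, html))
    return {"rrweb-loaded", "cross-origin-websocket"} <= found


# Constructed sample pages (hypothetical hosts, not real Bluekit artifacts).
SUSPECT_URL = "https://login.example.test/"
SUSPECT_HTML = """<html><head><title>Sign in</title>
<script src="https://cdn.example.test/rrweb.min.js"></script>
<script>
const replayer = new rrweb.Replayer([], { liveMode: true });
const ws = new WebSocket("wss://relay.bitm-relay.invalid/stream");
ws.onmessage = (ev) => replayer.addEvent(JSON.parse(ev.data));
replayer.startLive();
</script></head><body></body></html>"""
BENIGN_URL = "https://accounts.example.test/"
BENIGN_HTML = """<html><head><title>Sign in</title></head><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""
```

The third indicator is weaker on its own (single-page apps also render login forms late), which is why the final verdict requires the rrweb and cross-origin stream signals together.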
Bluekit has also strengthened its anti-analysis capabilities to prevent detection by researchers and automated security tools. The latest version reportedly uses randomized CSS filters to evade screenshot-based detection, large obfuscated JavaScript bundles that change frequently, browser fingerprinting to identify virtual machines or headless browsers, WebRTC-based IP mismatch detection for VPN and proxy users, and custom CAPTCHA pages that imitate well-known security services or trusted brands.
In addition, the platform continues to provide operators with near real-time monitoring, allowing them to observe victims throughout the phishing process and monitor account activity immediately after successful authentication.
Cybersecurity experts warn that the growing adoption of Browser-in-the-Middle attacks represents a significant evolution in credential theft because attackers focus on stealing authenticated sessions rather than merely collecting usernames and passwords.
Renowned cybercrime expert and former IPS officer Prof. Triveni Singh said cybercriminals are increasingly combining artificial intelligence, social engineering, and advanced browser manipulation techniques to bypass traditional security measures. He advised users to verify website addresses carefully, remain alert for unusual login behavior or response delays, avoid clicking links received through unsolicited emails or messages, and rely on phishing-resistant authentication methods wherever possible.
Security researchers recommend that organizations strengthen phishing awareness, deploy modern email security solutions, monitor for suspicious session activity, implement phishing-resistant multi-factor authentication, and continuously update detection mechanisms to counter increasingly sophisticated phishing campaigns.
