
Bluekit Phishing Kit Now Streams Login Pages in Real Time via Browser-in-the-Middle

bleepingcomputer.com · @creative_badger · 3 hours ago · Cybersecurity · 2 comments

The Bluekit upgrade uses the legitimate rrweb library to stream a live browser session, letting attackers obtain genuine session tokens while the victim logs in to the real site.

Tags: bluekit, netcraft, varonis, phishing as a service, browser in the middle, rrweb

Over 70 new Bluekit hostnames appeared in the past week, and the phishing-as-a-service operation has swapped its attack chain from adversary-in-the-middle to browser-in-the-middle (BitM). That shift means attackers no longer just proxy traffic; they stream a live, interactive copy of the legitimate login page straight to the victim's browser using the open-source library rrweb.

How BitM Works: Streaming the DOM Over WebSocket

rrweb serializes the Document Object Model of the attacker's controlled browser session and pushes it to the victim over a WebSocket. Images, fonts, and CSS are served through the phishing infrastructure, but the login page itself is real. The victim types credentials into what looks like the actual Outlook, Gmail, or GitHub login form, and every keystroke and mouse click gets forwarded back to the attacker's browser.

Authentication completes in that attacker-controlled browser, handing over a valid session token before the victim even hits "log in." Netcraft notes that rrweb is a legitimate project used for session replay and analytics -- its presence alone isn't a compromise indicator. But any perceptible lag on keyboard input or mouse clicks should raise a red flag; the round-trip through the attacker's browser introduces latency.

Bluekit's Anti-Analysis Toolbox

Before Bluekit steals anything, it qualifies each target to filter out researchers and crawlers. The latest kit includes randomized CSS filters that defeat screenshot-based detection systems, a frequently changing obfuscated JavaScript bundle larger than 1 MB, and a custom CAPTCHA that can impersonate Cloudflare or the target brand.

Browser fingerprinting checks RAM, CPU cores, screen resolution and language, and looks for headless browsers and anti-fingerprinting extensions. WebRTC-based IP mismatch detection flags victims behind proxies or VPNs. These anti-analysis measures were documented by Varonis in April and have now been confirmed by Netcraft's deeper dive.

Live Monitoring Persists

Bluekit's 5-second update interval monitoring system, first reported by Varonis, is still active. Operators watch victims in real time as they fill in credentials and track post-login activity. The session token gives them unlimited account access -- no password rotation or MFA bypass required once the token is captured.

For defenders, the key signal isn't a single technical artifact but a combination: CSS filter manipulation on top-level HTML elements, a large obfuscated JS bundle that rotates, WebSocket connections carrying encrypted or binary data on login pages, and WebRTC IP mismatch detection on landing pages. No single indicator is definitive; contextual correlation matters.
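The correlation logic the previous paragraph describes, written out as an added example (not code from the article, from Netcraft or from Varonis): a small Python scorer that takes one page observation, runs the four checks named above (a CSS filter on a top-level element, a large JS bundle whose hash rotates, a binary WebSocket on a page with a password field, and WebRTC probing), and only escalates when at least two of them hit. The telemetry shapes, the 1 MB threshold, the two-indicator rule and the sample observations are all constructed assumptions; the digests and hostnames are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed telemetry shapes (assumptions, not Netcraft's or Varonis's data model):
# one page observation = the served HTML, every script fetched for that path over time,
# the connections the page opened, and how many WebRTC ICE lookups fired.

@dataclass
class ScriptSighting:
    url: str
    size_bytes: int
    sha256: str          # placeholder digests in the samples below

@dataclass
class NetEvent:
    proto: str           # "ws" for WebSocket, "https" otherwise
    url: str
    binary: bool         # True when the frames/body were binary or otherwise opaque
    nbytes: int

@dataclass
class PageObservation:
    url: str
    html: str
    scripts: list        # ScriptSighting objects
    network: list        # NetEvent objects
    webrtc_probes: int   # ICE/STUN candidate lookups while the page showed no media element

LARGE_JS = 1_000_000     # the ~1 MB bundle size the article cites (assumed threshold)

# CSS filter applied to <html>/<body>, either inline or as a style rule
INLINE_FILTER = re.compile(r"<(?:html|body)\b[^>]*\bstyle=[\"'][^\"']*\bfilter\s*:", re.I)
RULE_FILTER = re.compile(r"(?:^|[\s>}])(?:html|body)\s*\{[^}]*\bfilter\s*:", re.I)
PASSWORD_FIELD = re.compile(r"<input\b[^>]*\btype=[\"']password[\"']", re.I)

def top_level_css_filter(html):
    return bool(INLINE_FILTER.search(html) or RULE_FILTER.search(html))

def large_rotating_bundle(scripts):
    # Same path, above the size threshold, served with more than one distinct hash.
    digests = {}
    for s in scripts:
        if s.size_bytes >= LARGE_JS:
            digests.setdefault(s.url, set()).add(s.sha256)
    return any(len(d) > 1 for d in digests.values())

def binary_websocket_on_login(html, network):
    # A WebSocket by itself is normal (rrweb session replay sends JSON text frames);
    # the signal is binary/opaque frames on a page that collects a password.
    if not PASSWORD_FIELD.search(html):
        return False
    return any(e.proto == "ws" and e.binary for e in network)

def webrtc_probe_without_media(obs):
    return obs.webrtc_probes > 0

def assess(obs):
    checks = [
        ("css_filter_on_top_level_element", top_level_css_filter(obs.html)),
        ("large_rotating_js_bundle", large_rotating_bundle(obs.scripts)),
        ("binary_websocket_on_login_page", binary_websocket_on_login(obs.html, obs.network)),
        ("webrtc_ip_probe", webrtc_probe_without_media(obs)),
    ]
    hits = [name for name, hit in checks if hit]
    # No single indicator is definitive: require correlation before escalating.
    verdict = "suspicious" if len(hits) >= 2 else ("review" if hits else "none")
    return {"url": obs.url, "indicators": hits, "verdict": verdict}

# Constructed sample observations. SUSPECT shows all four indicators together;
# BENIGN is an ordinary login page that uses a text-frame WebSocket for session replay.
SUSPECT = PageObservation(
    url="https://login-example.invalid/",
    html=(
        '<html><head><style>html{filter:hue-rotate(7deg) contrast(1.01)}</style>'
        '<script src="/static/app.js"></script></head>'
        '<body><form><input type="email" name="login">'
        '<input type="password" name="passwd"></form></body></html>'
    ),
    scripts=[ScriptSighting("/static/app.js", 1_340_221, "sha256:placeholder-aaaa"),
             ScriptSighting("/static/app.js", 1_352_010, "sha256:placeholder-bbbb")],
    network=[NetEvent("ws", "wss://login-example.invalid/socket", True, 88_412)],
    webrtc_probes=2,
)
BENIGN = PageObservation(
    url="https://intranet.example/login",
    html='<html><body><form><input type="password" name="pw"></form></body></html>',
    scripts=[ScriptSighting("/assets/app.js", 210_554, "sha256:placeholder-cccc")],
    network=[NetEvent("ws", "wss://intranet.example/replay", False, 12_000)],
    webrtc_probes=0,
)

if __name__ == "__main__":
    for obs in (SUSPECT, BENIGN):
        print(assess(obs))
```

The checks are deliberately cheap so they can run inline on proxy or browser-telemetry records; the point of the example is the last step of `assess`, which refuses to call a page suspicious on one artifact alone, matching the article's caveat that rrweb or a lone WebSocket is not by itself a compromise indicator.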

BitM phishing is not new -- researcher mr.d0x described the technique in 2022 -- but Bluekit's packaging of it as a service with AI-assisted email drafting (supporting Llama, GPT-4.1, Claude, Gemini, and DeepSeek) and 40 templates makes it a commodity threat. Expect more phishing kits to follow the same architectural pattern as detection tools get better at spotting reverse proxies.


Source: Bluekit phishing kit adopts browser-in-the-middle for login theft
Domain: bleepingcomputer.com
