Bluekit Phishing as a Service (PhaaS)

CloudSek TRIAD identified BlueKit, a commercially operated PhaaS platform that provides phishing kits, session hijacking, smishing, and automated account takeover tooling against major cloud, financial, cryptocurrency, and e-commerce brands worldwide. The platform uses P2P page rendering, anti-detection controls, reseller support, and cryptocurrency-only monetization to evade analysis and scale operations; the investigation also exposed victim data, operator accounts, and payment infrastructure.

Key points

  • BlueKit is an actively operated Phishing-as-a-Service platform discovered through CloudSek TRIAD dark web monitoring.
  • The platform targets financial institutions, cloud providers, cryptocurrency services, and major e-commerce brands with phishing templates for global companies.
  • BlueKit offers subscription tiers, automated deployment, centralized dashboards, reseller support, and anti-detection tooling to lower the barrier for affiliates.
  • A recent P2P phishing page rendering model hides backend infrastructure and makes IOC-based detection and attribution more difficult.
  • The platform supports session hijacking, account takeover, smishing, and post-compromise automation such as password resets and passkey enrollment.
  • Investigation exposed sensitive platform data, including operator credentials, victim records, WebAuthn credentials, and cryptocurrency payment records.
  • BlueKit accepts only cryptocurrency payments and uses infrastructure, communications, and OPSEC patterns that may align with CIS-linked cybercrime ecosystems.

MITRE Techniques

  • [T1566] Phishing – BlueKit uses phishing kits and brand impersonation to harvest credentials and session data through email, cloud, and smishing lures. [‘phishing templates for multiple global brands’]
  • [T1185] Browser Session Hijacking – The platform captures session cookies and imports them into anti-detect browser workflows to replay authenticated sessions. [‘captures credentials, authentication tokens, and session cookies’]
  • [T1110] Brute Force – The platform does not brute-force accounts directly; it supports credential harvesting at scale and automated post-capture workflows that exploit the stolen logins. [‘large-scale credential harvesting’]
  • [T1071.001] Web Protocols – BlueKit uses web-based phishing infrastructure and centralized dashboards to deliver and manage campaigns over HTTP/S traffic. [‘centralized management dashboards’, ‘phishing page rendering model’]
  • [T1090] Proxy – The platform stores configured proxy lists and uses proxy/VPN blocking to control access and obscure operator or victim traffic. [‘Configured proxy list’, ‘proxy/VPN blocking flag’]
  • [T1583.001] Acquire Infrastructure: Domains – BlueKit operates multiple clearnet domains and a Tor onion service to host its phishing ecosystem. [‘Clearnet domains: bluekit[.]ws, bluekit[.]cc, bluekit[.]su, bluekit[.]pk’]
  • [T1583.006] Acquire Infrastructure: Web Services – The operators rely on Cloudflare, Luxhost, CapSolver, NanoGPT, and Octo Browser as part of the phishing service stack. [‘DNS Provider Cloudflare’, ‘Registrar Integration Luxhost’, ‘CAPTCHA Solver CapSolver’]
  • [T1027] Obfuscated Files or Information – The P2P rendering approach is designed to hide the backend phishing infrastructure and evade conventional analysis. [‘obscure the phishing server origin from browser developer tools’]
  • [T1650] Acquire Access via Application API – Reseller and distributor records expose API credentials and third-party service integrations used to run the platform. [‘platform-level API credentials’, ‘LuxHost API key’]
  • [T1056.001] Keylogging – BlueKit collects identifiers, passwords, URLs, and credential artifacts from victim workflows, consistent with credential capture behavior. [‘latestIdentifier’, ‘latestPassword’, ‘latestUrl’]
  • [T1552.001] Credentials in Files – The exposed database includes stored passwords, WebAuthn credentials, and operator authentication artifacts. [‘Argon2id password hash’, ‘Raw WebAuthn credential’]
  • [T1113] Screen Capture – The article references victim dashboards and automated workflow views, but screen capture is not directly evidenced; the closest observed behavior is credential and session capture. [‘victim data’, ‘authentication artifacts’]

Indicators of Compromise

  • [Domains] BlueKit clearnet and Tor infrastructure – bluekit[.]ws, bluekit[.]cc, bluekit[.]su, bluekit[.]pk, bluekitsmi6sd5mjurh3l7n7oeizbedoe2hw2lsljtb5nbxiul6hzkqd[.]onion
  • [DNS/Nameservers] Cloudflare-hosted nameservers for the platform – fish.ns.cloudflare.com, osmar.ns.cloudflare.com
  • [Tokens/IDs] Platform and analytics identifiers exposed in infrastructure – 2f08ce5a60ec42ffaaac4c46ba18bac8, si5xclgoe0pl5yd5zsfaik8k
  • [API Keys/Credentials] Reseller and service credentials exposed in distributor records – LuxHost API key, Capsolver API key, NanoGPT API key
  • [File/Template IDs] Phishing template and wallet workflow identifiers – z8di9wjjsl6qn402zu3zfz9y, zk5ixc0p1qiqhd1qpr03l4ej, zd0dqf1yxwggrxjqegmm0dqu
  • [Usernames/Service Handles] Operator communication and support channels – Telegram, Jabber/XMPP, PGP encryption, Tor infrastructure
  • [Databases/Tables] Exposed platform tables and datasets – mammoths, customers, sites_settings, webauthn_credentials, deposits, distributors
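As an added defensive example that is not part of the CloudSek report: a small Python matcher that refangs the domain and nameserver indicators listed above and checks log lines against them, matching the host and its subdomains but not longer unrelated names. The two Cloudflare nameservers are flagged as low confidence, since Cloudflare assigns the same nameserver pair to many unrelated customers; the sample log lines are constructed, not taken from the report.

```python
import re

# Indicators as they appear in the summary above (defanged with [.])
INDICATORS = {
    "domain": ["bluekit[.]ws", "bluekit[.]cc", "bluekit[.]su", "bluekit[.]pk",
               "bluekitsmi6sd5mjurh3l7n7oeizbedoe2hw2lsljtb5nbxiul6hzkqd[.]onion"],
    # Shared Cloudflare nameservers: many unrelated tenants use the same pair,
    # so a nameserver match is a weak signal, never a verdict on its own
    "nameserver": ["fish.ns.cloudflare.com", "osmar.ns.cloudflare.com"],
}

def refang(ioc):
    """Turn a defanged indicator into the literal hostname to match."""
    return ioc.lower().replace("[.]", ".").replace("hxxp", "http")

def build_matchers(indicators):
    # One regex per indicator: the host itself or any subdomain of it,
    # bounded so that e.g. "notbluekit.ws" does not match "bluekit.ws"
    out = []
    for kind, iocs in indicators.items():
        conf = "low" if kind == "nameserver" else "high"
        for ioc in iocs:
            host = refang(ioc)
            pat = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(host) + r"(?![\w-])")
            out.append((pat, host, kind, conf))
    return out

def scan(lines, indicators=INDICATORS):
    """Return (line_no, matched_host, kind, confidence) for each hit."""
    matchers = build_matchers(indicators)
    hits = []
    for n, line in enumerate(lines, 1):
        lowered = line.lower()
        for pat, host, kind, conf in matchers:
            if pat.search(lowered):
                hits.append((n, host, kind, conf))
    return hits

# Constructed sample DNS/proxy log lines (hypothetical, not from the report)
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 q=login.bluekit.ws type=A",
    "2024-05-01T10:00:02Z dns client=10.0.0.5 q=notbluekit.ws type=A",
    "2024-05-01T10:00:03Z dns client=10.0.0.9 q=example.com ns=fish.ns.cloudflare.com",
    "2024-05-01T10:00:04Z proxy client=10.0.0.7 host=bluekit.cc path=/login",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```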


Read more: https://www.cloudsek.com/blog/bluekit-phishing-as-a-service-phaas