A new phishing-as-a-service style platform, Bluekit (bluekit[.]pk / .su / .cc), is currently being advertised and actively developed.
Bluekit dashboard presentation
Positioned as an alternative to tools like Evilginx Pro, Tycoon2FA, and EvilProxy, Bluekit emphasizes accessibility and anonymity, lowering the barrier to entry for both red teamers and threat actors.
🔑 Key features being promoted:
- 40+ ready-made phishing templates (major platforms like Google, Apple, Microsoft, crypto exchanges, banks, etc.)
- Rapid template deployment on request
- Built-in domain purchasing and management
- 2FA interception with device and geolocation spoofing
- Real-time notifications (Telegram and in-browser)
- Advanced anti-bot cloaking
- Capture of cookies, local storage, and keystrokes
- Tor registration and Monero payments
- “Bulletproof” infrastructure claims
- Additional tooling such as AI assistant, VM checker, voice cloning, and mail sender
💰 Pricing model:
- 7 days: $90
- 14 days: $170
- 30 days: $350
📌 Notable positioning:
Unlike some competitors, Bluekit explicitly removes vetting requirements. There are no identity checks and no LinkedIn verification, which may significantly broaden its user base.
📊 Takeaway:
This is another example of the continued commoditization of adversary tooling, making sophisticated phishing infrastructure more accessible, scalable, and user-friendly.
Defenders should expect:
- Faster campaign deployment cycles
- More realistic phishing lures (1:1 templates and 2FA bypass)
- Increased volume from lower-skilled actors
Worth keeping an eye on as it evolves.