Bluekit phishing kit enables automated phishing with 40+ templates and AI tools

Bluekit is a new phishing kit with AI features, automated domain setup, and tools like spoofing, voice cloning, and 40+ attack templates.
Bluekit is a newly discovered phishing kit still in development that includes advanced features such as an AI assistant and automated domain registration. According to Varonis, it offers over 40 website templates along with tools for spoofing, voice cloning, antibot protection, geolocation tricks, and two-factor authentication bypass support.
“Varonis Threat Labs recently discovered Bluekit, a new phishing kit pitching a broader model. It advertises 40+ website templates, automated domain purchase and registration, 2FA support, spoofing, geolocation emulation, Telegram and browser notifications, antibot cloaking, and add-ons like an AI assistant, voice cloning, and a mail sender,” reads the report published by Varonis.
Bluekit supports multiple phishing templates targeting major services such as iCloud, Apple ID, Gmail, Outlook, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger. It combines email, cloud, crypto, and developer platforms in one kit.
The kit also includes a site-builder where users select domains, templates, and target brands. It provides detailed control over phishing pages, including login detection, redirects, anti-analysis checks, spoofing, and device filtering.
Bluekit tracks sessions in real time, storing cookies and login data, and displays post-login activity. Overall, it acts as a full phishing platform rather than a simple credential-stealing tool.
Bluekit includes an AI Assistant panel with multiple model options such as Llama (default), GPT-4.1, Claude Sonnet 4, Gemini, and DeepSeek variants.
The researcher noted that in testing, only the default Llama model was usable, while the others appeared but required extra configuration, suggesting possible use of jailbroken or non-standard setups if activated in practice.
The researchers tested the assistant with a phishing scenario targeting a Microsoft 365 MFA reset for a company executive, including QR-based lures and credential-harvesting pages.
Instead of producing a ready-made phishing campaign, the AI generated only a structured draft. The output relied heavily on placeholders and generic text, requiring manual refinement.
“We expected something closer to a polished phishing copilot: a finished lure, cleaner email copy, and perhaps even a workable QR-driven flow with less manual effort. What we received was much more limited,” continues the report. “The assistant returned a structured campaign draft, and much of it relied on placeholders instead of content that looked ready to use as-is.”
Overall, the AI Assistant acts more as a tool for building campaign outlines than as one that delivers fully functional phishing kits.
Bluekit has been monitored over time not just for isolated campaigns, but for how quickly it evolves. Researchers initially aimed to catch it in real-world phishing activity, but its rapid development made the release cycle itself part of the observation. New features and templates were added so frequently that tracking updates became as important as identifying active deployments.
“Compared with similar phishing kits that have already advanced further into automation and operator convenience, Bluekit still appears to be a kit in active development,” concludes the report. “The feature set keeps evolving as we track it, and if that pace continues with broader adoption, Bluekit is likely to surface in future campaigns.”
(SecurityAffairs – hacking, Bluekit phishing kit)





