New Bluekit Phishing Kit Emerges With AI-Powered Features
Security researchers have identified a new phishing-as-a-service (PhaaS) toolkit called Bluekit that is currently under active development and circulating on cybercrime forums. The kit distinguishes itself from existing phishing platforms by integrating an AI assistant to help operators craft convincing lures and automate key operational steps, including automated domain registration — removing significant friction from the phishing workflow.
What Is Bluekit?
Bluekit is a modular phishing toolkit being marketed to cybercriminals seeking to conduct credential harvesting campaigns at scale. Unlike older, static phishing kits that require manual setup for each campaign, Bluekit incorporates automation and artificial intelligence to streamline the attack lifecycle.
Key Features
AI-Powered Campaign Assistant
- Bluekit's integrated AI assistant helps operators generate convincing phishing email templates tailored to specific targets or industries.
- The assistant can suggest lure themes, customize messaging to match target organizations' branding, and adapt content based on operator-specified goals (credential theft, malware delivery, business email compromise).
- AI-generated content reduces typos, grammatical errors, and other indicators that trained users or spam filters might detect.
Automated Domain Registration
- One of Bluekit's most operationally significant features is its automated domain registration pipeline.
- Traditionally, phishing actors must manually register lookalike domains — a time-consuming step that also creates attribution risk.
- Bluekit automates this process, allowing operators to spin up convincing phishing domains rapidly and at scale, potentially cycling through domains faster than blocklist feeds can respond.
Modular Architecture
- The toolkit appears designed for extensibility, with modules for different phishing scenarios.
- Early analysis suggests support for credential capture pages targeting common enterprise platforms.
Development Status
Security researchers at SecurityWeek note that Bluekit is still under active development as of early May 2026. Underground forum posts advertising the kit describe it as an emerging platform rather than a fully mature product. This suggests:
- Additional features and attack modules are likely in development.
- Early adopters on criminal forums may be accessing beta or pre-release versions.
- The toolkit's capabilities — and threat potential — are expected to grow in coming months.
Why This Matters
The emergence of AI-enhanced phishing toolkits like Bluekit represents a meaningful evolution in the PhaaS threat landscape:
Lower Barrier to Entry
Automated domain registration and AI-generated lure content reduce the technical skill and time required to launch convincing phishing campaigns. This democratizes access to sophisticated phishing infrastructure for lower-tier threat actors.
Higher Campaign Quality
AI-assisted content generation can produce more grammatically correct, contextually appropriate phishing emails that bypass both human scrutiny and automated detection systems trained on lower-quality phishing samples.
Accelerated Domain Cycling
Automated domain registration enables faster rotation of phishing infrastructure, making it harder for threat intelligence feeds and DNS blocklists to keep pace with new domains before victims are targeted.
Defensive Recommendations
Organizations can take the following steps to reduce exposure to Bluekit-style phishing attacks:
Email Security
- Deploy anti-phishing email security solutions with AI-based anomaly detection to catch novel lure content.
- Enable DMARC, DKIM, and SPF authentication on all organizational domains to make impersonation harder.
- Configure email gateways to flag or quarantine messages with recently registered sender domains (domains less than 30 days old).
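
The domain-age rule above, combined with a lookalike check, as an added example (not code from the article or from any vendor). The protected domain `example-corp.com`, the registration table, the edit-distance limit of 2 and the fail-closed handling of unknown dates are assumptions made for illustration; a real gateway would pull registration dates from RDAP/WHOIS or a domain-intelligence feed.

```python
from datetime import date
from email.utils import parseaddr

MAX_AGE_DAYS = 30                   # threshold from the recommendation above
PROTECTED = {"example-corp.com"}    # hypothetical: domains the organization owns

# Constructed registration dates (sample data, not real lookups).
REGISTERED = {
    "example-corp.com": date(2012, 3, 1),
    "examp1e-corp.com": date(2026, 4, 28),
    "newsletter-vendor.net": date(2026, 4, 20),
    "old-partner.org": date(2009, 7, 15),
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the From address, reduced to its last two labels.
    Simplification: no Public Suffix List, so example.co.uk is not handled."""
    addr = parseaddr(from_header)[1].lower()
    host = addr.rpartition("@")[2].rstrip(".")
    return ".".join(host.split(".")[-2:])

def triage(from_header, today, registered=REGISTERED):
    """Return (verdict, reasons) for one message's From header."""
    domain = sender_domain(from_header)
    reasons = []
    created = registered.get(domain)
    if created is None:
        reasons.append("registration date unknown")  # assumption: fail closed
    elif (today - created).days < MAX_AGE_DAYS:
        reasons.append(f"registered {(today - created).days} days ago")
    if domain not in PROTECTED and any(
            0 < edit_distance(domain, p) <= 2 for p in PROTECTED):
        reasons.append("lookalike of a protected domain")
    # One signal flags the message; two signals together quarantine it.
    verdict = "deliver" if not reasons else "flag" if len(reasons) == 1 else "quarantine"
    return verdict, reasons
```

A young domain alone is only flagged, since legitimate senders also register new domains; the quarantine verdict is reserved for a young or unknown domain that also imitates a protected one.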
User Awareness
- Train staff to verify sender domains carefully, especially for emails requesting credential entry or urgent action.
- Implement regular phishing simulation exercises to keep employees sharp against evolving lure techniques.
- Encourage reporting of suspicious emails to the security team.
Technical Controls
- Use DNS filtering solutions (e.g., Cisco Umbrella, Cloudflare Gateway) that block access to newly registered domains and to domains categorized as phishing.
- Enforce multi-factor authentication (MFA) on all accounts so that stolen credentials alone are insufficient for account takeover.
- Monitor for unusual authentication events such as logins from unexpected geolocations or devices.
Context: The Growing PhaaS Ecosystem
Bluekit enters a crowded and maturing PhaaS market that includes established platforms like Tycoon 2FA, EvilProxy, and others. The integration of AI features reflects a broader trend of threat actors incorporating generative AI capabilities into their criminal tooling — a development that security researchers have been tracking since early 2025.
The automation of domain registration in particular echoes tactics seen in large-scale phishing infrastructure operations, where rapid domain cycling is used to stay ahead of blocklists.