Bluekit adopts browser-in-the-middle for login theft
π‘οΈ The Bluekit phishing-as-a-service platform has added browser-in-the-middle (BitM) capabilities and nearly 70 new hostnames, enabling attackers to load legitimate login pages and capture valid session tokens. Netcraft found Bluekit uses the open-source rrweb library to serialize and stream page DOM data over WebSockets while fetching assets through phishing infrastructure. The kit also includes advanced anti-analysis features such as randomized CSS filters, large rotating obfuscated JavaScript bundles, custom CAPTCHAs, browser fingerprinting, and WebRTC IP-mismatch checks.
