Bluekit — Phishing Kit Ships with AI Assistant, Voice Cloning, and 40+ Templates
AI relevance: Bluekit embeds an AI phishing-campaign assistant directly into its dashboard, allowing operators to draft lures, configure 2FA bypass flows, and manage credential harvesting — lowering the technical barrier for AI-augmented social engineering at scale.
What's happening
Varonis Threat Labs has discovered Bluekit, a phishing kit still in active development that packages an AI assistant, voice cloning, automated domain registration, and over 40 phishing templates into a single platform.
- Bluekit's AI Assistant panel lists multiple LLMs: Llama (default/functional), GPT-4.1, Claude Sonnet 4, Gemini, and DeepSeek variants, though only Llama was operational during testing.
- When tested with a Microsoft 365 MFA-reset phishing scenario for a corporate executive, the assistant produced a structured campaign draft with placeholders rather than a fully operational lure, suggesting the AI component is still maturing.
- The kit includes 40+ website templates targeting major services: iCloud, Apple ID, Gmail, Outlook, Yahoo, ProtonMail, GitHub, Twitter, Zoho, and crypto wallets like Ledger.
- Operators can create campaigns, register or link domains, manage captured credentials, and exfiltrate stolen data via Telegram — all from a centralized dashboard.
- Advanced features include 2FA bypass, spoofing, geolocation-based targeting, antibot cloaking, browser notifications, and voice cloning add-ons.
- Researchers tracked Bluekit's rapid feature evolution over time — new templates and capabilities are added frequently, suggesting the kit will reach broader adoption as it matures.
Why it matters
Bluekit represents the operationalization of AI-assisted phishing. While the AI assistant currently produces structured drafts with placeholders rather than ready-to-deploy lures, the trajectory is clear: phishing kits are integrating LLMs to reduce the skill floor for operators. Combined with voice cloning and automated infrastructure setup, Bluekit enables less technically skilled threat actors to launch sophisticated, multi-vector phishing campaigns. For defenders, this means AI-generated social engineering will become more accessible and harder to distinguish from legitimate communications.
What to do
- Assume AI-generated phishing will improve rapidly: Bluekit's AI assistant is early-stage; expect future iterations to produce more convincing lures with less operator input.
- Deploy phishing-resistant MFA: Kits with 2FA bypass and voice cloning make SMS, TOTP, and push-based MFA increasingly unreliable. Prioritize FIDO2/WebAuthn hardware keys.
- Monitor for credential harvesting patterns: Bluekit captures cookies and post-login activity in real time, so detect anomalous session tokens and unusual geographic access patterns.
- Educate on AI-assisted social engineering: Voice cloning and AI-drafted lures will reduce traditional phishing tells (grammar errors, generic greetings). Train users to verify requests through secondary channels.
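The session-monitoring recommendation above can be turned into a simple detection rule. The sketch below is an added example, not code from Varonis or from the kit: it flags a session ID that is later used from a different country or client than the one that established it. The event fields, the sample log lines, and the one-hour window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the Varonis report):
# (timestamp, user, session_id, country, user_agent)
EVENTS = [
    ("2025-01-10T09:00:00", "alice", "s-111", "US", "Chrome/Windows"),
    ("2025-01-10T09:05:00", "alice", "s-111", "US", "Chrome/Windows"),
    ("2025-01-10T09:07:00", "alice", "s-111", "RO", "Firefox/Linux"),
    ("2025-01-10T10:00:00", "bob", "s-222", "DE", "Safari/macOS"),
    ("2025-01-10T18:00:00", "bob", "s-333", "FR", "Safari/macOS"),
    ("2025-01-10T11:00:00", "carol", "s-444", "GB", "Edge/Windows"),
    ("2025-01-11T11:00:00", "carol", "s-444", "GB", "Edge/Windows-updated"),
]

def find_session_anomalies(events, window=timedelta(hours=1)):
    """Flag session ids used from a country or client other than the one
    that established the session (a sign of a replayed session cookie)."""
    baseline = {}   # session_id -> [country, user_agent, last time baseline was seen]
    findings = []
    for ts, user, sid, country, ua in sorted(events):
        t = datetime.fromisoformat(ts)
        if sid not in baseline:
            baseline[sid] = [country, ua, t]   # first sighting defines the baseline
            continue
        base_country, base_ua, last_ok = baseline[sid]
        reasons = []
        if country != base_country:
            reasons.append("country")
        if ua != base_ua:
            reasons.append("user_agent")
        if not reasons:
            baseline[sid][2] = t               # still the original client
            continue
        # A country change close in time to legitimate use means the token is
        # live in two places at once; a client-only change may be a browser update.
        close = t - last_ok <= window
        severity = "high" if "country" in reasons and close else "medium"
        findings.append({"session": sid, "user": user, "time": ts,
                         "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_session_anomalies(EVENTS):
        print(f)
```

A new session ID from a new country (bob in the sample) is not flagged here, because a fresh login goes through authentication again; that case belongs to sign-in risk checks rather than session-reuse detection.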