Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
Summary
Bluekit has added browser-in-the-middle (BitM) login theft to its phishing stack, increasing the risk of session-token theft and account takeover. The mechanism uses rrweb to serialize page content and stream it over a WebSocket while an attacker-controlled browser relays victim interactions. The same infrastructure pairs the new delivery method with anti-analysis checks and live session monitoring that make the phishing flow harder to spot.
Related Happenings
Openew[.]app cloaked malware download portal
Malware Activity
H score 26
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score 25
First: 30.04.2026 21:58
Last: 30.04.2026 21:58
Sources 1
How related:
The Bluekit phishing-as-a-service platform continues to evolve with nearly 70 new hostnames identified over the past week, and by adding browser-in-the-middle (BitM) capabilities for improved data theft.
About this happening:
Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Latest development: 25.06.2026 18:00
Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.
Storm infostealer server-side decryption activity
Malware Activity
H score 18
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
Jinkusu-Starkiller ecosystem shift changes threat-actor operations
Threat Actor Meta
H score 39
First: 03.03.2026 13:10
Last: 03.03.2026 13:10
Sources 1
About this happening:
**Jinkusu** is marketing **Starkiller** as a phishing-as-a-service platform that proxies live login pages to **bypass MFA** and capture session tokens. The service lets customers...
Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service
Threat Actor Meta
H score 36
First: 19.02.2026 14:00
Last: 19.02.2026 14:00
Sources 1
About this happening:
The **Starkiller** phishing platform has emerged as a **SaaS-style criminal service**, raising the scale and durability of credential theft operations. It is sold on the **dark we...
Timeline
25.06.2026 18:00 2 articles · 2h ago
Bluekit adopts rrweb-based browser-in-the-middle login theft
Technical Analysis Update
Bluekit now uses browser-in-the-middle (BitM) login theft with the open-source rrweb library to serialize a login page’s DOM and stream it over a WebSocket while an attacker-controlled browser relays victim input. The mechanism can complete authentication in the attacker’s session, producing a valid session token and enabling account takeover. Netcraft says the same infrastructure also keeps anti-analysis checks such as randomized CSS filters, a rotating obfuscated JavaScript bundle, browser fingerprinting, custom CAPTCHA, and WebRTC IP mismatch detection, alongside live victim monitoring during deceptive login sessions.
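As an added defender-side example (not code from the page, from Netcraft, or from the Bluekit kit), this Python heuristic scans decoded WebSocket text frames for the rrweb stream described above: a full DOM snapshot of a login page containing a password input, followed by streamed input events. The rrweb type codes are taken from rrweb's enums and should be verified against the version in use; the sample frames are constructed.

```python
import json

# rrweb event type / incremental-source codes (from rrweb's EventType and
# IncrementalSource enums; an assumption to verify against the version in use).
FULL_SNAPSHOT, INCREMENTAL_SNAPSHOT, SRC_INPUT = 2, 3, 5

def snapshot_has_password_field(node):
    """Walk a serialized rrweb DOM tree looking for <input type="password">."""
    if not isinstance(node, dict):
        return False
    attrs = node.get("attributes") or {}
    if node.get("tagName") == "input" and attrs.get("type") == "password":
        return True
    return any(snapshot_has_password_field(c) for c in node.get("childNodes", []))

def analyze_ws_frames(frames):
    """Score WebSocket text payloads for rrweb streaming of a login page."""
    stats = {"full_snapshots": 0, "input_events": 0, "password_field_seen": False}
    for raw in frames:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # keepalives and other non-JSON frames are ignored
        # rrweb events are {type, data, timestamp}; skip anything else
        if not (isinstance(ev, dict) and "data" in ev and "timestamp" in ev):
            continue
        data = ev["data"] if isinstance(ev["data"], dict) else {}
        if ev.get("type") == FULL_SNAPSHOT:
            stats["full_snapshots"] += 1
            if snapshot_has_password_field(data.get("node")):
                stats["password_field_seen"] = True
        elif ev.get("type") == INCREMENTAL_SNAPSHOT and data.get("source") == SRC_INPUT:
            stats["input_events"] += 1
    # password field in the snapshot plus streamed input = BitM relay of a login page
    if stats["password_field_seen"] and stats["input_events"]:
        stats["verdict"] = "likely BitM credential relay"
    elif stats["full_snapshots"]:
        stats["verdict"] = "rrweb session stream (review)"
    else:
        stats["verdict"] = "no rrweb stream"
    return stats

# Constructed sample frames, not real captured traffic.
SAMPLE_FRAMES = [
    json.dumps({"type": 2, "timestamp": 1, "data": {"node": {"type": 2,
        "tagName": "html", "attributes": {}, "childNodes": [{"type": 2,
        "tagName": "input", "attributes": {"type": "password"}, "childNodes": []}]}}}),
    json.dumps({"type": 3, "timestamp": 2, "data": {"source": 5, "id": 7, "text": "***"}}),
    "ping",
]
```

Legitimate session-replay deployments also emit this event shape, so the verdict is a triage signal to pair with the page's origin and an allowlist of known replay endpoints.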
- Bluekit phishing kit adopts browser-in-the-middle for login theft — www.bleepingcomputer.com — 25.06.2026 18:00