Apr 30, 2026 · 7 min read
Phishing Kits Now Ship With AI, Voice Cloning, and 40 Templates—Bluekit's Default Target Is Your Gmail
A threat actor named "petrushka" is selling Bluekit on BreachForums: 40+ brand templates, an Evilginx-style adversary-in-the-middle proxy that steals session cookies, an AI assistant with five model options, voice cloning, and antibot cloaking. Varonis Threat Labs just published the teardown.
What Petrushka Is Selling
A threat actor going by the alias petrushka began advertising Bluekit on BreachForums and CrackingX in late April 2026. The pitch is direct: a single phishing as a service platform that ships with everything an operator needs to run end to end campaigns out of the box. Per the Varonis Threat Labs analysis, the feature list reads like a SaaS landing page: 40+ website templates, automated domain purchase, antibot cloaking, geolocation emulation, browser fingerprint spoofing, Evilginx based adversary in the middle support, Telegram and browser exfiltration, voice cloning, an AI assistant, and a built in mail sender.
BleepingComputer reported the kit is still in active development—features arrive faster than they get polished—but the targeting list is already broad enough to matter. It's not a niche tool.
The 40 Templates Read Like a Daily Use Inventory
The brands Bluekit currently impersonates are the brands most people log into every day. Varonis catalogued the templates across five categories:
- Email and personal accounts: Gmail, Outlook, Hotmail, Yahoo, ProtonMail, iCloud, Apple ID, Zoho
- Developer platforms: GitHub
- Social and communications: Twitter
- Retail: Zara
- Cryptocurrency: Ledger
Five of the eight email templates target consumer or prosumer mail providers. Gmail and Outlook are obvious. The presence of ProtonMail in the lineup is the more telling choice. ProtonMail's user base self-selects for privacy concern—activists, journalists, security professionals, and people who specifically opted out of Gmail. A phishing kit that ships ProtonMail support out of the box is signaling who its operators expect to target.
The MFA Bypass Is the Real Product
The most consequential capability isn't the number of templates. It's how Bluekit handles the second factor. The kit ships with Evilginx style adversary in the middle (AiTM) support—the same pattern documented in a string of phishing kits from EvilProxy onward.
When a victim lands on a Bluekit page and types their credentials, the kit forwards those credentials to the real service in real time. The legitimate Gmail or Microsoft 365 prompt for a TOTP code, push approval, or hardware token completes against the real service—from the victim's perspective, the login "works." But the session cookie that the real service issues is captured by the proxy. So is local storage. So is whatever the browser put into the IndexedDB layer.
According to Hackread's coverage, the attacker walks away with a fully authenticated session to the victim's Gmail or iCloud, which they can replay from their own machine until the cookie expires or is revoked. MFA technically did its job. The cookie that MFA produced is what got stolen.
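Because the artefact that leaves the proxy is a session cookie, the place it shows up is the identity provider's activity log: the cookie is minted for one client context and then presented from another. The following is an added example (not Varonis, Bluekit or any vendor's code) of the session-activity check recommended in the defence list later in this piece, run over a constructed JSON-lines log. The field names, the `known_asns` baseline and the sample sessions are all assumptions for the demo.

```python
"""Flag session cookies used from a client context other than the one that
authenticated them, the footprint a replayed AiTM-stolen cookie leaves in an
identity provider's activity log. Added example; not Varonis or Bluekit code.
The log format is constructed for this demo."""
import json
from datetime import datetime

# Constructed sample of an IdP activity log, one JSON object per line.
# Session sid-7f1a is authenticated from one client and then used two minutes
# later from a different network, country and browser: the replay pattern.
SAMPLE_LOG = """\
{"ts":"2026-04-29T08:02:11Z","event":"login","session":"sid-7f1a","user":"a.ortiz","ip":"203.0.113.7","asn":"AS64500","country":"DE","ua":"Chrome/124 Windows","mfa":"push"}
{"ts":"2026-04-29T08:03:40Z","event":"request","session":"sid-7f1a","user":"a.ortiz","ip":"203.0.113.7","asn":"AS64500","country":"DE","ua":"Chrome/124 Windows"}
{"ts":"2026-04-29T08:05:02Z","event":"request","session":"sid-7f1a","user":"a.ortiz","ip":"198.51.100.23","asn":"AS64501","country":"NL","ua":"Firefox/125 Linux"}
{"ts":"2026-04-29T09:15:00Z","event":"login","session":"sid-c0de","user":"b.chen","ip":"192.0.2.44","asn":"AS64502","country":"US","ua":"Safari/17 macOS","mfa":"passkey"}
{"ts":"2026-04-29T09:20:10Z","event":"request","session":"sid-c0de","user":"b.chen","ip":"192.0.2.44","asn":"AS64502","country":"US","ua":"Safari/17 macOS"}
"""

# Client attributes that should stay stable for the lifetime of one session.
# IP alone is left out: mobile clients legitimately change address within an ASN.
STABLE_FIELDS = (("asn", "ASN"), ("country", "country"), ("ua", "user agent"))


def parse_log(text):
    """Parse JSON-lines into dicts with a datetime 'ts', ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(log_text, known_asns=None):
    """Return a list of findings.

    Two checks: (1) a request whose ASN, country or user agent differs from
    the login that created the session; (2) a login from an ASN outside the
    user's baseline (known_asns: {user: set_of_asn}). Check 2 matters for AiTM
    because the 'login' the IdP sees comes from the proxy, not the victim.
    """
    known_asns = known_asns or {}
    login_ctx = {}   # session id -> the login event that created it
    findings = []
    for ev in parse_log(log_text):
        sid = ev["session"]
        if ev["event"] == "login":
            login_ctx[sid] = ev
            baseline = known_asns.get(ev["user"])
            if baseline is not None and ev["asn"] not in baseline:
                findings.append({
                    "session": sid, "user": ev["user"], "login_ip": ev["ip"],
                    "seen_ip": ev["ip"], "minutes_after_login": 0.0,
                    "reasons": [f"login from {ev['asn']} outside user baseline"],
                })
            continue
        ctx = login_ctx.get(sid)
        if ctx is None:
            findings.append({
                "session": sid, "user": ev["user"], "login_ip": None,
                "seen_ip": ev["ip"], "minutes_after_login": None,
                "reasons": ["session used without a recorded login"],
            })
            continue
        reasons = [f"{label} changed {ctx[field]} -> {ev[field]}"
                   for field, label in STABLE_FIELDS if ev[field] != ctx[field]]
        if reasons:
            delta = (ev["ts"] - ctx["ts"]).total_seconds() / 60
            findings.append({
                "session": sid, "user": ev["user"], "login_ip": ctx["ip"],
                "seen_ip": ev["ip"], "minutes_after_login": round(delta, 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_LOG):
        print(f"{f['user']} {f['session']}: {'; '.join(f['reasons'])}")
```

The baseline check is the one worth investing in: against a proxy, the first "login" the provider records already comes from the attacker's infrastructure, so comparing later requests to it only catches the hand-off from proxy to operator machine, while comparing the login itself to where that user normally signs in from catches the proxy.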
The AI Assistant Has Five Models
Bluekit's UI exposes a separate AI Assistant panel. Varonis confirmed five available models:
- An "abliterated" Llama model as default (an open source Llama variant with safety guardrails removed)
- GPT-4.1
- Claude Sonnet 4
- Gemini
- DeepSeek
In Varonis testing, only the default Llama variant worked end to end. The commercial models appeared in the interface but required additional API key configuration—a small barrier for any operator with $20 to spend. Varonis described the AI generated lure copy as preliminary: "The draft included a useful structure, but it still depended on generic link fields, placeholder QR blocks, and copy that would need cleanup." That assessment understates the trajectory. Six months ago, phishing kits did not ship with AI panels at all. The fact that operators can now toggle between five models—including one with safety guardrails specifically removed—is the trend that matters.
Voice Cloning Closes the Vishing Loop
The voice cloning module turns Bluekit from a credential phishing kit into a multi channel attack platform. Operators can upload a target's voice sample and synthesize new audio in that voice—useful for the callback phishing flow that the ATHR vishing platform pioneered at $4,000 per month. Bluekit bundles a similar capability into a kit that costs a fraction of that.
The combination means a single subscriber can run an email lure to a Gmail user, capture their session cookie via Evilginx, then follow up with a voice cloned phone call from "their bank's fraud department" to extract a wire transfer authorization. Each step happens inside the same dashboard.
Antibot Cloaking Hides the Pages From Researchers
Bluekit ships with VPN and proxy detection, headless browser fingerprint filtering, and geolocation gating. The practical effect is that a security researcher visiting a Bluekit phishing URL from a sandbox sees a benign decoy—often a real corporate website. A real victim from the targeted geography sees the credential capture page.
This is why phishing URLs increasingly survive in the wild for hours or days before being blacklisted. The automated scanners that Google Safe Browsing and Microsoft SmartScreen rely on get served clean pages. Real users get the malicious one.
What This Tells Us About the Phishing Market
Bluekit is not a one off. It joins a steady drumbeat of full stack phishing as a service offerings: the Venom kit aimed at executive Microsoft 365 accounts, the W3LL kit the FBI just shut down, ConsentFix v3, which skips the password entirely by abusing Azure CLI's first party trust, and the broader Evilginx ecosystem. Each new kit pushes the same direction: more brands, more automation, less expertise required to operate.
For a buyer with no technical skill, Bluekit reduces the cost of running a Gmail phishing campaign to almost zero. The kit handles the cloaking, the AiTM proxying, the AI lure drafting, the voice cloning, and the cookie exfiltration. The buyer brings only a target list—and as the recent 6.8 billion email dump on BreachForums demonstrates, target lists are now a commodity input.
How to Defend Against Bluekit Style Attacks
The defensive moves that work against Bluekit are the ones that defeat AiTM specifically:
- Use phishing resistant authentication. Hardware security keys (YubiKey, Google Titan) and platform passkeys bind the authentication to the legitimate domain. A Bluekit proxy on a typosquatted domain cannot complete the handshake. TOTP codes, SMS, and push approvals all remain phishable.
- Verify URLs before typing credentials. Bluekit relies on lookalike domains. Bookmark the real Gmail, iCloud, and ProtonMail login pages and reach them through bookmarks—not links in email.
- Treat unexpected MFA prompts as a phishing signal. If you receive a push notification for a login you didn't initiate, decline and rotate the password immediately.
- Audit OAuth tokens and session activity monthly. An AiTM session cookie keeps working until expired or revoked. Reviewing active sessions in Gmail's "Last account activity" or Microsoft's "Sign in activity" log catches unauthorized persistence.
- Block known phishing infrastructure. Domain registration patterns, Telegram exfiltration endpoints, and the Bluekit beaconing IPs documented in Varonis's IOC list are blockable at the firewall and DNS layers.
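Why the first item on that list works deserves a concrete look. A WebAuthn assertion carries the origin the browser was actually on (in clientDataJSON) and a hash of the relying party ID the browser resolved (in authenticatorData), and the authenticator's signature covers both. A page on a lookalike domain therefore produces an assertion whose origin and rpIdHash belong to the lookalike, and the real service rejects it. The block below is an added example of the relying-party-side check; it is not Bluekit, Varonis or any vendor's code, `RP_ID` and `ALLOWED_ORIGINS` are assumed values for a hypothetical service, and the ECDSA signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left out because it needs a crypto library.

```python
"""Relying-party-side check of the two fields that bind a WebAuthn assertion to
the site it was made on. Added example; not Bluekit, Varonis or any vendor's
code. RP_ID and ALLOWED_ORIGINS are assumed values for a hypothetical service.
Signature verification over authenticatorData || SHA-256(clientDataJSON) is the
step that makes these fields tamper-evident; it needs an ECDSA library and is
not included here."""
import hashlib
import json

RP_ID = "accounts.example"  # assumed relying party ID
ALLOWED_ORIGINS = {"https://accounts.example", "https://login.accounts.example"}  # assumed
FLAG_USER_PRESENT = 0x01


def make_client_data(origin, challenge):
    """Build the clientDataJSON a browser would produce for a page at `origin`.
    The browser, not the page script, fills in the origin, so a phishing page
    cannot claim to be the real site. Used only to construct sample input."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id, sign_count):
    """rpIdHash (32 bytes) || flags (1) || signCount (4), as an authenticator
    emits it. Used only to construct sample input."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT]) + sign_count.to_bytes(4, "big"))


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason). Rejects assertions whose origin or RP ID hash does
    not match this service, which is exactly what a proxied login produces."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} not allowed"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Legitimate login vs. the same ceremony relayed through a lookalike domain."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real RPs use fresh random bytes
    legit = verify_assertion_binding(
        make_client_data("https://accounts.example", challenge),
        make_authenticator_data("accounts.example", 7), challenge)
    # Through a proxy at accounts-example.com the browser writes that origin
    # into clientDataJSON and hashes that domain as the RP ID.
    proxied = verify_assertion_binding(
        make_client_data("https://accounts-example.com", challenge),
        make_authenticator_data("accounts-example.com", 7), challenge)
    return legit, proxied


if __name__ == "__main__":
    print(demo())
```

Contrast this with a TOTP code or a push approval: neither carries the origin, so the proxy can forward them to the real service unchanged, which is why those factors stay phishable and the cookie they unlock is what Bluekit collects.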
The Trajectory Is the Story
Bluekit's individual features are not unprecedented. Evilginx has been around for years. AI lure generation has been documented since GPT-3.5 became scriptable. Voice cloning is a Cloned Voice API call away from anyone. What's new is that all three live in a single commercial product costing $200 or less, with Gmail, Outlook, iCloud, and ProtonMail as supported targets out of the box.
The threshold for running a sophisticated phishing campaign just dropped again. The defense has to assume that any operator, anywhere, can spin up an AiTM campaign against any of the major email providers without writing a line of code. Microsoft's own Q1 2026 telemetry confirms the trajectory: 8.3 billion phishing emails blocked in 90 days, with QR phishing surging 146%—a direct measure of how many Bluekit style campaigns are reaching mailboxes.