
A deep dive into the Bluekit and SnagX Phishing-as-a-Service platforms, analyzing how threat actors utilize Adversary-in-the-Middle reverse proxies to bypass multi-factor authentication and execute automated account takeovers targeting e-commerce credentials.


Japanese localized lures leading to Let's Encrypt wildcard domains.
Backend filters connections based on Geofencing, WebRTC, CSS shifts, and CAPTCHAs.
Interacts directly with victim, proxying requests and MFA codes in real time.
Session cookies are intercepted and exfiltrated to Telegram channels.
Premium script changes account password and recovery details, locking the victim out.
June 3, 2026
Japanese e-commerce credentials and active browser sessions are the latest assets targeted in a sophisticated cybercrime campaign utilizing advanced Adversary-in-the-Middle (AiTM) phishing architectures. Security researchers monitoring underground criminal marketplaces recently identified threat actors selling access to compromised corporate and personal e-commerce accounts, with specific evidence pointing to the automated theft of Japanese shopping credentials. The primary driving force behind this wave of attacks is an emerging Phishing-as-a-Service (PhaaS) platform known as Bluekit, along with its localized reseller variant SnagX, which specialize in bypassing multi-factor authentication (MFA) to facilitate complete account takeovers.
For organizations operating in highly competitive retail, supply chain, and e-commerce landscapes, this threat represents a significant escalation. It demonstrates how easily traditional credential protections can be neutralized by automated, consumer-grade cybercrime kits. When employee or administrator accounts on massive platforms are hijacked, adversaries do not just gain shopping access; they secure a foothold to intercept shipping logs, compromise corporate purchasing cards, and harvest valuable proprietary data.
While this specific campaign has highly localized Japanese targeting, the underlying technology represents a borderless threat. Phishing-as-a-Service tools such as Bluekit are rapidly adaptable. GCC enterprises must recognize that these automated reverse proxies are increasingly targeted at corporate Single Sign-On (SSO) portals, email access points, and critical supplier networks. If an employee uses their corporate email or a reused password on a personal e-commerce site compromised via AiTM, threat actors can weaponize those credentials to access your internal corporate network.
Furthermore, standard multi-factor authentication (such as SMS OTPs and standard mobile push notifications) is no longer sufficient to stop modern, automated attacks. Organizations must evaluate their authentication strategies to ensure that a hijacked cookie cannot be utilized to bypass enterprise perimeters.
Understanding your exposed domain footprint is a critical step in stopping credential compromise before it affects your internal operations. Using continuous monitoring and offensive security validation ensures your business stays ahead of emerging PhaaS techniques.
By leveraging comprehensive Dark Web Monitoring, organizations can gain real-time visibility into credential leaks and compromised sessions, allowing security teams to invalidate hijacked tokens and reset compromised passwords before threat actors can execute lateral movement within your corporate infrastructure.
The underground distribution of these stolen credentials highlights a highly organized commercial ecosystem. Bluekit, operated by a threat actor using the alias petrushka (also known as petrushkablue), is marketed as an elite phishing solution. To expand its market share, the platform collaborates with a Chinese-language reseller and co-founder operating under the handle @nm9333, who distributes a white-labeled version of the software called SnagX. This platform is advertised directly to Chinese-speaking cybercriminals as a comprehensive reverse-proxy solution designed specifically to target Japanese enterprise and consumer accounts.
Unlike old-school phishing templates that merely copy the visual appearance of a login screen, Bluekit and SnagX use a Next.js backend and a headless browser engine. This setup allows the platform to function as a live intermediary between the target user and the legitimate authentication server. The kit is highly customizable, offering specialized templates and modules such as an automated password-changer that immediately locks victims out of their accounts once their credentials and session tokens have been harvested.
The attack chain utilized by Bluekit and SnagX is highly systematic, relying on automated defense evasion, precise geolocation filtering, and real-time proxying of web requests. Understanding this multi-stage execution flow is critical for constructing robust enterprise detection mechanisms.
The campaign begins when the threat actor distributes highly localized, professionally written Japanese-language messages via email or SMS (smishing). These lures typically masquerade as urgent notifications from major service providers, alerting the recipient to a locked account, an unauthorized payment attempt, or a high-value shipping update. Embedded links inside these messages do not lead to static replica pages but instead point to dynamically generated domains that utilize wildcard SSL certificates from Let's Encrypt to mimic legitimate corporate endpoints.
Before any phishing content is displayed to the visitor, the backend infrastructure performs a series of complex checks to ensure the visitor is a genuine human target and not an automated security scanner, sandbox, or security researcher. The qualification suite includes the following operations:
Geofencing: The system validates the visitor's IP address against geographical databases. If the IP address does not originate from Japan or the specific targeted GCC territories, the backend instantly redirects the request to the legitimate service provider website, successfully hiding the malicious infrastructure from international security researchers.
WebRTC IP Leak Verification: The script checks for mismatches between the browser's HTTP headers and its WebRTC-reported IP address to identify whether the visitor is utilizing a VPN or proxy service.
Hardware Fingerprinting: Bluekit collects device signatures including CPU core counts, available RAM, screen resolution, and headless browser attributes to filter out automated testing frameworks.
Perceptual Hash Manipulation: To defeat automated screenshot-matching scanners used by cybersecurity vendors, Bluekit applies random CSS filters to the rendered page. This includes a 2 percent hue shift and a 1-pixel spatial offset. These tiny adjustments change the perceptual hash of the rendered page enough to break exact-match visual detection engines while leaving the page visually identical to the human eye.
Custom Bot Protection: The framework forces the user to complete a simulated CAPTCHA to ensure that only human targets proceed to the credential entry stage.
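The scanner-side counter to the hue-shift and pixel-offset trick, as an added example that is not part of the Bluekit/SnagX analysis: a difference hash (dHash) of a login-page screenshot compared with a Hamming-distance threshold instead of an exact match. The page mock, the 1-pixel shift and the 2 percent brightness gain standing in for the hue shift are all constructed here; no image library is needed.

```python
# Added example (not Bluekit/SnagX code): tolerant perceptual-hash matching for a URL scanner,
# so a 1-pixel offset or a small colour change does not break screenshot matching. Screenshots
# are constructed in memory as grayscale 2-D lists, so no image library is needed.
GRID_W, GRID_H = 9, 8  # dHash compares each cell with its right-hand neighbour -> 8x8 bits

def mock_page(width=96, height=64, box=(20, 24, 70, 36)):
    """Constructed 'screenshot': light background (235) with one dark login box (40)."""
    x0, y0, x1, y1 = box
    return [[40 if x0 <= x < x1 and y0 <= y < y1 else 235 for x in range(width)]
            for y in range(height)]

def perturb(img, dx=1, gain=1.02):
    """Lure-side nuisance: shift right by dx pixels and scale brightness by gain
    (grayscale stand-in for the 2 percent hue shift described above)."""
    h, w = len(img), len(img[0])
    return [[min(255, int(img[y][max(0, x - dx)] * gain)) for x in range(w)] for y in range(h)]

def dhash(img):
    """64-bit dHash: average onto a 9x8 grid; bit=1 where a cell is brighter than its right neighbour."""
    h, w = len(img), len(img[0])
    cells = []
    for j in range(GRID_H):
        ys = range(j * h // GRID_H, (j + 1) * h // GRID_H)
        row = []
        for i in range(GRID_W):
            xs = range(i * w // GRID_W, (i + 1) * w // GRID_W)
            row.append(sum(img[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
        cells.append(row)
    bits = 0
    for j in range(GRID_H):
        for i in range(GRID_W - 1):
            bits = (bits << 1) | (1 if cells[j][i] > cells[j][i + 1] else 0)
    return bits

def hamming(a, b): return bin(a ^ b).count("1")  # number of differing hash bits

def matches_known_lure(img, known_hash, threshold=10):
    """Scanner check: a page matches a known lure if its hash is within `threshold` bits."""
    return hamming(dhash(img), known_hash) <= threshold

def demo():
    reference = mock_page()
    known = dhash(reference)                 # hash stored from a previously seen lure
    evaded = perturb(reference)              # the same lure after the CSS tweaks
    other = mock_page(box=(60, 5, 90, 55))   # a genuinely different layout
    return {"exact_match_survives": dhash(evaded) == known,
            "tolerant_match_survives": matches_known_lure(evaded, known),
            "other_page_flagged": matches_known_lure(other, known)}
```

Calling demo() shows the exact-match comparison failing on the perturbed page while the thresholded comparison still recognises it and still rejects the unrelated layout.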
Once the visitor passes the qualification checks, they are presented with a live, reverse-proxied interface of the legitimate login portal. The user interacts with this page exactly as they would on the official site. When the victim submits their username and password, the reverse-proxy intercepts the submitted credentials and relays them to the actual e-commerce authentication servers in real time. If the legitimate site prompts the user for a multi-factor authentication (MFA) challenge, such as a One-Time Password (OTP) sent via SMS or an authenticator app, the proxy relays this prompt to the victim. The victim inputs the code, and the proxy forwards it to the authentic server, completing the authentication flow.
Upon successful authentication, the legitimate server issues session cookies to confirm the user's identity. Because the connection is routed through the attacker's reverse-proxy, the Bluekit/SnagX backend intercepts and duplicates these session cookies before passing them back to the victim's browser. The victim is then redirected to their actual account page, unaware that a complete compromise has occurred. The stolen credentials and active session tokens are immediately packaged and exfiltrated to the attacker's server, often forwarded instantly to private Telegram channels using integrated bots such as @bluekit_official_bot or @snagx_official_bot.
For attackers using the premium automation modules, the PhaaS system does not simply collect the credentials; it immediately launches an automated script using the hijacked session cookies. This script logs in, modifies the registered email address and phone number, and changes the account password to a hardcoded platform default such as blueKIT123#!. By the time the legitimate owner attempts to log back in, they are completely locked out, and the account is listed for sale on underground cybercrime forums.
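The detection opportunity in the flow above, as an added example that is not part of the original analysis: a stolen cookie is issued to the victim's network and then replayed, minutes later, from the operator's hosting infrastructure, which a session-consistency check over authentication logs can flag. The log format, IP addresses, session IDs and ASN labels are constructed for the example.

```python
# Added example (not Bluekit/SnagX code): alert when a session cookie issued to one network is
# replayed from another within a short window, the trace an AiTM relay leaves when the operator
# reuses a stolen cookie from hosting infrastructure. The log lines below are constructed.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2026-06-03T09:00:05Z login_ok sid=7f3a ip=203.0.113.24 geo=JP asn=residential
2026-06-03T09:00:09Z page_view sid=7f3a ip=203.0.113.24 geo=JP asn=residential
2026-06-03T09:06:41Z page_view sid=7f3a ip=198.51.100.7 geo=NL asn=hosting
2026-06-03T09:07:02Z change_password sid=7f3a ip=198.51.100.7 geo=NL asn=hosting
2026-06-03T10:15:00Z login_ok sid=c2d9 ip=203.0.113.80 geo=JP asn=residential
2026-06-03T11:30:00Z page_view sid=c2d9 ip=203.0.113.80 geo=JP asn=residential
"""

def parse(line):
    """Turn one 'timestamp event k=v k=v ...' line into a dict."""
    ts, event, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec

def detect_session_hijack(log_text, window=timedelta(minutes=30)):
    """Return one alert per (session, new client IP) when the cookie is used from a different
    country or ASN category than the login that issued it, within `window` of that login."""
    origin, seen, alerts = {}, set(), []
    for rec in (parse(l) for l in log_text.splitlines() if l.strip()):
        sid = rec["sid"]
        if rec["event"] == "login_ok":
            origin[sid] = rec          # the network the cookie was issued to
            continue
        first = origin.get(sid)
        if first is None or (sid, rec["ip"]) in seen:
            continue
        moved = rec["geo"] != first["geo"] or rec["asn"] != first["asn"]
        if moved and rec["ts"] - first["ts"] <= window:
            seen.add((sid, rec["ip"]))
            alerts.append({"sid": sid, "first_event": rec["event"], "issued_to": first["ip"],
                           "replayed_from": rec["ip"],
                           "minutes_after_login": int((rec["ts"] - first["ts"]).total_seconds() // 60),
                           "hosting_asn": rec["asn"] == "hosting"})
    return alerts

if __name__ == "__main__":
    for alert in detect_session_hijack(SAMPLE_LOG):
        print(alert)
```

In the sample, session 7f3a is flagged once at the first page view from the hosting IP, six minutes after the Japanese residential login; the later change_password event is the lock-out step described above and rides on the same replayed cookie.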
Analyzing the behavior of the Bluekit and SnagX frameworks reveals clear alignments with established cyber-adversary tactics and techniques:
T1566.002 (Phishing: Spearphishing Link): Delivering localized e-commerce lures to target victims via SMS and email.
T1090 (Proxy): Establishing a reverse-proxy architecture to sit between the user and the authentic server.
T1539 (Steal Web Session Cookie): Intercepting and duplicating valid session tokens post-authentication.
T1556.006 (Modify Authentication Process: Multi-Factor Authentication): Bypassing multi-factor authentication by relaying the challenge and harvesting the resulting session tokens.
T1071.001 (Application Layer Protocol: Web Protocols): Utilizing HTTP and WebSockets to communicate with command-and-control servers and Telegram APIs.
T1564 (Hide Artifacts): Utilizing obfuscated JavaScript payloads exceeding 1MB and applying perceptual hash evasion techniques to avoid detection.
To defend against advanced reverse-proxy frameworks, security teams must implement a multi-layered detection and containment strategy:
Monitor Session Consistency: Implement strict risk-based authentication policies that trigger alerts for anomalous session cookie usage, such as impossible travel indicators (for example, a session authenticated in Dubai but utilized minutes later from an overseas cloud hosting provider's IP block).
Adjust URL Scanner Thresholds: Configure automated security scanners and email sandbox solutions to identify visual anomalies. Scanner configurations should account for a 2 percent hue shift and a 1-pixel layout offset to counter the perceptual-hash evasion tactics used by Bluekit and SnagX.
Deploy Phishing-Resistant MFA: Transition high-privilege users and general staff from standard SMS or authenticator codes to phishing-resistant authentication methods such as FIDO2/WebAuthn hardware keys or device-bound passkeys. These protocols bind the authentication handshake to the specific domain, making it impossible for a reverse-proxy to relay the token to a separate malicious site.
Track Let's Encrypt Wildcard Certificates: Run automated threat-hunting queries to identify newly registered domains matching wildcard structures resolving through proxy services. This proactive attack surface management can identify infrastructure before it is actively used in phishing campaigns.
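The origin binding that makes FIDO2/WebAuthn resistant to this relay, shown as an added example that is not part of the original analysis: the browser records the origin it actually loaded in clientDataJSON and the authenticator hashes the RP ID derived from that origin, so an assertion produced on the lure domain fails the relying party's checks even when the proxy forwards the challenge untouched. Host names are assumptions, and the signature over the assertion is omitted to keep the focus on the binding checks.

```python
# Added example (not Bluekit/SnagX code): why a WebAuthn assertion cannot be relayed through an
# AiTM proxy. The browser writes the origin it actually loaded into clientDataJSON, and the
# authenticator hashes the RP ID derived from that origin; the relying party checks both.
# Host names are assumptions; the signature over the data is omitted to focus on the binding.
import base64, hashlib, json, secrets

RP_ID = "shop.example"                                   # assumed legitimate RP ID
EXPECTED_ORIGIN = "https://shop.example"
PHISHING_ORIGIN = "https://shop-example-login.invalid"   # placeholder lure host

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assert(origin, challenge):
    """What the victim's browser + authenticator return for navigator.credentials.get():
    clientDataJSON carries the real page origin; authenticatorData starts with sha256(rpId),
    and the browser only accepts an rpId that is the origin's host or a parent domain of it."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # flags: UP
    return client_data, authenticator_data

def rp_verify(client_data, authenticator_data, issued_challenge):
    """Relying-party checks from the WebAuthn assertion verification procedure (minus signature)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"          # the proxy cannot change what the browser saw
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"

def legitimate_login():
    challenge = secrets.token_bytes(32)                  # issued by the real RP
    return rp_verify(*browser_assert(EXPECTED_ORIGIN, challenge), challenge)

def relayed_login():
    challenge = secrets.token_bytes(32)                  # RP issues it to the proxy ...
    # ... which forwards it unchanged, but the victim's browser is on the lure origin
    return rp_verify(*browser_assert(PHISHING_ORIGIN, challenge), challenge)

if __name__ == "__main__":
    print("legitimate:", legitimate_login())   # ok
    print("via AiTM proxy:", relayed_login())  # origin mismatch
```

Contrast this with an OTP, which carries no notion of where it was typed and therefore verifies just as well when relayed.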