0/100

high Risk

bluekit.ws

https://bluekit.ws/

172.67.147.28 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

—

HTTP

200 · 30.8s

SSL

Valid· E7, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "bluekit - your phishing kit"

Save

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

bluekit.ws

Data Harvesting

technology | finance | ecommerce | social_media | other · 4/29/2026

Summary

The page presents branding and UI similar to a phishing kit service called 'bluekit' and explicitly labels itself as a phishing kit in the page title. HTML title reads 'bluekit - your phishing kit' and the screenshot shows a dashboard-like UI with prominent credentials-related branding. Network and SPA-like behavior indicate credential collection potential via dynamically rendered forms, with POST activity observed to a rum endpoint and multiple external JS assets suggesting analytics/tracking and possible credential capture logic. The domain appears to be hosting a phishing toolkit rather than a legitimate service, indicating abuse potential and credential harvesting risk.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://bluekit.ws/cdn-cgi/rum?.

▸Distinctive asset clues: 16d0_mohw7xfy.js, 0bwofn5_qzn1~.js, 11_7gtyx.9m5g.css, 16-2pyq9-p~3g.css, image.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 45

Hosts: 2

Domains: 2

Attack Techniques (4)

SPA-like dynamic form rendering (no static login form in HTML but credentials may be captured via JS bundles)Credential harvesting possibility through dynamically loaded JS bundles and hidden/inline formsExternal script loading for UI/branding and potential obfuscation of credential capture logicPOST request to /cdn-cgi/rum? (likely a tracking/CTA beacon, but could be leveraged for data exfiltration in abuse scenarios)

Indicators of Compromise (6)

▸Page title explicitly states 'bluekit - your phishing kit'

▸Screenshot shows dashboard-like UI with branding that mimics legitimate analytics dashboards

▸POST request detected to https://bluekit.ws/cdn-cgi/rum? (204) implying data or beacon transmission

▸High external script count (17) and SPA-like structure with dynamic credential UI

▸SSL certificate issued recently (Let's Encrypt) and domain resolves behind Cloudflare

▸URL path and branding do not clearly indicate a legitimate, widely-known service; the page markets itself as a phishing kit

Risk AssessmentUsed in abuse reports

The site bluekit.ws presents itself as a 'phishing kit' and appears to be a tool for building or deploying phishing campaigns. The presence of SPA JavaScript bundles, dynamic credential UI, and an explicit branding around 'phishing kit' strongly suggests misuse potential and credential harvesting capabilities. Although the domain is secured behind Cloudflare and has a fresh Let's Encrypt certificate, these factors, combined with the UI messaging and observed POST beacon behavior, indicate high risk. Action is warranted to monitor and potentially take down if abuse is confirmed, given the explicit nature of the kit and the potential for credential theft.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence