Phase 1: Initial Delivery and Localized Smishing
The campaign begins when the threat actor distributes highly localized, professionally written Japanese-language messages via email or SMS (smishing). These lures typically masquerade as urgent notifications from major service providers, alerting the recipient to a locked account, an unauthorized payment attempt, or a high-value shipping update. Embedded links inside these messages do not lead to static replica pages but instead point to dynamically generated domains that utilize wildcard SSL certificates from Let's Encrypt to mimic legitimate corporate endpoints.
Phase 2: Automated Victim Qualification and Evasion
Before any phishing content is displayed to the visitor, the backend infrastructure performs a series of complex checks to ensure the visitor is a genuine human target and not an automated security scanner, sandbox, or security researcher. The qualification suite includes the following operations:
Geofencing: The system validates the visitor's IP address against geographical databases. If the IP address does not originate from Japan or the specific targeted GCC territories, the backend instantly redirects the request to the legitimate service provider website, successfully hiding the malicious infrastructure from international security researchers.
WebRTC IP Leak Verification: The script checks for mismatches between the browser's HTTP headers and its WebRTC-reported IP address to identify whether the visitor is utilizing a VPN or proxy service.
Hardware Fingerprinting: Bluekit collects device signatures including CPU core counts, available RAM, screen resolution, and headless browser attributes to filter out automated testing frameworks.
Perceptual Hash Manipulation: To defeat automated screenshot-matching scanners used by cybersecurity vendors, Bluekit applies random CSS filters to the rendered page. This includes a 2 percent hue shift and a 1-pixel spatial offset. These tiny, imperceptible adjustments shift the visual cryptographic hash of the page enough to bypass visual detection engines while keeping the page visually identical to the human eye.
Custom Bot Protection: The framework forces the user to complete a simulated CAPTCHA to ensure that only human targets proceed to the credential entry stage.
Phase 3: Real-Time Adversary-in-the-Middle Relay
Once the visitor passes the qualification checks, they are presented with a live, reverse-proxied interface of the legitimate login portal. The user interacts with this page exactly as they would on the official site. When the victim enters their username and password, the reverse-proxy intercepts the keystrokes and relays them to the actual e-commerce authentication servers in real time. If the legitimate site prompts the user for a multi-factor authentication (MFA) challenge, such as a One-Time Password (OTP) sent via SMS or an authenticator app, the proxy relays this prompt to the victim. The victim inputs the code, and the proxy forwards it to the authentic server, completing the authentication flow.
Phase 4: Token Theft and Automated Exfiltration
Upon successful authentication, the legitimate server issues session cookies to confirm the user's identity. Because the connection is routed through the attacker's reverse-proxy, the Bluekit/SnagX backend intercepts and duplicates these session cookies before passing them back to the victim's browser. The victim is then redirected to their actual account page, unaware that a complete compromise has occurred. The stolen credentials and active session tokens are immediately packaged and exfiltrated to the attacker's server, often forwarded instantly to private Telegram channels using integrated bots such as @bluekit_official_bot or @snagx_official_bot.
Phase 5: Automated Takeover and Persistence
For attackers using the premium automation modules, the PhaaS system does not simply collect the credentials; it immediately launches an automated script using the hijacked session cookies. This script logs in, modifies the registered email address and phone number, and changes the account password to a hardcoded platform default such as blueKIT123#!. By the time the legitimate owner attempts to log back in, they are completely locked out, and the account is listed for sale on underground cybercrime forums.
MITRE ATT&CK Mapping of the Threat
Analyzing the behavior of the Bluekit and SnagX frameworks reveals clear alignments with established cyber-adversary tactics and techniques:
T1566.002 (Phishing: Spearphishing Link): Delivering localized e-commerce lures to target victims via SMS and email.
T1090 (Proxy): Establishing a reverse-proxy architecture to sit between the user and the authentic server.
T1539 (Steal Web Session Cookie): Intercepting and duplicating valid session tokens post-authentication.
T1556.006 (Modify Authentication Process): Bypassing multi-factor authentication by harvesting session tokens.
T1071.001 (Application Layer Protocol: Web Protocols): Utilizing HTTP and WebSockets to communicate with command-and-control servers and Telegram APIs.
T1564 (Hide Artifacts): Utilizing obfuscated JavaScript payloads exceeding 1MB and applying perceptual hash evasion techniques to avoid detection.