ctipilot.ch

Netcraft

campaign · campaign:bluekit-phaas-browser-in-the-middle

Netcraft: Bluekit PhaaS uses Browser-in-the-Middle (rrweb DOM streaming) to defeat FIDO2 and DBSC

Coverage timeline: 2 entries, first 2026-06-28 → last 2026-06-29
Entries: 2 (2 distinct days)
Sources cited: 8 hosts
Sections touched: 2 (research, weekly-research)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-29 (weekly-research): Research: the trust chain, not the perimeter, was the week's attack surface
  2. 2026-06-28 (research): Netcraft: Bluekit PhaaS uses Browser-in-the-Middle to defeat FIDO2 and Device Bound Session Credentials

Where this entity is cited

  • research: 1
  • weekly-research: 1

Source distribution

  • blog.talosintelligence.com: 1 (12%)
  • island.io: 1 (12%)
  • netcraft.com: 1 (12%)
  • novee.security: 1 (12%)
  • socket.dev: 1 (12%)
  • tenable.com: 1 (12%)
  • unit42.paloaltonetworks.com: 1 (12%)
  • varonis.com: 1 (12%)

Related entities

Entries about Netcraft (2)

2026-06-29

Research: the trust chain, not the perimeter, was the week's attack surface

high · research · discovered 2026-06-29 00:21 UTC

The week's research converges on one structural shift: the productive attack surface in 2026 is the set of trust relationships connecting developer tools, CI/CD pipelines, SaaS integrations, AI coding agents and the browser — not the network perimeter. Tenable's analysis of the Miasma worm frames it as a "Developer Credential Economy": an infostealer harvests a developer credential (a Red Hat GitHub token sat in infostealer logs ~7 weeks before weaponisation), it is brokered underground, then weaponised through npm and — the novel capability — injected into the SessionStart hooks of AI coding tools so it runs when a developer opens a repo (Socket enumerates at least five affected tools — Claude Code, GitHub Copilot, Gemini CLI, Cursor, VS Code). The entire kill chain carries no CVE, and SLSA provenance attestations passed registry checks — provenance without content scanning is no defence (Socket).

The same trust-boundary theme runs through the week's other primary research: the Klue/Icarus cascade (a 2022 OAuth grant, § 2); Cordyceps, which found 300+ exploitable pull_request_target GitHub Actions misconfigurations leaking main-branch secrets (Novee Security); Unit 42's malicious-skill payloads bypassing the OpenClaw agent sandbox (Unit 42); and Island's "BadBlocker", an 11M-install Chrome ad-blocker one server-side config change away from arbitrary JavaScript on any site, with no extension update or store review (Island). On the identity plane, Netcraft documented Bluekit, a Browser-in-the-Middle phishing-as-a-service platform that authenticates the victim into the attacker's browser session, defeating Device Bound Session Credentials (Netcraft) — a reminder that session-binding controls like DBSC do not stop a browser-in-the-middle relaying the live authenticated session. Cisco Talos's field guide to Windows COM abuse (ITaskService, BITS, WMI, DCOM as EDR-evasion primitives) closes the loop on detection: indirect vtable calls hide activity behind legitimate service call stacks. The defender takeaway is uniform — audit OAuth grants and integration service accounts older than 12 months, restrict AI-agent hook configuration to read-only paths, treat CI/CD token scope as a reviewed principal, and don't assume FIDO2 closes the phishing path.

Tags: supply-chain, identity, ai-abuse, cloud, global, europe

2026-06-28

Netcraft: Bluekit PhaaS uses Browser-in-the-Middle to defeat FIDO2 and Device Bound Session Credentials

notable · research · discovered 2026-06-28 05:05 UTC

Netcraft published a technical breakdown (2026-06-25) of Bluekit, a phishing-as-a-service platform first documented by Varonis Threat Labs (2026-04-29) and now seen by Netcraft at scale (~70 active hostnames in a single week) (Netcraft, 2026-06-25; Varonis, 2026-04-29). Bluekit's distinguishing technique is Browser-in-the-Middle (BitM): instead of proxying the victim's HTTP traffic the way Evilginx/AiTM kits do (which leaves session-fingerprint mismatches), it runs a real automated browser on attacker infrastructure and streams its live DOM to the victim over WebSocket using the open-source rrweb DOM-serialisation library. The victim's keystrokes and clicks are relayed into the attacker's browser and executed against the genuine site, so the session is created in and owned by the attacker from the start — which is why Device Bound Session Credentials (DBSC, which bind tokens to the legitimate device's keys) provide no protection, and why FIDO2/WebAuthn is bypassed (the attacker's browser completes the relying-party challenge on the victim's behalf). Anti-analysis: per-load randomised CSS filter values to defeat screenshot pixel-hashing, >1 MB rotating obfuscated JS bundles, brand-impersonating CAPTCHA, and WebRTC IP-mismatch checks to spot analyst proxies. Detection concepts: rrweb presence outside legitimate analytics; WebSocket streams of binary/encrypted DOM diffs to unexpected origins; sub-second form-submission round-trip latency characteristic of BitM relay; randomised CSS filter rules on top-level HTML. Relevant because Microsoft 365 / Entra ID tenants — including Swiss and EU public-sector ones — are named targets, and BitM degrades the "phishing-resistant MFA solves this" assumption.

“The victim completes what appears to be a normal login flow but in reality, they have authenticated into the attacker's browser session on the attacker's browser.” — Netcraft

“Device Bound Session Credentials (DBSC) cannot protect against BitM attacks” — Netcraft

Tags: phishing, identity, cloud, ai-abuse, global, europe
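The detection concepts in the entry above (rrweb outside legitimate analytics, WebSocket streams to unexpected origins, randomised CSS filter rules on the top-level HTML, unusually fast form round-trips) can be turned into a scoring heuristic that a sandbox or URL-scanning pipeline runs over a fetched page. The following is an added example written for this page, not Netcraft's or Varonis's code: the regexes, the weights, the 400 ms latency threshold, the analytics allowlist and the two sample pages (hostnames under `.test`) are all constructed assumptions, and the latency value is something the caller measures rather than something the script derives from HTML.

```python
"""Offline heuristics for the BitM indicators listed above. Thresholds,
allowlist and sample pages are constructed for this example; they are not
Netcraft's detection logic."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
RRWEB_FILE = re.compile(r"rrweb(?:-snapshot|-record)?(?:\.min)?\.js", re.I)
RRWEB_INLINE = re.compile(r"\brrweb\.record\s*\(")
WS_URL = re.compile(r"wss?://([A-Za-z0-9.-]+)")
# html{...} or body{...} carrying a filter with a high-precision fractional
# value such as hue-rotate(0.37195deg): per-load randomised values of this
# kind defeat screenshot pixel-hashing (pattern is an assumption).
TOP_LEVEL_FILTER = re.compile(
    r"(?<![\w.#-])(?:html|body)\s*\{[^}]*filter\s*:[^;}]*\d+\.\d{3,}", re.I)

FAST_RTT_MS = 400       # assumed cut-off for a "relay-fast" form round-trip
SUSPICIOUS_SCORE = 4    # assumed decision boundary


@dataclass
class PageSample:
    url: str
    html: str
    form_rtt_ms: float  # submit-to-response latency measured by the sandbox


@dataclass
class Verdict:
    score: int
    reasons: list


def rrweb_hosts(sample):
    """Hosts serving rrweb to the page; relative or inline use counts as page origin."""
    page_host = urlparse(sample.url).hostname
    hosts = set()
    for src in SCRIPT_SRC.findall(sample.html):
        if RRWEB_FILE.search(src):
            hosts.add(urlparse(src).hostname or page_host)
    if RRWEB_INLINE.search(sample.html):
        hosts.add(page_host)
    return hosts


def websocket_hosts(sample):
    """Every WebSocket endpoint host referenced anywhere in the page source."""
    return set(WS_URL.findall(sample.html))


def analyse(sample, analytics_allowlist=frozenset()):
    page_host = urlparse(sample.url).hostname
    score, reasons = 0, []
    foreign = rrweb_hosts(sample) - set(analytics_allowlist)
    if foreign:
        score += 2
        reasons.append(f"rrweb loaded outside allowlisted analytics: {sorted(foreign)}")
    odd_ws = {h for h in websocket_hosts(sample) if h != page_host}
    if odd_ws:
        score += 2
        reasons.append(f"WebSocket to non-page origin: {sorted(odd_ws)}")
    if TOP_LEVEL_FILTER.search(sample.html):
        score += 2
        reasons.append("randomised CSS filter on html/body")
    if sample.form_rtt_ms < FAST_RTT_MS:
        score += 1
        reasons.append(f"form round-trip {sample.form_rtt_ms:.0f} ms below {FAST_RTT_MS} ms")
    return Verdict(score, reasons)


def is_suspicious(sample, analytics_allowlist=frozenset()):
    return analyse(sample, analytics_allowlist).score >= SUSPICIOUS_SCORE


# Constructed samples: one page showing every indicator, one ordinary login page
# whose rrweb comes from an allowlisted session-replay vendor.
ANALYTICS_ALLOWLIST = frozenset({"cdn.example-analytics.test"})

SUSPECT = PageSample(
    url="https://login.constructed-bad.test/oauth2/authorize",
    html="""<html><head>
<style>html{filter:hue-rotate(0.37195deg) saturate(1.00042)}</style>
<script src="/static/bundle.8f3a.js"></script>
<script src="https://stream.constructed-bad.test/rrweb.min.js"></script>
<script>const ws = new WebSocket("wss://stream.constructed-bad.test/s/7f2c");
ws.binaryType = "arraybuffer";</script>
</head><body><form id="login"></form></body></html>""",
    form_rtt_ms=180,
)

BENIGN = PageSample(
    url="https://login.example.test/",
    html="""<html><head>
<link rel="stylesheet" href="/css/app.css">
<script src="https://cdn.example-analytics.test/rrweb.min.js"></script>
<script>const ws = new WebSocket("wss://login.example.test/notify");</script>
</head><body><form id="login"></form></body></html>""",
    form_rtt_ms=1400,
)

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        v = analyse(sample, ANALYTICS_ALLOWLIST)
        print(name, v.score, "suspicious" if v.score >= SUSPICIOUS_SCORE else "clean", v.reasons)
```

The allowlist is what keeps the rrweb indicator useful: rrweb is a legitimate session-replay library, so the signal is not its presence but its presence from a host that the organisation has not approved for analytics. The WebSocket check compares endpoint hosts to the page origin rather than blocking WebSockets outright, since the BitM tell is a DOM stream flowing to infrastructure the page's own origin does not explain.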