Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA
Summary:
Starkiller is a commercially sold phishing-as-a-service framework developed by a threat group called Jinkusu, first reported by Abnormal AI in February 2026. Unlike traditional phishing kits that rely on static HTML clones of legitimate login pages, Starkiller takes a fundamentally different approach: it spins up a headless Chrome instance inside a Docker container that loads a brand's real website and proxies it live to the victim. In this adversary-in-the-middle reverse-proxy architecture the victim's browser talks only to the attacker's domain, so every keystroke, form submission and MFA code the victim enters, and every session cookie the legitimate service issues in response, passes through attacker-controlled infrastructure in real time before being relayed to the other side.
The platform includes a polished operator dashboard with real-time session monitoring (including live screen streaming of the victim's session), keylogger capture, cookie and session token theft, geo-tracking, and automated Telegram alerts when credentials arrive. A built-in URL masking tool allows operators to generate deceptive links that visually mimic legitimate domains using the classic @ symbol URL trick, further obscured with URL shorteners.
Starkiller also ships with specialized modules for financial fraud, credit card capture, crypto wallet seed theft, and bank credential harvesting, as well as fake browser update templates for malware delivery. The platform is actively maintained with a community forum, monthly updates, and Telegram-based operator support, and notably protects its own operators with TOTP-based 2FA.
Security Officer Comments:
Starkiller represents a meaningful escalation in the accessibility and effectiveness of phishing infrastructure. Its most significant consequence is the effective neutralization of code-based MFA: because the victim is authenticating against the real service through the proxy in real time, SMS and authenticator-app one-time codes, push approvals and OTP hardware tokens all function exactly as designed, yet the proxy observes the exchange and harvests the authenticated session cookie the service issues afterwards, giving the attacker immediate account takeover without needing the password or a second code again. The exception is FIDO2/WebAuthn authentication (passkeys and hardware security keys): the browser binds the assertion to the origin it is actually on, so a proxy serving the page from a different domain cannot obtain a usable assertion.
The live-proxy architecture also undermines the detection mechanisms most security tools rely on. Static page fingerprinting finds nothing, because there are no template files: what the victim sees is the brand's live site, always current. Domain blocklisting still works once a proxy domain is known, but the operator's domain is typically fresh at delivery time, so reputation lags the campaign. Two things do not change: the victim's browser is connected to the attacker's domain under the attacker's TLS certificate, and the legitimate service sees the session arrive from the headless Chrome instance on the attacker's infrastructure rather than from the victim's device. Both remain observable to defenders and to the service provider.
The platform's low technical barrier means threat actors without deep technical knowledge can launch credential harvesting campaigns at enterprise scale against major brands including Microsoft, Google, Apple, Amazon, PayPal, and various financial institutions.
The built-in email harvesting capability creates a compounding risk: compromised sessions yield contact lists that can fuel follow-on campaigns, enabling lateral expansion across an organization from a single initial compromise.
Suggested Corrections:
Because Starkiller's architecture defeats traditional URL-based and page-content defenses, defenders need to shift focus toward behavioral and identity-aware controls. Phishing-resistant MFA methods, specifically FIDO2/passkeys and hardware security keys, are the most effective technical countermeasure: the authenticator only signs for the origin the browser is on, so a proxy on another domain never receives an assertion it can relay to the real service.
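The origin binding referred to above (and in the comments on MFA neutralization) is what makes FIDO2 resist a live proxy. The following is an added example, not code from the Starkiller report or from Abnormal AI: a minimal model of the browser side and the relying-party side of a WebAuthn assertion. It covers only the phishing-resistant checks (the origin recorded in clientDataJSON and the rpIdHash in authenticatorData); the ECDSA signature verification over authenticatorData and the clientDataJSON hash is left out. The relying-party ID, origins and challenge are constructed assumptions.

```python
# Added example, not Starkiller's or Abnormal AI's code. Models why a
# FIDO2/WebAuthn assertion obtained on a proxy domain is useless to the
# attacker: the browser refuses to scope the request to the real site's rpId,
# and even a forged clientDataJSON fails the relying party's origin check.
# Signature verification is omitted; RP_ID/EXPECTED_ORIGIN are assumptions.
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(challenge: bytes, origin: str) -> str:
    """clientDataJSON as the browser builds it: the page cannot choose the
    origin field, the browser fills in the origin it is actually on."""
    return b64url(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode())


def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData: SHA-256(rpId) || flags (0x05 = UP|UV) || counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes):
    """Simplified navigator.credentials.get(): the browser only allows an rpId
    equal to, or a registrable suffix of, the current origin's host."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # a real browser raises SecurityError; no assertion exists
    return browser_client_data(challenge, origin), authenticator_data(rp_id)


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks that make the ceremony phishing-resistant."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def simulate(victim_origin: str):
    """Run the ceremony with the victim's browser sitting on victim_origin."""
    challenge = secrets.token_bytes(32)
    result = browser_get_assertion(victim_origin, RP_ID, challenge)
    if result is None:
        return False, "browser refused rpId for origin " + victim_origin
    return verify_assertion(result[0], result[1], challenge)


if __name__ == "__main__":
    print("real site  :", simulate("https://login.example.com"))
    print("proxy site :", simulate("https://login-example-com.attacker.test"))
```

Contrast this with a TOTP code: the code is just six digits with no notion of where it was typed, so the proxy relays it unchanged and the real service accepts it.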
Organizations should implement Conditional Access or Zero Trust policies that flag anomalous session behaviors such as token reuse from unexpected geolocations, impossible travel, or new device fingerprints following authentication.
At the email layer, detection should rely on behavioral context and sender anomaly analysis rather than link content alone, since the proxied URLs will not match known-bad indicators at time of delivery.
User training should emphasize URL inspection as a last line of defense: specifically, verifying the host that follows the last @ character in a URL (a browser treats everything before it as user credentials and connects to whatever comes after), and treating shortened URLs in unexpected emails with heightened suspicion.
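The same inspection can be automated at a mail gateway or in a triage script. What follows is an added example, not part of the original page or of any vendor's tooling: it resolves the host a browser would actually connect to, flags userinfo before an @ (especially when it carries a brand name), known shorteners, punycode labels and brand look-alike hosts. The trusted-host, brand-label and shortener lists are constructed assumptions, and the sample links are made up; resolving a shortener's final destination requires following its redirects, which this offline check does not do.

```python
# Added example, not from the Starkiller report. Static inspection of a link
# as a browser would route it. Lists below are assumed, not authoritative.
from urllib.parse import urlsplit

TRUSTED_BRAND_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "www.paypal.com"}
BRAND_LABELS = {"microsoft", "google", "paypal", "apple", "amazon"}
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}


def effective_host(url: str) -> str:
    """The host the browser connects to: userinfo before the last '@' and any
    port are dropped (urlsplit().hostname does both), result lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def inspect_url(url: str) -> dict:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme not in ("http", "https"):
        flags.append("non-web-scheme")
    userinfo = parts.netloc.rpartition("@")[0]   # '' when there is no '@'
    if userinfo:
        # Everything before the last '@' is userinfo; browsers do not route on it.
        flags.append("userinfo-before-@")
        if any(b in userinfo.lower() for b in BRAND_LABELS):
            flags.append("brand-name-in-userinfo")
    if host in KNOWN_SHORTENERS:
        flags.append("url-shortener")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    if host not in TRUSTED_BRAND_HOSTS and any(b in host for b in BRAND_LABELS):
        flags.append("brand-lookalike-host")
    return {"host": host, "trusted": host in TRUSTED_BRAND_HOSTS, "flags": flags}


if __name__ == "__main__":
    # Constructed sample links, not real campaign indicators.
    for link in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com@bit.ly/3xYz",
        "https://login-microsoftonline.com.secure-verify.example/",
    ):
        print(link, "->", inspect_url(link))
```

The second sample is the @ trick the kit's URL masker produces: the visible prefix is the brand, the connection goes to the shortener.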
Finally, organizations should monitor for signs of session hijacking post-authentication, including rapid privilege escalation, unexpected mailbox rule creation, or OAuth application consent grants, as these are common indicators of a successful Starkiller-style account takeover.
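The session-anomaly policies and the post-authentication indicators described above can be expressed as a small detection over sign-in and audit events. The following is an added example, not code from the page or from any vendor: it records the location of each MFA-satisfied sign-in per session, flags later activity in that session from a different country (the stolen-cookie case), flags impossible travel per user within an hour, and then flags persistence operations such as inbox-rule creation or application consent inside an already-suspicious session. The event records are constructed, and the field and operation names loosely follow Microsoft 365 unified-audit-log conventions as an assumption; a production version would key on ASN or device fingerprint as well as country.

```python
# Added example, not from the Starkiller report. Session-hijack detection over
# constructed sign-in/audit events; field and op names are assumptions.
from datetime import datetime, timedelta

SUSPICIOUS_OPS = {"New-InboxRule", "Set-InboxRule", "Consent to application.", "Add member to role."}
TRAVEL_WINDOW = timedelta(hours=1)

EVENTS = [  # constructed sample, not real telemetry
    {"ts": "2026-02-10T09:00:00Z", "user": "alice@corp.example", "session": "S1",
     "ip": "203.0.113.10", "country": "DE", "op": "UserLoggedIn", "mfa": True},
    {"ts": "2026-02-10T09:01:30Z", "user": "alice@corp.example", "session": "S1",
     "ip": "198.51.100.77", "country": "NG", "op": "MailItemsAccessed"},
    {"ts": "2026-02-10T09:03:00Z", "user": "alice@corp.example", "session": "S1",
     "ip": "198.51.100.77", "country": "NG", "op": "New-InboxRule"},
    {"ts": "2026-02-10T09:05:00Z", "user": "alice@corp.example", "session": "S1",
     "ip": "198.51.100.77", "country": "NG", "op": "Consent to application."},
    {"ts": "2026-02-10T10:00:00Z", "user": "bob@corp.example", "session": "S2",
     "ip": "203.0.113.22", "country": "DE", "op": "UserLoggedIn", "mfa": True},
    {"ts": "2026-02-10T10:20:00Z", "user": "bob@corp.example", "session": "S2",
     "ip": "203.0.113.22", "country": "DE", "op": "MailItemsAccessed"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_hijack(events):
    """Return (rule, user, session, op, ts) tuples in event order."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    issued = {}        # session -> (ip, country) recorded at the sign-in that issued it
    flagged = set()    # sessions already seen from a location other than the sign-in's
    last_seen = {}     # user -> (ts, country) of the user's previous event
    findings = []
    for e in events:
        ts = parse_ts(e["ts"])
        key = (e["user"], e["session"], e["op"], e["ts"])
        if e["op"] == "UserLoggedIn":
            issued[e["session"]] = (e["ip"], e["country"])
        else:
            origin = issued.get(e["session"])
            # Rule 1: the session cookie is being used from somewhere the MFA
            # sign-in did not happen. Fired once per session.
            if origin and e["country"] != origin[1] and e["session"] not in flagged:
                flagged.add(e["session"])
                findings.append(("session-reuse-new-geo",) + key)
        # Rule 2: impossible travel, consecutive events for one user from
        # different countries inside TRAVEL_WINDOW.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible-travel",) + key)
        last_seen[e["user"]] = (ts, e["country"])
        # Rule 3: persistence or privilege actions inside a flagged session.
        if e["op"] in SUSPICIOUS_OPS and e["session"] in flagged:
            findings.append(("post-auth-persistence",) + key)
    return findings


if __name__ == "__main__":
    for f in detect_hijack(EVENTS):
        print(*f)
```

Rule 1 is the one that matters most against a live proxy: the cookie is genuine and MFA-satisfied, so only its use from the wrong place gives the theft away. In the sample, alice's session is flagged on first use from NG and the inbox rule and consent grant that follow are reported as persistence; bob's session stays quiet.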
Link(s):
https://abnormal.ai/blog/starkiller-phishing-kit