Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.
It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.
“It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.
“Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.”
This login page proxying technique obviates the need for attackers to update their phishing page templates periodically as the real pages they’re impersonating get updated.
Put differently, the container acts as an adversary-in-the-middle (AitM) reverse proxy, forwarding the end user’s inputs entered on the spoofed live page to the legitimate site and returning the site’s responses. Under the hood, every keystroke, form submission, and session token is routed through attacker-controlled infrastructure and is captured for account takeover.
“The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel,” Abnormal said. “Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”
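Because the proxied page is the real site, detection has to come from what the legitimate service sees at sign-in. The sketch below is an added example, not code from Abnormal or from the kit. It runs over constructed identity-provider events and flags MFA logins from a source the user has never used and session cookies presented by a client other than the one they were issued to. The event names, field names, and baseline are assumptions.

```python
# Constructed identity-provider events; field and event names are assumptions.
EVENTS = [
    {"ts": 1, "user": "alice", "event": "login_mfa_ok", "session": "s-100",
     "ip": "198.51.100.7", "ua": "Chrome/121 Windows"},
    {"ts": 2, "user": "alice", "event": "session_use", "session": "s-100",
     "ip": "198.51.100.7", "ua": "Chrome/121 Windows"},
    {"ts": 3, "user": "bob", "event": "login_mfa_ok", "session": "s-200",
     "ip": "192.0.2.55", "ua": "Chrome/121 Linux"},
    {"ts": 4, "user": "bob", "event": "session_use", "session": "s-200",
     "ip": "192.0.2.99", "ua": "Firefox/122 Windows"},
    {"ts": 5, "user": "bob", "event": "session_use", "session": "s-200",
     "ip": "192.0.2.99", "ua": "Firefox/122 Windows"},
]
# Constructed baseline of source IPs each user has authenticated from before.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"203.0.113.20"}}


def find_aitm_indicators(events, known_ips):
    """Return (session, reason) pairs in time order, one per reason per session."""
    issued = {}    # session id -> (ip, ua) of the client that completed MFA
    findings = []

    def flag(session, reason):
        if (session, reason) not in findings:
            findings.append((session, reason))

    for e in sorted(events, key=lambda ev: ev["ts"]):
        client = (e["ip"], e["ua"])
        if e["event"] == "login_mfa_ok":
            issued[e["session"]] = client
            # MFA succeeded, but from a network location new for this user:
            # behind a reverse proxy the site sees the proxy, not the user.
            if e["ip"] not in known_ips.get(e["user"], set()):
                flag(e["session"], "mfa_login_from_unseen_ip")
        elif e["event"] == "session_use":
            origin = issued.get(e["session"])
            if origin is None:
                flag(e["session"], "session_without_login")
            elif client != origin:
                # Cookie presented by a client other than the one it was issued to.
                flag(e["session"], "session_replayed_from_new_client")
    return findings


if __name__ == "__main__":
    for session, reason in find_aitm_indicators(EVENTS, KNOWN_IPS):
        print(session, reason)
```

Both signals also fire for roaming or multi-device users, so they are triage inputs to correlate with other sign-in context rather than verdicts.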
The development comes as Datadog revealed that the 1Phish kit had evolved from a basic credential harvester in September 2025 into a multi-stage phishing kit targeting 1Password users.
The updated version of the kit incorporates a pre-phishing fingerprint and validation layer, support for capturing one-time passcodes (OTPs) and recovery codes, and browser fingerprinting logic to filter out bots.
“This progression reflects deliberate iteration rather than simple template reuse,” security researcher Martin McCloskey said. “Each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting.”
The findings show that turnkey solutions like Starkiller and 1Phish are increasingly turning phishing into SaaS-style workflows, further lowering the skill barrier necessary to pull off such attacks at scale.
They also coincide with a sophisticated phishing campaign targeting North American businesses and…
