GBHackers

Starkiller Phishing Kit Clones Real Login Pages to Evade MFA Protections


New phishing framework Starkiller is enabling more convincing, scalable credential theft by proxying real login pages and bypassing multi-factor authentication (MFA), significantly raising the bar for defenders.

Traditional phishing kits typically serve static HTML clones of popular login portals, which quickly become outdated when brands update their interfaces, creating telltale visual discrepancies.

Starkiller takes a different route by spinning up a headless Chrome instance inside a Docker container, loading the real website, and then acting as a reverse proxy between the victim and the legitimate service.

This architecture means the target interacts with genuine HTML, CSS, and JavaScript from the real site.

At the same time, all traffic is transparently funneled through attacker-controlled infrastructure. Because Starkiller proxies the site live, there are no static templates for security tools to fingerprint or reliably blocklist, reducing the effectiveness of traditional page-based detection.

Starkiller’s landing page, advertising a 99.7% success rate (Source: Abnormal).

The kit is operated by a group calling itself Jinkusu and is sold as a commercial-grade cybercrime SaaS platform, complete with subscriptions, updates, and support.

Starkiller Phishing Kit

Starkiller’s web panel is designed to make phishing campaigns accessible to low-skill operators, offering a polished dashboard where attackers paste a target brand’s URL and launch a new campaign.

The framework then automatically manages Docker engine status, image builds, and active containers, eliminating the need for operators to understand reverse proxies, TLS certificates, or hosting setup.

The target types their credentials into what is an authentic Microsoft login form, but because the traffic passes through the attacker’s server, every input is captured in transit.

A live Starkiller phishing page rendering the real Microsoft sign-in portal (Source: Abnormal).

Every keystroke, form submission, cookie, and session token is captured as it passes through the proxy, and operators can view real-time session details, including victim location, device, and session state.

Starkiller also supports live session monitoring, keylogging, geo-tracking, automated Telegram alerts for new credentials, and campaign analytics such as visit counts and conversion rates, closely mirroring the telemetry expected from legitimate SaaS platforms.

Its MFA bypass capability is particularly dangerous: because the victim is authenticating against the real site through Starkiller’s proxy, one-time passcodes and authentication tokens are forwarded in real time.

The attacker then harvests the resulting session cookies and tokens, enabling full account access without needing to re-prompt for credentials or MFA.

This adversary-in-the-middle model effectively neutralizes MFA protections even though they continue to operate exactly as designed, placing Starkiller in a growing class of reverse-proxy phishing-as-a-service kits.
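The caveat a defender will want alongside the paragraph above: the proxy model works because the one-time code or push approval is not tied to the site the victim is actually looking at. Authenticators that bind the assertion to the origin (WebAuthn/FIDO2) behave differently, since the browser, not the page, writes the `origin` field into the signed clientDataJSON, so an assertion produced while the victim is on a proxy host carries the proxy's origin and is rejected by the relying party. The following is an added illustration of that relying-party check, not code from the article or from Abnormal's research; the origin `https://login.example`, the challenge value and the proxy origin are constructed, and verification of the authenticator signature over `authenticatorData || SHA-256(clientDataJSON)` is assumed to happen separately.

```python
import base64
import hmac
import json

# The relying party's own web origin (assumed value for this example).
EXPECTED_ORIGIN = "https://login.example"


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as WebAuthn transmits it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def encode_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> str:
    """Build a clientDataJSON blob the way a browser would (used here to construct samples)."""
    return b64url_encode(json.dumps(
        {"type": typ, "challenge": challenge, "origin": origin}
    ).encode("utf-8"))


def check_client_data(client_data_b64: str, expected_challenge: str,
                      expected_origin: str = EXPECTED_ORIGIN):
    """Relying-party checks on clientDataJSON before signature verification.

    Returns (ok, reason). The origin comparison is what defeats a live proxy:
    the browser fills in the origin of the page it is really on, and that
    value is covered by the authenticator's signature, so a proxy cannot
    rewrite it without invalidating the assertion.
    """
    try:
        cd = json.loads(b64url_decode(client_data_b64).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # Constant-time compare of the server-issued challenge echoed back by the browser.
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    return True, "ok"


if __name__ == "__main__":
    challenge = b64url_encode(b"server-issued-random-challenge")  # constructed
    direct = encode_client_data("https://login.example", challenge)
    via_proxy = encode_client_data("https://proxy-host.example", challenge)  # constructed
    print(check_client_data(direct, challenge))      # (True, 'ok')
    print(check_client_data(via_proxy, challenge))   # (False, 'origin mismatch: ...')
```

The challenge and type checks are the usual WebAuthn relying-party steps; the origin check is the one that makes the credential phishing-resistant, which is why the same user, same device and same correct approval still fail when the session is being relayed through a host with a different origin.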

URL masking, delivery, and growing ecosystem

To drive clicks, Starkiller includes a URL masking tool that generates deceptive links mimicking brands like Microsoft, Google, Apple, Amazon, and major banks, often combined with misleading keywords such as “login” or “verify.”

The toolkit supports URL shorteners to further obscure the true destination and can abuse long-standing URL tricks, such as placing the impersonated brand name in the userinfo portion of the address before the @ symbol, where the browser treats it as a username and connects to whatever host follows the @.
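As an added example (not from the article or from Abnormal), the following is a small link-triage check for the masking techniques just described: a brand name in the userinfo portion before the @, a brand name inside a hostname that is not the brand's own domain, lure words such as "login" or "verify", and known shortener hosts. The brand allow-list and shortener list are illustrative and assumed; a real mail gateway or SOC script would maintain its own. All sample URLs are constructed.

```python
from urllib.parse import urlparse

# Registrable domains each brand legitimately uses for sign-in (illustrative, assumed).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "google": {"google.com", "gmail.com"},
    "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com"},
}
LURE_WORDS = {"login", "signin", "verify", "secure", "account"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}  # small illustrative set


def _registrable(host: str) -> str:
    """Last two labels of a hostname (naive; a public-suffix list handles co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _belongs_to(host: str, brand: str) -> bool:
    return _registrable(host) in BRAND_DOMAINS[brand]


def classify_url(url: str) -> list:
    """Return reasons a link looks like a masked phishing URL; empty list means none found."""
    findings = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return ["unparseable-host"]

    # 1. userinfo trick: https://microsoft.com@<real host>/... connects to <real host>.
    userinfo = (p.username or "") + (":" + p.password if p.password else "")
    if userinfo:
        findings.append(f"userinfo-present:{userinfo}")
        for brand in BRAND_DOMAINS:
            if brand in userinfo.lower() and not _belongs_to(host, brand):
                findings.append(f"brand-in-userinfo:{brand}")

    # 2. brand name embedded in a hostname the brand does not own.
    for brand in BRAND_DOMAINS:
        if brand in host and not _belongs_to(host, brand):
            findings.append(f"brand-lookalike-host:{brand}")

    # 3. lure keywords in host or path, only when the host is not a known brand domain.
    words = set(
        (host + " " + p.path).lower()
        .replace("-", " ").replace("/", " ").replace(".", " ").split()
    )
    hits = sorted(LURE_WORDS & words)
    if hits and not any(_belongs_to(host, b) for b in BRAND_DOMAINS):
        findings.append("lure-keywords:" + ",".join(hits))

    # 4. shortener hosts hide the destination until clicked.
    if host in SHORTENERS:
        findings.append(f"shortener:{host}")
    return findings


if __name__ == "__main__":
    samples = [  # constructed
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://microsoft.com@203.0.113.10/login",
        "https://secure-microsoft-verify.example/account",
        "https://bit.ly/3xyzABC",
    ]
    for u in samples:
        print(u, "->", classify_url(u) or "clean")
```

The userinfo check is the one most worth keeping even if the rest is replaced by a commercial filter: legitimate sign-in links essentially never carry credentials in the URL, so any `@` in the authority portion of a link in mail is a strong signal on its own.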

Researchers assess email as the most likely delivery vector, with Starkiller-powered campaigns expected to imitate routine business notifications, such as authentication prompts or document-sharing alerts from widely used cloud providers.

Jinkusu community forum promoting Starkiller v6.2.4 (Source: Abnormal).

The platform reportedly harvests email addresses and contact details from compromised sessions to build follow-on target lists, enabling lateral expansion within organizations through subsequent phishing waves.

Starkiller is backed by an active community ecosystem: Jinkusu maintains a forum where users share techniques, request features, and troubleshoot deployments, and operators receive Telegram-based support, documentation, and monthly framework updates.

The service even protects its own customers with time-based one-time password two-factor authentication on the operator login panel, underscoring its “enterprise” positioning.

Security researchers warn that this combination of live proxying, URL masking, MFA bypass, and continuous development marks a significant escalation in phishing infrastructure and underscores why phishing remains the dominant initial access vector for modern breaches.
