Starkiller is an adversary-in-the-middle phishing-as-a-service platform associated with a group referred to as Jinkusu. It is used to impersonate major consumer and enterprise brands, including large technology companies, financial institutions, payment providers, and streaming services, in order to capture credentials and authenticated sessions at scale. Rather than relying on static phishing templates, Starkiller proxies legitimate login pages in real time, allowing operators to present victims with convincing brand-faithful authentication flows while relaying traffic through attacker-controlled infrastructure. Because the victim authenticates against the real service through the proxy, Starkiller can capture credentials, one-time passcodes, session cookies, and authentication tokens, enabling account takeover and effective bypass of many common MFA implementations such as SMS, OTP, and push-based approval flows. This places it in the broader category of AiTM tooling designed to defeat traditional phishing-page detection and blocklisting approaches. Its use of deceptive lookalike URLs and proxy-based delivery reduces defenders’ ability to rely on template matching or simple URL takedowns, since the phishing component can be rapidly replaced while the underlying credential-harvesting workflow persists. Starkiller has been described as a newer, commoditized subscription-based service with an operator dashboard, reflecting the continued industrialization of phishing operations. It exemplifies the shift from isolated phishing pages to resilient phishing infrastructure that supports rapid deployment, brand impersonation, session theft, and scalable campaign management. Alias: starkiller.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operators use a phishing kit that proxies legitimate websites, generates deceptive lookalike URLs, and captures one-time codes or authentication tokens to bypass MFA and gain authenticated account access.
AiTM-as-a-service platform with a subscription dashboard used to commoditize session-stealing phishing operations.
AiTM-as-a-service platform with a subscription dashboard.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.