Starkiller
Starkiller is a phishing-as-a-service / adversary-in-the-middle phishing framework advertised by a group calling itself Jinkusu. The reporting consistently describes it as a newer AiTM-as-a-service platform with a subscription-style dashboard and centralized control panel for infrastructure management, phishing page deployment, and session monitoring. It is designed to bypass multi-factor authentication by proxying legitimate login pages in real time, allowing attackers to capture credentials, MFA inputs, session cookies, and session tokens for account takeover.
The framework launches a headless Chrome instance inside a Docker container and loads the real target website while acting as a reverse proxy between the victim and the legitimate service. This architecture keeps phishing pages synchronized with the genuine site, reduces static template artifacts, and makes detection by static page fingerprinting, blocklists, and reputation-based URL filtering more difficult. Reported operator features include selecting brands to impersonate or supplying a real brand URL, customizing lure keywords such as login, verify, security, and account, integrating URL shorteners including TinyURL, URL masking, and real-time monitoring via an Active Targets-style dashboard.
Starkiller has been described as targeting major platforms including Microsoft, Google, Apple, Facebook, PayPal, and Instagram. Delivery is described primarily through phishing emails containing malicious links, including lures resembling authentication prompts or document-sharing alerts. The content also notes email/contact harvesting from compromised sessions for follow-on phishing. Multiple sources characterize Starkiller as lowering the barrier for less skilled attackers by automating reverse-proxy, container, certificate, and hosting complexity.
The provided content also contains a separate, unrelated use of the name Starkiller as the GUI front-end for PowerShell Empire, including a Censys observation of a Starkiller login panel on TCP port 1337. However, the dominant and current usage in the supplied reporting refers to the phishing framework operated by Jinkusu.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Starkiller (operated by a group called Jinkusu) is a newer AiTM-as-a-service with a subscription dashboard, further demonstrating how commoditised the technique now is.
From November 8th to December 11th, Censys captured a Starkiller login panel on port 1337. Starkiller is the front-end for PowerShell Empire, an open-source post-exploitation framework.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
"The primary delivery channel for this threat is deceptive email messages containing malicious links. When a target clicks the link... the attacker’s server then acts as a middleman, forwarding the victim’s keystrokes, passwords, and multi-factor authentication codes directly to the legitimate service."
"a new phishing suite named Starkiller has emerged, designed to circumvent multi-factor authentication (MFA) by proxying legitimate login pages... launching a headless Chrome browser within a Docker container, acting as a reverse proxy between the target and the genuine website."
Stealth (1 technique)
Credential Access (4 techniques)
Microsoft sets a valid session cookie and the attacker quietly keeps a copy of that cookie. The user sees their real mailbox or Teams, while the attacker opens the same session somewhere else.
In an Adversary-in-the-Middle (AiTM) attack, the victim sees the real Microsoft login page, not a fake copy. The attacker runs a proxy that sits between the user and Microsoft, forwarding everything in real time.
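The two excerpts above describe the artifact a defender can actually hunt for: the identity provider mints one session cookie, and it is then used from two places at once. The following is an added detection sketch, not code from Starkiller, Mallory, or any of the cited sources. It assumes a constructed JSON-lines sign-in log with the fields ts, user, session, ip, asn, ua and event (real providers expose equivalents under different names) and flags a session whose cookie is seen from a second client IP shortly after the interactive sign-in, escalating when the ASN and User-Agent also change.

```python
"""
AiTM session-cookie replay detection (added example; not Starkiller or Mallory code).

An AiTM proxy relays the victim's sign-in to the real identity provider and keeps
a copy of the issued session cookie, which the attacker then replays from their
own host. Two signals survive in ordinary sign-in/session telemetry:
  1. the same session identifier is used from a second client IP (often a second
     ASN) within a short window after the interactive sign-in that minted it;
  2. the replaying client usually presents a different User-Agent than the
     victim's browser.
The log format, field names, window and sample events are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (JSON lines). Documentation-range IPs and private-use ASNs.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "session": "S-1", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Chrome/124", "event": "interactive_signin"}
{"ts": "2024-05-01T09:00:05Z", "user": "alice", "session": "S-1", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Chrome/124", "event": "resource_access"}
{"ts": "2024-05-01T09:03:40Z", "user": "alice", "session": "S-1", "ip": "198.51.100.77", "asn": "AS64500", "ua": "Chrome/120", "event": "resource_access"}
{"ts": "2024-05-01T10:15:00Z", "user": "bob", "session": "S-2", "ip": "192.0.2.44", "asn": "AS64501", "ua": "Firefox/125", "event": "interactive_signin"}
{"ts": "2024-05-01T10:20:00Z", "user": "bob", "session": "S-2", "ip": "192.0.2.44", "asn": "AS64501", "ua": "Firefox/125", "event": "resource_access"}
{"ts": "2024-05-01T11:00:00Z", "user": "carol", "session": "S-3", "ip": "203.0.113.55", "asn": "AS64496", "ua": "Safari/17", "event": "interactive_signin"}
{"ts": "2024-05-01T11:30:00Z", "user": "carol", "session": "S-3", "ip": "203.0.113.56", "asn": "AS64496", "ua": "Safari/17", "event": "resource_access"}
"""

# Assumed tuning value: how soon after the sign-in a second client is suspicious.
REPLAY_WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events, window=REPLAY_WINDOW):
    """Return one alert per session whose cookie is used from a second client IP
    within `window` of the interactive sign-in that minted it."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    alerts = []
    for session, evs in by_session.items():
        signin = next((e for e in evs if e["event"] == "interactive_signin"), None)
        if signin is None:
            continue  # no anchor sign-in for this session in the data examined
        for ev in evs:
            # Only events after the sign-in, from a different IP, inside the window.
            if ev["ts"] < signin["ts"] or ev["ip"] == signin["ip"]:
                continue
            if ev["ts"] - signin["ts"] > window:
                continue
            indicators = ["new_ip"]
            if ev["asn"] != signin["asn"]:
                indicators.append("new_asn")
            if ev["ua"] != signin["ua"]:
                indicators.append("new_user_agent")
            alerts.append({
                "session": session,
                "user": ev["user"],
                "signin_ip": signin["ip"],
                "replay_ip": ev["ip"],
                "seconds_after_signin": int((ev["ts"] - signin["ts"]).total_seconds()),
                "indicators": indicators,
                "severity": "high" if len(indicators) == 3 else "medium",
            })
            break  # one alert per session is enough for triage
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_session_replay(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample data only alice's session S-1 fires: the cookie minted at 09:00:00 from 203.0.113.10 is used 220 seconds later from 198.51.100.77 in a different ASN with a different User-Agent, so the alert carries all three indicators and is rated high. carol's IP change inside the same ASN half an hour later stays below the window and is left alone, which is the design choice to tolerate NAT and mobile churn; a relay hosted in the victim's own ASN would only trip the new_ip and new_user_agent indicators, so the window and the ASN weighting are the knobs to tune against real sign-in telemetry.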
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A newer AiTM-as-a-service platform with a subscription dashboard used for phishing and session theft.
Open-source post-exploitation framework interface observed exposed on infrastructure associated with TeamPCP. The content does not describe payload behavior beyond identifying it as the front-end for PowerShell Empire.
Phishing suite that uses a headless Chrome browser in a Docker container to reverse-proxy legitimate login pages (AiTM), keeping phishing pages current while capturing credentials and session data to bypass MFA.
A phishing suite/platform that uses a headless Chrome instance in a Docker container to act as an AiTM reverse proxy for legitimate login pages, enabling real-time credential and session token capture, session hijacking, and MFA bypass via a centralized operator dashboard.