Mallory
phishing-campaign-intelligence, cybercrime-service-ecosystem, credential-access-method, identity-authentication-vulnerability

Starkiller Phishing-as-a-Service Uses Live Proxying to Capture Credentials and MFA Codes

Updated 2d ago · First seen Feb 20, 2026 · 5 sources

Security researchers reported a new phishing-as-a-service (PhaaS) platform, Starkiller, that defeats many common anti-phishing controls by live-proxying victims to the legitimate login pages of targeted brands while relaying all traffic through attacker infrastructure. Instead of serving a static fake page, Starkiller dynamically loads the real site and captures what the user enters (username, password, and multi-factor authentication (MFA) codes), forwards those inputs to the legitimate service, and returns its responses to the victim. Because the legitimate service completes the login with the proxy rather than with the victim's browser, the session token it issues lands with the attacker, enabling real-time account takeover even when MFA succeeds.
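To make the relay concrete, the following added example (not Starkiller's code, and not from Abnormal AI or Mallory) simulates a live proxy against two login methods. The origins, account, TOTP seed and credential key are constructed, and an HMAC stands in for the authenticator's asymmetric signature to keep the demo dependency-free. Password plus TOTP is relayed unchanged and the proxy ends up holding a valid session; a WebAuthn-style assertion is rejected because the browser, not the page, writes the origin it is actually connected to into the signed client data, which is the property that makes origin-bound authenticators resistant to this class of attack.

```python
"""Live-proxy (AitM) relay of a login, simulated against two credential types.
Added example, not Starkiller's code: origins, account and secrets are constructed,
and HMAC stands in for the authenticator's asymmetric signature (simplification)."""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"                # constructed: real service
PROXY_ORIGIN = "https://login.example.com.attacker.test"  # constructed: AitM host


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: a one-time code the proxy simply forwards."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LegitService:
    """Toy identity provider with password+TOTP and a WebAuthn-style login."""

    def __init__(self, user, password, totp_secret, cred_key):
        self.user, self.password = user, password
        self.totp_secret, self.cred_key = totp_secret, cred_key
        self.sessions, self.challenges = set(), set()

    def _new_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token  # the session token an AitM proxy is after

    def login_password_totp(self, user, password, code, now):
        ok = (user == self.user and password == self.password
              and hmac.compare_digest(code, totp(self.totp_secret, now)))
        return self._new_session() if ok else None

    def webauthn_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, assertion):
        """Relying-party checks: fresh challenge, then origin, then signature.
        A relayed assertion carries the proxy's origin and fails the second check."""
        client_data = json.loads(assertion["client_data_json"])
        if client_data.get("challenge") not in self.challenges:
            return None
        if client_data.get("origin") != LEGIT_ORIGIN:
            return None
        expected = hmac.new(self.cred_key, assertion["client_data_json"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        self.challenges.discard(client_data["challenge"])
        return self._new_session()


class VictimBrowser:
    """Victim's browser plus authenticator. The page cannot pick the origin;
    the browser records the one it is actually connected to."""

    def __init__(self, user, password, totp_secret, cred_key):
        self.user, self.password = user, password
        self.totp_secret, self.cred_key = totp_secret, cred_key

    def submit_password_totp(self, page_origin, now):
        # Nothing in a typed password or OTP is bound to page_origin.
        return {"user": self.user, "password": self.password,
                "code": totp(self.totp_secret, now)}

    def sign_assertion(self, page_origin, challenge):
        client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                       "origin": page_origin}, sort_keys=True)
        signature = hmac.new(self.cred_key, client_data_json.encode(),
                             hashlib.sha256).hexdigest()
        return {"client_data_json": client_data_json, "signature": signature}


def aitm_relay_password_totp(service, victim, now):
    """Proxy renders the real form at PROXY_ORIGIN and forwards what is typed."""
    s = victim.submit_password_totp(PROXY_ORIGIN, now)
    return service.login_password_totp(s["user"], s["password"], s["code"], now)


def aitm_relay_webauthn(service, victim):
    """Proxy starts a real login, relays the challenge, forwards the assertion."""
    challenge = service.webauthn_challenge()
    return service.login_webauthn(victim.sign_assertion(PROXY_ORIGIN, challenge))


def direct_webauthn(service, victim):
    """Same flow with no proxy: the origin matches and login succeeds."""
    challenge = service.webauthn_challenge()
    return service.login_webauthn(victim.sign_assertion(LEGIT_ORIGIN, challenge))


def build_demo():
    args = ("alice", "correct horse battery", b"constructed-totp-seed", b"constructed-cred-key")
    return LegitService(*args), VictimBrowser(*args)
```

Running `service, victim = build_demo()` and then `aitm_relay_password_totp(service, victim, now)` returns a token that is in `service.sessions`, whereas `aitm_relay_webauthn(service, victim)` returns `None` and `direct_webauthn(service, victim)` returns a valid token. The origin check is the whole story: a real relying party performs the same comparison on the `origin` field of WebAuthn's clientDataJSON, and a proxy cannot rewrite that field without breaking the signature over it.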

Reporting based on Abnormal AI's analysis describes Starkiller as a polished, SaaS-like offering with a dashboard, campaign analytics, and regular updates, lowering the technical barrier for running advanced adversary-in-the-middle phishing. The service supports brand selection (e.g., Microsoft, Google, Apple, Facebook) and uses deceptive link techniques such as placing a trusted-looking domain before an @ in the URL (e.g., login.microsoft.com@...). Browsers treat everything before the @ as the URL's userinfo component, so the host that follows it is the actual destination; the trick is often combined with URL shorteners to increase click-through and evade user scrutiny.
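The userinfo trick can be checked mechanically. The following added example (not from Abnormal AI, Mallory, or Starkiller) uses Python's urllib.parse to show which host a browser will actually connect to and flags links whose userinfo is shaped like a domain name, including the variant with a port or password after a colon. The sample links are constructed; resolving any shortener behind the real host would need network access and is out of scope here.

```python
"""Separate the decoy 'trusted domain' in a URL's userinfo from the real host.
Added example with constructed sample links; not code from the page's sources."""
from urllib.parse import urlsplit

# Constructed samples. The first two use the userinfo trick; the last two do not.
SAMPLE_LINKS = [
    "https://login.microsoft.com@redirect.example.test/s/abc123",
    "https://accounts.google.com:443@198.51.100.7/login",
    "https://login.microsoft.com/common/oauth2/authorize",
    "https://user:pass@internal.example.test/api",
]


def real_destination(url: str) -> str:
    """Host the browser will connect to: the part of the authority after the last '@'."""
    return urlsplit(url).hostname or ""


def userinfo_decoy(url: str):
    """Userinfo portion of the link (None if absent). A ':443' or password after the
    first colon is dropped so 'login.microsoft.com:443@' still reads as its decoy."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    return netloc.rpartition("@")[0].partition(":")[0]


def looks_like_hostname(text: str) -> bool:
    """At least two labels of [A-Za-z0-9-]; enough to catch brand.tld lookalikes."""
    labels = text.split(".")
    return len(labels) >= 2 and all(
        label and all(ch.isalnum() or ch == "-" for ch in label) for label in labels
    )


def classify_link(url: str) -> dict:
    """Flag a link whose userinfo is a domain-shaped decoy. The real host may be a
    shortener, an IP address or a proxy; the decoy is the social-engineering payload."""
    decoy = userinfo_decoy(url)
    host = real_destination(url)
    suspicious = decoy is not None and looks_like_hostname(decoy) and decoy != host
    return {"url": url, "real_host": host, "decoy": decoy, "suspicious": suspicious}


def triage(links):
    """Classify a batch of links, e.g. URLs extracted from a mail body."""
    return [classify_link(url) for url in links]
```

`triage(SAMPLE_LINKS)` reports `redirect.example.test` and `198.51.100.7` as the real destinations of the first two links with `login.microsoft.com` and `accounts.google.com` as their decoys, and leaves the genuine Microsoft URL and the ordinary `user:pass@` link unflagged. The same split is what a mail gateway or URL-rewriting proxy should apply before deciding which domain a link "belongs" to.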


EVENT TIMELINE

How this story unfolded

4 events from the most recent confirmed update back to the earliest known activity.

Feb 23, 2026

Additional reporting expands Starkiller's described capabilities

Later reporting said Starkiller also targets platforms including Apple and Facebook and may include modules for financial fraud, such as theft of credit card data and cryptocurrency wallet recovery phrases. This expanded the public understanding of the framework beyond basic credential harvesting and session hijacking.

Feb 20, 2026

Starkiller is publicly attributed to the Jinkusu operation

Subsequent coverage attributed Starkiller to a threat group or operation calling itself Jinkusu, which was described as selling the service and related add-on capabilities through a criminal ecosystem. Reports said the offering included features such as session monitoring, credential alerts, and harvesting of additional contact or account data from compromised sessions.

Researchers report Starkiller can bypass MFA via reverse-proxy session theft

Public reporting described Starkiller as a phishing-as-a-service platform that uses an adversary-in-the-middle reverse proxy to capture credentials, MFA inputs, and session tokens in real time, enabling account takeover even when MFA is completed successfully. The reporting also noted operational features such as containerized browser sessions, deceptive URL masking, and real-time monitoring of victim sessions.

Feb 19, 2026

Abnormal AI publishes research on the Starkiller phishing framework

Abnormal AI disclosed Starkiller as a phishing framework that proxies real login pages through attacker-controlled infrastructure, centralizes campaign operations in a control panel, and supports impersonation of major brands such as Microsoft and Google. The research highlighted how the framework lowers the barrier to running large-scale credential and session theft campaigns.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

11 linked

Threat actors: 1 linked
Malware: 1 linked
Affected products (2 linked): Telegram, Docker
Organizations (7 linked): Meta Platforms, Apple, PayPal, Microsoft Corporation, Google, Cybernews, Abnormal AI