Starkiller Phishing-as-a-Service Uses Live Proxying to Capture Credentials and MFA Codes
Security researchers reported a new phishing-as-a-service (PhaaS) platform, Starkiller, that defeats many common anti-phishing controls by live-proxying victims to the legitimate login pages of targeted brands while relaying traffic through attacker infrastructure. Instead of serving a static fake page, Starkiller dynamically loads the real site and captures what the user enters—username, password, and multi-factor authentication (MFA) codes—then forwards those inputs to the legitimate service and returns responses to the victim, enabling real-time session takeover.
Reporting based on Abnormal AI’s analysis describes Starkiller as a polished, SaaS-like offering with a dashboard, campaign analytics, and regular updates, lowering the technical barrier for running advanced adversary-in-the-middle phishing. The service supports brand selection (e.g., Microsoft, Google, Apple, Facebook) and uses deceptive link techniques such as placing a trusted-looking domain before an @ in the URL (e.g., login.microsoft.com@...). A browser treats everything before the @ as the URL's userinfo (username) component, so the real destination is the host that follows it; the links are often combined with URL shorteners to increase click-through and evade user scrutiny.
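To make the userinfo trick concrete for defenders, the following added example (not code from the original reporting, from Abnormal AI, or from any vendor) parses candidate links the way a browser does and reports the host that would actually be contacted, flagging links whose userinfo portion is shaped like a brand hostname. The sample links, the attacker.example host and the 203.0.113.10 address are constructed placeholders, not indicators from the page.

```python
import re
from urllib.parse import urlsplit

# Brand names the reporting says Starkiller impersonates; used only as hints.
BRAND_HINTS = ("microsoft", "google", "apple", "facebook")

# Constructed sample links for illustration; none of these hosts come from the reporting.
SAMPLE_LINKS = [
    "https://login.microsoft.com@attacker.example/common/oauth2/authorize",  # userinfo trick
    "https://login.microsoftonline.com/common/oauth2/authorize",             # benign
    "https://accounts.google.com@203.0.113.10/signin",                       # trick + IP literal
    "https://support.example.net/article?ref=user@company.example",          # '@' only in query
]

IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def analyze_link(url):
    """Split a URL per RFC 3986 and describe where it really points.

    Returns a dict with the host a browser would connect to, any userinfo
    that precedes the '@', and a list of human-readable findings.
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    # urlsplit only treats text before the LAST '@' in the authority as userinfo,
    # so an '@' in the path or query (a mailto-style ref) does not trigger this.
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo += ":" + parts.password

    findings = []
    if userinfo:
        findings.append("userinfo present in authority; browser ignores it for routing")
        if "." in userinfo:
            findings.append("userinfo is shaped like a hostname (display decoy)")
        brand_in_userinfo = any(b in userinfo.lower() for b in BRAND_HINTS)
        brand_in_host = any(b in real_host for b in BRAND_HINTS)
        if brand_in_userinfo and not brand_in_host:
            findings.append("brand name appears in userinfo but not in the real host")
    if IPV4_LITERAL.match(real_host):
        findings.append("real host is a bare IPv4 literal")

    return {
        "url": url,
        "real_host": real_host,
        "userinfo": userinfo,
        "findings": findings,
        "suspicious": bool(findings),
    }


def triage(links):
    """Return the analysis records for every link judged suspicious."""
    return [r for r in (analyze_link(u) for u in links) if r["suspicious"]]


if __name__ == "__main__":
    for record in (analyze_link(u) for u in SAMPLE_LINKS):
        verdict = "SUSPICIOUS" if record["suspicious"] else "ok"
        print(f"{verdict:10} real_host={record['real_host']!r:28} userinfo={record['userinfo']!r}")
        for f in record["findings"]:
            print(f"           - {f}")
```

The check deliberately relies on the standard library's URL splitting rather than on string searches for "@", because the same character is legitimate inside a query string or fragment; only an "@" inside the authority component changes which host is contacted. In a mail gateway or link-rewriting proxy this logic would run on the final URL after any shortener redirects have been resolved.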

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Additional reporting expands Starkiller's described capabilities
Later reporting said Starkiller also targets platforms including Apple and Facebook and may include modules for financial fraud, such as theft of credit card data and cryptocurrency wallet recovery phrases. This expanded the public understanding of the framework beyond basic credential harvesting and session hijacking.
Starkiller is publicly attributed to the Jinkusu operation
Subsequent coverage attributed Starkiller to a threat group or operation calling itself Jinkusu, which was described as selling the service and related add-on capabilities through a criminal ecosystem. Reports said the offering included features such as session monitoring, credential alerts, and harvesting of additional contact or account data from compromised sessions.
Researchers report Starkiller can bypass MFA via reverse-proxy session theft
Public reporting described Starkiller as a phishing-as-a-service platform that uses an adversary-in-the-middle reverse proxy to capture credentials, MFA inputs, and session tokens in real time, enabling account takeover even when MFA is completed successfully. The reporting also noted operational features such as containerized browser sessions, deceptive URL masking, and real-time monitoring of victim sessions.
Abnormal AI publishes research on the Starkiller phishing framework
Abnormal AI disclosed Starkiller as a phishing framework that proxies real login pages through attacker-controlled infrastructure, centralizes campaign operations in a control panel, and supports impersonation of major brands such as Microsoft and Google. The research highlighted how the framework lowers the barrier to running large-scale credential and session theft campaigns.
Sources
5 references tracked.
New Phishing Framework Starkiller Proxies Real Login Pages to Bypass MFA - Cyber Security News (cybersecuritynews.com)
Novel Starkiller phishing kit harnesses legitimate login sites | SC Media (scworld.com)
‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA - Krebs on Security (krebsonsecurity.com)
Best-in-Class 'Starkiller' Phishing Kit Bypasses MFA (darkreading.com)
Starkiller Phishing Framework Proxies Real Login Pages… | Abnormal AI (abnormal.ai)