Tags: phishing-campaign-intelligence, credential-access-method, identity-authentication-vulnerability, cybercrime-service-ecosystem

Starkiller Adversary-in-the-Middle Phishing Suite Bypasses MFA via Reverse Proxy

Updated 2d ago · First seen Mar 3, 2026 · 2 sources

Researchers disclosed Starkiller, a phishing-as-a-service suite advertised by a group calling itself Jinkusu that uses an adversary-in-the-middle (AiTM) reverse proxy to bypass multi-factor authentication by relaying victims to live legitimate login pages while capturing credentials and session tokens for account takeover. The tooling reportedly runs a headless Chrome instance inside a Docker container to load the real target site and proxy traffic end-to-end, reducing the need for static phishing templates and making fingerprinting/blocklisting harder; it also provides an operator dashboard to select brands/URLs to impersonate, supports lure keyword customization (e.g., “login,” “verify,” “security,” “account”), and integrates URL shorteners (e.g., TinyURL) to mask destinations.

Separate reporting described a targeted AiTM intrusion attempt that used multiple redirect hops and an ASP.NET Core reverse proxy in front of Microsoft 365 login pages, but the author could not attribute it to any known commercial kit based on published AiTM “cheat sheets,” highlighting ongoing evolution and diversification of reverse-proxy phishing stacks beyond commonly documented PHP/Node/Go/Python implementations. Other items in the set cover unrelated malware and threat activity (Android trojans, an Iraq-focused APT campaign, an APT42 PowerShell backdoor, malvertising redirect mechanics, and scam-infrastructure/supply-chain activity) and do not materially add to the Starkiller AiTM disclosure.
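The defender-side signal that follows from the AiTM design described above: because the victim types the password and completes MFA through the proxy, the authentication events carry the proxy's network, and the captured session token is then used from the operator's own infrastructure. The script below is an added example (not code from the Mallory page, Starkiller, or any of the cited reports); it runs over a constructed, space-separated sign-in/activity log and flags sessions whose post-MFA activity comes from a different ASN than the login that satisfied MFA, within a configurable window. The log format, field names and ASN values are assumptions made for the illustration.

```python
"""Flag AiTM-style session-token replay in constructed sign-in/activity logs.

Added example; the log layout below is invented for illustration:
    <ISO-8601 ts> <user> <session_id> <client_ip> <asn> <kind>
where kind is "mfa_ok" (an interactive login that satisfied MFA) or
"activity" (any later request carrying the same session token).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample: alice's session passes MFA from AS64500 (the proxy in an
# AiTM scenario) and is reused four minutes later from a different ASN.
CONSTRUCTED_LOG = [
    "2026-03-03T09:00:00Z alice sess-A1 203.0.113.10 AS64500 mfa_ok",
    "2026-03-03T09:00:30Z alice sess-A1 203.0.113.10 AS64500 activity",
    "2026-03-03T09:04:10Z alice sess-A1 198.51.100.7 AS64510 activity",
    "2026-03-03T10:00:00Z bob sess-B7 192.0.2.44 AS64520 mfa_ok",
    "2026-03-03T10:30:00Z bob sess-B7 192.0.2.44 AS64520 activity",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    kind: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, user, sid, ip, asn, kind = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, sid, ip, asn, kind)


def find_session_replays(lines: Iterable[str], window: timedelta = timedelta(minutes=60)):
    """Return (user, session_id, login_ip, replay_ip, seconds_after_mfa) tuples.

    A finding is any activity event whose session token was minted by an
    MFA-satisfying login from a different ASN no more than `window` earlier.
    Events are sorted by timestamp so out-of-order ingestion does not matter.
    """
    origin = {}  # session_id -> the mfa_ok Event that created the session
    findings = []
    for ev in sorted(map(parse_line, lines), key=lambda e: e.ts):
        if ev.kind == "mfa_ok":
            origin[ev.session_id] = ev
            continue
        login = origin.get(ev.session_id)
        if login is None:
            continue  # session not seen being created; nothing to compare against
        elapsed = ev.ts - login.ts
        if ev.asn != login.asn and elapsed <= window:
            findings.append((ev.user, ev.session_id, login.ip, ev.ip, int(elapsed.total_seconds())))
    return findings


if __name__ == "__main__":
    for user, sid, login_ip, replay_ip, secs in find_session_replays(CONSTRUCTED_LOG):
        print(f"{user}: session {sid} passed MFA from {login_ip} but was used from {replay_ip} {secs}s later")
```

Comparing ASNs rather than raw IPs keeps ordinary carrier-grade NAT churn from firing the rule; mobile users moving between Wi-Fi and cellular will still trip it, so in practice the finding is a trigger for session revocation plus a re-authentication prompt, not an automatic account lock.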

EVENT TIMELINE

How this story unfolded

7 events from the most recent confirmed update back to the earliest known activity.
Mar 3, 2026 (4mo ago)

BlueVoyant describes multi-phase phishing targeting U.S. financial sector

BlueVoyant detailed phishing campaigns against U.S. banks and credit unions using spoofed .co.com domains, fake Cloudflare CAPTCHA lures, Base64-encoded redirects, and layered evasion. The activity showed a multi-phase approach designed to hinder scanners and analyst review.

Researchers detail OAuth device-code phishing against Microsoft 365

A report described a Microsoft 365 compromise technique that abuses the OAuth 2.0 device authorization grant flow. Victims are tricked into entering attacker-supplied device codes at microsoft.com/devicelogin, causing OAuth tokens to be issued to the attacker's application.

Datadog reports 1Phish evolved into multi-stage 1Password framework

Datadog reported that the 1Phish kit had evolved into a multi-stage phishing framework targeting 1Password users. The updated framework added fingerprinting and validation, OTP and recovery-code capture, and bot-filtering capabilities.

Researchers disclose Starkiller AiTM phishing suite

Researchers revealed a phishing suite called Starkiller, marketed by a group calling itself Jinkusu, that uses a reverse-proxy AiTM design to present live login pages and steal credentials and session tokens for MFA bypass. The kit runs headless Chrome in Docker, supports brand impersonation from real URLs, and uses URL shorteners and centralized dashboards to scale phishing operations.

Mar 2, 2026 (4mo ago)

OSINT Team reports attribution remains inconclusive for AiTM kit

The OSINT Team case study found some URL and endpoint similarities to EvilGinx, but the backend stack and other indicators did not match any single known kit. The author concluded the tooling was either an undocumented evolution of a known kit or bespoke infrastructure, with insufficient evidence for firm attribution.

Observed AiTM campaign uses fake Defender lure and ASP.NET Core proxy

An analyzed phishing operation used a fake Microsoft Defender 'Quarantine Report' lure, multiple redirect hops, and an ASP.NET Core reverse proxy of the Microsoft 365 login flow. The campaign also employed two-layer bot detection with client-side interaction checks and server-side fingerprint validation.

Jun 1, 2025 (1y ago)

Sekoia documents 11 AiTM phishing kits in global analysis

In June 2025, Sekoia published a global analysis of adversary-in-the-middle phishing threats covering 11 documented phishing-as-a-service kits. This report later served as a baseline for comparing newer AiTM campaigns and tooling.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story (15 linked).

Threat actors: 1 linked
Malware: 2 linked
Affected products (2 linked): Docker, 1password
Organizations (10 linked): Microsoft Corporation, TinyURL, Cloudflare, Sekoia, Datadog, 1password, Abnormal AI, BlueVoyant, AbuseIPDB, Omegatech LTD