Starkiller Adversary-in-the-Middle Phishing Suite Bypasses MFA via Reverse Proxy
Researchers disclosed Starkiller, a phishing-as-a-service suite advertised by a group calling itself Jinkusu. It uses an adversary-in-the-middle (AiTM) reverse proxy: the victim is relayed to the genuine login page, the proxy forwards every request and response in both directions, and the operator captures the submitted credentials together with the session token issued once MFA succeeds. That token is what enables account takeover. Because the victim completes the real MFA prompt, OTP, push and SMS factors do not stop this attack class; origin-bound authenticators (FIDO2/WebAuthn passkeys) do, since the proxy's domain does not match the relying party the credential was registered for. The tooling reportedly runs a headless Chrome instance inside a Docker container to load the real target site and proxy traffic end to end, which removes the need for static phishing templates and makes fingerprinting and blocklisting harder. It also provides an operator dashboard to select the brands and URLs to impersonate, supports lure keyword customization (for example "login", "verify", "security", "account"), and integrates URL shorteners such as TinyURL to mask destinations.
Separate reporting described a targeted AiTM intrusion attempt that chained multiple redirect hops into an ASP.NET Core reverse proxy in front of the Microsoft 365 login flow. The analyst could not attribute it to any known commercial kit using published AiTM "cheat sheets", which highlights the continuing evolution and diversification of reverse-proxy phishing stacks beyond the commonly documented PHP, Node, Go and Python implementations. Other items in the set cover unrelated malware and threat activity (Android trojans, an Iraq-focused APT campaign, an APT42 PowerShell backdoor, malvertising redirect mechanics, and scam-infrastructure and supply-chain activity) and do not materially add to the Starkiller AiTM disclosure.
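The defensive signal an AiTM proxy leaves behind is a session that passed MFA in the victim's browser and is then presented from the operator's infrastructure. The detector below, written here as an added example rather than code from any of the reports, runs that check over constructed sign-in records. The record schema (`session_id`, `asn`, `ua`, `mfa`, `interactive`), the sample lines and the 30-minute window are assumptions modeled loosely on cloud identity sign-in logs, not any vendor's real export format.

```python
"""Flag likely AiTM session-token replay in sign-in telemetry.

Added illustration: the record schema, the sample lines and the thresholds
are assumptions modeled loosely on cloud identity sign-in logs, not any
vendor's real export format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry). alice completes MFA, then the same
# session id is presented two minutes later from another ASN with a different
# browser; bob's session moves between two addresses in the same ASN with the
# same browser, which is ordinary roaming and must not alert.
SAMPLE_LOG = """
{"ts": "2025-06-01T09:00:05Z", "user": "alice@example.com", "session_id": "S-1", "ip": "203.0.113.10", "asn": 64500, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "mfa": true, "interactive": true}
{"ts": "2025-06-01T09:02:40Z", "user": "alice@example.com", "session_id": "S-1", "ip": "198.51.100.77", "asn": 64510, "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126", "mfa": false, "interactive": false}
{"ts": "2025-06-01T09:30:00Z", "user": "bob@example.com", "session_id": "S-2", "ip": "203.0.113.20", "asn": 64500, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "mfa": true, "interactive": true}
{"ts": "2025-06-01T09:45:00Z", "user": "bob@example.com", "session_id": "S-2", "ip": "203.0.113.21", "asn": 64500, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "mfa": false, "interactive": false}
"""

# How soon after the MFA-satisfied sign-in a reuse from elsewhere is suspicious.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse one JSON record per line and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per session whose MFA-satisfied interactive sign-in is
    followed, within `window`, by non-interactive use of the same session id
    from a different ASN or a different user agent. That is the shape an AiTM
    proxy leaves: the victim passed MFA in their own browser, then the captured
    cookie is presented from the operator's infrastructure."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue  # no MFA-satisfied origin to compare against
        for e in evs:
            if e is origin or e["ts"] <= origin["ts"]:
                continue
            reasons = []
            if e["asn"] != origin["asn"]:
                reasons.append("asn_changed")
            if e["ua"] != origin["ua"]:
                reasons.append("ua_changed")
            if reasons and e["ts"] - origin["ts"] <= window:
                alerts.append({
                    "session_id": sid,
                    "user": e["user"],
                    "origin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "seconds_after_mfa": int((e["ts"] - origin["ts"]).total_seconds()),
                    "reasons": reasons,
                })
                break  # one alert per session is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

In production the ASN comes from an IP-to-ASN lookup on the raw address, and mobile carrier NAT will flip ASNs for legitimate users, so treat an ASN change alone as lower confidence than ASN plus user-agent change, and prefer the identity provider's own session-binding or token-protection controls where they exist; this rule is for catching what those controls miss.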

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
BlueVoyant describes multi-phase phishing targeting U.S. financial sector
BlueVoyant detailed phishing campaigns against U.S. banks and credit unions using spoofed .co.com domains, fake Cloudflare CAPTCHA lures, Base64-encoded redirects, and layered evasion. The activity showed a multi-phase approach designed to hinder scanners and analyst review.
Researchers detail OAuth device-code phishing against Microsoft 365
A report described a Microsoft 365 compromise technique that abuses the OAuth 2.0 device authorization grant flow. Victims are tricked into entering attacker-supplied device codes at microsoft.com/devicelogin, causing OAuth tokens to be issued to the attacker's application.
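Why a victim typing a short code into the real Microsoft sign-in page hands the token to the attacker is easiest to see in the grant itself. The in-memory model below is an added example of the RFC 8628 device authorization flow, not code from the report; the class and function names, the placeholder verification URI and the `now` parameter (passed explicitly so the run is deterministic) are assumptions, and no real token endpoint is contacted.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not code from any of the reports. Class and function
names are assumptions; `now` is passed explicitly so the flow is
deterministic, and no real authorization server is contacted.
"""
import secrets

VERIFICATION_URI = "https://login.example.test/device"  # assumed placeholder


class DeviceAuthServer:
    def __init__(self, code_ttl=900, poll_interval=5):
        self.code_ttl = code_ttl
        self.poll_interval = poll_interval
        self.pending = {}        # device_code -> authorization record
        self.by_user_code = {}   # user_code  -> device_code

    def device_authorization(self, client_id, scope, now):
        """The client (here: the attacker's app) starts the flow and receives
        both codes. Only the short user_code ever reaches the victim."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope,
            "expires_at": now + self.code_ttl,
            "last_poll": None, "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.code_ttl, "interval": self.poll_interval}

    def user_approves(self, user_code, username):
        """What happens at the verification URI: the user types the code and
        authenticates there (MFA included). The server records who approved,
        but nothing ties that approval to the device that requested the code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or device_code not in self.pending:
            return False
        self.pending[device_code]["approved_by"] = username
        return True

    def token(self, device_code, client_id, now):
        """Token endpoint polled by the requesting client, with the RFC 8628
        error responses a poller has to handle."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= rec["expires_at"]:
            self._drop(device_code)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.poll_interval:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        self._drop(device_code)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["approved_by"]}

    def _drop(self, device_code):
        del self.pending[device_code]
        self.by_user_code = {u: d for u, d in self.by_user_code.items() if d != device_code}


def run_lure_scenario():
    """Attacker starts the flow, sends the user_code in a lure and polls until
    the victim approves. Returns the token response the attacker ends up holding."""
    srv = DeviceAuthServer()
    start = srv.device_authorization("attacker-app", "Mail.Read", now=0)
    first_poll = srv.token(start["device_code"], "attacker-app", now=5)
    assert first_poll == {"error": "authorization_pending"}
    # The victim follows the lure, enters the code at the genuine login page
    # and completes MFA there; the attacker's next poll then succeeds.
    srv.user_approves(start["user_code"], "alice@example.com")
    return srv.token(start["device_code"], "attacker-app", now=10)


def run_expiry_scenario():
    """Codes expire after expires_in seconds; a victim who ignores the lure
    leaves the attacker with expired_token, which is why such lures push urgency."""
    srv = DeviceAuthServer(code_ttl=900)
    start = srv.device_authorization("attacker-app", "Mail.Read", now=0)
    return srv.token(start["device_code"], "attacker-app", now=901)


if __name__ == "__main__":
    print(run_lure_scenario())
    print(run_expiry_scenario())
```

The point the model makes concrete is that the victim's password and MFA are presented to the legitimate server, so no credential ever reaches the attacker and credential-theft detections stay quiet; the only artifacts are a sign-in using the device code protocol and a token issued to the attacker's client. Where the identity provider lets you restrict this grant type (Microsoft Entra Conditional Access exposes it under the authentication-flows condition), disable it for users who do not need it, and alert on device-code sign-ins elsewhere.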
Datadog reports 1Phish evolved into multi-stage 1Password framework
Datadog reported that the 1Phish kit had evolved into a multi-stage phishing framework targeting 1Password users. The updated framework added fingerprinting and validation, OTP and recovery-code capture, and bot-filtering capabilities.
Researchers disclose Starkiller AiTM phishing suite
Researchers revealed a phishing suite called Starkiller, marketed by a group calling itself Jinkusu, that uses a reverse-proxy AiTM design to present live login pages and steal credentials and session tokens for MFA bypass. The kit runs headless Chrome in Docker, supports brand impersonation from real URLs, and uses URL shorteners and centralized dashboards to scale phishing operations.
OSINT Team reports attribution remains inconclusive for AiTM kit
The OSINT Team case study found some URL and endpoint similarities to Evilginx, but the backend stack and other indicators did not match any single known kit. The author concluded the tooling was either an undocumented evolution of a known kit or bespoke infrastructure, with insufficient evidence for firm attribution.
Observed AiTM campaign uses fake Defender lure and ASP.NET Core proxy
An analyzed phishing operation used a fake Microsoft Defender 'Quarantine Report' lure, multiple redirect hops, and an ASP.NET Core reverse proxy in front of the Microsoft 365 login flow. The campaign also employed two-layer bot detection: client-side interaction checks followed by server-side fingerprint validation before the proxied login page was served.
Sekoia documents 11 AiTM phishing kits in global analysis
In June 2025, Sekoia published a global analysis of adversary-in-the-middle phishing threats covering 11 documented phishing-as-a-service kits. This report later served as a baseline for comparing newer AiTM campaigns and tooling.