Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pages

The Starkiller package offers monthly framework updates and documentation, meaning no technical ability is needed

[Image: close-up of a web browser URL bar showing https. Credit: Getty Images]

Researchers at Abnormal Security have uncovered a new phishing kit that proxies live login pages, bypasses MFA, and includes a full credential-harvesting platform for a monthly fee.

Most phishing kits rely on static HTML clones of login pages. These are inherently fragile: even a minor interface update from the impersonated brand can expose the deception immediately.

However, a new framework called Starkiller – not to be confused with the legitimate BC-Security red team tool of the same name – does things differently.

"Sold openly as a commercial-grade cybercrime platform by a threat group calling itself Jinkusu, Starkiller is distributed like a SaaS product," said Abnormal.

"It launches a headless Chrome instance — a browser that operates without a visible window — inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site."

How Starkiller works

Cyber criminals select a brand to impersonate; for example, Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, and various banks.

Because victims are served the brand's genuine page content through the attacker's infrastructure, the phishing page never goes out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.

Researchers found that Starkiller's control panel gives cyber criminals a polished dashboard for deploying phishing campaigns, and the core workflow requires almost no technical skill.

Docker engine status, image builds, and active containers are managed from the same panel, meaning threat actors don't need to understand reverse proxies or certificate management to launch an attack.

An attacker enters a brand’s real URL, and the platform spins up a Docker container running a headless Chrome instance that loads the real login page.

The container then acts as an adversary-in-the-middle (AiTM) reverse proxy, forwarding the end user's inputs to the legitimate site and returning the site's responses. The victim's browser talks only to the attacker's domain throughout; only the proxy talks to the real site.

"Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way," the researchers said.

Keeping tabs on victims

Notably, the package offers real-time session monitoring, allowing attackers to watch the target interact with the phishing page live.

Along with keylogger capture for every keystroke, it includes cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in.

Because the end user is actually authenticating with the real site through the proxy, any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time.

Capturing the resulting session cookies and tokens gives the attacker authenticated access to the account. MFA is therefore neutralised even though it functioned exactly as designed: the one-time code was genuine, it was simply relayed. The exception is phishing-resistant MFA. A FIDO2/WebAuthn security key or passkey signs over the origin the browser is actually on, so an assertion produced on the proxy's domain is rejected by the real site.
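How a live reverse proxy defeats a one-time code but not an origin-bound credential, as an added example that is not part of the Abnormal report or the Starkiller kit. It simulates the exchange at the message level with the Python standard library only. The site, origins, TOTP code and session handling are all constructed, and the authenticator's signature is an HMAC over a key shared with the site, a labelled stand-in for the ECDSA signature a real security key produces; the origin recorded by the browser, the signature over authenticatorData plus SHA-256(clientDataJSON), and the relying party's origin check follow the WebAuthn assertion flow.

```python
"""Added example, not from the Abnormal report or the Starkiller kit: a message-level
simulation of an AiTM reverse proxy relaying a victim's login to the real site.  Labelled
simplification: the authenticator 'signs' with HMAC-SHA256 over a key shared with the site
instead of an ECDSA key pair.  Origins, TOTP code and session handling are constructed."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example-bank.test"          # hypothetical real site
PHISH_ORIGIN = "https://login.example-bank-secure.test"  # hypothetical proxy domain
VALID_TOTP = "492817"                                    # constructed sample code


class RealSite:
    """Stand-in for the impersonated brand's login service."""

    def __init__(self):
        self.authenticator_key = secrets.token_bytes(32)  # stands in for the registered public key
        self.challenges = set()
        self.sessions = set()

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return {"Set-Cookie": f"session={token}"}

    def login_totp(self, username, password, code):
        # Six digits carry no information about where they were typed.
        return self._issue_session() if code == VALID_TOTP else None

    def new_challenge(self):
        self.challenges.add(challenge := secrets.token_hex(16))
        return challenge

    def login_webauthn(self, client_data_json, auth_data, signature):
        client_data = json.loads(client_data_json)
        # The relying party checks the origin the browser recorded and the challenge it issued.
        if client_data.get("origin") != REAL_ORIGIN or client_data.get("challenge") not in self.challenges:
            return None
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self.authenticator_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        self.challenges.discard(client_data["challenge"])
        return self._issue_session()


class Authenticator:
    """The user's security key.  The browser supplies the origin it is on; the page cannot change it."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, browser_origin, challenge):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        auth_data = b"\x00" * 37  # rpIdHash, flags, counter: not needed for this point
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return client_data_json, auth_data, hmac.new(self.key, signed, hashlib.sha256).digest()


class AitmProxy:
    """Attacker's reverse proxy: forwards what the victim submits and logs what comes back."""

    def __init__(self, real_site):
        self.real = real_site
        self.captured = []

    def relay_totp(self, username, password, code):
        self.captured.append(("creds", f"{username}:{password}:{code}"))
        resp = self.real.login_totp(username, password, code)
        if resp is not None:
            self.captured.append(("cookie", resp["Set-Cookie"]))  # what the attacker replays later
        return resp

    def relay_webauthn(self, client_data_json, auth_data, signature, rewrite_origin=False):
        if rewrite_origin:
            # Hiding the phishing origin alters clientDataJSON, so its hash and the signature no longer match.
            data = json.loads(client_data_json)
            data["origin"] = REAL_ORIGIN
            client_data_json = json.dumps(data, sort_keys=True).encode()
        return self.real.login_webauthn(client_data_json, auth_data, signature)


def totp_through_proxy():
    """True if the attacker ends up holding a session cookie the real site accepts."""
    real = RealSite()
    proxy = AitmProxy(real)
    proxy.relay_totp("alice", "correct horse", VALID_TOTP)
    cookies = [value for kind, value in proxy.captured if kind == "cookie"]
    return bool(cookies) and cookies[0].split("=", 1)[1] in real.sessions


def webauthn_through_proxy(rewrite_origin=False):
    """True if an assertion made on the proxy's domain is accepted by the real site."""
    real = RealSite()
    proxy = AitmProxy(real)
    key = Authenticator(real.authenticator_key)
    cdj, ad, sig = key.get_assertion(PHISH_ORIGIN, real.new_challenge())  # challenge relayed via the proxy
    return proxy.relay_webauthn(cdj, ad, sig, rewrite_origin) is not None
```

The TOTP path succeeds for the attacker because nothing in a six-digit code says where the user typed it. The WebAuthn path fails twice: as relayed, because the browser recorded the proxy's origin; and with the origin rewritten, because the signature covers the hash of clientDataJSON.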

Jinkusu maintains a community forum where cyber criminals discuss techniques, request features, and troubleshoot deployments.

"The forum shows an active user base sharing operational tips and asking about mobile support, indicating a growing pool of operators using the framework in the wild," the researchers said.

"Operators also receive dedicated support via Telegram, monthly framework updates, and documentation. The level of ongoing development means Starkiller is likely to become increasingly difficult to detect and defend against."

How to avoid falling prey

Traditional detection approaches such as static page analysis, domain blocklisting, and reputation-based URL filtering are largely ineffective here, because Starkiller generates each phishing page dynamically, per session, from the live site rather than from a static template.

Instead, Abnormal said detection needs to shift toward behavioral signals such as anomalous login patterns and session token reuse from unexpected locations.

Identity-aware analysis also needs to improve so that a compromised session is caught even when the phishing page itself looks perfect.
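The behavioural check Abnormal recommends, session token reuse from an unexpected location, as an added example not drawn from the report. It parses a few constructed authentication log lines (the format, user names and documentation-range IPs are invented for this example) and flags a session used from a different country shortly after it was issued, with a weaker flag for a change of source network within the same country.

```python
"""Added example, not from the Abnormal report: flag session tokens that appear from an
unexpected location after login, run over constructed authentication log lines.  The log
format, user names and IPs (RFC 5737 documentation ranges) are invented for the example."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log. alice's session is issued to one network and then used from
# another country eight minutes later; bob stays on one /24; carol changes network in-country.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z user=alice event=login_success session=5f1c9a ip=203.0.113.7 country=GB
2025-03-04T09:12:40Z user=alice event=session_use session=5f1c9a ip=203.0.113.7 country=GB
2025-03-04T09:20:15Z user=alice event=session_use session=5f1c9a ip=198.51.100.23 country=NG
2025-03-04T10:00:00Z user=bob event=login_success session=b77e02 ip=192.0.2.10 country=US
2025-03-04T10:05:00Z user=bob event=session_use session=b77e02 ip=192.0.2.44 country=US
2025-03-04T11:00:00Z user=carol event=login_success session=c3d401 ip=192.0.2.77 country=US
2025-03-04T11:30:00Z user=carol event=session_use session=c3d401 ip=198.51.100.9 country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"session=(?P<session>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+)$"
)


def parse(log_text):
    """Parse lines into dicts, sorted by time; unparseable lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def subnet24(ip):
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def detect_session_reuse(log_text, window=timedelta(hours=1)):
    """Compare each use of a session with the login that issued it and return alerts."""
    issued = {}   # session id -> the login_success record that created it
    alerts = []
    for rec in parse(log_text):
        if rec["event"] == "login_success":
            issued[rec["session"]] = rec
            continue
        login = issued.get(rec["session"])
        if rec["event"] != "session_use" or login is None:
            continue
        age = rec["ts"] - login["ts"]
        if rec["country"] != login["country"] and age <= window:
            severity = "high"    # new country within minutes of login: impossible travel
        elif subnet24(rec["ip"]) != subnet24(login["ip"]):
            severity = "medium"  # same country, different network: correlate, do not act alone
        else:
            continue
        alerts.append({
            "user": rec["user"], "session": rec["session"], "severity": severity,
            "login_ip": login["ip"], "login_country": login["country"],
            "seen_ip": rec["ip"], "seen_country": rec["country"],
            "minutes_after_login": int(age.total_seconds() // 60),
        })
    return alerts
```

On the sample, alice's session is flagged high, carol's medium, and bob's is silent. A production version would key on ASN and device fingerprint as well as country and /24, and would score the login's own source address, since the legitimate site only ever sees the proxy's infrastructure, never the victim's.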


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.