Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pages
The Starkiller package offers monthly framework updates and documentation, meaning no technical ability is needed
Researchers at Abnormal Security have uncovered a new phishing kit that proxies live login pages, bypasses MFA, and includes a full credential-harvesting platform for a monthly fee.
While most phishing kits rely on static HTML clones of login pages, these are inherently fragile, as even minor interface updates from the impersonated brand can reveal the deception immediately.
However, a new framework called Starkiller – not to be confused with the legitimate BC-Security red team tool of the same name – does things differently.
"Sold openly as a commercial-grade cybercrime platform by a threat group calling itself Jinkusu, Starkiller is distributed like a SaaS product," said Abnormal.
"It launches a headless Chrome instance — a browser that operates without a visible window — inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site."
How Starkiller works
Cyber criminals select a brand to impersonate; for example, Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, and various banks.
Because the recipients are served genuine page content directly through the attacker's infrastructure, the phishing page never goes out of date. Similarly, as Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Researchers found that Starkiller's control panel gives cyber criminals a polished dashboard for deploying phishing campaigns, and the core workflow requires almost no technical skill.
Docker engine status, image builds, and active containers are managed from the same panel, meaning threat actors don't need to understand reverse proxies or certificate management to launch an attack.
An attacker enters a brand’s real URL, and the platform spins up a Docker container running a headless Chrome instance that loads the real login page.
The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site's responses.
"Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way," the researchers said.
Keeping tabs on victims
Notably, the package offers real-time session monitoring, allowing attackers to watch the target interact with the phishing page live.
Along with keylogger capture for every keystroke, it includes cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in.
Because the end user is actually authenticating with the real site through the proxy, any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time.
Capturing the resulting session cookies and tokens gives the attacker authenticated access to the account. This means that MFA protections can effectively be neutralized, despite functioning exactly as designed.
Jinkusu maintains a community forum where cyber criminals discuss techniques, request features, and troubleshoot deployments.
"The forum shows an active user base sharing operational tips and asking about mobile support, indicating a growing pool of operators using the framework in the wild," the researchers said.
"Operators also receive dedicated support via Telegram, monthly framework updates, and documentation. The level of ongoing development means Starkiller is likely to become increasingly difficult to detect and defend against."
How to avoid falling prey
Traditional detection approaches such as static page analysis, domain blocklisting, and reputation-based URL filtering don't work, as Starkiller dynamically generates phishing pages for each session.
Instead, Abnormal said detection needs to shift toward behavioral signals such as anomalous login patterns and session token reuse from unexpected locations.
Elsewhere, identity-aware analysis needs to be improved to catch a compromised session - even when the phishing page itself looks perfect.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Multi-channel phishing attacks: How to manage the riskIn-depth Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businessesNews Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda