Full Report
Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. It's advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand's real URL. It also lets
Analysis Summary
# Tool/Technique: Starkiller Phishing Suite
## Overview
Starkiller is a sophisticated, advertised cybercrime platform offered as a phishing suite. Its primary purpose is to facilitate credential harvesting and Multi-Factor Authentication (MFA) bypass by operating as an "Adversary-in-the-Middle" (AitM) reverse proxy targeting legitimate login pages. It is marketed on a Cybercrime-as-a-Service (CaaS) model.
## Technical Details
- Type: Attack Tool / Phishing Framework
- Platform: Mechanism suggests web-based execution, leveraging a headless Chrome instance (likely targeting desktop/browser sessions).
- Capabilities: Reverse proxying of live legitimate websites, live MFA token capture, session hijacking, URL obscuring, centralized management dashboard.
- First Seen: Information not explicitly available, but referenced in a March 2026 publication.
## MITRE ATT&CK Mapping
The primary activity maps to the initial stages of credential theft and session takeover:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied, as tailored emails would precede the link delivery)
- T1566.002 - Spearphishing Link
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (Less direct, but the ultimate goal)
- T1555 - Credentials from Password Stores (Indirectly, by gaining access via harvested tokens)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Via URL shorteners)
*Note: The live proxying circumvents many typical host-based detections related to static phishing page templates.*
## Functionality
### Core Capabilities
- **Brand Impersonation:** Customers can select a brand to impersonate or input a real URL of the target organization.
- **URL Obscuration:** Integrates URL shorteners like TinyURL to hide the final destination.
- **Live Proxying:** Loads the brand’s real website within a containerized, headless Chrome instance, acting as a reverse proxy between the victim and the legitimate site.
- **Input Capture:** Captures user inputs (keystrokes, form submission data) and session tokens in real-time.
### Advanced Features
- **MFA Bypass:** By proxying the legitimate site live, it captures session information necessary to complete or bypass MFA challenges.
- **Templateless Phishing:** Because it proxies the live site, the phishing page content is always current, eliminating the need for attackers to periodically update static template files, which are otherwise easy for security vendors to fingerprint and blocklist.
- **Centralized Control Panel:** Provides a dashboard for infrastructure management, phishing page deployment, and session monitoring.
- **Keyword Integration:** Allows selection of common login keywords like "login," "verify," "security," or "account" for better targeting.
## Indicators of Compromise
*Based solely on the description, high-fidelity IoCs are not provided, as this is a dynamic platform infrastructure.*
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: [Domains hosting the custom phishing landing pages, or the C2 infrastructure behind the proxy domain. Custom domains or short URLs would be created per campaign.]
- Behavioral Indicators:
- Execution of a browser process in a headless state (Headless Chrome instance launch).
- Traffic consistently flowing to and from an attacker-controlled domain that immediately passes traffic to a known legitimate site (AitM behavior).
## Associated Threat Actors
- Jinkusu (The threat group advertising and operating the Starkiller cybercrime platform).
## Detection Methods
- Signature-based detection: Ineffective against the framework itself due to dynamic templating and live proxying.
- Behavioral detection: Focus on detecting the initiation and operation of headless browser instances used to establish the reverse proxy session. Monitoring for unusual traffic flows where a user interacts with a domain that immediately mirrors a known legitimate login portal.
- YARA rules: [Not specified]
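The behavioral detection described above can be approximated on the identity-provider side: an AitM proxy completes MFA from its own address and the captured session token is then replayed from wherever the operator imports it, so a session that changes source IP shortly after MFA, or that is driven by a headless-browser user agent, is worth an alert. The following is an added illustration, not code from the report or from any vendor; the log format, field names, and sample events are constructed assumptions.

```python
"""Constructed example: flag AitM-style session hijack in identity-provider logs.

Added illustration, not code from the report. The event format, field names
and sample events below are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event, user, session_id, src_ip, user_agent)
# alice's session is completed by one address and replayed by another (AitM pattern);
# bob's session stays on one address and is used as a benign control.
SAMPLE_EVENTS = [
    ("2026-03-02T09:00:00", "mfa_success", "alice", "sess-1", "203.0.113.10",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/122"),
    ("2026-03-02T09:00:05", "session_use", "alice", "sess-1", "203.0.113.10",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/122"),
    ("2026-03-02T09:03:00", "session_use", "alice", "sess-1", "198.51.100.7",
     "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/122"),
    ("2026-03-02T10:00:00", "mfa_success", "bob", "sess-2", "192.0.2.44",
     "Mozilla/5.0 (Macintosh) Safari/17"),
    ("2026-03-02T10:30:00", "session_use", "bob", "sess-2", "192.0.2.44",
     "Mozilla/5.0 (Macintosh) Safari/17"),
]


def detect_session_anomalies(events, window=timedelta(hours=1)):
    """Return (user, session_id, reason) alerts for AitM-like session behaviour.

    Rules (assumptions chosen for this example):
      * a session token presented from a different source IP than the one that
        completed MFA, within `window` of the MFA event;
      * an MFA completion or session use carrying a HeadlessChrome user agent
        (weak signal on its own; the proxy may rewrite it).
    """
    anchors = {}   # session_id -> (timestamp, ip, user_agent) of the MFA completion
    alerts = []
    for ts_s, kind, user, sess, ip, ua in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if kind == "mfa_success":
            anchors[sess] = (ts, ip, ua)
            if "HeadlessChrome" in ua:
                alerts.append((user, sess, "mfa_completed_by_headless_browser"))
            continue
        if kind != "session_use" or sess not in anchors:
            continue
        anchor_ts, anchor_ip, _ = anchors[sess]
        if ip != anchor_ip and ts - anchor_ts <= window:
            alerts.append((user, sess, f"session_reused_from_new_ip:{anchor_ip}->{ip}"))
        if "HeadlessChrome" in ua:
            alerts.append((user, sess, "headless_browser_user_agent"))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, only alice's session is flagged (IP change within the window, plus the headless user agent); bob's single-address session produces nothing. In production the IP-change rule needs tuning for mobile carriers and VPNs, and the user-agent rule is best treated as corroboration rather than a standalone trigger.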
## Mitigation Strategies
- **MFA Hardening:** Implement phishing-resistant MFA methods (e.g., FIDO2/WebAuthn hardware tokens) that are resilient to AitM proxying, because an AitM proxy can only relay MFA factors that are not bound to the site's origin (such as one-time codes and push approvals).
- **User Training:** Continuous user education on identifying URL anomalies, even when content appears live and legitimate.
- **Endpoint Monitoring:** Monitor for the unauthorized execution of headless browser utilities (like Chrome) initiating network connections that mirror AitM proxy activity.
- **Certificate Pinning/Validation:** Ensure applications (especially internal tools) strictly validate TLS certificates for the expected domain names, which AitM frameworks often cannot fully mimic without setting up certificate infrastructure for every target.
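The reason FIDO2/WebAuthn survives live proxying, as an added worked example rather than code from the report: the browser writes the origin it is actually on into clientDataJSON, the authenticator signs authenticatorData together with a hash of that JSON, and the relying party checks both the origin and the signature. A proxy sitting on its own domain therefore obtains an assertion for the wrong origin, and cannot rewrite it without breaking the signature. The domain names, challenge handling and authenticator data below are constructed, and a keyed HMAC stands in for the authenticator's ECDSA signature (an assumption to keep the example dependency-free).

```python
"""Constructed example: origin binding in WebAuthn assertions versus an AitM proxy.

Added illustration, not code from the report. HMAC-SHA256 is used as a
stand-in for the authenticator's ECDSA signature (assumption); the checked
fields follow the WebAuthn assertion structure.
"""
import base64
import hashlib
import hmac
import json
import os

LEGIT_ORIGIN = "https://login.example.com"          # constructed relying-party origin
PROXY_ORIGIN = "https://login.example-proxy.test"   # constructed AitM proxy origin
AUTHENTICATOR_KEY = b"constructed-authenticator-secret"  # stand-in for the private key

# Constructed authenticatorData: rpIdHash || flags (UP|UV = 0x05) || 32-bit counter
AUTHENTICATOR_DATA = hashlib.sha256(b"login.example.com").digest() + b"\x05" + b"\x00\x00\x00\x01"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def authenticator_sign(page_origin: str, challenge: bytes):
    """What the browser + authenticator produce. The browser, not the page, sets origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    signed = AUTHENTICATOR_DATA + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return client_data, AUTHENTICATOR_DATA, sig


def rp_verify(expected_origin: str, expected_challenge: bytes, client_data: bytes,
              authenticator_data: bytes, sig: bytes):
    """Relying-party checks, in the order a real verifier performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    return True, "ok"


def direct_login():
    """User is on the real site: origin in clientDataJSON matches the RP's expectation."""
    challenge = os.urandom(32)
    return rp_verify(LEGIT_ORIGIN, challenge, *authenticator_sign(LEGIT_ORIGIN, challenge))


def proxied_login():
    """Proxy relays the RP's challenge unchanged, but the browser records the proxy origin."""
    challenge = os.urandom(32)
    return rp_verify(LEGIT_ORIGIN, challenge, *authenticator_sign(PROXY_ORIGIN, challenge))


def tampered_login():
    """Proxy rewrites the origin field before forwarding: the signed hash no longer matches."""
    challenge = os.urandom(32)
    client_data, auth_data, sig = authenticator_sign(PROXY_ORIGIN, challenge)
    cd = json.loads(client_data)
    cd["origin"] = LEGIT_ORIGIN
    forged = json.dumps(cd, separators=(",", ":")).encode()
    return rp_verify(LEGIT_ORIGIN, challenge, forged, auth_data, sig)


if __name__ == "__main__":
    print("direct  :", direct_login())
    print("proxied :", proxied_login())
    print("tampered:", tampered_login())
```

In a real browser the relay fails even earlier: the credential's rpId (`login.example.com`) must be a registrable suffix of the page's origin, so the browser refuses to use it on the proxy domain at all. Contrast this with a one-time code or push approval, which carries no origin and passes through the proxy unchanged.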
## Related Tools/Techniques
- **1Phish Kit:** Another evolving phishing kit mentioned in the context, also displaying SaaS-style workflow evolution, advanced fingerprinting, and session harvesting capabilities.
- **OAuth Device Authorization Flow Phishing:** A conceptually similar MFA bypass technique mentioned against M365, relying on session token theft rather than direct credential harvesting via proxying.
- General Adversary-in-the-Middle (AitM) Phishing Frameworks.