Starkiller phishing suite uses AitM reverse proxy to bypass multi-factor authentication

March 3, 2026

Cybersecurity researchers have revealed details of a new phishing suite called Starkiller that bypasses multi-factor authentication (MFA) protections by proxying legitimate login pages.

It is promoted as a cybercrime platform by a threat group calling itself Jinkusu, and customers are given access to a dashboard where they can select brands to impersonate and enter the brands’ real URLs. It also allows users to select custom keywords such as “login,” “verification,” “security,” and “account,” and integrates URL shorteners like TinyURL to obfuscate destination URLs.

“The virus launches a headless Chrome instance (a browser that runs without a window) inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” said Abnormal researchers Callie Baron and Piotr Wojtyla.

“Phishing pages never become stale because recipients are served the real page content directly through the attacker’s infrastructure. And because Starkiller proxies real sites live, there are no template files for security vendors to fingerprint or blocklist.”

Because the real login page is proxied live, attackers no longer need to update their phishing templates every time the impersonated page changes.

In other words, the container acts as an AitM reverse proxy: it forwards the end user’s input on the spoofed live page to the legitimate site and returns the site’s response. Along the way, every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is captured for account takeover.
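The reason an AitM proxy defeats codes and push prompts but not FIDO2/WebAuthn is origin binding: the browser writes the origin of the page that invoked the authenticator into clientDataJSON, and the relying party rejects any assertion whose origin is not its own. The following is an added illustration, not code from the article or from Abnormal’s report; it simulates the relying-party checks with a constructed RP ID (login.example.test), a constructed proxy origin, and an HMAC stand-in for the authenticator’s asymmetric key, which does not change the logic being shown.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party: the legitimate login site a kit would proxy.
RP_ID = "login.example.test"
EXPECTED_ORIGIN = "https://login.example.test"

# Constructed stand-in for the authenticator's credential key. A real authenticator
# holds an asymmetric key (e.g. ES256); HMAC keeps this example dependency-free.
_CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_sign(client_data_json: bytes, rp_id: str) -> tuple[bytes, bytes]:
    """What the authenticator does: build authenticatorData (rpIdHash || flags || counter)
    and sign authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(_CREDENTIAL_KEY, signed, hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, challenge: str) -> dict:
    """What the browser does: it records the origin of the page that called
    navigator.credentials.get() in clientDataJSON. A proxied page is served from the
    attacker's origin, so that is what lands here, however genuine the page looks."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, signature = authenticator_sign(client_data, RP_ID)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn verification procedure that defeat a relay."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(_CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def login_through(page_origin: str) -> tuple[bool, str]:
    """One authentication ceremony as seen by the RP. With a reverse proxy in the path
    the RP's challenge reaches the victim unchanged and the assertion is relayed back
    unchanged; the only difference is the origin the browser recorded."""
    challenge = secrets.token_urlsafe(16)
    assertion = browser_get_assertion(page_origin, challenge)
    return rp_verify(assertion, challenge)


def otp_login_through(page_origin: str, code_typed: str, code_expected: str) -> bool:
    """Contrast: a one-time code carries no origin, so a relayed code verifies exactly as a
    code typed on the real site would. page_origin is deliberately unused."""
    return hmac.compare_digest(code_typed, code_expected)


if __name__ == "__main__":
    print("direct login:", login_through(EXPECTED_ORIGIN))
    print("proxied login:", login_through("https://login.example.test.proxy.invalid"))
    print("OTP relayed through proxy:",
          otp_login_through("https://login.example.test.proxy.invalid", "482913", "482913"))
```

In a real browser the relay fails even earlier: navigator.credentials.get() refuses to contact the authenticator when the requested RP ID is not a registrable suffix of the page’s origin. The OTP function is there to make the contrast explicit: nothing in a six-digit code ties it to the site it was typed into, which is exactly the gap Starkiller exploits.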

“This platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within one control panel,” Abnormal said. “Combined with URL masking, session hijacking, and MFA bypass, this allows low-skilled cybercriminals to access attack capabilities that were previously beyond their reach.”

The development comes after Datadog revealed that the 1Phish kit evolved from a basic credential harvester to a multi-stage phishing kit targeting 1Password users in September 2025.

The updated version of the kit includes a pre-phishing fingerprinting and verification layer, support for one-time passcode (OTP) and recovery code capture, and browser fingerprinting logic to filter out bots.

“This progression reflects deliberate repetition rather than simple template reuse,” said security researcher Martin McCloskey. “Each version builds on the previous one and introduces controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication collection.”

These findings show that turnkey solutions like Starkiller and 1Phish are increasingly turning phishing into a SaaS-style workflow, further lowering the skill barrier required to execute such attacks at scale.

It is also consistent with a sophisticated phishing campaign targeting businesses and professionals in North America by exploiting the OAuth 2.0 device authorization grant flow to bypass multi-factor authentication (MFA) and compromise Microsoft 365 accounts.

To accomplish this, the attacker registers a Microsoft OAuth application and generates a unique device code, which is then delivered to the victim through a targeted phishing email.

“Victims are directed to a legitimate Microsoft domain (microsoft.com/devicelogin) portal and enter the device code provided by the attacker,” said researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke. “This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. These tokens are stolen in real time, granting the attacker permanent access to the victim’s Microsoft 365 account and corporate data.”
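Device code sign-ins leave a distinct trace: the sign-in record shows the device code authentication protocol and the application that received the token. The following is an added triage example, not code from the article or from the researchers quoted; it runs over constructed sign-in records shaped like Microsoft Graph signIn objects (the field names are assumed from that schema, the values and app IDs are made up) and flags successful device-code sign-ins, rating them by whether the receiving app is one the organisation actually approved for that flow. The location heuristic is deliberately secondary, since the victim enters the code from their own browser.

```python
from collections import defaultdict

# Constructed sign-in records (Graph signIn-like field names; all values made up).
SIGN_INS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Mail client",
     "appId": "00000000-0000-0000-0000-0000000000aa", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-02-20T09:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Device Sync Helper",
     "appId": "00000000-0000-0000-0000-0000000000ee", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-02-24T14:03:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Mail client",
     "appId": "00000000-0000-0000-0000-0000000000aa", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-02-21T08:40:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Corp CLI tool",
     "appId": "00000000-0000-0000-0000-0000000000cc", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "createdDateTime": "2026-02-24T15:10:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Mail client",
     "appId": "00000000-0000-0000-0000-0000000000aa", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.30", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-02-22T10:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Corp CLI tool",
     "appId": "00000000-0000-0000-0000-0000000000cc", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.30", "location": {"countryOrRegion": "US"},
     "createdDateTime": "2026-02-24T16:00:00Z", "status": {"errorCode": 0}},
    # Failed device-code attempt (non-zero errorCode): no token was issued, so it is skipped.
    {"userPrincipalName": "dave@example.test", "appDisplayName": "Device Sync Helper",
     "appId": "00000000-0000-0000-0000-0000000000ee", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.90", "location": {"countryOrRegion": "BR"},
     "createdDateTime": "2026-02-24T16:30:00Z", "status": {"errorCode": 50126}},
]

# Apps the organisation has approved to use the device authorization grant (constructed).
ALLOWLISTED_APP_IDS = {"00000000-0000-0000-0000-0000000000cc"}


def build_baselines(records):
    """Countries each user has signed in from via ordinary (non device-code) flows."""
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def flag_device_code_signins(records, allowlisted_app_ids):
    """Return one finding per successful device-code sign-in, rated high when the token
    went to an app not approved for the flow, medium when the app is approved but the
    sign-in country is outside the user's baseline, low otherwise."""
    baseline = build_baselines(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        upn, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        reasons = []
        if r["appId"] not in allowlisted_app_ids:
            reasons.append(f"token issued to unapproved app {r['appDisplayName']} ({r['appId']})")
        if baseline[upn] and country not in baseline[upn]:
            reasons.append(f"country {country} outside baseline {sorted(baseline[upn])}")
        if r["appId"] not in allowlisted_app_ids:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"userPrincipalName": upn, "appId": r["appId"], "ipAddress": r["ipAddress"],
                         "createdDateTime": r["createdDateTime"], "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SIGN_INS, ALLOWLISTED_APP_IDS):
        print(f["severity"].upper(), f["userPrincipalName"], f["createdDateTime"], "; ".join(f["reasons"]))
```

Detection is the fallback; the durable control is to block the device code flow for users who have no legitimate need for it (Entra ID Conditional Access offers an authentication flows condition for exactly this) and to revoke refresh tokens for any account that shows a high finding, since the access token the attacker holds is renewed from that refresh token.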

In recent months, phishing campaigns have also targeted financial institutions, particularly US-based banks and credit unions, to harvest credentials. The campaign is said to have taken place in two distinct phases: an initial wave beginning in late June 2025, and a series of more sophisticated attacks beginning in mid-November 2025.

“Actors have started registering [.]Ko[.]com domains disguised as financial institution websites and impersonating real financial institutions,” said BlueVoyant researchers Shira Reuveny and Joshua Green. “The [.]Ko[.]com domain serves as the first entry point in a sophisticated multi-stage chain.”

When reached through the clickable link in a phishing email, this domain loads a malicious Cloudflare-style CAPTCHA page imitating the targeted institution. The CAPTCHA is non-functional, and a Base64-encoded script redirects the user to the credential capture page only after an intentional delay.

To avoid detection and keep automated scanners from flagging the malicious content, the [.]Ko[.]com domain triggers a malformed redirect to a “www” URL.

“Adversaries’ deployment of more sophisticated multi-layer evasion chains that incorporate referrer validation, cookie-based access controls, intentional delays, and code obfuscation effectively creates a more resilient infrastructure that creates barriers to automated security tools and manual analysis,” BlueVoyant said.
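The combination BlueVoyant describes, a fake CAPTCHA shell, a timed redirect, a Base64-encoded script and referrer or cookie gating, is what a sandbox that renders a page for a few seconds and moves on will miss. Below is an added analysis example covering both the CAPTCHA/delay paragraph and the evasion-chain quote; it is not code from the article or from BlueVoyant. It statically peels atob() layers out of a constructed landing page (the domain and payload are made up) and reports the delay, the gating checks and the eventual redirect target, so a triage tool can see the chain without waiting it out.

```python
import base64
import re

# Regexes for the building blocks of the evasion chain described in the text.
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
TIMEOUT_RE = re.compile(r"setTimeout\(\s*[^,]+,\s*(\d+)\s*\)")
LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']"""
)
GATES = {
    "referrer": re.compile(r"document\.referrer"),
    "cookie": re.compile(r"document\.cookie"),
}

# Constructed inner payload: gate on referrer and cookie, then redirect to a made-up capture page.
_PAYLOAD = (
    'if(document.referrer.indexOf("mail")!==-1 && document.cookie.indexOf("vt=")!==-1){'
    'window.location.href="https://www.example-bank-login.invalid/verify";}'
)

# Constructed landing page: a CAPTCHA-looking shell that does nothing, a delay, an encoded script.
SAMPLE_HTML = f"""<html><body>
<div id="challenge">Checking your browser before accessing...</div>
<script>
var p = atob("{base64.b64encode(_PAYLOAD.encode()).decode()}");
function run() {{ eval(p); }}
setTimeout(run, 4000);
</script></body></html>"""


def analyze(html: str, max_depth: int = 3) -> dict:
    """Walk the page and every Base64 layer it unpacks (up to max_depth), collecting
    delays, gating checks and redirect targets found at any layer."""
    report = {"delay_ms": [], "decoded_layers": [], "redirect_targets": [], "gates": set()}
    layers = [html]
    for _ in range(max_depth):
        next_layers = []
        for text in layers:
            report["delay_ms"] += [int(d) for d in TIMEOUT_RE.findall(text)]
            report["redirect_targets"] += LOCATION_RE.findall(text)
            for name, rx in GATES.items():
                if rx.search(text):
                    report["gates"].add(name)
            for blob in ATOB_RE.findall(text):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                report["decoded_layers"].append(decoded)
                next_layers.append(decoded)
        layers = next_layers
        if not layers:
            break
    return report


def verdict(report: dict, min_delay_ms: int = 2000) -> str:
    """A redirect that only fires after a delay or behind referrer/cookie gates is the
    pattern worth escalating; a plain immediate redirect is ordinary web behaviour."""
    if not report["redirect_targets"]:
        return "no redirect found"
    delayed = any(d >= min_delay_ms for d in report["delay_ms"])
    if delayed or report["gates"]:
        return "suspicious: gated/delayed redirect to " + ", ".join(report["redirect_targets"])
    return "redirect present, no evasion markers"


if __name__ == "__main__":
    r = analyze(SAMPLE_HTML)
    print("delays:", r["delay_ms"], "gates:", sorted(r["gates"]))
    print("targets:", r["redirect_targets"])
    print(verdict(r))
```

Two caveats for anyone adapting this: kits that build the Base64 string at runtime from fragments will not match the atob() regex, so a headless-browser run with the clock advanced and a plausible referrer remains the complementary check; and the redirect target recovered here should be treated as a lead for blocklisting, not as the final page, since the text notes a further malformed “www” hop in front of the capture page.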
