Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

Published: (March 3, 2026 at 06:10 AM EST)

Source: The Hacker News

Starkiller Phishing Suite Overview

Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi‑factor authentication (MFA) protections.

It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them:

  • Select a brand to impersonate or enter a brand’s real URL.
  • Choose custom keywords such as “login,” “verify,” “security,” or “account.”
  • Integrate URL shorteners (e.g., TinyURL) to obscure the destination URL.

“It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.1

“Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.”

This login‑page proxying technique eliminates the need for attackers to update phishing page templates whenever the legitimate pages change.

How Starkiller Operates

The container acts as an MITM reverse proxy, forwarding the end‑user’s inputs entered on the spoofed live page to the legitimate site and returning the site’s responses. Under the hood, every keystroke, form submission, and session token is routed through attacker‑controlled infrastructure and captured for account takeover.
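As an added, defender-side illustration (not code from the article or from Abnormal), the following Python scans constructed auth-log lines for two traces a proxied login of this kind can leave at the legitimate site: a session first established from a HeadlessChrome user agent, and the same session id later used from a different IP or user agent. The log format, IPs and session ids are made up; a proxy can spoof its user agent, so the first signal is weak on its own.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (format and values made up for this example;
# IPs are documentation ranges, not infrastructure from the report).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z user=alice@example.test ip=203.0.113.10 sid=S1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2026-03-01T10:05:20Z user=alice@example.test ip=203.0.113.10 sid=S1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2026-03-01T11:00:03Z user=bob@example.test ip=198.51.100.77 sid=S2 ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/122.0"
2026-03-01T11:07:45Z user=bob@example.test ip=192.0.2.200 sid=S2 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
"""
LINE_RE = re.compile(r'^(\S+) user=(\S+) ip=(\S+) sid=(\S+) ua="([^"]*)"$')


def parse_log(text):
    """Parse the constructed log format into dicts; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(("time", "user", "ip", "sid", "ua"), m.groups())))
    return events


def find_aitm_indicators(events):
    """Return {session id: [reasons]} for sessions showing proxy/hijack traces."""
    first_seen = {}            # sid -> event at which the session was first observed
    findings = defaultdict(list)
    for e in events:
        ctx = first_seen.setdefault(e["sid"], e)
        if ctx is e:
            # The kit drives the real site from headless Chrome, whose default UA
            # advertises itself. Spoofable, so treat as a weak corroborating signal.
            if "HeadlessChrome" in e["ua"]:
                findings[e["sid"]].append("session issued to a HeadlessChrome user agent")
            continue
        # A captured session token replayed by the attacker shows up as the same
        # sid used from a different client than the one it was issued to.
        if e["ip"] != ctx["ip"] or e["ua"] != ctx["ua"]:
            findings[e["sid"]].append(
                "session reused from %s / %s after issuance at %s / %s"
                % (e["ip"], e["ua"], ctx["ip"], ctx["ua"]))
    return dict(findings)
```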

“The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel,” Abnormal said. “Combined with URL masking, session hijacking, and MFA bypass, it gives low‑skill cybercriminals access to attack capabilities that were previously out of reach.”

Comparison with the 1Phish Kit

The development of Starkiller coincides with Datadog’s revelation that the 1Phish kit has evolved from a basic credential harvester (September 2025) into a multi‑stage phishing kit targeting 1Password users. The updated version adds:

  • A pre‑phishing fingerprint and validation layer.
  • Support for capturing one‑time passcodes (OTPs) and recovery codes.
  • Browser‑fingerprinting logic to filter out bots.

“This progression reflects deliberate iteration rather than simple template reuse,” security researcher Martin McCloskey said.2 “Each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting.”

Both Starkiller and 1Phish illustrate a shift toward SaaS‑style phishing workflows, lowering the skill barrier required to launch large‑scale attacks.

OAuth 2.0 Device‑Authorization Grant Flow Attack

A sophisticated phishing campaign targeting North American businesses has been abusing the OAuth 2.0 device‑authorization grant flow to sidestep MFA and compromise Microsoft 365 accounts. The attacker registers a malicious application on the Microsoft OAuth platform and generates a unique device code. This code is delivered to victims via a targeted phishing email.

“The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an attacker‑supplied device code,” researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said.3 “This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real‑time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.”
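An added example, not from the article or KnowBe4: a Python pass over constructed sign-in records shaped like Microsoft Graph `signIn` objects (field names assumed from that resource; app ids are placeholders) that flags successful device-code grants to apps the organisation has not approved, and notes when the grant came from an IP absent from the user's earlier interactive sign-ins.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph `signIn` objects.
# Field names are assumed from that resource; values and app ids are placeholders.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2026-02-20T08:30:00Z","userPrincipalName":"alice@example.test",
  "appId":"PLACEHOLDER-APP-OFFICE","appDisplayName":"Office 365 Portal",
  "authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-20T09:01:00Z","userPrincipalName":"alice@example.test",
  "appId":"PLACEHOLDER-APP-CLI","appDisplayName":"Approved CLI tool",
  "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-20T08:45:00Z","userPrincipalName":"bob@example.test",
  "appId":"PLACEHOLDER-APP-OFFICE","appDisplayName":"Office 365 Portal",
  "authenticationProtocol":"oAuth2","ipAddress":"203.0.113.55","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-20T14:12:00Z","userPrincipalName":"bob@example.test",
  "appId":"PLACEHOLDER-APP-UNKNOWN","appDisplayName":"Document Sync Helper",
  "authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0}}
]""")

# Device-code-capable apps the organisation has explicitly approved (placeholder ids).
ALLOWED_DEVICE_CODE_APPS = {"PLACEHOLDER-APP-CLI"}


def find_suspicious_device_code_signins(signins, allowed_app_ids):
    """Flag successful device-code grants to unapproved apps; also note when the
    sign-in IP never appeared in the user's earlier non-device-code sign-ins."""
    baseline_ips = defaultdict(set)
    findings = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts issued no token
        user = s["userPrincipalName"]
        if s.get("authenticationProtocol") != "deviceCode":
            baseline_ips[user].add(s["ipAddress"])
            continue
        reasons = []
        if s["appId"] not in allowed_app_ids:
            reasons.append("device code grant to unapproved app '%s'" % s["appDisplayName"])
        if s["ipAddress"] not in baseline_ips[user]:
            reasons.append("ip %s absent from user's prior interactive sign-ins" % s["ipAddress"])
        if reasons:
            findings.append({"user": user, "time": s["createdDateTime"],
                             "app": s["appDisplayName"], "reasons": reasons})
    return findings
```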

Financial Institution Phishing Campaign

Recent months have seen phishing campaigns aimed at U.S. banks and credit unions. The operation unfolded in two phases: an initial wave beginning in late June 2025 and a more sophisticated set of attacks starting in mid‑November 2025.

“The actors began registering .co.com domains spoofing financial institution websites, presenting credible impersonations of real financial institutions,” BlueVoyant researchers Shira Reuveny and Joshua Green said. “These [.]co[.]com domains serve as the initial entry point in a refined multi‑stage chain.”4

When visited from a phishing email link, the domain loads a fraudulent Cloudflare CAPTCHA page that mimics the targeted institution. The CAPTCHA is non‑functional and deliberately delays the victim before a Base64‑encoded script redirects to the credential‑harvesting page. Direct access to the [.]co[.]com domains triggers a redirect to a malformed “www[.]www” URL, further evading automated scanners.

“The adversary’s deployment of a more advanced multi‑layered evasion chain – incorporating referrer validation, cookie‑based access controls, intentional delays, and code obfuscation – effectively creates a more resilient infrastructure that presents barriers for automated security tools and manual analysis,” BlueVoyant said.
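An added analyst helper, not from the article or BlueVoyant: Python that pulls `atob(...)` blobs out of a constructed fake-CAPTCHA page like the one described, decodes them, and recovers the redirect target and the setTimeout delay. Hostnames in the sample are placeholders, not indicators from the report.

```python
import base64
import re

# Constructed sample: a timer-driven redirect hidden in a Base64 blob, in the
# style of the fake CAPTCHA page described above. Hostnames are placeholders.
REDIRECT_SCRIPT = 'window.location.href="https://login.example-harvester.test/auth";'
SAMPLE_HTML = (
    '<html><body><div id="cf">Checking your browser before accessing'
    ' example-bank.co.com ...</div>\n'
    '<script>setTimeout(function(){ eval(atob("%s")); }, 4500);</script>'
    '</body></html>'
) % base64.b64encode(REDIRECT_SCRIPT.encode()).decode()

ATOB_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
DELAY_RE = re.compile(r'setTimeout\s*\(.*?,\s*(\d+)\s*\)', re.S)
TARGET_RE = re.compile(
    r'(?:location\.href\s*=\s*|location\.replace\(\s*|location\s*=\s*)["\']([^"\']+)["\']')


def decode_atob_blobs(html):
    """Decode every atob("...") argument; skip blobs that are not valid Base64."""
    decoded = []
    for blob in ATOB_RE.findall(html):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def analyse_landing_page(html):
    """Return decoded scripts, redirect targets found in them, and the longest delay."""
    decoded = decode_atob_blobs(html)
    targets = []
    for script in decoded:
        targets.extend(TARGET_RE.findall(script))
    delays = [int(d) for d in DELAY_RE.findall(html)]
    return {"decoded_scripts": decoded, "redirect_targets": targets,
            "delay_ms": max(delays) if delays else 0}
```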

Footnotes

  1. Callie Baron and Piotr Wojtyla, Abnormal – Starkiller Phishing Kit, link.

  2. Martin McCloskey, Datadog – Hook Line Vault: A Deep Dive into 1Phish, link.

  3. Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke, KnowBe4 – Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA, link.

  4. BlueVoyant, “Multi‑stage phishing campaign targets finance,” https://www.bluevoyant.com/blog/multi-stage-phishing-campaign-targets-finance.
