Starkiller: A Sophisticated Phishing-as-a-Service Bypasses MFA with Real-Time Session Hijacking
A new phishing-as-a-service platform called **Starkiller** is making waves in the cybercrime world. It bypasses traditional phishing defenses by dynamically loading real login pages and acting as a relay, effectively neutralizing multi-factor authentication (MFA) and providing real-time session monitoring.
Most phishing websites are simple copies of login pages and are quickly taken down. **Starkiller** offers a stealthier alternative: a disguised link loads the target brand's real website through the service, which acts as a relay, forwarding the victim's credentials to the legitimate site and returning its responses, so there is no cloned page for defenders to fingerprint.
### Starkiller: Phishing Made Easy
While numerous phishing kits exist, they often require technical skills to configure servers, domain names, and proxy services. **Starkiller** simplifies this process by dynamically loading a live copy of the real login page and recording everything the user types, proxying the data from the legitimate site back to the victim.
According to **Abnormal AI**, **Starkiller** allows customers to select a brand to impersonate (e.g., **Apple**, **Facebook**, **Google**, **Microsoft**) and generates a deceptive URL that mimics the legitimate domain while routing traffic through the attacker's infrastructure.
For instance, a phishing link targeting **Microsoft** customers might appear as "login.microsoft.com@[malicious/shortened URL here]." Browsers treat everything between "//" and "@" in a URL as a username (the userinfo field), so the real destination is the host that follows the "@"; a casual reader, however, sees the familiar brand domain at the front and takes it for the site being visited.
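The following is an added example, not code from the article or from Abnormal's report, showing how to resolve the host a browser actually connects to for such links and how to flag the userinfo trick in a URL feed. The sample links and the brand list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links (not taken from the report). The first two use the
# "@" trick described above; the third is an ordinary, legitimate sign-in URL.
SAMPLE_LINKS = [
    "https://login.microsoft.com@evil.example/login",
    "http://accounts.google.com:443@short.example/x",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]

# Hypothetical set of brand domains a defender wants to protect (assumption).
BRAND_HOSTS = (
    "microsoft.com", "microsoftonline.com", "google.com", "apple.com", "facebook.com",
)


def real_host(url: str) -> str:
    """Return the host a browser will actually connect to.

    urlsplit() follows RFC 3986: anything between '//' and the last '@' in the
    authority is userinfo, and .hostname is what comes after the '@'.
    """
    return (urlsplit(url).hostname or "").lower()


def userinfo(url: str) -> str:
    """Return the userinfo part ('login.microsoft.com' in the example) or ''."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return ""
    return netloc.rsplit("@", 1)[0]


def looks_like_brand_host(text: str) -> bool:
    """True if text resembles a hostname on one of the protected brand domains."""
    host = text.split(":", 1)[0].lower()  # drop a ':port' or ':password' suffix
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)


def is_userinfo_spoof(url: str) -> bool:
    """Flag a link whose userinfo impersonates a brand host while the real host
    is something else. Legitimate links almost never carry userinfo at all."""
    ui = userinfo(url)
    if not ui:
        return False
    return looks_like_brand_host(ui) and not looks_like_brand_host(real_host(url))


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link}\n  real host: {real_host(link)}  spoof: {is_userinfo_spoof(link)}")
```

A mail gateway or URL-rewriting proxy can apply `is_userinfo_spoof` before the link reaches the user; in practice, treating any `http(s)` link with userinfo as suspicious is a reasonable default, since modern sites do not put credentials in URLs.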

### Man-in-the-Middle Attack
Once **Starkiller** customers select the URL, the service spins up a [Docker container](https://www.docker.com/resources/what-container/) running a [headless Chrome browser instance](https://developer.chrome.com/docs/chromium/headless) that loads the real login page, according to **Abnormal**.
"The container then acts as a man-in-the-middle reverse proxy, forwarding the end user's inputs to the legitimate site and returning the site's responses," **Abnormal** researchers **Callie Baron** and **Piotr Wojtyla** wrote in [a blog post](https://abnormal.ai/blog/starkiller-phishing-kit). "Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way."
**Starkiller** offers cybercriminals real-time session monitoring, enabling them to live-stream the target's screen as they interact with the phishing page.
"The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated **Telegram** alerts when new credentials come in," they wrote. "Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS [software-as-a-service] platform would offer."
### Bypassing MFA
**Abnormal** notes that the service intercepts and relays the victim's MFA credentials: the victim really is authenticating to the legitimate site, just through the attacker's proxy, so any one-time code or push approval they submit is forwarded to the real service in real time and accepted there.
"The attacker captures the resulting session cookies and tokens, giving them authenticated access to the account," the researchers wrote. "When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed."
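The relay works against one-time codes and push approvals because nothing in those factors says which site the user is on. Origin-bound factors behave differently: in a WebAuthn (FIDO2) sign-in the browser itself writes the origin it has actually loaded into `clientDataJSON`, and the relying party checks it, so an assertion produced on the attacker's domain fails even though the proxy faithfully relays the challenge. The following added example, which is not code from the article or from Abnormal, shows that check; the relying-party origin and the challenge values are assumptions for illustration, and signature verification is omitted because the point here is the origin binding.

```python
import base64
import hmac
import json

# The relying party's genuine origin (assumption for this example).
RP_ORIGIN = "https://login.example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))
    except (ValueError, TypeError):
        return b""


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser produces for navigator.credentials.get().

    'origin' is filled in by the browser from the page it actually loaded. A
    reverse proxy can relay the RP's challenge, but a browser sitting on the
    proxy's domain will still report the proxy's origin here.
    """
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN) -> tuple:
    """The type, challenge and origin checks a WebAuthn relying party performs
    on clientDataJSON before verifying the signature. Returns (ok, reason)."""
    try:
        c = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if c.get("type") != "webauthn.get":
        return False, f"unexpected type {c.get('type')!r}"
    if not hmac.compare_digest(b64url_decode(c.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or forged assertion)"
    if c.get("origin") != expected_origin:
        return False, f"origin {c.get('origin')!r} does not match {expected_origin!r}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: the RP issues one challenge; the legitimate browser
    signs on RP_ORIGIN, while a victim behind an AitM proxy signs on the proxy's
    domain (the host that follows the '@' in the disguised link)."""
    challenge = bytes(range(32))  # constructed; real RPs use random bytes
    direct = make_client_data(challenge, RP_ORIGIN)
    proxied = make_client_data(challenge, "https://evil.example")
    return {
        "direct": verify_client_data(direct, challenge),
        "proxied": verify_client_data(proxied, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same property holds for passkeys, which are WebAuthn credentials; an SMS or authenticator-app code, by contrast, is just six digits that the proxy forwards unchanged, which is why the report can say MFA is neutralized while "functioning exactly as designed."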

### Jinkusu: The Threat Group Behind Starkiller
**Starkiller** is part of a suite of cybercrime services offered by the threat group **Jinkusu**, which operates an active user forum where customers can discuss techniques, request features, and troubleshoot deployments. One feature harvests email addresses and contact information from compromised sessions to build target lists for follow-on phishing campaigns.
This service represents a significant evolution in phishing, lowering the barrier to entry for novice cybercriminals and circumventing traditional detection methods like domain blocklisting and static page analysis.
"Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling," their report concludes. "Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach."