Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

  • Mar 3
  • 3 min read

Key Findings:


  • Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.

  • Starkiller is advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard to impersonate brands or enter a brand's real URL.

  • The platform lets users choose custom keywords and integrates URL shorteners to obscure the destination URL.

  • Starkiller launches a headless Chrome instance within a Docker container, loads the brand's real website, and acts as a reverse proxy between the target and the legitimate site.

  • Because the real login page is proxied live, the attacker never has to refresh a phishing template: whatever the impersonated site changes, the proxied content changes with it.

  • The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel.

  • Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.


Background


Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections. The platform is advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand's real URL. It also lets users choose custom keywords like "login," "verify," "security," or "account," and integrates URL shorteners such as TinyURL to obscure the destination URL.


Reverse Proxy and Headless Chrome


Starkiller launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand's real website, and acts as a reverse proxy between the target and the legitimate site. Recipients are served genuine page content directly through the attacker's infrastructure, ensuring the phishing page is never out of date. Because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.
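The reason a live proxy defeats most second factors but not all of them is worth making concrete. The following Python is an added illustration, not code from the write-up or from the Starkiller kit: a one-time code (TOTP) carries no information about where the user typed it, so a proxy that forwards it verbatim passes the relying party's check; a WebAuthn assertion is stamped by the browser with the origin the user is actually on, and the relying party rejects anything that is not its own origin. The two origins are constructed placeholders, and the WebAuthn signature check is omitted so the example stays stdlib-only.

```python
"""
Added example (not code from the Starkiller write-up): why a live reverse
proxy can relay a one-time code to the real site but cannot relay a WebAuthn
assertion. Origins below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"          # constructed: the brand's real login origin
PROXY_ORIGIN = "https://login.example-proxy.test"  # constructed: the origin the victim's browser really sees


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP (RFC 6238) is HOTP with counter = floor(time / 30)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def rp_verify_totp(secret: bytes, submitted_code: str, time_counter: int) -> bool:
    """Relying-party check of a TOTP code. Nothing in the code says where the
    user typed it, so a proxy that forwards it verbatim passes this check."""
    return hmac.compare_digest(hotp(secret, time_counter), submitted_code)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser (not the page's script) builds as clientDataJSON for
    navigator.credentials.get(); `origin` is the origin the page was loaded from."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def rp_verify_webauthn_client_data(client_data_json: bytes, expected_challenge: bytes,
                                   expected_origin: str) -> bool:
    """The clientDataJSON steps of WebAuthn assertion verification (type,
    challenge, origin). The authenticator signs over sha256(clientDataJSON), so
    a proxy cannot rewrite `origin` without invalidating the signature; the
    signature check itself is omitted here to keep the example stdlib-only."""
    try:
        c = json.loads(client_data_json)
        challenge = b64url_decode(c.get("challenge", ""))
    except (ValueError, TypeError, AttributeError):
        return False
    if c.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(challenge, expected_challenge):
        return False
    return c.get("origin") == expected_origin


def simulate_relay(secret: bytes, time_counter: int, challenge: bytes) -> dict:
    """Victim is on PROXY_ORIGIN; the proxy forwards every request to REAL_ORIGIN."""
    # Second factor 1: the victim types a TOTP code into the proxied page.
    code_typed = hotp(secret, time_counter)            # read from the victim's authenticator app
    totp_ok = rp_verify_totp(secret, code_typed, time_counter)

    # Second factor 2: the victim's browser answers the WebAuthn challenge the
    # proxy passed through, but stamps it with the origin it is really on.
    client_data = make_client_data(PROXY_ORIGIN, challenge)
    webauthn_ok = rp_verify_webauthn_client_data(client_data, challenge, REAL_ORIGIN)
    return {"totp_relayed": totp_ok, "webauthn_relayed": webauthn_ok}


if __name__ == "__main__":
    print(simulate_relay(b"12345678901234567890", 1, b"\x01" * 32))
    # → {'totp_relayed': True, 'webauthn_relayed': False}
```

Two details reinforce the point in real deployments: browsers also refuse to use an RP ID that is not a registrable suffix of the current origin, so an authenticator never even produces an assertion for the real RP ID while the user is on the proxy's domain; and the same origin binding is why passkeys and FIDO2 security keys, rather than SMS, TOTP or push approval, are the mitigation that actually addresses proxied logins of this kind.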


Streamlining Phishing Operations


The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel. Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.


Evolving Phishing Kits


The findings show that phishing kits like Starkiller and 1Phish are increasingly turning phishing into SaaS-style workflows, further lowering the skill barrier necessary to pull off such attacks at scale. This progression reflects deliberate iteration rather than simple template reuse, with each version building upon the previous one to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting.


Targeting Financial Institutions


In recent months, phishing campaigns have also targeted financial institutions, specifically U.S.-based banks and credit unions, to harvest credentials. The campaign is said to have run in two distinct phases: an initial wave beginning in late June 2025 and a more sophisticated set of attacks beginning in mid-November 2025. The actors registered [.]co[.]com domains that spoofed the websites of real financial institutions convincingly.


Bypassing MFA with OAuth 2.0


The findings also coincide with a sophisticated phishing campaign targeting North American businesses and professionals that abuses the OAuth 2.0 device authorization grant flow to sidestep multi-factor authentication (MFA) and compromise Microsoft 365 accounts. The attacker registers with the Microsoft OAuth application and generates a unique device code, which is then delivered to the victim in a targeted phishing email.
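Because the victim completes the device-code flow on Microsoft's genuine page, the login itself looks legitimate and MFA is satisfied by the victim; what the defender can look for is that the token was issued through the device-code protocol at all, and to whom. The Python below is an added example, not from the write-up: it triages sign-in records for device-code authentications, flagging users who have never used that flow, IPs a user has not used before, and a single IP completing device-code sign-ins for several users. The sample records are constructed, and the field names (`authenticationProtocol` with the value `deviceCode`, `userPrincipalName`, `appDisplayName`, `ipAddress`) follow the Microsoft Entra sign-in log schema as I understand it; treat them as an assumption and check them against your own export.

```python
"""
Added example (not from the write-up): triage OAuth device-code sign-ins.
Field names are assumed to follow the Entra sign-in log schema; sample
records are constructed and are not real telemetry.
"""
from datetime import datetime

# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-11-10T08:02:11Z", "userPrincipalName": "ops@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"createdDateTime": "2025-11-18T09:15:42Z", "userPrincipalName": "finance@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "oAuth2", "status": "success"},
    {"createdDateTime": "2025-11-18T09:31:05Z", "userPrincipalName": "ops@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"createdDateTime": "2025-11-18T10:04:59Z", "userPrincipalName": "finance@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"createdDateTime": "2025-11-18T10:05:30Z", "userPrincipalName": "hr@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "status": "failure"},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_device_code_signins(records: list, baseline_cutoff: str) -> list:
    """Return one finding per device-code sign-in at or after `baseline_cutoff`.

    Sign-ins before the cut-off form the baseline of (user -> IPs) that have
    legitimately used the flow, e.g. admins running CLI tooling. Severity:
      high   = novel user/IP (or shared IP) and the token was issued
      medium = same anomalies but the sign-in failed
      low    = a user/IP pair already in the baseline
    """
    cutoff = _ts(baseline_cutoff)
    is_dc = lambda r: r.get("authenticationProtocol") == "deviceCode"

    baseline: dict = {}
    for r in records:
        if is_dc(r) and _ts(r["createdDateTime"]) < cutoff:
            baseline.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])

    recent = [r for r in records if is_dc(r) and _ts(r["createdDateTime"]) >= cutoff]

    # One source IP completing device-code logins for several users is a
    # strong sign that one party is redeeming codes that others approved.
    users_per_ip: dict = {}
    for r in recent:
        users_per_ip.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])

    findings = []
    for r in recent:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        reasons = []
        if user not in baseline:
            reasons.append("first device-code sign-in seen for this user")
        elif ip not in baseline[user]:
            reasons.append("device-code sign-in from an IP this user has not used before")
        if len(users_per_ip[ip]) > 1:
            reasons.append(f"same IP completed device-code sign-ins for {len(users_per_ip[ip])} users")

        if not reasons:
            severity = "low"
        elif r.get("status") == "success":
            severity = "high"
        else:
            severity = "medium"
        findings.append({"time": r["createdDateTime"], "user": user, "ip": ip,
                         "app": r.get("appDisplayName"), "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS, "2025-11-15T00:00:00Z"):
        print(f["severity"].upper(), f["user"], f["ip"], "; ".join(f["reasons"]) or "baseline user/IP")
```

On the sample data the ops account's CLI login from its usual address rates low, while the finance account's successful first-ever device-code sign-in from an address shared with another user rates high. As a preventive control, Entra Conditional Access can restrict the device code flow through its authentication-flows condition to the groups that genuinely need it, which shrinks the baseline this logic has to reason about.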


Sources


  • https://thehackernews.com/2026/03/starkiller-phishing-suite-uses-aitm.html

  • https://news.backbox.org/2026/03/03/starkiller-phishing-suite-uses-aitm-reverse-proxy-to-bypass-multi-factor-authentication/

  • https://www.reddit.com/r/SecOpsDaily/comments/1rjoraa/starkiller_phishing_suite_uses_aitm_reverse_proxy/

  • https://www.linkedin.com/posts/dlross_starkiller-phishing-suite-uses-aitm-reverse-activity-7434723038446817280-8c8G

  • https://x.com/Dinosn/status/2028812623085519113


© 2025 by Explain IT Again. Powered and secured by Wix