A phishing suite called Starkiller is being sold as a cybercrime platform by a threat group identifying itself as Jinkusu. According to the report, it gives customers a dashboard to select a brand to impersonate or enter a brand’s real URL directly.
The platform launches a headless Chrome instance inside a Docker container, loads the target brand’s real website, and acts as a reverse proxy between the victim and the legitimate site. Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is captured.
Because the tool proxies a live website rather than a static copy, there are no template files for security vendors to fingerprint or blocklist. The phishing page is never out of date — it reflects whatever the real site looks like at any given moment.
MFA Bypass Built In
The adversary-in-the-middle setup intercepts session tokens in real time, which allows the attacker to bypass multi-factor authentication entirely. Researchers Callie Baron and Piotr Wojtyla from Abnormal described it as centralizing “infrastructure management, phishing page deployment, and session monitoring within a single control panel.”
Users can also configure custom keywords — “login,” “verify,” “security,” or “account” — and integrate URL shorteners such as TinyURL to obscure the destination link.
The firm said the platform “gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”
A Wider Pattern of Industrialized Phishing
A separate phishing kit called 1Phish, detailed by Datadog researcher Martin McCloskey, evolved from a basic credential harvester in September 2025 into a multi-stage tool targeting 1Password users. The updated kit captures one-time passcodes and recovery codes, adds browser fingerprinting to filter out bots, and includes a pre-phishing validation layer.
“Each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting,” McCloskey said.
A separate campaign has been targeting Microsoft 365 accounts across North American businesses by abusing the OAuth 2.0 device authorization grant flow. The attacker generates a device code and delivers it to the victim via a phishing email, directing them to the legitimate Microsoft domain to enter it. Once the victim authenticates, a valid OAuth access token is issued to the attacker’s application — granting persistent access to corporate accounts and data.
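As an added defender-side example (not from the article or the researchers cited), the following Python detection logic runs over constructed sign-in records and flags device-code sign-ins that deserve review: those from an app not approved for that grant, or from a country the user has never signed in from interactively. The field names imitate Microsoft Entra sign-in logs (where authenticationProtocol "deviceCode" marks the device authorization grant), and the app IDs are placeholders; both are assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (JSON lines). The schema is an assumption
# modeled on Entra sign-in logs; authenticationProtocol "deviceCode" marks the
# OAuth 2.0 device authorization grant. App IDs are placeholders.
SAMPLE_SIGNINS = [
    '{"user":"alice@example.com","appId":"mail-client-placeholder","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","country":"US"}',
    '{"user":"alice@example.com","appId":"cli-tool-allowlisted","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","country":"US"}',
    '{"user":"alice@example.com","appId":"unknown-app-placeholder","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","country":"DE"}',
    '{"user":"bob@example.com","appId":"mail-client-placeholder","authenticationProtocol":"oAuth2","ipAddress":"192.0.2.200","country":"US"}',
    '{"user":"bob@example.com","appId":"cli-tool-allowlisted","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.5","country":"NL"}',
]

# Apps that legitimately use the device code grant in this hypothetical tenant.
DEVICE_CODE_ALLOWLIST = {"cli-tool-allowlisted"}


def parse_events(lines):
    """Parse JSON-lines sign-in records into dicts, skipping unparseable lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_device_code_signins(events, allowlist):
    """Return device-code sign-ins from a non-approved app or an unseen country.

    In the abuse described above the token is issued to the attacker's app,
    usually far from the victim's normal sign-in locations.
    """
    # Baseline: countries seen in each user's non-device-code sign-ins.
    baseline = defaultdict(set)
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            baseline[ev["user"]].add(ev.get("country"))

    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if ev.get("appId") not in allowlist:
            reasons.append("app not approved for device code grant")
        if ev.get("country") not in baseline[ev["user"]]:
            reasons.append("country never seen in interactive sign-ins")
        if reasons:
            findings.append({"user": ev["user"], "ipAddress": ev.get("ipAddress"), "reasons": reasons})
    return findings
```

In a real deployment the baseline would be built from a longer history than the batch being examined, and the allowlist from the tenant's actual app registrations.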
Researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke described the token theft as happening in real time.
Financial institutions have also been targeted. Researchers Shira Reuveny and Joshua Green from BlueVoyant identified two attack phases — one beginning in late June 2025, a second more sophisticated wave starting mid-November 2025 — using .co.com domains spoofing U.S. banks and credit unions as initial entry points in a multi-stage chain.
This article is a curated summary based on third-party sources.