Cybersecurity researchers have uncovered a new phishing toolkit named Starkiller that uses adversary-in-the-middle (AitM) proxying to bypass multi-factor authentication (MFA) protections.
The phishing suite is being promoted by a cybercrime group calling itself Jinkusu. It is marketed as a phishing-as-a-service (PhaaS) platform that gives subscribers a centralized dashboard for launching credential-harvesting campaigns against major brands.
Live Proxying of Legitimate Login Pages
Unlike traditional phishing kits that rely on cloned HTML templates, Starkiller operates by launching a headless Chrome browser instance inside a Docker container. The tool loads the genuine website of the targeted brand and functions as a reverse proxy between the victim and the authentic login portal.
Because it relays live content from the legitimate site, the phishing page always mirrors the real one. This eliminates the need for attackers to manually update templates when websites change their design or security prompts.
Security researchers Callie Baron and Piotr Wojtyla explained that every keystroke, login submission, and session token entered by the victim is routed through attacker-controlled infrastructure before reaching the real site. This setup enables real-time capture of authentication data.
MFA Bypass Through Adversary in the Middle
Starkiller effectively acts as an adversary-in-the-middle proxy. It forwards user credentials to the legitimate platform and returns the site's responses to the victim without raising suspicion.
Because the entire authentication exchange passes through the attacker's system, MFA protections are bypassed rather than broken: a one-time passcode typed into the phishing page is relayed to the real site within its validity window, and the session cookie the site issues after a successful login flows back through the proxy. Holding that already-authenticated cookie, the threat actor can hijack the active session and carry out account takeover without ever needing the victim's second factor again.
The platform also integrates URL-shortening services such as TinyURL to obscure phishing links. Users of the kit can select brand names to impersonate, input the real login URLs to proxy, and customize lure-related keywords such as login, verify, security, or account.
By consolidating infrastructure setup, phishing deployment, and session monitoring into a single interface, Starkiller significantly lowers the technical barrier required to execute advanced phishing campaigns.
1Phish Kit Evolves with Advanced Capabilities
The emergence of Starkiller comes alongside updates to another phishing toolkit known as 1Phish. Researchers at Datadog revealed that 1Phish evolved from a simple credential-harvesting page in September 2025 into a sophisticated multi-stage phishing kit targeting 1Password users.
The upgraded version adds support for capturing one-time passcodes and account recovery codes, and uses browser fingerprinting both to validate that a visitor is a real victim before the attack proceeds and to filter out automated bots and security scanners.
Security experts noted that these iterative improvements demonstrate deliberate refinement aimed at increasing success rates and evading detection.
OAuth Device Code Phishing Targets Microsoft 365
Researchers have also documented a separate phishing campaign targeting North American businesses by abusing the OAuth 2.0 device authorization grant flow to bypass MFA and compromise Microsoft 365 accounts.
In this technique, attackers register their own OAuth application and start the device authorization flow for it, obtaining a short user code from Microsoft's device authorization endpoint. Victims receive phishing emails instructing them to visit microsoft.com/devicelogin and enter that code.
By doing so, victims sign in to the genuine Microsoft page, with MFA if required, and unknowingly authorize the attacker's application. The attacker's client, which has been polling the token endpoint, is then issued a valid OAuth access token for the victim's account (and, where offline access is granted, a refresh token, which is what makes the access persistent). The attacker never handles the victim's password, so credential-centric defenses see nothing.
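The sequence is easier to see as a protocol exchange. The following Python mock of the device authorization grant (RFC 8628) is an added example, not code from the campaign or from Microsoft; the client ID, scopes, user identity and verification URI are constructed. It shows that the only party that ever receives tokens is the client that started the flow and holds the device_code, while the victim only ever visits the legitimate identity provider.

```python
"""Added example (not from the article): a minimal mock of the OAuth 2.0 device
authorization grant showing why the token ends up with whoever started the flow,
not with the user who typed the code. All identifiers are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DeviceCodeEntry:
    client_id: str
    user_code: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # set once a signed-in user enters the user_code


class MockAuthorizationServer:
    def __init__(self, verification_uri: str = "https://idp.example.test/devicelogin",
                 lifetime: int = 900) -> None:
        self.verification_uri = verification_uri   # assumed, stands in for the real verification page
        self.lifetime = lifetime
        self.pending: Dict[str, DeviceCodeEntry] = {}   # device_code -> entry
        self.issued_tokens: List[dict] = []

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: the client gets a long device_code (kept secret) and a
        short user_code (shown to a human)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))   # e.g. 'A1B2-C3D4'
        self.pending[device_code] = DeviceCodeEntry(client_id, user_code, scope,
                                                    time.time() + self.lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.lifetime, "interval": 5}

    def user_enters_code(self, user_code: str, authenticated_user: str) -> dict:
        """The verification page: the user has already signed in (MFA included) and
        now types the code from the email. Note the user never sees the device_code."""
        for entry in self.pending.values():
            if entry.user_code == user_code and entry.approved_by is None:
                entry.approved_by = authenticated_user
                return {"consent": f"{entry.client_id} granted {entry.scope}"}
        return {"error": "invalid_user_code"}

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=device_code, polled by the client."""
        entry = self.pending.get(device_code)
        if entry is None or entry.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > entry.expires_at:
            return {"error": "expired_token"}
        if entry.approved_by is None:
            return {"error": "authorization_pending"}
        tok = {"access_token": secrets.token_urlsafe(24),
               "refresh_token": secrets.token_urlsafe(24),   # present because offline_access was requested
               "token_type": "Bearer", "scope": entry.scope, "sub": entry.approved_by}
        self.issued_tokens.append({"client_id": client_id, **tok})
        del self.pending[device_code]
        return tok


def run_device_code_phish():
    """Walk the four steps of the campaign against the mock server."""
    idp = MockAuthorizationServer()
    # 1. Attacker's client starts the flow and keeps the device_code to itself.
    start = idp.device_authorization(client_id="attacker-app", scope="Mail.Read offline_access")
    # 2. Attacker polls the token endpoint; the user has not acted yet.
    first_poll = idp.token("attacker-app", start["device_code"])
    # 3. Victim follows the email to the real verification page and enters the user_code.
    idp.user_enters_code(start["user_code"], authenticated_user="victim@corp.example")
    # 4. Attacker polls again and receives tokens bound to the victim's identity.
    final = idp.token("attacker-app", start["device_code"])
    return first_poll, final


if __name__ == "__main__":
    pending, issued = run_device_code_phish()
    print("before approval:", pending)
    print("after approval:", {k: v for k, v in issued.items() if k != "access_token"})
```

Because nothing in this exchange crosses attacker infrastructure except the polling requests, defenders have to look at the identity provider rather than at mail or web traffic: in Microsoft Entra the sign-in logs record the authentication protocol used, so device code sign-ins from applications that have no business using that flow stand out, and Conditional Access can restrict or block the flow outright for most users.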
Financial Institutions Targeted in Multi-Stage Campaign
Phishing actors have also focused on U.S.-based banks and credit unions in a separate campaign conducted in two waves, beginning in June 2025 and intensifying in November 2025.
Attackers registered deceptive .co.com domains that closely resembled legitimate financial institution websites. When accessed through phishing emails, these domains loaded fake Cloudflare CAPTCHA pages designed to appear credible.
The CAPTCHA pages were intentionally non-functional: they introduced a delay and then redirected victims, via a Base64-encoded script, to credential-harvesting portals.
To evade automated security scanners, direct visits to these domains (those arriving without the expected referrer) were redirected to malformed URLs, for example hostnames with a doubled www.www. prefix, so that crawlers never reached the real content.
Researchers observed that the attackers deployed layered evasion tactics including referrer validation, cookie-based access restrictions, deliberate delays, and code obfuscation. Together these made the phishing infrastructure resilient against both automated detection systems and manual investigation.
Phishing-as-a-Service Becomes More Advanced
The rise of Starkiller and similar kits signals a shift toward phishing-as-a-service ecosystems. These turnkey platforms package sophisticated attack techniques into accessible tools, allowing even low-skill cybercriminals to execute complex MFA-bypass operations at scale.
Security professionals warn that organizations must strengthen email filtering, enforce phishing-resistant authentication methods such as FIDO2/WebAuthn security keys and passkeys, monitor OAuth application registrations and consent grants, and implement continuous session monitoring to defend against this evolving threat landscape.