Jinkusu
Jinkusu is a cybercrime threat group associated with operating and advertising Starkiller, a newer adversary-in-the-middle (AiTM) phishing-as-a-service platform. Jinkusu is reported to market Starkiller as a commercial, SaaS-style cybercrime platform with a subscription dashboard and an active user forum where customers discuss techniques, request features, and troubleshoot deployments. Starkiller is described as letting customers impersonate brands including Microsoft, Google, Apple, and Facebook, and as accepting a brand's real URL as the target of a phishing operation. Starkiller reportedly runs a headless Chrome browser in a Docker container and acts as a reverse proxy between the victim and the legitimate website: it serves the live login content while capturing credentials, MFA inputs, session cookies, and session tokens. Reported platform features include centralized infrastructure management, phishing page deployment, session monitoring, URL masking and URL-shortener integration, deceptive URL generation, campaign analytics, geo-tracking, Telegram alerts, and an "Active Targets" dashboard for real-time monitoring. Because the phishing pages relay genuine content from the legitimate portals, this design lowers the barrier for less skilled attackers and makes detection harder. Jinkusu is also reported to offer several cybercrime services beyond Starkiller, and an add-on associated with the service can reportedly harvest email addresses and contact information from compromised sessions for follow-on phishing. No nation-state attribution is provided in the reporting. Known alias: jinkusu.
Tradecraft
10 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Operator of the Starkiller AiTM-as-a-service platform.
Advertising and enabling use of the Starkiller phishing suite, which proxies legitimate login pages to bypass MFA and capture credentials/sessions; provides centralized infrastructure management, page deployment, and session monitoring to lower the barrier for phishing operations.
Operates and markets the Starkiller phishing suite as a cybercrime platform (phishing-as-a-service) that uses adversary-in-the-middle (AiTM) reverse-proxying of legitimate login pages to capture credentials and session tokens, enabling MFA bypass and account takeover. Provides centralized infrastructure management, phishing page deployment, and session monitoring; supports URL masking and shorteners to obscure destinations.