
Jinkusu

Also known as: Jinkusu

Jinkusu is a cybercrime threat group associated with operating and advertising Starkiller, a newer adversary-in-the-middle (AiTM) phishing-as-a-service platform. The source reporting describes Jinkusu marketing Starkiller as a commercial, SaaS-style cybercrime platform with a subscription dashboard and an active user forum where customers discuss techniques, request features, and troubleshoot deployments. Starkiller is described as letting customers impersonate brands including Microsoft, Google, Apple, and Facebook, and as accepting a brand's real URL as the target of a phishing operation.

According to the source reporting, Starkiller runs a headless Chrome browser in a Docker container and acts as a reverse proxy between victims and the legitimate website: it serves live login content from the real portal while capturing credentials, MFA inputs, session cookies, and session tokens. Reported platform features include centralized infrastructure management, phishing page deployment, session monitoring, URL masking and URL shortener integration, deceptive URL generation, campaign analytics, geo-tracking, Telegram alerts, and an "Active Targets" dashboard for real-time monitoring. Because the phishing pages relay genuine content from the legitimate portal, the reporting states that this design lowers the barrier for less skilled attackers and makes detection harder.

The reporting also states that Jinkusu offers several cybercrime services beyond Starkiller, and that an add-on capability associated with the service can harvest email addresses and contact information from compromised sessions for follow-on phishing. No nation-state attribution is provided in the source reporting. Known alias in the source reporting: jinkusu.


MITRE ATT&CK

Tradecraft

10 distinct techniques observed across reporting, grouped by tactic. Coverage: 7 of 15 tactics, 16 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  T1589 Gather Victim Identity Information
    T1589.002 Email Addresses

TA0001 Initial Access (1 technique)
  T1566 Phishing
    T1566.002 Spearphishing Link (×2)

TA0005 Stealth (1 technique)
  T1036 Masquerading

TA0006 Credential Access (4 techniques)
  T1056 Input Capture
    T1056.001 Keylogging
  T1539 Steal Web Session Cookie (×5)
  T1557 Adversary-in-the-Middle (×2)
  T1621 Multi-Factor Authentication Request Generation

TA0007 Discovery (1 technique)
  T1614 System Location Discovery

TA0009 Collection (2 techniques)
  T1056 Input Capture
    T1056.001 Keylogging
  T1557 Adversary-in-the-Middle (×2)

TA0010 Exfiltration (1 technique)
  T1567 Exfiltration Over Web Service
    T1567.002 Exfiltration to Cloud Storage
Recent activity

7 sources tracked across advisories, community write-ups, and news.
