Mallory
Malware · Used by 2 actors

Starkiller

Starkiller is a phishing-as-a-service / adversary-in-the-middle phishing framework advertised by a group calling itself Jinkusu. The reporting consistently describes it as a newer AiTM-as-a-service platform with a subscription-style dashboard and centralized control panel for infrastructure management, phishing page deployment, and session monitoring. It is designed to bypass multi-factor authentication by proxying legitimate login pages in real time, allowing attackers to capture credentials, MFA inputs, session cookies, and session tokens for account takeover.

The framework launches a headless Chrome instance inside a Docker container and loads the real target website while acting as a reverse proxy between the victim and the legitimate service. This architecture keeps phishing pages synchronized with the genuine site, reduces static template artifacts, and makes detection by static page fingerprinting, blocklists, and reputation-based URL filtering more difficult. Reported operator features include selecting brands to impersonate or supplying a real brand URL, customizing lure keywords such as login, verify, security, and account, integrating URL shorteners including TinyURL, URL masking, and real-time monitoring via an Active Targets-style dashboard.

Starkiller has been described as targeting major platforms including Microsoft, Google, Apple, Facebook, PayPal, and Instagram. Delivery is described primarily through phishing emails containing malicious links, including lures resembling authentication prompts or document-sharing alerts. The content also notes email/contact harvesting from compromised sessions for follow-on phishing. Multiple sources characterize Starkiller as lowering the barrier for less skilled attackers by automating reverse-proxy, container, certificate, and hosting complexity.
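As an added illustration of the defender-side signal behind the description above (this is example code written for this page, not Mallory's or any vendor's detection logic), the following Python flags two indicators of AiTM session theft in sign-in telemetry: an MFA-completed sign-in from an IP never seen for that user (the relay proxy completes the login, not the victim's own network), and the resulting session cookie presented shortly afterwards from a different IP or user agent (the stolen cookie being replayed elsewhere). The event schema, the sample events, the documentation-range IPs and the per-user IP baseline are all constructed assumptions.

```python
"""Heuristic detection of AiTM session-cookie replay (constructed example, not Mallory's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    kind: str          # "signin" = interactive MFA login that minted the cookie; "activity" = cookie presented later
    user_agent: str


# Constructed sample telemetry. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    # Legitimate: alice signs in and keeps working from the same IP and browser.
    SessionEvent(datetime(2025, 1, 10, 9, 0), "alice", "sess-A", "198.51.100.7", "signin", "Edge/120"),
    SessionEvent(datetime(2025, 1, 10, 9, 5), "alice", "sess-A", "198.51.100.7", "activity", "Edge/120"),
    # Suspicious: bob's MFA login completes from an IP his account has never used, then the
    # same cookie is presented minutes later from another IP and a scripted client.
    SessionEvent(datetime(2025, 1, 10, 10, 0), "bob", "sess-B", "203.0.113.50", "signin", "Chrome/121"),
    SessionEvent(datetime(2025, 1, 10, 10, 3), "bob", "sess-B", "203.0.113.99", "activity", "python-requests/2.31"),
    SessionEvent(datetime(2025, 1, 10, 10, 4), "bob", "sess-B", "203.0.113.99", "activity", "python-requests/2.31"),
]

# Constructed per-user baseline of sign-in IPs seen over a prior period (e.g. the last 30 days).
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.22"}}


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    reason: str
    detail: str


def detect_aitm_indicators(events, known_ips, window=timedelta(hours=1)):
    """Return one Alert per indicator found; an empty list means nothing suspicious."""
    alerts = []
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)

    for sid, evs in by_session.items():
        signin = next((e for e in evs if e.kind == "signin"), None)
        if signin is None:
            continue  # the minting sign-in is outside this slice; nothing to compare against
        user = signin.user

        # Indicator 1: the interactive MFA sign-in came from an IP never seen for this user.
        if signin.ip not in known_ips.get(user, set()):
            alerts.append(Alert(user, sid, "signin_from_unknown_ip", signin.ip))

        # Indicator 2: the cookie is presented from another IP or user agent soon after minting.
        for e in evs:
            if e.kind != "activity" or e.ts - signin.ts > window:
                continue
            if e.ip != signin.ip or e.user_agent != signin.user_agent:
                detail = f"{signin.ip}/{signin.user_agent} -> {e.ip}/{e.user_agent}"
                alerts.append(Alert(user, sid, "session_reuse_from_new_origin", detail))
                break  # one replay alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_aitm_indicators(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"[{a.reason}] user={a.user} session={a.session_id} {a.detail}")
```

In a real deployment the IP comparison would normally be done at ASN or country granularity rather than exact IP, and the baseline would come from the identity provider's sign-in history; both heuristics produce false positives on their own (VPN switches, mobile roaming), so the two firing together on one session is the stronger triage signal.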

The provided content also contains a separate, unrelated use of the name Starkiller as the GUI front-end for PowerShell Empire, including a Censys observation of a Starkiller login panel on TCP port 1337. However, the dominant and current usage in the supplied reporting refers to the phishing framework operated by Jinkusu.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Jinkusu

Starkiller (operated by a group called Jinkusu) is a newer AiTM-as-a-service with a subscription dashboard, further demonstrating how commoditised the technique now is.

via detect.fyi
TeamPCP

From November 8th to December 11th, Censys captured a Starkiller login panel on port 1337. Starkiller is the front-end for PowerShell Empire, an open-source post-exploitation framework.

via ctrlaltintel blog (ctrlaltintel.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 2)

"The primary delivery channel for this threat is deceptive email messages containing malicious links. When a target clicks the link... the attacker’s server then acts as a middleman, forwarding the victim’s keystrokes, passwords, and multi-factor authentication codes directly to the legitimate service."

T1566.002 Spearphishing Link (evidence: 3)

"a new phishing suite named Starkiller has emerged, designed to circumvent multi-factor authentication (MFA) by proxying legitimate login pages... launching a headless Chrome browser within a Docker container, acting as a reverse proxy between the target and the genuine website."

Stealth

1 technique
T1036 Masquerading (evidence: 1)

"By combining fake software update templates with advanced link obfuscation techniques, the platform tricks users and automated security scanners."

Credential Access

4 techniques
T1539 Steal Web Session Cookie (evidence: 5)

Microsoft sets a valid session cookie and the attacker quietly keeps a copy of that cookie. The user sees their real mailbox or Teams, while the attacker opens the same session somewhere else.

T1557 Adversary-in-the-Middle (evidence: 3)

In an Adversary-in-the-Middle (AiTM) attack, the victim sees the real Microsoft login page, not a fake copy. The attacker runs a proxy that sits between the user and Microsoft, forwarding everything in real time.

T1557.002 ARP Cache Poisoning (evidence: 1)

“Since the framework proxies legitimate login pages in real time, recipients who click these links are presented with authentic website content rather than static replicas…”

T1621 Multi-Factor Authentication Request Generation (evidence: 1)

The user types their password, does MFA and logs in normally ... Because the attacker just relays the whole flow, this method bypasses normal MFA like SMS, OTP and push prompts.

Collection

2 techniques
T1557 Adversary-in-the-Middle (evidence: 3)

In an Adversary-in-the-Middle (AiTM) attack, the victim sees the real Microsoft login page, not a fake copy. The attacker runs a proxy that sits between the user and Microsoft, forwarding everything in real time.

T1557.002 ARP Cache Poisoning (evidence: 1)

“Since the framework proxies legitimate login pages in real time, recipients who click these links are presented with authentic website content rather than static replicas…”

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (7)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.