Starkiller: New Phishing Framework Proxies Real Login Pages to Bypass MFA

Go inside Starkiller's control panel to see how headless browsers and reverse proxies enable enterprise-grade phishing infrastructure with MFA bypass.

Callie Baron, Piotr Wojtyla

February 19, 2026


Most phishing kits rely on static HTML clones of login pages. While effective, they’re inherently fragile: even minor interface updates from the impersonated brand can immediately reveal the deception.

A new framework called Starkiller (not to be confused with the legitimate BC Security red team tool of the same name) takes a different approach. Sold openly as a commercial-grade cybercrime platform by a threat group calling itself Jinkusu, Starkiller is distributed like a SaaS product. It launches a headless Chrome instance—a browser that operates without a visible window—inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site.

Recipients are served genuine page content directly through the attacker's infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.

In this blog post, we take a look at the platform and its panel to break down how it works and what defenders are up against.

[Figure 1: Starkiller's landing page, advertising a 99.7% success rate]

Inside Starkiller's Enterprise-Grade Phishing Infrastructure

Starkiller's control panel gives cybercriminals a polished dashboard for deploying phishing campaigns, and the core workflow requires almost no technical skill. An attacker enters a brand’s real URL, and the platform spins up a Docker container running a headless Chrome instance that loads the real login page.

The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site's responses. Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.

[Figure 2: Platform control panel where operators paste a brand's website URL and deploy]

The feature list goes well beyond basic credential capture. Starkiller offers cybercriminals real-time session monitoring, allowing them to live-stream the target's screen as they interact with the phishing page. The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in. Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS platform would offer.

[Figure 3: Starkiller's capabilities, including MFA bypass and cookie stealing]

The MFA bypass deserves particular attention. Because the end user is actually authenticating with the real site through the proxy, any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time. The attacker captures the resulting session cookies and tokens, giving them authenticated access to the account. When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed.

[Figure 4: Extended features, including fake update templates and advanced obfuscation for phishing links]

Starkiller's marketing materials indicate the platform is also built for financial fraud, advertising specialized modules for capturing credit card numbers, crypto wallet seeds, bank credentials, and payment information. The platform also promotes fake software update templates for browsers like Chrome and Firefox, designed to trick targets into downloading malicious payloads, and an EvilEngine Core module that it claims makes phishing links completely undetectable.

The platform handles all the operational infrastructure automatically. Docker engine status, image builds, and active containers are managed from the same panel, meaning cybercriminals don't need to understand reverse proxies or certificate management to launch an attack. The low technical barrier is what makes Starkiller particularly dangerous for defenders.

URL Masking That Makes Malicious Links Vanish

Convincing recipients to interact with a suspicious link is the most challenging aspect of any phishing campaign, and Starkiller has a dedicated URL masker tool that lowers this barrier, too.

Cybercriminals select a brand to impersonate (e.g., Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, various banks, and more), and the tool generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker's infrastructure.

[Figure 5: URL Masker control panel, where attackers choose the brand to be impersonated and select optional keyword modifiers]

Once a brand is selected, operators can further customize the URL by choosing keyword modifiers, such as "login," "verify," "security," "account," "signin," "auth," or "myaccount."

The tool also integrates URL shorteners (e.g., TinyURL, is.gd, v.gd) to further obscure the destination, making it significantly more difficult for recipients and automated security controls to reliably determine the link’s true destination.

[Figure 6: URL Masker output, displaying the URL "microsoft.com-login" that actually routes to a malicious destination]

This feature relies on the classic @ symbol URL trick. In the authority section of a URL (the part between the scheme's // and the next /), everything before the @ is treated as userinfo (a username, and optionally a password) rather than as the host, and it is what is displayed prominently; the actual domain is whatever follows the @. It's an old technique, but Starkiller's point-and-click interface means even novice cybercriminals don't need to understand URL parsing to weaponize it.
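As an added detection example (not code from this post or from the Starkiller kit), the check below uses Python's standard urlsplit to separate the userinfo a masked link leads with from the host it actually resolves to, and flags links whose userinfo is shaped like a domain or carries the brand names and keyword modifiers listed above. The sample links and their .invalid hosts are constructed placeholders.

```python
from urllib.parse import urlsplit

# Brand names and keyword modifiers taken from the URL masker options described above.
IMPERSONATED_BRANDS = ("google", "microsoft", "facebook", "apple", "amazon", "netflix", "paypal")
LURE_KEYWORDS = ("login", "verify", "security", "account", "signin", "auth", "myaccount")

# Constructed sample links; the hosts are reserved .invalid placeholders, not real infrastructure.
SAMPLE_LINKS = (
    "https://microsoft.com-login@phish-host.invalid/common/oauth2",  # masked, as in the screenshot
    "https://login.microsoftonline.com/common/oauth2",               # genuine
    "https://example.invalid/profile/@handle",                       # '@' in the path, harmless
)

def analyze_url(url):
    """Separate what a link is dressed up to look like from where it really goes.

    In the authority part of a URL (between '//' and the next '/'), everything before
    the last '@' is userinfo, not the host, so a link can lead with a brand name and
    still resolve to an unrelated domain. Returns the true host plus a reason list."""
    parts = urlsplit(url)
    true_host = (parts.hostname or "").lower()
    userinfo = parts.netloc.rpartition("@")[0].lower()  # '' when the authority has no '@'
    reasons = []
    if userinfo:
        if "." in userinfo:
            reasons.append("userinfo is shaped like a domain name")
        if any(b in userinfo for b in IMPERSONATED_BRANDS):
            reasons.append("userinfo contains an impersonated brand")
        if any(k in userinfo for k in LURE_KEYWORDS):
            reasons.append("userinfo contains a lure keyword")
    return {"displayed_as": userinfo or true_host, "true_host": true_host, "reasons": reasons}

def is_masked_link(url):
    """True when the link relies on the '@' trick to misrepresent its destination."""
    return bool(analyze_url(url)["reasons"])

def triage(links=SAMPLE_LINKS):
    """Map each link to its true host and verdict, for a quick look at a batch of URLs."""
    return {u: (analyze_url(u)["true_host"], is_masked_link(u)) for u in links}
```

Links passed through the shorteners mentioned above (TinyURL, is.gd, v.gd) have to be expanded to their final destination before this check sees anything, since the shortened form carries no userinfo at all.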

What the Target Sees: Indistinguishable Pages

When recipients click a Starkiller phishing link, they are presented with the legitimate site rendered in real time—for example, a Microsoft login portal. The attacker's server has loaded it in a headless browser and is acting as a reverse proxy, forwarding the legitimate site's HTML, CSS, and JavaScript directly to the end user’s browser.

[Figure 7: How the masked URL appears in a target's browser address bar]

The target types their credentials into what is an authentic Microsoft login form, but because the traffic passes through the attacker's server, every input is captured in transit. The URL is the only giveaway, and the masking tricks above are designed to eliminate even that signal.

[Figure 8: A live Starkiller phishing page rendering the real Microsoft sign-in portal]

Meanwhile, on the cybercriminal's side, the Active Targets dashboard shows the target’s session in real time, including their location, device type, IP address, and whether the session is still active.

[Figure 9: A live session visible in the Active Targets dashboard]

From this view, threat actors can watch the session live, inject additional prompts to harvest more data, or terminate the session entirely. The target never knows.

Email: The Most Likely Delivery Channel for Starkiller Attacks

While Starkiller's reverse proxy engine and URL masking tools are technically impressive on their own, the framework is ultimately only as effective as the delivery mechanism that places its links in front of recipients. For many phishing operations, that mechanism is email.

The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel. This architecture reduces the need for operators to manually configure components such as reverse proxies, certificates, and hosting infrastructure, lowering the technical barrier to launching credential harvesting campaigns at scale.

Because Starkiller supports brand impersonation for Microsoft, Google, and other major providers, these links could plausibly appear in campaigns impersonating familiar business notifications, such as authentication prompts or document-sharing alerts. Since the framework proxies legitimate login pages in real time, recipients who click these links are presented with authentic website content rather than static replicas, reducing the visual inconsistencies that often expose traditional phishing pages.

The platform also advertises an email harvesting capability that collects email addresses and contact information from compromised sessions. According to the kit’s marketing materials, this data can be used to build target lists for follow-on campaigns. In theory, this could create a compounding effect in which a single successful credential compromise fuels the next wave of phishing emails, enabling lateral expansion across an organization.

A Forum, a Community, and a Growing Ecosystem

Starkiller isn't a standalone tool. Jinkusu maintains a community forum where cybercriminals discuss techniques, request features, and troubleshoot deployments. The forum shows an active user base sharing operational tips and asking about mobile support, indicating a growing pool of operators using the framework in the wild.

[Figure 10: Jinkusu community forum promoting Starkiller v6.2.4]

The platform even protects its own operators with time-based one-time password (TOTP) two-factor authentication—the same type of protection it's designed to bypass for end users. Operators also receive dedicated support via Telegram, monthly framework updates, and documentation. This level of ongoing development means Starkiller is likely to become increasingly difficult to detect and defend against.

[Figure 11: Starkiller's login page, complete with 2FA for operators]

Why Traditional Defenses Won't Stop Starkiller

Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling. By proxying real websites live instead of serving static clones, it bypasses the primary detection mechanism most security tools rely on: page fingerprinting.

Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach. Tools like this are why phishing remains the most common initial access vector for breaches—and why the problem is getting worse.

Traditional detection approaches—including static page analysis, domain blocklisting, and reputation-based URL filtering—are insufficient when frameworks like Starkiller dynamically generate phishing pages for each session. Detection needs to shift toward behavioral signals: anomalous login patterns, session token reuse from unexpected locations, and identity-aware analysis that can catch a compromised session even when the phishing page itself looks perfect.
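As an added example of the session-level signal described above (not code from this post), the detector below reads constructed identity-provider log lines in an assumed key=value format and flags a session whose token is used from a different IP than the one that completed MFA within a short window: the login itself was genuine, so the replay of the captured session from elsewhere is the signal to look for.

```python
import re
from datetime import datetime, timedelta

# Constructed identity-provider log lines (not from the page); the key=value format is
# an assumption. s-7f3a passes MFA from one network and is used from another minutes later.
SAMPLE_LOG = """\
2026-02-19T10:00:04Z session=s-7f3a user=alice ip=203.0.113.5 country=US event=mfa_success
2026-02-19T10:02:30Z session=s-7f3a user=alice ip=198.51.100.7 country=NL event=mailbox_read
2026-02-19T10:05:00Z session=s-7f3a user=alice ip=198.51.100.7 country=NL event=inbox_rule_created
2026-02-19T11:00:03Z session=s-91cc user=bob ip=192.0.2.10 country=US event=mfa_success
2026-02-19T11:20:00Z session=s-91cc user=bob ip=192.0.2.10 country=US event=mailbox_read
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) country=(?P<country>\S+) event=(?P<event>\S+)$"
)

def parse_events(text):
    """Parse log text into dicts with a datetime 'ts'; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events

def find_session_hijacks(events, window=timedelta(minutes=30)):
    """Flag the first use of a session from an IP other than the one that passed MFA,
    within `window` of that MFA success: the login was genuine, the replay is not."""
    mfa_origin = {}  # session -> (ts, ip, country) recorded at mfa_success
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            mfa_origin[sid] = (ev["ts"], ev["ip"], ev["country"])
        elif sid in mfa_origin:
            ts0, ip0, cc0 = mfa_origin[sid]
            if ev["ip"] != ip0 and ev["ts"] - ts0 <= window:
                findings.append({
                    "session": sid, "user": ev["user"], "mfa_ip": ip0,
                    "reuse_ip": ev["ip"], "event": ev["event"],
                    # country change is the higher-confidence signal; IP-only changes
                    # are noisy for mobile and VPN users, so they rank lower
                    "severity": "high" if ev["country"] != cc0 else "medium",
                })
                del mfa_origin[sid]  # one finding per session is enough for triage
    return findings
```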

This is especially true at the inbox level, where analyzing the behavioral context of each email—rather than relying solely on the content of the links it contains—offers the most effective way to stop these attacks before they reach end users.

For additional insight into the attack landscape and analyses of other dark web tools, visit Abnormal Intelligence, our threat intelligence data and research hub.
