Close Menu
    What's Hot

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    The viral watermelon ice cream hack looks like magic. Does it actually work?

    Trump’s Election Claims and SAVE Act Push Find Muted Response From G.O.P. Lawmakers

    Facebook X (Twitter) Instagram
    Trending
    • OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
    • The viral watermelon ice cream hack looks like magic. Does it actually work?
    • Trump’s Election Claims and SAVE Act Push Find Muted Response From G.O.P. Lawmakers
    • Trump Pursues a Deeper Bond With China’s Leader, Despite Hostile Speech
    • Opinion | How Trump Abused the Power to Declassify America’s Secrets
    • EU urges Israel to halt settlement expansion as settlers attack children | Occupied West Bank News
    • Ezri Konsa: Arsenal preparing offer for Aston Villa defender as Morgan Rogers talks continue – Paper Talk | Football News
    • Does Cuba Have Iranian Drones?
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

    adminBy adminMarch 3, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication

    Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.

    It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.

    “It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.

    “Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.”

    This login page proxying technique obviates the need for attackers to update their phishing page templates periodically as the real pages they’re impersonating get updated.

    Cybersecurity

    Put differently, the container acts as an AitM reverse proxy, forwarding the end user’s inputs entered on the spoofed live page to the legitimate site and returning the site’s responses. Under the hood, every keystroke, form submission, and session token is routed through attacker-controlled infrastructure and is captured for account takeover.

    “The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel,” Abnormal said. “Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”

    The development comes as Datadog revealed that the 1Phish kit had evolved from a basic credential harvester in September 2025 into a multi-stage phishing kit targeting 1Password users.

    The updated version of the kit incorporates a pre-phishing fingerprint and validation layer, support for capturing one-time passcodes (OTPs) and recovery codes, and browser fingerprinting logic to filter out bots.

    “This progression reflects deliberate iteration rather than simple template reuse,” security researcher Martin McCloskey said. “Each version builds upon the previous one, introducing controls designed to increase conversion rates, reduce automated analysis, and support secondary authentication harvesting.”

    The findings show that turkey solutions like Starkiller and 1Phish are increasingly turning phishing into SaaS-style workflows, further lowering the skill barrier necessary to pull off such attacks at scale.

    They also coincide with a sophisticated phishing campaign targeting North American businesses and professionals by abusing the OAuth 2.0 device authorization grant flow to sidestep multi-factor authentication (MFA) and compromise Microsoft 365 accounts.

    To achieve this, the attacker registers on the Microsoft OAuth application and generates a unique device code, which is then delivered to the victim via a targeted phishing email.

    “The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an attacker-supplied device code,” researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said. “This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.”

    In recent months, phishing campaigns have also targeted financial institutions, specifically U.S.-based banks and credit unions, to harvest credentials. The campaign is said to have taken place over two distinct phases, an initial wave beginning in late June 2025 and a more sophisticated set of attacks beginning in mid-November 2025.

    Cybersecurity

    “The actors began registering [.]co[.]com domains spoofing financial institution websites, presenting credible impersonations of real financial institutions,” BlueVoyant researchers Shira Reuveny and Joshua Green said. “These [.]co[.]com domains serve as the initial entry point in a refined multi-stage chain.”

    The domain, when visited from a clickable link in a phishing email, is designed to load a fraudulent Cloudflare CAPTCHA page that mimics the targeted institution. The CAPTCHA is non-functional and creates a deliberate delay before a Base64-encoded script redirects users to the credential harvesting page.

    In an effort to evade detection and prevent automated scanners from flagging the malicious content, directly accessing the [.]co[.]com domains trigger a redirect to a malformed “www[.]www” URL.

    “The adversary’s deployment of a more advanced multi-layered evasion chain – incorporating referrer validation, cookie-based access controls, intentional delays, and code obfuscation – effectively creates a more resilient infrastructure that presents barriers for automated security tools and manual analysis,” BlueVoyant said.

    AitM Authentication Bypass MultiFactor Phishing Proxy reverse Starkiller Suite
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleYou Could Get Banned from This Major Airline for Not…
    Next Article Highguard has raided its last fortress, will shutdown on March 12
    admin
    • Website

    Related Posts

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    July 18, 2026

    New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

    July 17, 2026

    Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

    July 17, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    The viral watermelon ice cream hack looks like magic. Does it actually work?

    Trump’s Election Claims and SAVE Act Push Find Muted Response From G.O.P. Lawmakers

    Trump Pursues a Deeper Bond With China’s Leader, Despite Hostile Speech

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by