Best-in-Class 'Starkiller' Phishing Kit Bypasses MFA - Dark Reading

Threat IntelligenceCyber RiskVulnerabilities & ThreatsCybersecurity OperationsNewsBest-in-Class 'Starkiller' Phishing Kit Bypasses MFAA user-friendly PhaaS tool beats standard methods for detecting phishing attacks by live-proxying legitimate login sites.Nate Nelson,Contributing WriterFebruary 19, 20264 Min ReadSource: Photobyt via Alamy Stock PhotoA growing phishing-as-a-service (PhaaS) tool reliably undermines traditional methods for detecting phishing attacks, both technical and psychological."Starkiller," described this week by researchers at Abnormal AI, is packaged and sold with a sleekness comparable to legitimate software-as-a-service (SaaS) platforms. It's got a clean, retrofuturist dashboard, sporting real-time campaign analytics. It gets periodic updates, and even allows its cybercriminal users to log in using two-factor authentication (2FA).It's got substance to back up its style, too. Its website advertises "enterprise-grade phishing infrastructure" for "campaigns that bypass modern security systems." Though its self-reported 99.7% success rate is almost certainly fictional, it really does help attackers bypass many of the traditional phishing security techniques so many enterprises rely on, according to Abormal AI's research.Related:Feuding Ransomware Groups Leak Each Other's DataIts foremost trick is that, where other PhaaS platforms might help hackers create phishing pages that convincingly mimic popular websites, Starkiller goes one step further, proxying the actual websites that users want to visit and swiping their credentials along the way.For Callie Baron, senior content marketing manager for threat intelligence at Abnormal AI, "What is novel isn't a single feature; it’s the architecture and packaging. Starkiller turns high-end reverse-proxy tradecraft into a turnkey, SaaS-style workflow that dramatically lowers the skill barrier and removes the usual weak points defenders rely on."Meet Starkiller Starkiller offers an end-to-end phishing suite, starting with its techniques for masking URLs.From Starkiller's graphical user interface (GUI), users can simply select one of a variety of brand name companies to impersonate, from Apple to PayPal to Instagram. Then they can select a keyword to modify the link, like "login" or "security," depending on the nature of their scam.Because "login.apple.com" isn't a domain available to hackers, Starkiller uses two classic tricks to make the URL as close to realistic as possible. It integrates URL shorteners, and employs the "@" symbol technique. Browsers treat characters before an @ symbol in a URL as innocuous user info, but still display it prominently, allowing attackers to frontload a fake, legitimate-looking half of a domain and deemphasize the actual domain users are funneled to.When a victim clicks the malicious link, they don't see some diligently crafted landing page made to look almost but not quite exactly like a legitimate one. They're brought to the actual website they intended to go to. The catch is, that site is being funneled through an attacker's cloud infrastructure. Starkiller spins up a Docker container, running a headless Chrome instance for the user.Related:North Korea's Lazarus Targets macOS Users via ClickFixOnce the victim enters their login information, or even a multifactor authentication (MFA) code, they'll successfully get into their account. Meanwhile, their hacker will have nabbed the credentials they entered and the session token granted to the victim for having passed the MFA check, allowing the hacker to log into the account as well.Even better — this entire process is essentially automated. Besides identifying which service they'd like to impersonate, all a Starkiller user really has to do is sit back and track their infections from an easy-to-use GUI. The program does all the dirty work.Baron explains, "It centralizes container life cycle, builds, and active infrastructure alongside phishing deployment and active session monitoring, explicitly reducing the need to understand reverse proxies and certificates. Lowering that technical barrier expands who can execute high-end phishing tradecraft and is a major differentiator in real-world impact."How Starkiller Beats Standard Phishing DetectionRelated:Tropic Trooper APT Takes Aim at Home Routers, Japanese TargetsStarkiller's login page proxying technique saves its users all kinds of time they'd otherwise have to spend designing phishing pages. It also shields them from "template drift" — having to update their phishing pages as the real pages they're mimicking get updated.More than anything, though, "it highlights why traditional phishing detection approaches — like static page analysis, blocklists, and reputation-based URL filtering — can fall short. Because Starkiller proxies real login pages live rather than serving a cloned template, there often isn't a stable phishing-page fingerprint to match, and the victim experience can look indistinguishable from a legitimate sign-in," Baron says.From her perspective, Starkiller represents a broader shift in phishing infrastructure, with attackers moving toward real-time, session-aware compromises rather than straightforward credential harvesting. In the face of that, she says, "Organizations have to shift toward behavioral and identity-aware detection. This means monitoring for anomalous sign-ins, session token reuse, impossible travel patterns, and other signals of compromised sessions, even when MFA was technically completed and the login page looked legitimate.""If defenders are only asking, 'Was MFA completed?' they’re asking the wrong question," she argues. "The more important question is whether the authenticated session itself behaves like the legitimate user."About the AuthorNate NelsonContributing WriterNate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.See more from Nate NelsonWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsThe Agentic SOC: Exploring the Practitioner Mindset as AI Permeates SecOpsThe Total Economic Impact™ Of Google SecOpsThe Business Value of Google Threat IntelligenceThe Total Economic Impact™ Of Google SecOpsAI-driven SecOps: Transforming Financial Services SecurityAccess More ResearchWebinarsHow Well Can You See What's in Your Cloud?Implementing CTEM: Beyond Vulnerability ManagementDefending Against AI-Powered Attacks: The Evolution of Adversarial Machine LearningZero Trust Architecture for Cloud environments: Implementation RoadmapTips for Managing Cloud Security in a Hybrid Environment?More WebinarsYou May Also LikeThreat IntelligenceHackers Target Cybersecurity Firm Outpost24 in 7-Stage Phishby Jai VijayanMar 17, 2026Threat IntelligenceIran's Cyber-Kinetic War Doctrine Takes Shapeby Alexander CulafiMar 06, 2026Threat IntelligenceReact2Shell Exploits Flood the Internet as Attacks Continueby Rob WrightDec 12, 2025Threat IntelligenceChinese Gov't Fronts Trick the West to Obtain Cyber Techby Nate Nelson, Contributing WriterOct 06, 2025Editor's ChoiceСloud SecurityNavigating the Unique Security Risks of Asia's Digital Supply ChainNavigating the Unique Security Risks of Asia's Digital Supply ChainbyAlexander CulafiApr 15, 20263 Min ReadCyberattacks & Data BreachesStuxnet, The Prequel: Earlier Version Of Cyberweapon DiscoveredStuxnet, The Prequel: Earlier Version Of Cyberweapon DiscoveredbyKelly Jackson HigginsFeb 26, 20135 Min ReadWant more Dark Reading stories in your Google search results?2026 Security Trends & OutlooksThreat IntelligenceCybersecurity Predictions for 2026: Navigating the Future of Digital ThreatsJan 2, 2026Cyber RiskNavigating Privacy and Cybersecurity Laws in 2026 Will Prove DifficultJan 12, 2026|7 Min ReadEndpoint SecurityCISOs Face a Tighter Insurance Market in 2026Jan 5, 2026|7 Min ReadThreat Intelligence2026: The Year Agentic AI Becomes the Attack-Surface Poster ChildJan 30, 2026|8 Min ReadDownload the CollectionKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeWebinarsHow Well Can You See What's in Your Cloud?Thurs, June 4, 2026 at 1:00pm ESTImplementing CTEM: Beyond Vulnerability ManagementThurs, May 21, 2026 at 1pm ESTDefending Against AI-Powered Attacks: The Evolution of Adversarial Machine LearningMon, May 11, 2026 at 1:00pm ETZero Trust Architecture for Cloud environments: Implementation RoadmapTues, May 12, 2026 at 1pm ESTTips for Managing Cloud Security in a Hybrid Environment?Thurs, May 7, 2026 at 1pm ESTMore WebinarsWhite Papers7 best practices for secrets lifecycle managementReinventing the SOC with agentic AIEnhancing SecOps with Google Threat IntelligenceEnhancing SecOps with Google Threat IntelligenceEnhancing SecOps with Google Threat IntelligenceExplore More White PapersBlack Hat Asia | Marina Bay Sands, SingaporeExperience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass.GET YOUR PASS