The Starkiller phishing framework uses reverse proxies between legitimate websites and targets, bypassing traditional detection methods.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Starkiller is a new SaaS-style phishing framework developed by threat group Jinkusu that uses headless Chrome inside Docker containers to act as a live reverse proxy between victims and real brand websites. Unlike traditional phishing kits that clone static HTML pages, Starkiller proxies the legitimate site in real time, making it impossible for security vendors to fingerprint or blocklist template files. The platform captures keystrokes, cookies, session tokens, and MFA codes, enabling full account takeover. It features a polished dashboard requiring minimal technical skill, campaign analytics, geo-tracking, Telegram alerts, and specialized modules for financial fraud. Security experts warn that this approach renders MFA insufficient on its own, since the session token itself is intercepted post-authentication, and recommend phishing-resistant FIDO2/passkey credentials and zero-trust architectures as mitigations.

Starkiller Phishing Framework Bypasses Defenses with Reverse Proxies, Takes an SaaS Approach