Starkiller Phishing Suite Revolutionizes Cybercrime with Advanced Tactics


By Tina Reynolds


A new, off-the-shelf phishing tool called Starkiller recently appeared on the darknet, and it is being weaponized at an alarming rate thanks to a marketing campaign run by the threat group Jinkusu. This Turkish solution offers a far more advanced platform for running phishing attacks, and it also lowers the barrier to entry, enabling even relatively inexperienced criminals to run massive campaigns.

Starkiller’s distinctive feature is that users can select a brand to impersonate or supply a brand’s actual URL, and the tool then proxies the real site in real time. This makes it nearly impossible for security vendors to find or stop these attacks. The latest iteration adds further capabilities: it can capture one-time passcodes (OTPs) and recovery codes, greatly improving its ability to defeat multi-factor authentication (MFA) systems.

A New Era of Phishing

Starkiller’s customized phishing capabilities give adversaries a Software as a Service (SaaS)-style workflow for phishing. This shift makes phishing campaigns easier to operate and centralizes control of the infrastructure: phishing page deployment and session monitoring are managed entirely from a single control panel.

“The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel,” – Abnormal.

Unsurprisingly, the tool was at the forefront of a multi-stage phishing campaign targeting financial institutions in North America. The campaign played out in two separate waves, starting in late June 2025 and running through mid-November 2025. Throughout, Starkiller was used to produce realistic impersonations of major financial institutions.

“The actors began registering [.]co[.]com domains spoofing financial institution websites, presenting credible impersonations of real financial institutions,” – Shira Reuveny and Joshua Green.

Advanced Evasion Techniques

Among Starkiller’s most dangerous elements are its advanced evasion techniques, which bypass the defenses of legacy security solutions outright. The tool also abuses the OAuth 2.0 device authorization grant flow, which lets attackers bypass MFA entirely and compromise Microsoft 365 accounts with ease.

“The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an [attacker-supplied device code],” – Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke.
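The device-code abuse described above leaves a trace that defenders can look for: the victim completes a device-code sign-in for an application the account has never authorized that way. The following detection is an added example written for this article, not code from the article or from Microsoft. The record shape is constructed to resemble a Microsoft Entra sign-in log entry; the "deviceCode" value of the AuthenticationProtocol field is the one real detail relied on, and every other field name and the sample records are assumptions. Tenants whose users never need the device code flow can also block it outright with the authentication-flows condition in Conditional Access.

```python
"""Flag OAuth 2.0 device-code sign-ins in sign-in log records.

Added example (not from the article or from Microsoft). The record shape
is constructed to resemble a Microsoft Entra sign-in log entry; the
"deviceCode" protocol value is the one real detail relied on, every
other field name here is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample. Only c@example.com has a history of device-code
# sign-ins (a CLI on a headless host); a@example.com never used the flow.
SAMPLE_SIGNINS = [
    {"time": "2025-06-30T09:00:00Z", "user": "a@example.com", "protocol": "oAuth2",
     "app": "Microsoft 365", "ip": "203.0.113.10", "result": "0"},
    {"time": "2025-06-30T09:05:00Z", "user": "c@example.com", "protocol": "deviceCode",
     "app": "Azure CLI", "ip": "198.51.100.7", "result": "0"},
    {"time": "2025-07-01T08:02:00Z", "user": "a@example.com", "protocol": "oAuth2",
     "app": "Microsoft 365", "ip": "203.0.113.10", "result": "0"},
    {"time": "2025-07-01T08:10:00Z", "user": "a@example.com", "protocol": "deviceCode",
     "app": "Microsoft Office", "ip": "203.0.113.10", "result": "0"},
    {"time": "2025-07-01T10:30:00Z", "user": "c@example.com", "protocol": "deviceCode",
     "app": "Azure CLI", "ip": "198.51.100.7", "result": "0"},
    {"time": "2025-07-01T11:00:00Z", "user": "b@example.com", "protocol": "deviceCode",
     "app": "Microsoft Office", "ip": "192.0.2.44", "result": "50126"},
]


def build_baseline(events, cutoff):
    """Per-user sets of protocols and apps seen in successful sign-ins before cutoff."""
    protocols = defaultdict(set)
    apps = defaultdict(set)
    for e in events:
        if parse_ts(e["time"]) < cutoff and e["result"] == "0":
            protocols[e["user"]].add(e["protocol"])
            apps[e["user"]].add(e["app"])
    return protocols, apps


def device_code_alerts(events, cutoff_iso):
    """Return one alert per successful device-code sign-in at or after the cutoff.

    Severity is raised when the account has never completed a device-code
    sign-in before, or when the authorized application is new for that
    account: a victim who types an attacker-supplied code into the
    legitimate devicelogin page produces exactly that pattern.
    """
    cutoff = parse_ts(cutoff_iso)
    known_protocols, known_apps = build_baseline(events, cutoff)
    alerts = []
    for e in sorted(events, key=lambda x: parse_ts(x["time"])):
        if parse_ts(e["time"]) < cutoff or e["protocol"] != "deviceCode":
            continue
        if e["result"] != "0":
            continue  # failed attempts belong in a separate, lower-priority rule
        reasons = []
        if "deviceCode" not in known_protocols[e["user"]]:
            reasons.append("first device-code sign-in for this account")
        if e["app"] not in known_apps[e["user"]]:
            reasons.append("application not previously used by this account")
        alerts.append({
            "time": e["time"], "user": e["user"], "app": e["app"], "ip": e["ip"],
            "severity": "high" if reasons else "medium", "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS, "2025-07-01T00:00:00Z"):
        print(alert["severity"].upper(), alert["user"], alert["app"], "; ".join(alert["reasons"]))
```

On the constructed sample this yields a high-severity alert for a@example.com (first device-code sign-in, new application) and a medium one for c@example.com, whose CLI usage matches its baseline. The baseline window is the tunable part: too short and routine CLI users alert daily, too long and a compromised account that was phished once keeps looking "normal".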

Starkiller also adds a pre-fingerprinting and validation layer that filters out bots and other unwanted traffic from the outset, and this logic further complicates detection for security providers. For page delivery, Starkiller serves the real page content directly through the attack infrastructure, so the phishing page is always current and relevant.

“Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.”
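Because the kit proxies the genuine site, the page body offers nothing to fingerprint, as the quote above notes; what it cannot hide is its own hostname and certificate, which is why the campaign described earlier depended on registering look-alike .co.com domains. The check below is an added example written for this article, not code from the article or from any vendor quoted in it: it flags newly observed hostnames that carry a protected brand's name outside that brand's own registrable domain. The brand list, the suffix subset, the substitution map and the hostnames are all constructed; a real deployment would take suffix rules from the Public Suffix List and feed in hostnames from certificate-transparency or DNS logs.

```python
"""Flag newly observed hostnames that impersonate a protected brand.

Added example, not code from the article or from any vendor quoted in it.
Brand list, suffix subset, substitution map and hostnames are constructed;
a real deployment would use the Public Suffix List for suffix rules.
"""

# Constructed: genuine registrable domain -> brand token used in look-alikes.
PROTECTED_BRANDS = {
    "examplebank.com": "examplebank",
    "example-credit.com": "example-credit",
}

# Constructed subset of multi-label public suffixes. "co.com" is a subdomain
# registry, so "brand.co.com" must be treated as its own registrable domain
# rather than as a host under "co.com".
MULTI_LABEL_SUFFIXES = {"co.com", "co.uk", "com.au"}

# Heuristic digit and separator substitutions seen in look-alike registrations.
_LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Collapse common substitutions so 'Examp1e-Bank' compares as 'examplebank'."""
    return label.lower().translate(_LOOKALIKE_MAP)


def impersonation_hits(hostnames):
    """Return hostnames carrying a brand token outside that brand's own domain."""
    hits = []
    for host in hostnames:
        owner = registrable_domain(host)
        labels = host.lower().rstrip(".").split(".")
        for brand_domain, token in PROTECTED_BRANDS.items():
            if owner == brand_domain:
                continue  # genuine brand infrastructure, including its subdomains
            wanted = normalize_label(token)
            if any(wanted in normalize_label(label) for label in labels):
                hits.append({"host": host, "brand": brand_domain, "registrable_domain": owner})
    return hits


# Constructed feed of newly observed hostnames.
SAMPLE_HOSTNAMES = [
    "login.examplebank.com",
    "examplebank.co.com",
    "examp1ebank-secure.net",
    "examplebank.com.account-verify.net",
    "news.example-credit.com",
    "example-credit.co.uk",
    "co.com",
]

if __name__ == "__main__":
    for hit in impersonation_hits(SAMPLE_HOSTNAMES):
        print(f"{hit['host']:40} impersonates {hit['brand']} (owner: {hit['registrable_domain']})")
```

Four of the seven constructed hostnames are flagged; the brand's own subdomains pass because the comparison is on the registrable domain, not on the full hostname. The example-credit.co.uk hit also shows the main false-positive class: a brand's legitimate regional domains have to be added to the protected list as their own entries, otherwise they look exactly like the .co.com registrations the campaign used.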

Implications for Cybersecurity

The rise of Starkiller should be a major red flag for cybersecurity professionals. The design of this release lets phishers deploy a complex, multi-layered evasion chain that combines referrer validation, cookie-based access controls, intentional delays, and code obfuscation.

“The adversary’s deployment of a more advanced multi-layered evasion chain – incorporating referrer validation, cookie-based access controls, intentional delays, and code obfuscation – effectively creates a more resilient infrastructure that presents barriers for automated security tools and manual analysis,” – BlueVoyant.

Cybersecurity experts have widely characterized Starkiller as a major leap forward in phishing methods. Martin McCloskey of Datadog emphasizes that this progression indicates “deliberate iteration rather than simple template reuse.” Unless organizations improve their defense strategies to match such advances, many will remain at risk.