A new phishing framework departs from the static HTML clones of login pages to a SaaS-like model that launches a headless Chrome instance inside a Docker container, then loads a brand’s real website and serves as a reverse proxy between the legit site and the prospective victim, according to research from Abnormal Security.
All that’s to say the Starkiller framework, the brainchild of threat group Jinkusu, offers a sturdier model than traditional phishing frameworks. Not only is the phishing page never out of date, but, as the researchers wrote in a blog post, “because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.”
Starkiller features a control panel that gives bad actors access to “a polished dashboard” they can use to launch phishing campaigns, choosing from a broad menu of items beyond basic credential capture. Upping its value—“the core workflow requires almost no technical skill,” the researchers point out.
A keylogger captures every keystroke, and cookie and session token theft lets bad actors execute a direct account takeover; the platform also geo-tracks targets and automates Telegram alerts “when new credentials come in.”
And the framework offers campaign analytics that provide visit counts, conversion rates and performance graphs, just like legit SaaS platforms provide.
“Starkiller’s marketing materials indicate the platform is also built for financial fraud, advertising specialized modules for capturing credit card numbers, crypto wallet seeds, bank credentials, and payment information,” along with fake software update templates for browsers like Chrome and Firefox, the researchers say. The unsuspecting target is tricked into downloading malicious payloads. And an EvilEngine Core module is billed as making phishing links “completely undetectable.”
The platform, they wrote, “spins up a Docker container running a headless Chrome instance that loads the real login page.”
Acting as a man-in-the-middle reverse proxy, the container forwards end-user inputs to the legit site, then returns responses from the site. “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way,” Abnormal says.
The Starkiller phishing kit “demonstrates how attackers continue to invest and innovate with phishing attacks to bypass traditional controls,” says Kern Smith, senior vice president of global solutions engineering at Zimperium.
That is of particular concern in mobile environments, “where devices serve as the primary access point to corporate and personal accounts,” he says, noting that “mobile users are the main target of phishing attacks, especially through SMS and QR codes” since they “frequently authenticate through apps and browsers outside the visibility of traditional security tools, making credential theft and account takeover harder to detect.”
What also “makes this development particularly concerning is not simply the use of reverse proxy infrastructure, but the fact that it allows attackers to operate inside a legitimate authentication flow without triggering traditional alarms,” says Shane Barney, CISO at Keeper Security.
“Users interact with real login pages, enter valid credentials and complete Multi-Factor Authentication (MFA) challenges successfully, yet the entire session is quietly relayed through attacker-controlled infrastructure,” he says.
Noting “that dynamic exposes an uncomfortable reality for many organizations that MFA alone is no longer a definitive safeguard when the session itself can be intercepted,” Barney says one-time passcodes and push approvals may “remain valuable controls, but when authentication is proxied in real time, the resulting session token becomes the attacker’s entry point.”
He maintains “identity security must extend beyond the moment of authentication,” explaining that “phishing-resistant methods such as passkeys and hardware-backed FIDO2 credentials significantly reduce replay risk because they are cryptographically bound to the legitimate domain and cannot be forwarded through a proxy in the same way.”
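To make the origin-binding point concrete, the following is an added illustration (not code from Abnormal Security, Keeper Security, or the Starkiller kit) of the two checks a WebAuthn relying party performs that a live reverse proxy cannot satisfy: the `origin` the browser writes into clientDataJSON and the SHA-256 hash of the RP ID at the start of authenticatorData. All domains, the challenge and the device key are constructed sample values; the authenticator’s ECDSA signature is replaced by an HMAC stand-in because the point is domain binding, not curve math. The proxied scenarios are deliberately the best case for a proxy (the same key is assumed to be usable for the lookalike domain); in reality a credential is scoped to its RP ID, so the authenticator would find nothing to sign at all.

```python
"""Relying-party WebAuthn checks versus a reverse-proxy login flow (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed sample values, not from the article.
LEGIT_ORIGIN = "https://login.example.com"
LEGIT_RP_ID = "login.example.com"
PROXY_ORIGIN = "https://login.example-secure.test"   # constructed lookalike domain
PROXY_RP_ID = "login.example-secure.test"
DEVICE_KEY = b"constructed-authenticator-key-stand-in"  # stands in for the private key
CHALLENGE = b"\x01\x02\x03\x04" * 8                    # 32-byte server challenge


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser fills `origin` from its own address bar; page script cannot override it.
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(body, separators=(",", ":")).encode()


def authenticator_assert(rp_id: str, client_data: bytes, key: bytes) -> dict:
    # authenticatorData = SHA-256(rpId) || flags || signCount; flag 0x01 = user present.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    # The signature covers authenticatorData and the hash of clientDataJSON,
    # so neither can be rewritten in transit without invalidating it.
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()  # HMAC stand-in for ECDSA
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": signature}


def rp_verify(assertion: dict, challenge: bytes, origin: str, rp_id: str, key: bytes) -> list:
    """Return the list of failed checks; an empty list means the assertion is accepted."""
    failures = []
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if b64url_decode(client.get("challenge", "")) != challenge:
        failures.append("challenge")
    if client.get("origin") != origin:            # the check a proxy cannot pass
        failures.append("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("userPresent")
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        failures.append("signature")
    return failures


def scenario_direct() -> list:
    # User signs in on the real site: every check passes.
    cd = browser_client_data(CHALLENGE, LEGIT_ORIGIN)
    return rp_verify(authenticator_assert(LEGIT_RP_ID, cd, DEVICE_KEY),
                     CHALLENGE, LEGIT_ORIGIN, LEGIT_RP_ID, DEVICE_KEY)


def scenario_proxied() -> list:
    # The victim's browser sits on the proxy domain, so it records that origin and
    # only permits an rpId that is a suffix of that domain. The relayed assertion
    # carries the wrong origin and the wrong rpIdHash even though it is untampered.
    cd = browser_client_data(CHALLENGE, PROXY_ORIGIN)
    return rp_verify(authenticator_assert(PROXY_RP_ID, cd, DEVICE_KEY),
                     CHALLENGE, LEGIT_ORIGIN, LEGIT_RP_ID, DEVICE_KEY)


def scenario_proxied_rewritten() -> list:
    # Even if clientDataJSON is rewritten in transit to claim the real origin,
    # the signature was computed over the original bytes and no longer verifies.
    cd = browser_client_data(CHALLENGE, PROXY_ORIGIN)
    assertion = authenticator_assert(PROXY_RP_ID, cd, DEVICE_KEY)
    assertion["clientDataJSON"] = browser_client_data(CHALLENGE, LEGIT_ORIGIN)
    return rp_verify(assertion, CHALLENGE, LEGIT_ORIGIN, LEGIT_RP_ID, DEVICE_KEY)


if __name__ == "__main__":
    print("direct:            ", scenario_direct())
    print("proxied:           ", scenario_proxied())
    print("proxied, rewritten:", scenario_proxied_rewritten())
```

Contrast this with a password plus OTP or push approval: nothing in those factors names the origin, so the relayed values verify just as well from the proxy as from the user, which is exactly the gap Barney describes.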
Even so, he says, “organizations must use a zero-trust model that assumes some credentials or sessions will eventually be exposed.”
Smith stresses the importance of organizations having “dedicated mobile security that can detect phishing, malicious links, and credential theft directly on the device, providing real-time visibility and protection against increasingly sophisticated identity-focused threats.”