TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources THREAT INTELLIGENCE CYBER RISK VULNERABILITIES & THREATS CYBERSECURITY OPERATIONS NEWS Best-in-Class 'Starkiller' Phishing Kit Bypasses MFA A user-friendly PhaaS tool beats standard methods for detecting phishing attacks by live-proxying legitimate login sites. Nate Nelson,Contributing Writer February 19, 2026 4 Min Read SOURCE: PHOTOBYT VIA ALAMY STOCK PHOTO A growing phishing-as-a-service (PhaaS) tool reliably undermines traditional methods for detecting phishing attacks, both technical and psychological. "Starkiller," described this week by researchers at Abnormal AI, is packaged and sold with a sleekness comparable to legitimate software-as-a-service (SaaS) platforms. It's got a clean, retrofuturist dashboard, sporting real-time campaign analytics. It gets periodic updates, and even allows its cybercriminal users to log in using two-factor authentication (2FA). It's got substance to back up its style, too. Its website advertises "enterprise-grade phishing infrastructure" for "campaigns that bypass modern security systems." Though its self-reported 99.7% success rate is almost certainly fictional, it really does help attackers bypass many of the traditional phishing security techniques so many enterprises rely on, according to Abormal AI's research. Related:Critical Grandstream VoIP Bug Highlights SMB Security Blind Spot Its foremost trick is that, where other PhaaS platforms might help hackers create phishing pages that convincingly mimic popular websites, Starkiller goes one step further, proxying the actual websites that users want to visit and swiping their credentials along the way. For Callie Baron, senior content marketing manager for threat intelligence at Abnormal AI, "What is novel isn't a single feature; it’s the architecture and packaging. Starkiller turns high-end reverse-proxy tradecraft into a turnkey, SaaS-style workflow that dramatically lowers the skill barrier and removes the usual weak points defenders rely on." Meet Starkiller Starkiller offers an end-to-end phishing suite, starting with its techniques for masking URLs. From Starkiller's graphical user interface (GUI), users can simply select one of a variety of brand name companies to impersonate, from Apple to PayPal to Instagram. Then they can select a keyword to modify the link, like "login" or "security," depending on the nature of their scam. Because "login.apple.com" isn't a domain available to hackers, Starkiller uses two classic tricks to make the URL as close to realistic as possible. It integrates URL shorteners, and employs the "@" symbol technique. Browsers treat characters before an @ symbol in a URL as innocuous user info, but still display it prominently, allowing attackers to frontload a fake, legitimate-looking half of a domain and deemphasize the actual domain users are funneled to. When a victim clicks the malicious link, they don't see some diligently crafted landing page made to look almost but not quite exactly like a legitimate one. They're brought to the actual website they intended to go to. The catch is, that site is being funneled through an attacker's cloud infrastructure. Starkiller spins up a Docker container, running a headless Chrome instance for the user. Related:Threat Intelligence Has a Human-Shaped Blind Spot Once the victim enters their login information, or even a multifactor authentication (MFA) code, they'll successfully get into their account. Meanwhile, their hacker will have nabbed the credentials they entered and the session token granted to the victim for having passed the MFA check, allowing the hacker to log into the account as well. Even better — this entire process is essentially automated. Besides identifying which service they'd like to impersonate, all a Starkiller user really has to do is sit back and track their infections from an easy-to-use GUI. The program does all the dirty work. Baron explains, "It centralizes container life cycle, builds, and active infrastructure alongside phishing deployment and active session monitoring, explicitly reducing the need to understand reverse proxies and certificates. Lowering that technical barrier expands who can execute high-end phishing tradecraft and is a major differentiator in real-world impact." How Starkiller Beats Standard Phishing Detection Related:Poland Energy Survives Attack on Wind, Solar Infrastructure Starkiller's login page proxying technique saves its users all kinds of time they'd otherwise have to spend designing phishing pages. It also shields them from "template drift" — having to update their phishing pages as the real pages they're mimicking get updated. More than anything, though, "it highlights why traditional phishing detection approaches — like static page analysis, blocklists, and reputation-based URL filtering — can fall short. Because Starkiller proxies real login pages live rather than serving a cloned template, there often isn't a stable phishing-page fingerprint to match, and the victim experience can look indistinguishable from a legitimate sign-in," Baron says. From her perspective, Starkiller represents a broader shift in phishing infrastructure, with attackers moving toward real-time, session-aware compromises rather than straightforward credential harvesting. In the face of that, she says, "Organizations have to shift toward behavioral and identity-aware detection. This means monitoring for anomalous sign-ins, session token reuse, impossible travel patterns, and other signals of compromised sessions, even when MFA was technically completed and the login page looked legitimate." "If defenders are only asking, 'Was MFA completed?' they’re asking the wrong question," she argues. "The more important question is whether the authenticated session itself behaves like the legitimate user." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. More Insights Industry Reports ThreatLabz 2025 Ransomware Report The Total Economic Impact™ Of Zscaler Private Access (ZPA) Zscaler ThreatLabz 2025 VPN Risk Report GigaOm Radar for CNAPP The Total Economic Impact™ of Google SecOps Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like THREAT INTELLIGENCE 'Darcula' Phishing Kit Can Now Impersonate Any Brand by Nate Nelson, Contributing Writer FEB 20, 2025 THREAT INTELLIGENCE MITRE EMB3D for OT & ICS Threat Modeling Takes Flight by Robert Lemos, Contributing Writer MAR 07, 2025 THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice ENDPOINT SECURITY Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again byNate Nelson FEB 12, 2026 6 MIN READ CYBER RISK Those 'Summarize With AI' Buttons May Be Lying to You byJai Vijayan FEB 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Senegalese Data Breaches Expose Lack of Security Maturity byNate Nelson FEB 12, 2026 5 MIN READ 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers 5 Steps to Stop Ransomware With Zero Trust The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Assessing Security Architectures: Zero Trust vs. Network-Centric Models 10 Ways a Zero Trust Architecture Protects Against Ransomware Lock the Front Door: The Easiest Way to Reduce Your Attack Surface Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE Discover More Black Hat Omdia Working With Us About Us Advertise Reprints Join Us NEWSLETTER SIGN-UP Follow Us Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget,