Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Starkiller phishing platform has emerged as a SaaS-style criminal service, raising the scale and durability of credential theft operations. It is sold on the dark web with a subscription model, updates, and customer support. The platform proxies live login pages through attacker-controlled infrastructure, making the phishing page harder to fingerprint or block. By forwarding one-time codes and authentication tokens in real time, it can bypass MFA and help attackers seize accounts across major online services.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
Campaign
H score36
First: 08.07.2026 15:52
Last: 08.07.2026 15:52
Sources 1
About this happening:
The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
CampaignAbout this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
UK under-16 social media age-check ban
Public Sector Action
H score25
First: 16.06.2026 17:38
Last: 16.06.2026 17:38
Sources 1
About this happening:
The **UK government** announced a ban on **under-16s** using social media, requiring **age checks** for new accounts and tightening access to major platforms. The rollout is set f...
UK under-16 social media age-check ban
Public Sector ActionAbout this happening: The **UK government** announced a ban on **under-16s** using social media, requiring **age checks** for new accounts and tightening access to major platforms. The rollout is set f...
Sniper Dz MENA fake Facebook phishing and monetization campaign
Campaign
H score30
First: 15.06.2026 09:30
Last: 15.06.2026 09:30
Sources 1
About this happening:
A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...
Sniper Dz MENA fake Facebook phishing and monetization campaign
CampaignAbout this happening: A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...
Timeline
-
19.02.2026 14:00 2 articles · 4mo ago
Starkiller dark-web phishing SaaS enables live credential theft
Initial DisclosureStarkiller is a dark-web phishing platform sold with subscriptions, updates, and customer support. It proxies live login pages through attacker-controlled infrastructure in headless Chrome, supports real-time session monitoring and keylogging, and can bypass MFA by relaying one-time codes and authentication tokens in real time. The kit can mimic Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, various banks and other online services, and is likely distributed through phishing emails that imitate legitimate alerts and notifications.
Show sources
- Starkiller: New ‘Commercial-Grade’ Phishing Kit Bypasses MFA — www.infosecurity-magazine.com — 19.02.2026 14:00
- Starkiller: New ‘Commercial-Grade’ Phishing Kit Bypasses MFA — www.infosecurity-magazine.com — 19.02.2026 14:00