Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service
Threat Actor Meta
Summary
The Starkiller phishing platform has emerged as a SaaS-style criminal service, raising the scale and durability of credential theft operations. It is sold on the dark web with a subscription model, updates, and customer support. The platform proxies live login pages through attacker-controlled infrastructure, making the phishing page harder to fingerprint or block. By forwarding one-time codes and authentication tokens in real time, it can bypass MFA and help attackers seize accounts across major online services.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
CypherLoc phishing-led browser scareware campaign
Campaign
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
RubyGems pauses new account signups during major malicious attack
Security Tool/Service
First: 12.05.2026 17:47
Last: 12.05.2026 17:47
Sources 1
About this happening:
**RubyGems** temporarily disabled **new account registration** after a **major malicious attack**, disrupting a core **Ruby package-registry** service while operators contain the...
Timeline
- 19.02.2026 14:00 · 2 articles · 3mo ago
Starkiller dark-web phishing SaaS enables live credential theft
Initial Disclosure
Starkiller is a dark-web phishing platform sold with subscriptions, updates, and customer support. It proxies live login pages through attacker-controlled infrastructure in headless Chrome, supports real-time session monitoring and keylogging, and can bypass MFA by relaying one-time codes and authentication tokens in real time. The kit can mimic Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, various banks and other online services, and is likely distributed through phishing emails that imitate legitimate alerts and notifications.
Sources:
- Starkiller: New ‘Commercial-Grade’ Phishing Kit Bypasses MFA — www.infosecurity-magazine.com — 19.02.2026 14:00