Find notable cyber news and cases, enriched with sources, timelines, and signals.

Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover

Threat Actor Meta
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

A new phishing-as-a-service operation tied to Jinkusu is proxying real login pages through attacker infrastructure, making MFA bypass and account takeover easier for low-skill cybercriminal customers. The service lets users impersonate major brands, generate deceptive URLs, and relay victim credentials and tokens through a Docker-hosted browser. That shift commoditizes phishing infrastructure and weakens traditional defenses such as domain blocklisting and static page analysis.

Related Happenings

REF6045 ClickFix banking fraud campaign targeting Mexican financial users

Campaign
H score36 First: 08.07.2026 15:52 Last: 08.07.2026 15:52 Sources 1

About this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...

Underground credential ecosystem shift changes threat-actor operations

Threat Actor Meta
H score69 First: 22.06.2026 17:05 Last: 22.06.2026 17:05 Sources 1

About this happening: A **search-your-target** underground service layer is turning **stolen infostealer logs** into on-demand credentials, raising **account takeover** and **corporate intrusion** risk...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

Sniper Dz MENA fake Facebook phishing and monetization campaign

Campaign
H score30 First: 15.06.2026 09:30 Last: 15.06.2026 09:30 Sources 1

About this happening: A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...

Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend

Trend
H score22 First: 05.06.2026 17:00 Last: 05.06.2026 17:00 Sources 1

About this happening: **Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...

Timeline

  1. 20.02.2026 22:00 2 articles · 4mo ago

    Starkiller phishing service analysis

    Technical Analysis Update

    Abnormal AI's analysis describes Starkiller, a phishing-as-a-service operation tied to Jinkusu, that lets customers impersonate brands such as Apple, Facebook, Google, and Microsoft, loads a live login page through attacker-controlled infrastructure, and relays account holders' usernames, passwords, MFA codes, cookies, and session tokens through a Docker-hosted headless Chrome reverse proxy while also supporting keylogger capture, Telegram alerts, geo-tracking, and campaign analytics.

    Show sources