Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
Summary
Hide ▲
Show ▼
A new phishing-as-a-service operation tied to Jinkusu is proxying real login pages through attacker infrastructure, making MFA bypass and account takeover easier for low-skill cybercriminal customers. The service lets users impersonate major brands, generate deceptive URLs, and relay victim credentials and tokens through a Docker-hosted browser. That shift commoditizes phishing infrastructure and weakens traditional defenses such as domain blocklisting and static page analysis.
Related Happenings
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
Campaign
H score36
First: 08.07.2026 15:52
Last: 08.07.2026 15:52
Sources 1
About this happening:
The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
CampaignAbout this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
Underground credential ecosystem shift changes threat-actor operations
Threat Actor Meta
H score69
First: 22.06.2026 17:05
Last: 22.06.2026 17:05
Sources 1
About this happening:
A **search-your-target** underground service layer is turning **stolen infostealer logs** into on-demand credentials, raising **account takeover** and **corporate intrusion** risk...
Underground credential ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: A **search-your-target** underground service layer is turning **stolen infostealer logs** into on-demand credentials, raising **account takeover** and **corporate intrusion** risk...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Sniper Dz MENA fake Facebook phishing and monetization campaign
Campaign
H score30
First: 15.06.2026 09:30
Last: 15.06.2026 09:30
Sources 1
About this happening:
A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...
Sniper Dz MENA fake Facebook phishing and monetization campaign
CampaignAbout this happening: A **Sniper Dz** fraud campaign is targeting **users across the Middle East and North Africa** with **fake Facebook accounts** that impersonate politicians, public figures, and tru...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
Trend
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
TrendAbout this happening: **Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Timeline
-
20.02.2026 22:00 2 articles · 4mo ago
Starkiller phishing service analysis
Technical Analysis UpdateAbnormal AI's analysis describes Starkiller, a phishing-as-a-service operation tied to Jinkusu, that lets customers impersonate brands such as Apple, Facebook, Google, and Microsoft, loads a live login page through attacker-controlled infrastructure, and relays account holders' usernames, passwords, MFA codes, cookies, and session tokens through a Docker-hosted headless Chrome reverse proxy while also supporting keylogger capture, Telegram alerts, geo-tracking, and campaign analytics.
Show sources
- ‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA — krebsonsecurity.com — 20.02.2026 22:00
- ‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA — krebsonsecurity.com — 20.02.2026 22:00