
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover

Threat Actor Meta
Happening score
H score 39
1 unique source, 1 article

Summary


A new phishing-as-a-service operation tied to Jinkusu is proxying real login pages through attacker infrastructure, making MFA bypass and account takeover easier for low-skill cybercriminal customers. The service lets users impersonate major brands, generate deceptive URLs, and relay victim credentials and tokens through a Docker-hosted browser. That shift commoditizes phishing infrastructure and weakens traditional defenses such as domain blocklisting and static page analysis.

Related Happenings

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **AI chatbot interactions** and **SEO-poisoned download sites** to deliver mining malware, expanding the reach of malicious downloads...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Vercel v0.dev phishing campaign using GenAI-built lure pages

Campaign
First: 07.05.2026 11:30 Last: 07.05.2026 11:30 Sources 1

About this happening: A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...

Google sponsored search ManageWP phishing campaign

Campaign
First: 07.05.2026 00:36 Last: 07.05.2026 00:36 Sources 1

About this happening: A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...

CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
First: 05.05.2026 13:03 Last: 05.05.2026 13:03 Sources 1

About this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...

Timeline

  1. 20.02.2026 22:00 2 articles · 3mo ago

    Starkiller phishing service analysis

    Technical Analysis Update

    Abnormal AI's analysis describes Starkiller, a phishing-as-a-service operation tied to Jinkusu, that lets customers impersonate brands such as Apple, Facebook, Google, and Microsoft. The service loads a live login page through attacker-controlled infrastructure and relays account holders' usernames, passwords, MFA codes, cookies, and session tokens through a Docker-hosted headless Chrome reverse proxy. It also supports keylogger capture, Telegram alerts, geo-tracking, and campaign analytics.
