Jinkusu-Starkiller ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Jinkusu is marketing Starkiller as a phishing-as-a-service platform that proxies live login pages to bypass MFA and capture session tokens. The service lets customers pick a brand to impersonate or enter a real URL, turning brand spoofing into a managed workflow. Its AitM reverse proxy design keeps pages current and reduces the need for custom templates, which makes detection harder. The result is a lower barrier for account takeover and session hijacking at scale.
Related Happenings
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
OpenAI ChatGPT renderer Markdown link/image phishing security flaw
Vulnerability
H score16
First: 29.05.2026 21:07
Last: 29.05.2026 21:07
Sources 1
About this happening:
**ChatGPT** has a **response-renderer vulnerability** that turns summarized third-party pages into **live phishing links** and auto-fetched **attacker-hosted images** inside the t...
OpenAI ChatGPT renderer Markdown link/image phishing security flaw
VulnerabilityAbout this happening: **ChatGPT** has a **response-renderer vulnerability** that turns summarized third-party pages into **live phishing links** and auto-fetched **attacker-hosted images** inside the t...
Infostealer malware operation targeting online store users
Malware Activity
H score32
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
About this happening:
A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
Infostealer malware operation targeting online store users
Malware ActivityAbout this happening: A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
H score29
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Vercel v0.dev phishing campaign using GenAI-built lure pages
CampaignAbout this happening: A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Timeline
-
03.03.2026 13:10 2 articles · 4mo ago
Starkiller phishing-as-a-service disclosure
Initial DisclosureJinkusu markets Starkiller as a phishing-as-a-service platform that uses a headless Chrome instance inside a Docker container to load a brand's real website, act as a reverse proxy, and capture keystrokes, form submissions, and session tokens. Customers can choose a brand to impersonate or enter a real URL, while the control panel centralizes infrastructure management, phishing page deployment, session monitoring, and URL masking.
Show sources
- Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication — thehackernews.com — 03.03.2026 13:10
- Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication — thehackernews.com — 03.03.2026 13:10