[TIMESTAMP: 2026-02-23 08:20 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Starkiller Phishing-as-a-Service: Technical Analysis of Adversary-in-the-Middle Frameworks

Threat Intel | #phishing #MFA-bypass #AitM

Technical Overview: The Evolution to AitM Phishing

The Starkiller Phishing-as-a-Service (PhaaS) platform represents a significant shift from traditional static credential harvesting to sophisticated Adversary-in-the-Middle (AitM) operations. Unlike legacy kits that host static HTML clones of target sites, Starkiller acts as a transparent relay between the victim and the legitimate service provider.

Proxy Mechanism and MFA Interception

Starkiller is built as a reverse proxy: the victim's browser connects to an attacker-controlled domain that terminates TLS, and the proxy forwards each request to the legitimate authentication server and returns the response in real time. Sitting on that path gives the operator several capabilities:

  • Dynamic Content Loading: Instead of serving pre-rendered pages, the proxy fetches the target brand's live website on every request, so visual elements, JavaScript, and client-side input validation are identical to the legitimate source and change whenever the real site does.
  • Credential Capture: As the user submits the proxied login form, the proxy records the raw POST body, including the username and password, before forwarding it unchanged to the legitimate endpoint.
  • MFA Relay: When the legitimate service responds with a Time-based One-Time Password (TOTP) or SMS code prompt, the proxy passes that prompt through to the victim. The code the victim types is forwarded to the real service within its validity window, and the service, which has no way to tell where the code was typed, accepts it and issues an authenticated session to the proxy. Any factor that consists of a value the user types or approves without binding to the site's domain relays the same way.
  • Session Cookie Exfiltration: The primary technical objective is the resulting session token (e.g., a session ID cookie or a JWT). Because the token is what the service checks on subsequent requests, the attacker can import it into their own browser and use the account without being challenged for MFA again, until the session expires or is revoked server-side. Revoking sessions, not just resetting the password, is therefore part of the response.

Evasion and Infrastructure Persistence

Traditional anti-phishing measures often rely on hash-based detection of static assets; a live proxy serves no static assets of its own, so there is nothing stable to hash. Starkiller adds dynamic infrastructure and traffic filtering on top of that: the platform cloaks the proxy behind URL shortening services and legitimate redirectors so that the address in the lure is not the proxy domain, and it fingerprints incoming browsers to serve the proxied page only to what looks like a real human browser while returning benign content to automated scanners and security crawlers.

Security teams conducting infrastructure scanning via tools like Pocket Pentest should prioritize the detection of unauthorized proxy redirects toward their login pages and of sessions whose cookies are used from a network different from the one that completed the login, which is the signature an AitM deployment leaves in sign-in and session logs.
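As an added example (not code from the article, and not Pocket Pentest or any other product it names), the following Python script runs the session-origin check described above over a handful of constructed sign-in and session events. The event format, the ASN values, the GeoIP coordinates attached to each IP, and the 900 km/h speed threshold are assumptions for illustration; in a real deployment the same logic would be fed from the identity provider's sign-in and token-usage logs.

```python
"""Flag session cookies used from a different network than the login that issued them.

Added example, not code from the article. A replayed cookie from AitM
infrastructure shows up as a session that was issued to one ASN/location and
used from another, often within minutes (impossible travel).
"""
import math
from datetime import datetime

# Constructed sample events (not real logs). Fields: UTC timestamp, event type,
# session id, source IP, ASN, and the lat/lon a GeoIP lookup is assumed to
# return for that IP.
SAMPLE_EVENTS = [
    {"ts": "2026-02-23T10:00:00Z", "event": "login_success", "sid": "sid-abc",
     "ip": "203.0.113.10", "asn": "AS64500", "lat": 51.5074, "lon": -0.1278},   # London
    {"ts": "2026-02-23T10:02:30Z", "event": "session_use", "sid": "sid-abc",
     "ip": "198.51.100.7", "asn": "AS64511", "lat": 52.3676, "lon": 4.9041},    # Amsterdam
    {"ts": "2026-02-23T10:05:00Z", "event": "session_use", "sid": "sid-abc",
     "ip": "203.0.113.10", "asn": "AS64500", "lat": 51.5074, "lon": -0.1278},   # London again
    {"ts": "2026-02-23T11:00:00Z", "event": "login_success", "sid": "sid-def",
     "ip": "192.0.2.55", "asn": "AS64496", "lat": 40.7128, "lon": -74.0060},    # New York
    {"ts": "2026-02-23T11:45:00Z", "event": "session_use", "sid": "sid-def",
     "ip": "192.0.2.99", "asn": "AS64496", "lat": 40.7306, "lon": -73.9866},    # New York, new IP
    {"ts": "2026-02-23T12:00:00Z", "event": "session_use", "sid": "sid-ghi",
     "ip": "198.51.100.23", "asn": "AS64511", "lat": 52.3676, "lon": 4.9041},   # never logged in
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points (mean Earth radius)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_anomalous_sessions(events: list, max_speed_kmh: float = 900.0) -> list:
    """Compare every use of a session cookie with the login that issued it.

    A use is flagged when (a) its ASN differs from the issuing ASN, which is what
    a cookie replayed from attacker infrastructure looks like, (b) the implied
    speed from the login location exceeds max_speed_kmh ("impossible travel"),
    or (c) no login for that session id was ever observed. An IP change inside
    the same ASN is not flagged on its own, to avoid noise from carrier NAT.
    """
    issued = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_success":
            issued[ev["sid"]] = ev
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            findings.append({"sid": ev["sid"], "ts": ev["ts"], "ip": ev["ip"],
                             "reasons": ["use_without_login"]})
            continue
        reasons = []
        if ev["asn"] != origin["asn"]:
            reasons.append("asn_change")
        hours = (_parse_ts(ev["ts"]) - _parse_ts(origin["ts"])).total_seconds() / 3600.0
        dist = haversine_km(origin["lat"], origin["lon"], ev["lat"], ev["lon"])
        if hours > 0 and dist / hours > max_speed_kmh:
            reasons.append("impossible_travel")
        if reasons:
            findings.append({"sid": ev["sid"], "ts": ev["ts"], "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalous_sessions(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data the script flags sid-abc at 10:02:30 (issued in London to AS64500, used 150 seconds later from Amsterdam on AS64511) and sid-ghi (a cookie that was never issued by an observed login); the New York session whose IP changes within the same ASN is left alone. Comparing each use against the issuing login rather than against the previous use keeps the check stateless per event, at the cost of missing a slow drift across several hops.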

Strategic Mitigation

Organizations must transition toward phishing-resistant authentication methods to neutralize this threat vector. FIDO2/WebAuthn-compliant hardware keys provide the most effective defense: the browser, not the page, writes the origin it is actually connected to into the signed client data and only allows a relying-party ID that matches that origin, so an assertion produced on the proxy's domain is rejected by the legitimate service, and a relay attack is infeasible. That protection only holds if TOTP and SMS are removed as fallback factors for the same accounts; otherwise the kit simply asks for the weaker factor. Note also that in an AitM login the session is established from the proxy's IP address, so the sign-in event itself originates from hosting-provider address space rather than the user's network. Conditional Access policies that flag sign-ins and token use from anomalous ASNs or 'impossible travel' can therefore identify and terminate compromised sessions in near real time.
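The contrast between the MFA relay described in the proxy section and the origin binding described here, as an added example that is not code from the article or from any PhaaS kit: the Python below generates a TOTP code and shows that the real server accepts it no matter which page it was typed into, then builds a WebAuthn-style assertion and shows the relying party rejecting it when the browser was on the proxy's origin. The origins, RP ID, secrets and challenge are constructed for illustration, and the authenticator's signature is simulated with HMAC over the same bytes a real authenticator signs (authenticatorData followed by the SHA-256 of clientDataJSON); a real device uses a per-credential asymmetric key, which changes nothing about the origin check being demonstrated.

```python
"""Why a TOTP code relays through an AitM proxy but a WebAuthn assertion does not.

Added example, not code from the article. All origins, keys, secrets and the
challenge are constructed; the signature is an HMAC stand-in for the
authenticator's asymmetric signature.
"""
import base64
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example.com"            # assumed relying-party origin
PHISH_ORIGIN = "https://login.example.com.evil.test"  # assumed AitM proxy origin
RP_ID = "login.example.com"                           # RP ID the real site registered
PHISH_RP_ID = "login.example.com.evil.test"           # the only RP ID a browser on the proxy would allow


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# ---- TOTP: the code carries no information about where it was typed ----
def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, RFC 4226 dynamic truncation) for one 30 s time step."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def relay_totp(secret: bytes, counter: int) -> bool:
    """The victim types the code into the proxied page; the proxy forwards it verbatim.
    The real server accepts it: nothing in the code identifies the page it came from."""
    typed_on_phish_page = totp(secret, counter)
    forwarded_by_proxy = typed_on_phish_page
    return hmac.compare_digest(forwarded_by_proxy, totp(secret, counter))


# ---- WebAuthn: the browser binds the assertion to the origin it is on ----
def browser_assertion(device_key: bytes, challenge: bytes, origin: str, rp_id: str) -> dict:
    """What browser plus authenticator produce on `origin`. Page JavaScript cannot set
    `origin`; the browser fills it in, and it rejects any rp_id that is not a
    registrable suffix of the origin's host, so the proxy cannot request RP_ID."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin},
        separators=(",", ":")).encode()
    flags, sign_count = b"\x01", (1).to_bytes(4, "big")        # UP flag set, counter = 1
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(device_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(device_key: bytes, challenge: bytes, assertion: dict,
              expected_origin: str = LEGIT_ORIGIN, expected_rp_id: str = RP_ID) -> tuple:
    """The relying-party checks (WebAuthn assertion verification, abridged)."""
    client_data = assertion["clientDataJSON"]
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(device_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    secret, device_key = b"constructed-totp-seed", b"constructed-device-key"
    challenge = hashlib.sha256(b"constructed-challenge").digest()  # RP-issued; random in practice
    results = {"totp_relay_accepted": relay_totp(secret, counter=1_700_000_000 // 30)}
    # Victim on the real site: accepted.
    legit = browser_assertion(device_key, challenge, LEGIT_ORIGIN, RP_ID)
    results["legit"] = rp_verify(device_key, challenge, legit)
    # Victim on the proxy: the RP's challenge is relayed, but the browser stamps the proxy origin.
    phished = browser_assertion(device_key, challenge, PHISH_ORIGIN, PHISH_RP_ID)
    results["phish"] = rp_verify(device_key, challenge, phished)
    # Proxy rewrites origin and rpIdHash before forwarding: both are covered by the signature.
    patched = {
        "clientDataJSON": phished["clientDataJSON"].replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode()),
        "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + phished["authenticatorData"][32:],
        "signature": phished["signature"],
    }
    results["phish_patched"] = rp_verify(device_key, challenge, patched)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The TOTP relay is accepted because the code is a function of the shared secret and the time only. The phished WebAuthn assertion fails at the origin check, and even if the proxy rewrites the origin field and the rpIdHash on the way through, the signature was computed over the original bytes and no longer verifies. The `totp` function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time step 1, eight digits gives `94287082`), which is a convenient way to check the helper before trusting the rest.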