Microsoft, Google and Apple logins targeted by new phishing kit using real websites


A newly identified phishing platform, Starkiller, gives cybercriminals a more convincing way to steal login details: it uses the real websites victims trust instead of fake copies.

Abnormal AI researchers Piotr Wojtyla and Callie Baron say the kit operates like a subscription service and lowers the technical barrier to launching credential-stealing campaigns at scale.


Rather than building imitation login pages, the platform loads legitimate sites live and sits between the victim and the real service, capturing data as it passes through.

The report adds that criminals can buy the kit, which “proxies live login pages, bypasses MFA, and provides cybercriminals with a full credential-harvesting platform for a monthly fee.”

The framework is sold by a group calling itself Jinkusu and operates more like a commercial service than a traditional hacking tool.

None of the usual red flags

The likely impact is significant because the approach removes many of the visual warning signs people rely on to spot phishing.

Victims are shown genuine login pages for services such as Microsoft, Google, Apple, Facebook, Amazon, Netflix, PayPal and banking platforms.

According to the research, “Recipients are served genuine page content directly through the attacker's infrastructure, ensuring the phishing page is never out of date.”

The system forwards authentication attempts in real time, so it can also undermine multi-factor authentication.


“Because the end user is actually authenticating with the real site through the proxy, any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time,” the researchers note.

The platform appears designed for scale. It is marketed, updated, and supported through a community ecosystem where operators share tactics and troubleshoot deployments.

The report states that “Jinkusu maintains a community forum where cybercriminals discuss techniques, request features, and troubleshoot deployments,” indicating an active and growing user base.

URL masking

According to the researchers, Starkiller acts as “a man-in-the-middle” between the victim and the legitimate website.

The platform launches “a headless Chrome instance” – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site.

This means the victim sees the genuine page, rendered in real time, but it is being served through the attacker’s server, and the URL shown in the browser does not make that obvious.

Meanwhile, on the cybercriminal’s side, the ‘Active Targets’ dashboard shows the victim’s session in real time, including their location, device type, IP address, and whether the session is still active. From this view, threat actors can watch the session live, inject additional prompts to harvest more data, or terminate the session entirely, and the victim never knows.

One particularly deceptive feature is the URL masking. The kit generates links that appear to belong to trusted brands while routing traffic elsewhere.

“Everything before the @ in a URL is treated as user info and displayed prominently, while the actual domain follows after it,” the Abnormal AI researchers explain.

Shortened links further obscure the destination, making it harder for users and automated tools to detect the threat.
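The masking trick above relies on how a URL's authority is parsed: everything before the @ is userinfo, and the host the browser actually connects to comes after it. The following Python script is an added example, not code from the report or from Abnormal AI, showing how a mail gateway or analyst could pull the real host out of a batch of links and flag both userinfo bait and shortener domains. The sample links, the allow-list of brand login hosts, the shortener list and the placeholder domain attacker.example are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links (not taken from the report). "attacker.example" is a
# placeholder domain; the brand hostnames are the genuine login hosts a kit
# would want to imitate.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com@attacker.example/common/oauth2/v2.0/authorize",
    "https://accounts.google.com:443@attacker.example/signin/v2",
    "https://bit.ly/3xAmPle",
]

# Assumed allow-list of genuine brand login hosts and a short, constructed list
# of link shorteners; a real deployment would load both from configuration.
BRAND_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "appleid.apple.com"}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}


def analyze_link(url):
    """Return the host the browser will actually connect to, plus any findings."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    findings = []

    # RFC 3986: anything before "@" in the authority is userinfo, not the host.
    # urlsplit exposes it as .username (and .password after a colon).
    if parts.username is not None:
        findings.append(
            f"userinfo '{parts.username}' precedes the real host '{real_host}'"
        )
        # Userinfo that names a known brand login host is the masking trick
        # described in the article.
        if parts.username.lower() in BRAND_HOSTS:
            findings.append(f"brand host '{parts.username}' used as bait")

    if real_host in SHORTENER_HOSTS:
        findings.append(
            f"shortened link via '{real_host}'; destination hidden until resolved"
        )

    return {"url": url, "real_host": real_host, "findings": findings}


def suspicious_links(urls):
    """Filter a batch of links down to the ones with at least one finding."""
    return [r for r in (analyze_link(u) for u in urls) if r["findings"]]


if __name__ == "__main__":
    for result in suspicious_links(SAMPLE_LINKS):
        print(result["real_host"], "<-", result["url"])
        for finding in result["findings"]:
            print("   ", finding)
```

Two practical notes: the check must run on the link as it appears in the message, because most current browsers drop the userinfo from the address bar once the page has loaded, so the deception works on the recipient reading the email rather than on the address bar afterwards; and a shortened link can only be judged after following its redirects, which the script deliberately does not do offline.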

People should look out for unexpected login or document-sharing emails; links that appear legitimate but contain extra words, symbols, or shortened URLs; authentication prompts they did not initiate; and alerts about new logins or MFA requests that arrive out of context.


Defenders need to be able to detect behavioral signals: anomalous login patterns, session token reuse from unexpected locations, and identity-aware analysis that can catch a compromised session even when the phishing page itself looks perfect.
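One of the signals named above, a session token reappearing from an unexpected place, can be checked on the service side without ever seeing the phishing page. The Python script below is an added example, not code from the report or from any Abnormal AI product: it sorts constructed session-event lines by time and raises an alert when the same token is presented from a different IP, country or client within a window of its previous use. The log format, the one-hour window, the severity rule and the sample events (documentation IP ranges, hypothetical users) are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed service-side session events (not real logs). Each line records a
# request that presented a session token; IPs are from documentation ranges.
# The third line is deliberately out of order to exercise the sort.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00Z user=alice token=tok_a1 ip=203.0.113.10 country=DE ua=Chrome/124",
    "2024-05-01T09:02:10Z user=alice token=tok_a1 ip=198.51.100.77 country=NG ua=Firefox/125",
    "2024-05-01T09:00:05Z user=alice token=tok_a1 ip=203.0.113.10 country=DE ua=Chrome/124",
    "2024-05-01T09:30:00Z user=bob token=tok_b9 ip=192.0.2.5 country=US ua=Safari/17",
    "2024-05-01T11:00:00Z user=bob token=tok_b9 ip=192.0.2.5 country=US ua=Safari/17",
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, TS_FORMAT)
    return event


def detect_token_reuse(lines, window=timedelta(hours=1)):
    """Flag a session token presented from a different IP, country or client
    within `window` of its previous use. Events are sorted by time first,
    because logs are often ingested out of order."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_seen = {}  # token -> most recent event that presented it
    alerts = []
    for event in events:
        prev = last_seen.get(event["token"])
        if prev is not None and event["ts"] - prev["ts"] <= window:
            changed = [k for k in ("ip", "country", "ua") if event[k] != prev[k]]
            if changed:
                alerts.append({
                    "user": event["user"],
                    "token": event["token"],
                    "changed": changed,
                    "from": (prev["ip"], prev["country"]),
                    "to": (event["ip"], event["country"]),
                    # A country change inside the window is the strongest signal;
                    # an IP or client change alone is weaker (mobile networks, VPNs).
                    "severity": "high" if "country" in changed else "medium",
                    "ts": event["ts"].strftime(TS_FORMAT),
                })
        last_seen[event["token"]] = event
    return alerts


if __name__ == "__main__":
    for alert in detect_token_reuse(SAMPLE_EVENTS):
        print(alert)
```

In a reverse-proxy setup the login itself reaches the service from the proxy's address rather than the victim's, so the first use of a token may already come from an unfamiliar network; comparing each login against the user's historical IPs or ASNs is a complementary check to the token-reuse rule shown here, and both need tuning to avoid flagging ordinary network changes.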

“This is especially true at the inbox level, where analyzing the behavioral context of each email – rather than relying solely on the content of the links it contains – offers the most effective way to stop these attacks before they reach end users.”

Enterprise-style cybercrime tooling

Abnormal AI said the emergence of tools like Starkiller reflects a broader shift toward “commoditized, enterprise-style cybercrime tooling.” By automating infrastructure, phishing deployment and session monitoring, the platform lowers the barrier for attackers and increases the potential scale of campaigns.

As the researchers warn, phishing remains one of the most effective entry points for breaches – and tools that use real websites in real time make those attacks harder than ever to detect.

