active threat profile
type Cybercrime / PhaaS
threat_level Medium (emerging)
status Active
origin Unknown
last_updated 2026-03-13

Jinkusu

associated platforms: Starkiller (PhaaS), Jinkusu Forum, RansomBay (unconfirmed overlap)

An emerging cybercriminal group that operates Starkiller, a commercial-grade phishing-as-a-service (PhaaS) platform that proxies legitimate login pages in real time to bypass multi-factor authentication. Starkiller uses adversary-in-the-middle (AitM) reverse proxy architecture to serve authentic website content through attacker-controlled infrastructure, capturing credentials, session tokens, and MFA codes as they pass through. Sold as a SaaS-style subscription with a community forum, Telegram support, and monthly updates, the platform significantly lowers the barrier for credential-stealing campaigns at scale.

limited intelligence

This profile is based on limited public threat intelligence. Jinkusu was first publicly disclosed by Abnormal AI in February 2026, with supplementary infrastructure analysis from VECERT. There is no MITRE ATT&CK group designation, no government advisories, no confirmed attribution beyond the group's self-identified name, and no documented operational history prior to the Starkiller platform disclosure. The group's origins, membership, geographic base, and full scope of activities remain unknown. This profile focuses primarily on the Starkiller platform's documented capabilities and infrastructure. It will be updated as additional intelligence becomes available.

attributed origin Unknown
organization type Cybercriminal / Phishing-as-a-Service Provider
first disclosed February 2026 (Abnormal AI)
primary motivation Financial (Credential Theft / Platform Sales)
primary product Starkiller PhaaS Platform (v6.2.4+)
targeted brands Microsoft, Google, Apple, Amazon, Netflix, PayPal, banks
mitre att&ck group None assigned
intelligence confidence Low — single-source disclosure
threat level Medium (emerging, escalating)

Overview

Jinkusu is the self-identified name of a cybercriminal group that develops and sells the Starkiller phishing-as-a-service platform. The group was first publicly documented in a February 2026 report by Abnormal AI researchers Callie Baron and Piotr Wojtyla, with additional infrastructure analysis published by VECERT. The platform's forum activity, version history (v6.2.4 as of early 2026), and feature maturity suggest the operation has been developing for some time prior to public disclosure, though no independent verification of the group's operational history is available.

Starkiller represents a significant escalation in phishing infrastructure. Unlike traditional phishing kits that serve static HTML clones of login pages, which break whenever the impersonated brand updates its interface, Starkiller loads the real website in a headless Chrome browser running inside a Docker container and acts as an adversary-in-the-middle (AitM) reverse proxy. The victim interacts with genuine, real-time page content rendered through attacker-controlled infrastructure. Every keystroke, form submission, session token, and MFA code passes through Starkiller's infrastructure and is captured in transit. Because the platform proxies live content, there are no static template files for security vendors to fingerprint, and brand interface changes never break the lure; what remains observable is the attacker-controlled domain and the behavior of the proxied session, which is why the detection guidance later in this profile leans on behavioral signals rather than page content.

The platform is sold as a subscription service with a polished commercial model: a user dashboard, Docker infrastructure management, monthly framework updates, documentation, Telegram-based operator support, and a community forum where customers discuss techniques, request features, and troubleshoot deployments. Starkiller even protects its own operators with time-based one-time password (TOTP) two-factor authentication on the operator login panel — the same type of protection it is designed to bypass for end users. Brian Krebs of Krebs on Security described the service as "a remarkable evolution in phishing" whose success is "likely to be copied by other enterprising cybercriminals."

Service Ecosystem

VECERT's infrastructure analysis identified multiple platforms associated with the Jinkusu operation beyond Starkiller itself:

  • starkiller.su: The main frontend for mass credential harvesting operations.
  • jinkusuforum.su: Community hub and platform for distributing data leaks and operational discussion.
  • jinkusu.systems: Private code repository and node for selling personally identifiable information (PII).
  • Tor hidden service: Anonymous trading platform for exfiltrated data.

This multi-platform ecosystem suggests Jinkusu operates as more than a single-product vendor. The combination of credential harvesting (Starkiller), community infrastructure (forum), data sales (PII marketplace), and anonymous trading (Tor) indicates a vertically integrated cybercrime operation that manages the full lifecycle from credential theft through data monetization.

Target Profile

Jinkusu does not directly conduct phishing campaigns against end-user organizations. Instead, it provides the platform and infrastructure that enables its subscriber base to target any organization. The ultimate victim profile is determined by whichever operators are using the Starkiller platform at any given time.

  • Brand Impersonation Targets: Starkiller supports impersonation of any website by entering its URL. Marketed brand targets include Microsoft, Google, Apple, Amazon, Netflix, PayPal, and various banking institutions. The platform's reverse proxy architecture means it can impersonate any brand without requiring a custom template.
  • Financial Services & Banking: BlueVoyant researchers identified Jinkusu-linked campaigns using .co.com domains to spoof financial institution websites, employing multi-stage evasion chains including referrer validation, cookie-based access controls, and Cloudflare CAPTCHA pages before redirecting to credential harvesting pages.
  • Enterprise & Corporate Users: Impersonation of Microsoft and Google sign-in pages puts corporate identities in scope, and the resulting session tokens grant access to enterprise mail and cloud resources. Marketing materials also promote modules for capturing credit card numbers, cryptocurrency wallet seeds, bank credentials, and payment information; these point to a focus on directly monetizable financial data rather than on any single sector.
  • General Consumer Targets: Fake software update templates for Chrome and Firefox suggest targeting of general consumer users for malware payload delivery alongside credential theft.

Tactics, Techniques & Procedures

The following TTPs reflect Starkiller's documented capabilities as a phishing platform. Because Jinkusu operates as a service provider, individual campaign TTPs will vary based on the operator using the platform.

mitre id | technique | description
T1557 Adversary-in-the-Middle: Core architecture. Starkiller acts as an AitM reverse proxy between the victim and the legitimate website. A headless Chrome instance in a Docker container loads the real login page, with all traffic passing through attacker-controlled infrastructure. Credentials, session tokens, cookies, and MFA codes are captured in transit while the victim sees authentic page content.
T1111 Multi-Factor Authentication Interception: Because the victim authenticates against the real site through Starkiller's proxy, one-time passcodes and authentication tokens are forwarded in real time. The attacker harvests the resulting session cookies and tokens, enabling full account access without re-prompting for MFA. Any factor whose proof is a code the user types or a prompt the user approves is defeated while continuing to operate as designed; only origin-bound factors such as FIDO2/WebAuthn resist this relay (see Mitigation & Defense).
T1566.002 Spearphishing Link: Starkiller generates deceptive links that visually mimic trusted brands using URL masking. It abuses the URL userinfo syntax: everything between the scheme and the @ symbol is treated by the browser as a username, not as the host, so the connection goes to the domain after the @ while the trusted-looking name sits in front of it. Integrates URL shorteners (TinyURL) to further obscure destinations. Operators select custom keywords like "login," "verify," "security," or "account" to build convincing URLs.
T1056.001 Keylogging: Platform captures every keystroke made by the victim during the proxied session, beyond just form submissions. Logged alongside session metadata including victim location, device type, IP address, and session activity status.
T1539 Steal Web Session Cookie: Session cookies and authentication tokens intercepted during the proxied login flow are captured for direct account takeover. Attackers can use harvested session tokens to access victim accounts without requiring credentials or MFA.
T1598 Phishing for Information: Beyond credentials, Starkiller includes modules for harvesting email addresses and contact information from compromised sessions. Marketing materials indicate data is used to build target lists for follow-on phishing campaigns. Specialized modules for credit card numbers, crypto wallet seeds, and bank credentials are also advertised.
T1204.002 User Execution: Malicious File: Fake software update templates for Chrome and Firefox lure targets into downloading and running malicious payloads, extending Starkiller beyond credential theft into malware delivery. Public reporting describes a user-initiated download rather than browser exploitation, so the lure maps to User Execution rather than Drive-by Compromise. An "EvilEngine Core" module is promoted as making phishing links "completely undetectable."
T1583.001 Acquire Infrastructure: Domains: BlueVoyant identified .co.com domains registered to spoof financial institutions, using multi-stage evasion chains with referrer validation, cookie-based access controls, intentional delays, and code obfuscation. VECERT identified three infrastructure domains (starkiller.su, jinkusuforum.su, jinkusu.systems) plus a Tor hidden service.
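The URL-masking row above describes how a link such as https://goodcompany.com@badguys.com ends up at badguys.com. The following is an added example, not Starkiller code or code from any cited report, showing how that resolution works in a standards-conformant URL parser and how to flag such links when scanning a message body. The brand list, lure keywords, shortener list and sample message are assumptions constructed for the example; goodcompany.com and badguys.com are the placeholders this profile already uses.

```python
"""Added example (not Starkiller code): how a masked link resolves, and a
check that flags it.  The lure text sits in the URL's userinfo component;
the browser connects to the host after the '@'.  Brand, keyword and
shortener lists and the sample message are illustrative assumptions."""
import re
from urllib.parse import urlsplit

# Keywords the profile says operators choose for convincing lures.
LURE_KEYWORDS = ("login", "verify", "security", "account")
# Brand domains from the profile's target list (assumed canonical hosts).
BRAND_DOMAINS = ("microsoft.com", "google.com", "apple.com", "amazon.com",
                 "netflix.com", "paypal.com")
# TinyURL is named in the profile; the others are common shorteners added here.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def analyze_url(url: str) -> dict:
    """Return the host a browser would actually connect to, the text a victim
    is meant to read, and a list of findings (empty for an ordinary URL)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return {"url": url, "real_host": None, "lure": None, "findings": ["unparseable"]}
    real_host = (parts.hostname or "").lower()
    # urlsplit puts everything between '//' and '@' into username/password,
    # exactly as a browser does; it never becomes part of the host.
    lure = parts.username or ""
    if parts.password:
        lure += ":" + parts.password
    findings = []
    if lure:
        findings.append("userinfo_present")
        if "." in lure:
            findings.append("userinfo_looks_like_hostname")
        if any(b in lure.lower() for b in BRAND_DOMAINS):
            findings.append("brand_name_in_userinfo")
        if any(k in lure.lower() for k in LURE_KEYWORDS):
            findings.append("lure_keyword_in_userinfo")
    if real_host in SHORTENERS:
        findings.append("url_shortener")
    return {"url": url, "real_host": real_host, "lure": lure, "findings": findings}


def scan_text(text: str) -> list[dict]:
    """Pull every http(s) URL out of a message body and return only the ones
    with findings, the check you would run over inbound mail or proxy logs."""
    return [r for r in (analyze_url(u) for u in URL_RE.findall(text))
            if r["findings"]]


# Constructed message body for demonstration (not a real sample).
SAMPLE_MESSAGE = """Your account needs attention.
Sign in at https://goodcompany.com@badguys.com/login to keep access,
or use the short link https://tinyurl.com/x1y2z3 .
Reference: https://goodcompany.com/help (genuine)"""

if __name__ == "__main__":
    for r in scan_text(SAMPLE_MESSAGE):
        print(r["real_host"], "| lure:", r["lure"], "|", r["findings"])
```

The genuine reference link in the sample produces no findings, the masked link is reported with badguys.com as the real host and goodcompany.com as the lure, and the shortened link is flagged because its destination cannot be judged offline. A shortener finding is a prompt to expand the link in a sandbox, not proof of malice.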

Known Campaigns

Limited campaign-level intelligence is publicly available for Jinkusu. The following reflects documented activity.

Starkiller Platform Launch & Community Building PRE-2026 (exact date unknown)

Jinkusu developed and deployed the Starkiller phishing platform, building a community forum (jinkusuforum.su) and establishing Telegram-based operator support. The platform reached version 6.2.4 by early 2026, suggesting an extended development and deployment period prior to public disclosure. Forum activity shows an active and growing user base with operators sharing techniques, requesting features (including mobile support), and troubleshooting deployments.

Financial Institution Spoofing Campaign 2026

BlueVoyant researchers identified campaigns using .co.com domains to spoof financial institution websites, attributed to Jinkusu-linked infrastructure. The attacks employed a refined multi-stage evasion chain: initial .co.com domains triggered fraudulent Cloudflare CAPTCHA pages with deliberate delays, before a Base64-encoded script redirected users to credential harvesting pages. Direct access to the spoofed domains triggered redirects to malformed URLs to prevent automated scanner analysis. Referrer validation, cookie-based access controls, and code obfuscation further complicated detection.

Abnormal AI Public Disclosure FEB 2026

Abnormal AI researchers Callie Baron and Piotr Wojtyla published the first detailed public analysis of Starkiller's architecture, capabilities, and operator panel. The disclosure brought widespread attention to the platform through coverage from Krebs on Security, The Hacker News, IT Pro, SC Media, and other outlets. It identified the platform's capability to target any brand by URL, bypass MFA via real-time token forwarding, and provide SaaS-grade campaign analytics. Starkiller's landing page advertises a 99.7% success rate; this is the vendor's own marketing claim and has not been independently verified.

Tools & Malware

Jinkusu's primary product is the Starkiller platform, which bundles multiple capabilities into a single commercial offering.

  • Starkiller PhaaS Platform (v6.2.4+): The core product. AitM reverse proxy phishing framework using headless Chrome in Docker containers. Supports impersonation of any website by URL. Features include real-time session monitoring (live-stream target's screen), keylogger capture, cookie and session token theft, geo-tracking, automated Telegram alerts on credential capture, and campaign analytics (visit counts, conversion rates, performance graphs). Operator panel manages Docker engine status, image builds, and active containers. Monthly updates and documentation provided.
  • URL Masker: Generates deceptive URLs that visually resemble trusted brand domains. Exploits browser handling of @ symbols in URLs and integrates URL shorteners. Supports custom keyword selection ("login," "verify," "security," "account").
  • Financial Fraud Modules: Specialized modules for capturing credit card numbers, cryptocurrency wallet seeds, bank credentials, and payment information. Marketed alongside the core credential harvesting capability.
  • EvilEngine Core: Promoted module claimed to make phishing links "completely undetectable." Specific technical details are limited in public reporting.
  • Fake Software Update Templates: Templates impersonating Chrome and Firefox browser updates designed to trick victims into downloading malicious payloads, extending the platform beyond credential theft.
  • Contact Harvesting Module: A la carte service that extracts email addresses and contact information from compromised sessions for building target lists for follow-on campaigns.

Indicators of Compromise

IOCs sourced from VECERT infrastructure analysis and Abnormal AI research. Limited independent verification is available.

warning

Starkiller's AitM architecture generates phishing pages dynamically for each session, making traditional IOCs (domain blocklists, static page fingerprints) largely ineffective. Detection must shift toward behavioral signals: anomalous login patterns, session token reuse from unexpected locations, unexpected MFA registrations, and identity-aware session analysis. Infrastructure IOCs listed below are sourced from VECERT and should be cross-referenced with live threat feeds before operational use.

infrastructure (vecert analysis)
domain starkiller[.]su — Main credential harvesting frontend
domain jinkusuforum[.]su — Community hub and data leak distribution
domain jinkusu[.]systems — Code repository and PII sales node
ip 77[.]90[.]185[.]53 — Suspected C2 node
ip 213[.]209[.]159[.]192 — Traffic redirection and proxy services
ip 72[.]62[.]29[.]204 — Malicious hosting for tools and exploits
behavioral detection indicators
technique URLs containing @ symbol before the actual domain (e.g., https://goodcompany.com@badguys.com) — browsers resolve to the domain after @
technique .co.com domains spoofing financial institutions, with non-functional Cloudflare CAPTCHA pages and Base64-encoded redirect scripts
technique Session token reuse from locations or devices inconsistent with the authenticated user's normal behavior
technique Successful MFA authentication followed by immediate session access from a different geographic location or IP range
technique Direct domain access triggering redirect to malformed "www[.]www" URLs (evasion of automated scanners)
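The two session-based indicators above (token reuse from an inconsistent network, and MFA success followed by access from elsewhere) can be checked mechanically against identity-provider sign-in logs. The following is an added example, not from Abnormal AI, VECERT or the profile, that runs that check over a constructed JSON-lines log. The field names, session identifiers, RFC 5737 test addresses and ASNs are all invented for the example; adapt the field mapping to your identity provider's export.

```python
"""Added example: detect a stolen session being used from a different network
shortly after an MFA-satisfied sign-in.  After an AitM login the genuine site
records the interactive, MFA-satisfied sign-in from the proxy's address and
then sees the same session used from wherever the operator is.  Log schema,
addresses (RFC 5737 test ranges) and ASNs are constructed for the example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sign-in log (one event per line).
SAMPLE_LOG = """
{"ts":"2026-03-12T09:15:02Z","user":"a.lee","type":"interactive","result":"success","mfa":"satisfied","ip":"198.51.100.7","asn":64496,"country":"NL","session":"s-1"}
{"ts":"2026-03-12T09:17:40Z","user":"a.lee","type":"token","result":"success","mfa":"none","ip":"192.0.2.44","asn":64511,"country":"RU","session":"s-1"}
{"ts":"2026-03-12T10:00:11Z","user":"b.chen","type":"interactive","result":"success","mfa":"satisfied","ip":"203.0.113.22","asn":64500,"country":"US","session":"s-2"}
{"ts":"2026-03-12T10:05:30Z","user":"b.chen","type":"token","result":"success","mfa":"none","ip":"203.0.113.23","asn":64500,"country":"US","session":"s-2"}
{"ts":"2026-03-12T11:30:00Z","user":"c.diaz","type":"interactive","result":"failure","mfa":"none","ip":"192.0.2.9","asn":64511,"country":"RU","session":"s-3"}
"""


def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def network_differs(a: dict, b: dict) -> bool:
    # A changed address alone is noisy (mobile carriers, CGNAT); require a
    # different network (ASN) or country as well before calling it a replay.
    return a["ip"] != b["ip"] and (a["asn"] != b["asn"] or a["country"] != b["country"])


def detect_token_replay(events: list[dict],
                        window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag sessions in which an MFA-satisfied interactive sign-in is followed,
    within `window`, by use of the same session from a different network."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append(e)
    alerts = []
    for (user, sid), evs in by_session.items():
        anchors = [e for e in evs if e["type"] == "interactive"
                   and e["result"] == "success" and e["mfa"] == "satisfied"]
        for anchor in anchors:
            for later in evs:
                if later is anchor or later["ts"] <= anchor["ts"]:
                    continue
                if later["ts"] - anchor["ts"] <= window and network_differs(anchor, later):
                    alerts.append({
                        "user": user, "session": sid,
                        "mfa_ip": anchor["ip"], "mfa_country": anchor["country"],
                        "reuse_ip": later["ip"], "reuse_country": later["country"],
                        "delta_s": int((later["ts"] - anchor["ts"]).total_seconds()),
                    })
                    break   # one alert per anchor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(a))
```

On the sample, only a.lee's session s-1 is reported: MFA was satisfied from a Dutch address and the session was used 158 seconds later from a Russian one. b.chen's address change stays within the same ASN and country and is not flagged, and the failed sign-in for c.diaz is ignored because no session was ever established. In production, the MFA-satisfied interactive sign-in itself, coming from a hosting-provider range the user has never used, is a second signal worth a separate rule.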

Mitigation & Defense

Recommended defensive measures against Starkiller and similar AitM phishing frameworks. Traditional phishing defenses (static page analysis, domain blocklisting, reputation-based URL filtering) are significantly less effective against reverse-proxy phishing platforms.

  • Deploy FIDO2/WebAuthn hardware security keys: Passkeys and hardware-bound credentials are the strongest defense against AitM phishing. The browser writes the page's true origin into the signed client data and refuses to use a credential whose relying-party ID does not match the domain the user is actually on, so an assertion produced on the proxy's domain fails verification at the real site and cannot be relayed. This is the single most effective mitigation against Starkiller-class attacks. Prioritize deployment for high-value accounts and executives.
  • Implement identity-aware session analysis: Abnormal AI emphasizes that detection must shift from analyzing link content to analyzing the behavioral context of each login. Monitor for anomalous login patterns, session token reuse from unexpected locations, authentication from unfamiliar devices following a legitimate MFA event, and impossible travel scenarios.
  • Enforce conditional access policies: Configure identity providers to evaluate device compliance, location, and risk signals before granting access. Require managed devices for accessing sensitive resources. Flag sessions that authenticate successfully but originate from atypical network ranges or geolocations.
  • Educate users on URL verification: Starkiller's masked links place a trusted-looking hostname in the URL's userinfo component, the part before the @ symbol, which browsers treat as a username and ignore when choosing the host to connect to; the real destination is the domain after the @. Train users to examine the full URL in the browser address bar, be suspicious of shortened URLs in authentication contexts, and verify that authentication requests were self-initiated. Note: as of early 2026, major browsers (Chrome, Edge, Firefox, Brave, Vivaldi) do not warn users about @ symbol URL manipulation.
  • Use password managers for credential entry: Password managers like Bitwarden or 1Password fill credentials only on the correct registered domain. On a proxied phishing site, the password manager will not auto-fill, providing an important signal to the user that something is wrong. The signal is lost if the user copies the password out of the manager and pastes it in by hand, so pair this control with training. Enforce organizational policies requiring password manager use and discourage manual credential entry.
  • Monitor for post-compromise account activity: Even with detection improvements, assume some AitM phishing will succeed. Monitor for indicators of account takeover following authentication: new mailbox forwarding rules, unfamiliar MFA method registrations, access from unusual locations, and bulk email access or download activity.
  • Report suspicious emails at the inbox level: Abnormal AI recommends analyzing emails for behavioral context rather than solely relying on link content. Implement email security that evaluates sender behavior, relationship patterns, and message context alongside traditional URL and attachment analysis.
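The MFA interception row in the TTP table and the FIDO2/WebAuthn recommendation above describe two sides of the same mechanism: a relay carries a one-time code through to the genuine site unchanged, but a WebAuthn assertion made on the proxy's domain is rejected. The following is an added example, not code from Starkiller or from any cited report, that models both flows. The RP ID and origins reuse this profile's goodcompany.com and badguys.com placeholders, the TOTP secret is the RFC 6238 test value, and the browser and server functions are simplified models of the WebAuthn steps that matter here (the signature over the client data is omitted because the checks shown reject the relayed assertion before it would be examined).

```python
"""Added example: why a real-time AitM relay carries a TOTP code through to
the genuine site but cannot carry a WebAuthn assertion.  Origins and RP ID
are the profile's placeholders; browser/server functions are simplified
models of WebAuthn (signature verification omitted, see lead-in)."""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "goodcompany.com"
LEGIT_ORIGIN = "https://goodcompany.com"
PHISH_ORIGIN = "https://badguys.com"          # the AitM proxy's domain


# ---- TOTP (RFC 6238, SHA-1, 30 s step) --------------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def server_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The server receives six digits and nothing else; the value carries no
    # information about which page the victim typed it into.
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    victim_code = totp(secret, unix_time)        # read from the victim's authenticator app
    captured = victim_code                       # typed into the proxied page, logged in transit
    return server_verify_totp(secret, captured, unix_time)   # forwarded to the real site


# ---- WebAuthn origin binding ------------------------------------------------
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Model of the browser's side of navigator.credentials.get().  Page script
    chooses rp_id and challenge but cannot influence the two things checked
    here: the browser refuses an rp_id that is not a registrable suffix of the
    page's host, and it writes the page's true origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) ...
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    return client_data, auth_data


def server_verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> tuple[bool, str]:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, f"origin {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash"
    return True, "ok"


def legit_webauthn(challenge: bytes) -> tuple[bool, str]:
    return server_verify_assertion(*browser_get_assertion(LEGIT_ORIGIN, RP_ID, challenge), challenge)


def aitm_relay_webauthn(challenge: bytes) -> tuple[bool, str]:
    # The proxy forwards the real site's challenge to the victim, whose browser
    # is on PHISH_ORIGIN.  Asking that browser for goodcompany.com's credential
    # is refused outright ...
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        pass
    # ... so the most the proxy can obtain is an assertion for its own domain,
    # which the genuine site rejects before any signature is examined.
    return server_verify_assertion(*browser_get_assertion(PHISH_ORIGIN, "badguys.com", challenge), challenge)


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 6238 test secret
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(secret, 59))
    print("WebAuthn from the real origin:", legit_webauthn(b"\x01" * 32))
    print("WebAuthn relayed through proxy:", aitm_relay_webauthn(b"\x01" * 32))
```

The relayed TOTP is accepted because the verifier has no way to know where the code was entered; the relayed WebAuthn assertion is rejected on the origin check, and would also fail on the rpIdHash and signature checks that follow. This is the concrete reason the profile treats FIDO2/WebAuthn as the only MFA factor that survives a Starkiller-style proxy.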
note

Starkiller is part of a broader trend toward commoditized, SaaS-style cybercrime tooling that is fundamentally changing the phishing threat landscape. By automating infrastructure deployment, phishing page generation, session monitoring, and credential capture, platforms like Starkiller enable low-skill operators to conduct sophisticated AitM attacks that were previously the domain of advanced threat actors. The combination of real-time site proxying, MFA bypass, and enterprise-grade analytics means that traditional phishing defenses are increasingly insufficient. FIDO2/WebAuthn remains the strongest counter to this entire class of attack. Organizations that have not yet begun deploying phishing-resistant authentication should treat it as a priority.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile