STARKILLER, a phishing-as-a-service tool described this week by researchers at Abnormal AI, is marketed as enterprise-grade phishing infrastructure for campaigns that bypass modern security systems, and it even allows users to log in with two-factor authentication. The kit is designed to proxy the actual login pages victims intend to visit, routing them through the attacker's cloud infrastructure, and it can capture credentials and session tokens granted after MFA.
In practice, victims enter their details on the real site, but Starkiller serves the page through a Docker container running a headless Chrome instance, automating the process via an easy-to-use GUI. Its developers claim an extremely high success rate, though researchers describe that 99.7% figure as almost certainly fictional.
The tool reduces the technical barrier to high‑end phishing by centralising container lifecycle, builds, and active infrastructure alongside phishing deployment and session monitoring, enabling the attacker to monitor infections in real time. This approach underscores the shift toward real‑time, session‑aware compromises and challenges defenders to focus on anomalous session behaviour rather than just whether MFA was completed. 19 February 2026.
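One way to act on the point about anomalous session behaviour is to compare every use of a session against the context in which MFA was completed. This is an added example, not code from the article or from the Abnormal AI research. The event schema, field names, addresses, ASN numbers and the hosting-ASN list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (hypothetical schema): one record per authenticated request.
EVENTS = [
    {"ts": 1, "user": "alice", "sid": "s1", "event": "mfa_ok",
     "ip": "198.51.100.7", "asn": 64500, "ua": "Chrome/121 Windows"},
    {"ts": 2, "user": "alice", "sid": "s1", "event": "request",
     "ip": "198.51.100.7", "asn": 64500, "ua": "Chrome/121 Windows"},
    # MFA completed from a hosting network, then the same session is used elsewhere.
    {"ts": 3, "user": "bob", "sid": "s2", "event": "mfa_ok",
     "ip": "203.0.113.20", "asn": 64510, "ua": "Chrome/121 Linux"},
    {"ts": 4, "user": "bob", "sid": "s2", "event": "request",
     "ip": "192.0.2.99", "asn": 64505, "ua": "Firefox/122 Windows"},
]
HOSTING_ASNS = {64510}  # constructed: ASNs your organisation classifies as cloud/hosting


def find_anomalous_sessions(events, hosting_asns):
    """Return {session_id: sorted reasons} for sessions that look proxied or replayed."""
    baseline = {}                 # sid -> (asn, user agent) seen when MFA completed
    findings = defaultdict(set)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["sid"]
        if e["event"] == "mfa_ok":
            baseline[sid] = (e["asn"], e["ua"])
            # A user "logging in" from a data-centre network fits a hosted proxy.
            if e["asn"] in hosting_asns:
                findings[sid].add("mfa_from_hosting_asn")
            continue
        if sid not in baseline:
            # Session in use with no recorded MFA step: token of unknown origin.
            findings[sid].add("session_without_mfa_event")
            continue
        asn, ua = baseline[sid]
        if e["asn"] != asn:
            findings[sid].add("asn_changed_after_mfa")
        if e["ua"] != ua:
            findings[sid].add("user_agent_changed_after_mfa")
    return {sid: sorted(reasons) for sid, reasons in findings.items()}


if __name__ == "__main__":
    for sid, reasons in find_anomalous_sessions(EVENTS, HOSTING_ASNS).items():
        print(sid, reasons)
```

Each reason is a signal to score or correlate, not a verdict: VPNs and mobile networks also change ASN mid-session, so tune the thresholds against your own baseline traffic.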