Astaroth: A Sophisticated 2FA Phishing Kit Targeting Major Email and Third Party Logins

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
SlashNext recently published a blog detailing Astaroth, a newly emerged phishing kit that takes 2FA bypassing to the next level. First advertised on cybercrime forums in late January 2025, Astaroth leverages session hijacking and real-time credential interception to compromise accounts protected by multi-factor authentication (MFA). Unlike traditional phishing kits that rely on static credential-harvesting pages, Astaroth employs an evilginx-style reverse proxy to intercept authentication traffic between victims and legitimate services such as Gmail, Yahoo, Microsoft, and third-party logins. This man-in-the-middle (MITM) attack enables cybercriminals to steal not just usernames and passwords but also session cookies and 2FA authentication tokens in real-time, allowing them to bypass MFA protections effortlessly. By dynamically capturing session data as it is generated, Astaroth outperforms conventional phishing tools that typically leave MFA intact. Its ability to replicate legitimate authentication flows makes detection and mitigation significantly more challenging, reinforcing the need for phishing resistant authentication mechanisms such as hardware security keys and FIDO2-based MFA.
Technical Details
The attack starts when a victim clicks a phishing link that leads to a malicious server acting as a reverse proxy. The server serves a near-indistinguishable replica of the legitimate login page's design and behavior while silently relaying the traffic between the user and the real authentication service. To preserve the appearance of legitimacy, a valid TLS certificate is issued for the phishing domain, so the victim sees a padlock and no browser security warning. As the victim types their credentials, Astaroth forwards each input to the legitimate service while simultaneously capturing and storing the authentication material, including session cookies and 2FA tokens. This seamless man-in-the-middle attack lets the operator hijack the live session and bypass multi-factor authentication without raising suspicion.

When a victim enters their username and password on the phishing page, Astaroth intercepts and records them before passing the request on to the legitimate authentication server. In addition to the credentials, it captures the browser's User-Agent string and the victim's IP address, which let the attacker imitate the victim's session environment. By replaying the victim's device type, browser, and apparent location, the attacker reduces the chance of triggering security alerts when the stolen session data is used, undermining defenses that rely on device fingerprinting or geographic anomalies to spot suspicious logins. Because the targeted services require 2FA (SMS codes, authenticator apps, or push notifications), Astaroth is built to capture 2FA tokens in real time: the moment the victim submits an authentication code, the kit intercepts it and alerts the attacker through its web panel and Telegram notifications.

Additional Features Enhancing Astaroth’s Appeal
Beyond its real-time interception capabilities, Astaroth includes features that make it more resilient and attractive to cybercriminals:
• Custom Hosting Solutions – Offers bulletproof hosting, making it resistant to takedown efforts and ensuring long-term operational stability. Hosting is often set up in jurisdictions with minimal cooperation with law enforcement.
• Subscription Model – Priced at $2,000 for six months, Astaroth provides ongoing updates, including new bypass techniques. Buyers can even test the phishing kit before purchase to confirm its effectiveness.
• Bypassing Security Measures – The seller is highly transparent, openly sharing how the kit defeats reCAPTCHA and BotGuard protections, making it appealing to both experienced hackers and less-skilled cybercriminals.
• Distribution & Promotion – Astaroth is primarily distributed via Telegram and advertised on cybercrime forums and dark web marketplaces. These platforms provide anonymity, making it challenging for law enforcement to track and disrupt sales.
Astaroth’s ease of use, adaptability, and anti-detection mechanisms highlight the growing sophistication of modern phishing kits, further complicating efforts to defend against these evolving threats.
Conclusion
Astaroth represents a significant evolution in phishing tactics, demonstrating how cybercriminals are adapting to overcome modern authentication defenses. By leveraging real-time credential interception, session hijacking, and advanced evasion techniques, it renders traditional phishing protections—including two-factor authentication (2FA)—ineffective. Its accessibility via Telegram and cybercrime forums, combined with bulletproof hosting and continuous updates, makes it an attractive tool for attackers at all skill levels. The ability to bypass security measures like reCAPTCHA and BotGuard further enhances its effectiveness, making detection and mitigation even more challenging. As phishing kits like Astaroth become more sophisticated, organizations and individuals must adopt stronger security measures, such as hardware-based authentication (FIDO2 security keys), behavioral analytics, and continuous monitoring. The rise of such tools highlights the ongoing need for phishing-resistant authentication methods and enhanced awareness training to defend against emerging threats.
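The Technical Details above describe why a relayed password and one-time code pass through the proxy untouched; the FIDO2/WebAuthn mitigation named in the Summary and Conclusion works because the browser binds each assertion to the origin the user is actually on. The stdlib-only simulation below is an added example (not code from the original post, SlashNext, or the Astaroth kit); the relying-party and look-alike origins are constructed, and HMAC-SHA256 stands in for the authenticator's ECDSA signature so it runs offline.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

# Constructed relying-party and look-alike proxy origins (not from the original post).
RP_ORIGIN = "https://accounts.example.com"
RP_ID = urlparse(RP_ORIGIN).hostname
PROXY_ORIGIN = "https://accounts.example.com.login-check.example"


def browser_sign(auth_key: bytes, page_origin: str, challenge: bytes) -> dict:
    """Victim's browser + authenticator answering navigator.credentials.get().
    The browser, not the page, writes `origin` and scopes the credential to the
    page's host (rpIdHash), so a proxied page never obtains legitimate values.
    HMAC-SHA256 stands in for the authenticator's ECDSA signature (simplification)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # flags=UP, counter=0
    sig = hmac.new(auth_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(auth_key: bytes, a: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks (WebAuthn 7.2) that make a reverse-proxy relay fail."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(auth_key, a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "signature does not cover presented data"
    return True, "ok"


def demo() -> dict:
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed credential secret; fresh per login
    legit = browser_sign(key, RP_ORIGIN, challenge)
    relayed = browser_sign(key, PROXY_ORIGIN, challenge)      # ceremony done on the proxied page, relayed verbatim
    cd = json.loads(relayed["clientDataJSON"]); cd["origin"] = RP_ORIGIN
    tampered = {"clientDataJSON": json.dumps(cd).encode(),  # proxy rewrites origin and rpIdHash to look legitimate
                "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + relayed["authenticatorData"][32:],
                "signature": relayed["signature"]}
    return {"legit": rp_verify(key, legit, challenge), "relayed": rp_verify(key, relayed, challenge),
            "tampered": rp_verify(key, tampered, challenge)}
```

In practice the relayed ceremony usually fails on the client already, because no credential is scoped to the proxy's host; the server-side origin, rpIdHash, challenge and signature checks shown here are the backstop that a kit relaying cookies and OTPs cannot get past.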