Astaroth Phishing Kit Bypasses 2FA Using Reverse Proxy Techniques
![Astaroth Phishing Kit Bypasses 2FA Using Reverse Proxy Techniques](https://assets.infosecurity-magazine.com/webpage/og/611b35a8-f6ca-4083-9196-1abd815defad.jpg)
A sophisticated new phishing tool dubbed “Astaroth” has emerged on cybercrime platforms, boasting advanced methods to bypass two-factor authentication (2FA).
First advertised in January 2025, the kit employs session hijacking and real-time credential interception to compromise accounts on Gmail, Yahoo, Office 365 and other platforms.
According to SlashNext researchers, Astaroth operates through an evilginx-style reverse proxy, placing itself between users and legitimate login pages.
This allows it to capture usernames, passwords, 2FA tokens and session cookies without raising suspicion. Once attackers possess these session cookies, they can hijack authenticated sessions, bypassing additional security checks.
Why Astaroth Stands Out
Astaroth’s real-time interception capability differentiates it from traditional phishing kits. Conventional kits capture login credentials but often fail to compromise 2FA-protected accounts. Astaroth, however, dynamically intercepts and forwards tokens, enabling attackers to gain access as soon as authentication occurs.
“Attackers now use man-in-the-middle reverse proxies to mimic legitimate sites, capturing usernames, passwords, 2FA tokens and session cookies instantly,” explained Jason Soroko, a senior fellow at Sectigo. “This method hijacks authenticated sessions before security can react, rendering 2FA ineffective.”
The key features of Astaroth highlighted by SlashNext include:
- Real-time credential and session cookie capture
- The use of SSL-certified phishing domains to mimic secure sites
- Its compatibility with SMS-based codes, push notifications and authenticator apps
How the Attack Works
The attack begins when victims click on a phishing link, redirecting them to a malicious server acting as a reverse proxy.
Because the phishing domain presents a valid SSL/TLS certificate, victims see no browser warning and perceive no security threat. Once credentials and tokens are entered, Astaroth captures the data and alerts attackers via Telegram or a web panel interface.
“The availability of kits like Astaroth lowers the barrier to entry for cybercriminals, empowering less-experienced attackers to execute highly effective attacks,” said Patrick Tiquet, vice president of security & architecture at Keeper Security.
“By leveraging real-time credential interception and reverse proxies to hijack authenticated sessions, attackers can bypass even the strongest phishing defenses – including multi-factor authentication (MFA).”
The final phase involves using captured session cookies to replicate the victim’s login environment. This bypasses 2FA altogether, as the session is already authenticated.
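The two defensive properties that break the attack flow described above are origin binding of the second factor and binding of the issued session to the client that authenticated. The following Python model, added here as an illustration and not code from SlashNext, the kit, or any vendor quoted in the article, shows both: a simplified WebAuthn-style relying party that rejects an assertion signed over a lookalike origin even when the challenge is relayed correctly, and a session store that flags a cookie presented from a different client than the one that logged in. The origins, the HMAC stand-in for an ECDSA authenticator key, and the ASN/user-agent fingerprint are all constructed assumptions.

```python
"""Defender-side model of why origin-bound MFA and session binding resist a
reverse-proxy (AitM) phishing kit.  Added example, not the kit's or any
vendor's code.  The authenticator signs with HMAC rather than ECDSA, and the
origins below are constructed sample values."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

LEGIT_ORIGIN = "https://login.example.com"             # constructed
LOOKALIKE_ORIGIN = "https://login.example-secure.net"  # constructed proxy host


# --- 1. Origin-bound challenge/response (WebAuthn-style, simplified) --------

@dataclass
class Authenticator:
    """Device-held secret; a real authenticator holds a per-site ECDSA key."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def sign_assertion(self, challenge: bytes, origin: str) -> dict:
        # The browser, not the user, supplies the origin it is really talking
        # to, and the signature covers it, so a proxy cannot swap it later.
        client_data = origin.encode() + b"|" + challenge
        sig = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge, "sig": sig}


class RelyingParty:
    def __init__(self, expected_origin: str):
        self.expected_origin = expected_origin
        self.registered: dict[str, bytes] = {}  # user -> authenticator secret
        self.pending: dict[str, bytes] = {}     # user -> outstanding challenge

    def register(self, user: str, auth: Authenticator) -> None:
        self.registered[user] = auth.secret

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, assertion: dict) -> bool:
        # Origin check first: an assertion for any other origin is worthless
        # here, however fresh the challenge or valid the signature.
        if assertion["origin"] != self.expected_origin:
            return False
        if assertion["challenge"] != self.pending.pop(user, None):
            return False
        expected = hmac.new(
            self.registered[user],
            assertion["origin"].encode() + b"|" + assertion["challenge"],
            hashlib.sha256,
        ).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def origin_bound_login(through_proxy: bool) -> bool:
    """Return whether the relying party accepts the login.  When the victim's
    browser sits on the lookalike origin, the relayed challenge is signed over
    that origin, so the relying party rejects it."""
    rp = RelyingParty(LEGIT_ORIGIN)
    auth = Authenticator()
    rp.register("alice", auth)
    challenge = rp.issue_challenge("alice")          # relayed unchanged
    browser_origin = LOOKALIKE_ORIGIN if through_proxy else LEGIT_ORIGIN
    assertion = auth.sign_assertion(challenge, browser_origin)
    return rp.verify("alice", assertion)             # forwarded unchanged


# --- 2. Session binding: detect a cookie replayed from another client -------

def client_fingerprint(ip_asn: str, user_agent: str) -> str:
    """Coarse binding key (constructed); real deployments tune what goes in."""
    return hashlib.sha256(f"{ip_asn}|{user_agent}".encode()).hexdigest()[:16]


@dataclass
class Session:
    user: str
    fingerprint: str
    issued_at: float


class SessionStore:
    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def create(self, user: str, fingerprint: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, fingerprint, time.time())
        return token

    def check(self, token: str, fingerprint: str) -> tuple[bool, str]:
        sess = self.sessions.get(token)
        if sess is None:
            return False, "unknown session"
        if sess.fingerprint != fingerprint:
            # Cookie presented from a client other than the one that
            # authenticated: the symptom of a captured, replayed session.
            return False, "fingerprint mismatch: possible session replay"
        return True, "ok"


def session_replay_check() -> tuple[bool, str]:
    """Log in from one client, then present the same cookie from another."""
    store = SessionStore()
    victim_fp = client_fingerprint("AS3320", "Mozilla/5.0 (Windows NT 10.0)")
    other_fp = client_fingerprint("AS14061", "Mozilla/5.0 (X11; Linux x86_64)")
    cookie = store.create("alice", victim_fp)
    assert store.check(cookie, victim_fp) == (True, "ok")
    return store.check(cookie, other_fp)
```

The origin check is the decisive part: a proxied challenge is still fresh and the signature still valid, and the login fails only because the signed origin is the lookalike host. Session binding is a detection layer rather than a replacement; an ASN/user-agent key will occasionally trip legitimate users who change networks, so treat a mismatch as a signal to re-authenticate and alert rather than as proof of compromise on its own.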
“This phishing kit shows an alarming amount of sophistication,” warned Thomas Richards, principal consultant at Black Duck. “All the usual defenses and things to look out for that we train users on are harder to spot with this attack.”
Law Enforcement Challenges
Beyond its technical prowess, Astaroth includes features like bulletproof hosting and reCAPTCHA bypasses. Sellers on Telegram and cybercrime forums offer six-month support packages for $2000.
SlashNext said law enforcement faces challenges in disrupting Astaroth’s distribution due to its decentralized hosting and reliance on encrypted communication platforms.
“Some of its other key features include custom hosting options, like bulletproof hosting, which help it resist takedown attempts by law enforcement and ensure the long-term availability of its infrastructure. This allows cyber-criminals to host their operations in jurisdictions with limited cooperation from Western authorities,” the firm said.
“Finally, Astaroth is primarily distributed through Telegram and promoted across cybercrime forums and marketplaces. Unfortunately, the accessibility of these platforms, combined with the anonymity they offer, makes it quite difficult for law enforcement to track and disrupt its sales.”
Image credit: JarTee / Shutterstock.com