0/100

medium Risk

starkiller.su

https://starkiller.su/

172.94.9.232 · Secure Internet LLC

Location

City of London, United Kingdom

Domain Age

—

HTTP

200 · 16.3s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "STARKILLER // SYSTEM ACCESS"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

STARKILLER

Vendors

30/30

Status

completed

✓ phishtank✓ openphish✓ isitphish✓ sophos✓ yandex✓ eset✓ bitdefender✓ avg✓ polyswarm✓ kaspersky✓ avast✓ brightcloud✓ microsoft✓ apple✓ apwg✓ spamhaus✓ netcraft✓ phishreport✓ cisa✓ emsisoft✓ urlscan✓ norton✓ urlabuse✓ drweb✓ threatyeti✓ urlquery✓ virustotal✓ google✓ mcafee✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Starkiller

Credential Phishing

technology | finance | ecommerce | other · 4/5/2026

Summary

The page at starkiller.su presents a brand-nicking interface claiming to be STARKILLER SYSTEM ACCESS with a credential harvesting flow. Visuals mimic a professional service and load assets (logo.png, fonts) to resemble a branding style, but the domain starkiller.su is not the legitimate Starkiller service. Endpoints such as /api/order/request and /api/payment/status appear to be designed to capture input or exfiltrate data, indicating credential collection activity. The SSL cert is recently issued by Let's Encrypt, which is common for phishing domains, and the site uses a conspicuously styled landing page to deceive visitors into entering data.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Distinctive asset clues: css2, logo.png.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 9

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://starkiller[.]su/

hxxps://starkiller[.]su/api/order/request

hxxps://starkiller[.]su/api/payment/status/$%7BorderId%7D

Attack Techniques (5)

Brand impersonation on a non-official domain (domain mismatch: starkiller.su versus potential legitimate Starkiller service)Cloned UI with brand-like typography and assets loaded from the site (logo.png, custom fonts) to resemble a legitimate portalJavaScript-driven capture endpoints (e.g., /api/order/request, /api/payment/status) suggesting data exfiltration of credentials or paymentsSSL certificate issued very recently (Let’s Encrypt) on a new domain, increasing risk of fraudSPA-like behavior indicated by late-rendered content and asset loading patterns

Indicators of Compromise (7)

▸Domain: starkiller.su (new, untrusted)

▸Endpoints: https://starkiller.su/api/order/request, https://starkiller.su/api/payment/status/$%7BorderId%7D

▸Assets: /img/logo.png, fonts.googleapis.com fonts loaded to mimic branding

▸Page title: STARKILLER // SYSTEM ACCESS

▸SSL cert: Let's Encrypt issued Mar 9 2026, valid through Jun 7 2026

▸Page shows credential capture-like elements and a prominent call-to-action to access

▸IP address 172.94.9.232 in UK/City of London block used for hosting

Risk AssessmentUsed in abuse reports

This site is actively impersonating a named brand (Starkiller) and hosts a suspicious credential/payment capture flow at the domain starkiller.su. The page title and visuals present a legitimate system access portal, while network endpoints indicate data exfiltration from user inputs. The domain is new and not associated with the known Starkiller service, and the SSL certificate is recently issued, which is common for phishing operations attempting to appear legitimate. Immediate action is warranted: suspend_domain and block_url to prevent credential collection, and monitor for similar clones from the same actor.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence