A new phishing kit named Astaroth has emerged as a significant threat to online account security, targeting platforms such as Gmail, Yahoo, AOL, Office 365, and other third-party login services.
First advertised on cybercrime forums in January 2025, Astaroth employs sophisticated techniques to bypass two-factor authentication (2FA) by leveraging session hijacking and real-time credential interception.
This development underscores the growing sophistication of phishing attacks aimed at undermining even the most robust authentication systems.
New Phishing Tool Bypasses Two-Factor Authentication with Advanced Techniques
At the core of Astaroth’s operation is an evilginx-style reverse proxy mechanism that acts as a man-in-the-middle between victims and legitimate authentication servers.
By intercepting traffic in real time, the kit captures login credentials, 2FA tokens, and session cookies without alerting the user.
Unlike traditional phishing kits that rely on static fake login pages to harvest primary credentials, Astaroth dynamically intercepts all authentication data as it is generated.
According to the Slashnext Report, this allows attackers to bypass 2FA protections with unprecedented speed and precision.
How Astaroth Operates
The attack begins when victims click on a phishing link that redirects them to a malicious server mimicking the appearance and functionality of legitimate login pages.
These phishing domains often use SSL certificates to avoid raising security warnings, making it difficult for users to distinguish between fake and authentic sites.
When users enter their credentials and 2FA tokens on these pages, Astaroth captures the data before forwarding it to the legitimate server.
A critical feature of Astaroth is its ability to intercept session cookies issued after successful authentication.
These cookies allow attackers to replicate authenticated sessions in their browsers using tools like Burp Suite or manual header modifications.
This effectively bypasses the need for further credentials or 2FA verification, granting attackers full access to the victim’s account.
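One defensive check against the cookie replay described above, as an added Python example that is not from the article or the SlashNext report: bind each session to the client fingerprint seen at login and flag later use of the same cookie from a different client. The log format, field names and values are constructed for the example.

```python
import json

# Constructed sample authentication log (not from the article). Session s-a1 is
# issued to a login that arrived through the attacker's reverse proxy and is later
# replayed from a different browser; s-b2 is an ordinary session for contrast.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "login_ok", "session": "s-a1", "ip": "203.0.113.10", "ua": "Chrome/121 Windows"}
{"ts": 1700000050, "event": "request", "session": "s-a1", "ip": "203.0.113.10", "ua": "Chrome/121 Windows"}
{"ts": 1700000420, "event": "request", "session": "s-a1", "ip": "198.51.100.7", "ua": "Firefox/122 Linux"}
{"ts": 1700000500, "event": "login_ok", "session": "s-b2", "ip": "192.0.2.55", "ua": "Safari/17 iPhone"}
{"ts": 1700000600, "event": "request", "session": "s-b2", "ip": "192.0.2.55", "ua": "Safari/17 iPhone"}
"""

def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_session_replay(events):
    """Bind each session to the (ip, user-agent) pair seen at login and report any
    later use from a different pair. A replayed cookie is still valid, so this
    mismatch is the observable signal. A user-agent change is rated 'high'; an
    IP-only change is 'medium' because mobile clients legitimately change address.
    With a reverse-proxy kit the login itself arrives from the proxy's address, so
    the binding is to the proxy, and the attacker's own browser still differs."""
    bound = {}    # session id -> (ip, ua) recorded at login
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        fp = (e["ip"], e["ua"])
        if e["event"] == "login_ok":
            bound[e["session"]] = fp
            continue
        orig = bound.get(e["session"])
        if orig is None or fp == orig:
            continue
        severity = "high" if fp[1] != orig[1] else "medium"
        alerts.append({"session": e["session"], "ts": e["ts"], "issued_to": orig,
                       "used_from": fp, "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(a)
```

A check like this only detects replay after the fact; origin-bound authenticators (FIDO2/WebAuthn) prevent the credential phase because the proxy's domain does not match the relying party.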
To enhance its appeal among cybercriminals, Astaroth offers additional features such as bulletproof hosting options that resist takedown attempts by law enforcement.
The kit is sold for $2,000 with six months of updates and includes testing options to demonstrate its effectiveness.
It also boasts capabilities for bypassing common protections like reCAPTCHA and BotGuard.
Distributed primarily through Telegram and promoted on cybercrime marketplaces, Astaroth’s accessibility poses significant challenges for law enforcement efforts to disrupt its operations.
The emergence of Astaroth highlights a troubling evolution in phishing tactics that render conventional security measures increasingly ineffective.
Its ability to bypass 2FA, a cornerstone of modern account security, demonstrates the need for more advanced defenses.
Organizations are urged to adopt comprehensive anti-phishing solutions capable of detecting such sophisticated attacks in real time.