Astaroth: A New 2FA Phishing Kit Targeting Gmail, Yahoo, AOL, O365, and Third-Party Logins

Discover how Astaroth phishing kits bypass security, offer bulletproof hosting, and how Varonis protects businesses from advanced cyber threats.
Last updated October 29, 2025

Phishing attacks continue to evolve, pushing even the most secure authentication methods to their limits. First advertised on cybercrime networks in late January 2025, Astaroth is a brand-new phishing kit that bypasses two-factor authentication (2FA) through session hijacking and real-time credential interception.

Astaroth utilizes an evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft. Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, bypassing 2FA.

What makes Astaroth unique

Astaroth distinguishes itself by intercepting login credentials and rapidly capturing 2FA authentication tokens and session cookies as they are generated. This real-time interception, enabled by a reverse proxy mechanism, allows attackers to bypass 2FA defenses with remarkable speed and precision.

In contrast, traditional phishing kits typically rely on static fake login pages that capture only primary credentials, often leaving the 2FA layer intact. By dynamically intercepting all authentication data in real time, Astaroth significantly raises the bar, rendering conventional phishing methods and their inherent security measures largely ineffective.

How Astaroth works

With Astaroth and its approach to bypassing traditional security measures introduced, let’s look at the mechanics of how the kit operates during an attack. The attack begins when a victim clicks a phishing URL and is redirected to a malicious server operating as a reverse proxy. This server mirrors the target domain’s appearance and functionality while relaying traffic between the victim and the legitimate login page.

With SSL certificates issued for the phishing domain, victims see no security warnings and believe they are on the real site. Astaroth forwards user requests to the legitimate service while stealthily intercepting responses and sensitive data.

Figure: An example of what the victim would see

When a victim enters their login credentials (username and password) on the phishing page, Astaroth captures them, together with the victim’s user agent string and IP address, before forwarding the request to the legitimate server. The user agent and IP address allow attackers to replicate the victim’s session environment and reduce detection risks during login.

Figure: An example of what the victim and attacker would see

Because the login flow always includes the 2FA step (e.g., via SMS codes, authenticator apps, or push notifications), Astaroth automatically captures the 2FA token in real time as the victim enters it. Any token the victim submits is intercepted immediately—the attacker is instantly alerted through a web panel interface and Telegram notifications.

Figure: The attacker’s web panel that stores session information

The final step involves capturing session cookies issued by the legitimate server after successful authentication. Astaroth intercepts and delivers them to the attacker, who can inject them into their browser using manual header modifications or tools like Burp Suite. This bypasses 2FA entirely – no further credentials are needed, as the session is already authenticated.
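The steps above end with a stolen session cookie being replayed from the attacker’s browser, and the kit copies the victim’s user agent to blend in. The following detection logic, added here as an illustration and not part of the original post or any Varonis product, runs over constructed sign-in log lines and flags a session that is used from more than one IP address, keying on the IP rather than the user agent because the user agent is what the kit spoofs; the `KNOWN_IPS` baseline and the log fields are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample log lines (not from the page): alice signs in through the
# reverse proxy (proxy IP 203.0.113.7); the stolen cookie is then replayed from
# the attacker's browser (198.51.100.9) using a copied user agent. bob is benign.
SAMPLE_LOG = """
{"ts": 100, "event": "login_success", "user": "alice", "session": "s1", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 160, "event": "activity", "user": "alice", "session": "s1", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 400, "event": "activity", "user": "alice", "session": "s1", "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 100, "event": "login_success", "user": "bob", "session": "s2", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": 900, "event": "activity", "user": "bob", "session": "s2", "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""

# Hypothetical per-user baseline: IPs seen in prior, unremarkable sign-ins.
KNOWN_IPS = {"alice": {"192.0.2.50"}, "bob": {"192.0.2.10"}}


def parse_log(text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_session_replay(events, known_ips):
    """Return one alert per session that is used from more than one IP.

    The user agent is deliberately not compared: the kit replays the victim's
    user agent, so a UA-only check would miss the cookie replay entirely.
    """
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        sessions[e["session"]].append(e)
    alerts = []
    for sid, evs in sessions.items():
        login = next((e for e in evs if e["event"] == "login_success"), None)
        if login is None:
            continue
        ips = {e["ip"] for e in evs}
        if len(ips) > 1:
            # A sign-in from an IP never seen for this user (the proxy host)
            # followed by use from yet another IP is the strongest signal.
            new_login_ip = login["ip"] not in known_ips.get(login["user"], set())
            alerts.append({
                "user": login["user"], "session": sid, "login_ip": login["ip"],
                "other_ips": sorted(ips - {login["ip"]}),
                "severity": "high" if new_login_ip else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(alert)
```

Legitimate IP changes (mobile roaming, VPN reconnects) will also trip this rule, so treat the alert as a triage signal to be combined with the sign-in IP’s reputation and the user’s baseline rather than as a verdict on its own.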

Beyond its primary interception methods, Astaroth includes extra functionalities to improve its durability and attractiveness to threat actors. The following section dives deeper into these features and how they fit into the larger phishing ecosystem.

Key features

Some of its other key features include custom hosting options, like bulletproof hosting, which help it resist takedown attempts by law enforcement and ensure the long-term availability of its infrastructure. This allows cybercriminals to host their operations in jurisdictions with limited cooperation from Western authorities.

For $2,000, users receive six months of continuous updates, gaining access to the latest improvements and bypass techniques. Astaroth offers testing before purchase to build trust and showcase its legitimacy on cybercrime marketplaces.

Figure: The seller sharing information on testing the phishing kit out

The seller is notably transparent, openly sharing details on how the phishing kit works, including techniques for bypassing reCAPTCHA and BotGuard protections. This level of openness is designed to attract both experienced attackers and newcomers by addressing common problems with manual phishing setups.

Finally, Astaroth is primarily distributed through Telegram and promoted across cybercrime forums and marketplaces. Unfortunately, the accessibility of these platforms, combined with their anonymity, makes it quite difficult for law enforcement to track and disrupt their sales.

Get protection with Varonis

Varonis Interceptor can help defend against various phishing kits, including Astaroth.

By protecting email, browsers, and mobile communications, Varonis shields businesses from financial fraud and data theft. Our cutting-edge approach protects against new phishing threats, including those that employ complex tactics.
