
Astaroth Phishing Kit Uses Reverse Proxy Techniques to Bypass 2FA


A new phishing tool known as “Astaroth” has recently surfaced on cybercrime platforms, showcasing advanced techniques to bypass two-factor authentication (2FA). This tool, first introduced in January 2025, utilizes session hijacking and real-time credential interception to compromise accounts on various platforms, including Gmail, Yahoo, and Office 365.

Researchers at SlashNext have identified that Astaroth operates through an evilginx-style reverse proxy, positioning itself between users and legitimate login pages. This strategy enables the tool to capture usernames, passwords, 2FA tokens, and session cookies without raising suspicion. Once attackers obtain these session cookies, they can take control of authenticated sessions, bypassing additional security measures.

What sets Astaroth apart is its real-time interception capability, which differentiates it from conventional phishing kits. While traditional kits may capture login credentials, they often struggle to compromise 2FA-protected accounts. Astaroth, on the other hand, dynamically intercepts and forwards tokens, allowing attackers to gain access immediately upon authentication.

Jason Soroko, a senior fellow at Sectigo, explained, “Attackers now use man-in-the-middle reverse proxies to mimic legitimate sites, capturing usernames, passwords, 2FA tokens, and session cookies instantly. This method hijacks authenticated sessions before security can react, rendering 2FA ineffective.”

Key features of Astaroth highlighted by SlashNext include real-time capture of credentials and session cookies, phishing domains served over HTTPS with valid TLS certificates so the pages appear secure, and support for intercepting SMS-based codes, push-notification approvals, and authenticator-app codes.

The attack begins when a victim clicks a phishing link that leads to an attacker-controlled server acting as a reverse proxy for the legitimate login page. Because the phishing domain presents a valid TLS certificate, the browser shows no warning and the victim sees nothing amiss. As the victim enters credentials and 2FA codes, Astaroth captures the data in transit and notifies the attacker through Telegram or a web panel interface.
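The reason a relaying proxy works against the factors listed above is that everything the victim types, and every token the real site sends back, passes through the attacker's server unchanged. A factor that is bound to the origin the browser actually loaded does not relay the same way: the browser records that origin inside the signed assertion, and the relying party can reject any assertion whose origin is not its own. The following relying-party check is an added illustration written for this article; it is not code from SlashNext, from the kit, or from any of the vendors quoted, and the domain names, challenge format, and simulated browser are constructed assumptions. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left out, since it adds no origin binding beyond the fields checked here.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party configuration for the legitimate login site.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def issue_challenge() -> str:
    """Server side: a fresh random challenge per authentication attempt."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def verify_assertion(expected_challenge: str, client_data_json: bytes,
                     authenticator_data: bytes) -> tuple[bool, str]:
    """Check the origin-binding fields of a WebAuthn-style assertion.

    A proxy can forward bytes, but it cannot change the origin the browser
    wrote into clientDataJSON, nor the rpIdHash the authenticator committed to.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party's origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def simulate_browser_assertion(page_origin: str, rp_id: str,
                               challenge: str) -> tuple[bytes, bytes]:
    """Model of what the browser and authenticator produce (constructed).

    The browser fills in the origin of the page that called
    navigator.credentials.get(); a page served from a proxy domain gets that
    proxy's origin, not the legitimate site's.
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + (0).to_bytes(4, "big"))
    return client_data, auth_data


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Legitimate sign-in versus the same ceremony relayed through a proxy."""
    challenge = issue_challenge()
    # Page loaded from the real origin: assertion is accepted.
    cd, ad = simulate_browser_assertion("https://login.example.com", RP_ID, challenge)
    legit = verify_assertion(challenge, cd, ad)
    # Page loaded from a look-alike proxy domain (constructed placeholder).
    # The browser would not even issue an assertion for RP ID "example.com"
    # from this origin, so the proxy must request its own RP ID; either way
    # the relying party rejects the result.
    cd2, ad2 = simulate_browser_assertion("https://login-example-com.phish.invalid",
                                          "phish.invalid", challenge)
    proxied = verify_assertion(challenge, cd2, ad2)
    return legit, proxied


if __name__ == "__main__":
    for label, result in zip(("legitimate", "proxied"), demo()):
        print(f"{label}: {result}")
```

The same property does not hold for the factors the article lists: an SMS code, a push approval, or a TOTP value carries no information about which site the user was looking at, so the proxy can relay it as-is.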

“The availability of kits like Astaroth lowers the barrier to entry for cybercriminals, empowering less-experienced attackers to execute highly effective attacks,” stated Patrick Tiquet, vice president of security & architecture at Keeper Security. “By leveraging real-time credential interception and reverse proxies to hijack authenticated sessions, attackers can bypass even the strongest phishing defenses – including multi-factor authentication (MFA).”

In the final phase the attacker replays the captured session cookies to reproduce the victim's authenticated session; because that session has already completed 2FA, no second factor is requested. Thomas Richards, principal consultant at Black Duck, warned, “This phishing kit shows an alarming amount of sophistication. All the usual defenses and things to look out for that we train users on are harder to spot with this attack.”
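Because the replayed session is fully authenticated, the server-side signal that remains is where the session is used: a cookie issued to one client appears shortly afterwards from a different source. The detector below is an added example for this article, not SlashNext's or any vendor's code; the log format, field names, and the log lines themselves are constructed for illustration. It raises a high-severity alert when a session is used from a source IP other than the one that authenticated while the original client is still active, and a low-severity one when a session appears with no login on record.

```python
import json

# Constructed sign-in and activity log (one JSON object per line); not real telemetry.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "login",   "user": "alice", "session": "s1", "src_ip": "203.0.113.10",  "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 1700000030, "event": "request", "user": "alice", "session": "s1", "src_ip": "203.0.113.10",  "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 1700000095, "event": "request", "user": "alice", "session": "s1", "src_ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 1700000120, "event": "request", "user": "alice", "session": "s1", "src_ip": "203.0.113.10",  "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
{"ts": 1700000200, "event": "login",   "user": "bob",   "session": "s2", "src_ip": "192.0.2.5",     "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": 1700000260, "event": "request", "user": "bob",   "session": "s2", "src_ip": "192.0.2.5",     "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": 1700000300, "event": "request", "user": "carol", "session": "s9", "src_ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_session_replay(events: list[dict], window_seconds: int = 900) -> list[dict]:
    """Flag sessions used from a source other than the one that authenticated.

    Severity is "high" when the original client was seen within
    window_seconds (both parties are using the session at once, which is
    the cookie-replay pattern), "medium" otherwise, and "low" when a session
    is active but no login for it is on record.
    """
    sessions: dict[str, dict] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "login":
            sessions[sid] = {"user": ev["user"], "ip": ev["src_ip"],
                             "ua": ev["ua"], "seen": {ev["src_ip"]: ev["ts"]}}
            continue
        state = sessions.get(sid)
        if state is None:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "src_ip": ev["src_ip"], "severity": "low",
                           "reason": "session used without an observed login"})
            continue
        if ev["src_ip"] != state["ip"]:
            # Was any other source using this session recently?
            concurrent = any(ev["ts"] - t <= window_seconds
                             for ip, t in state["seen"].items() if ip != ev["src_ip"])
            reason = f"session issued to {state['ip']} used from {ev['src_ip']}"
            if ev["ua"] != state["ua"]:
                reason += "; user agent also differs"
            alerts.append({"session": sid, "user": state["user"], "ts": ev["ts"],
                           "src_ip": ev["src_ip"],
                           "severity": "high" if concurrent else "medium",
                           "reason": reason})
        state["seen"][ev["src_ip"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Two caveats for production use. A kit that reproduces the victim's login environment will carry the same user agent, so the user-agent comparison is only a secondary signal; the source address is the primary one. Conversely, carrier-grade NAT and mobile roaming change a legitimate user's IP mid-session, so comparing ASN or coarse geolocation rather than exact addresses, and weighting alerts by how soon after login the change occurs, keeps the false-positive rate workable.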

In addition to its technical capabilities, Astaroth offers features such as bulletproof hosting and reCAPTCHA bypasses. Sellers on Telegram and cybercrime forums provide six-month support packages for $2000. SlashNext noted that law enforcement faces challenges in disrupting the distribution of Astaroth due to its decentralized hosting and reliance on encrypted communication platforms.

“Some of its other key features include custom hosting options, like bulletproof hosting, which help it resist takedown attempts by law enforcement and ensure the long-term availability of its infrastructure. This allows cyber-criminals to host their operations in jurisdictions with limited cooperation from Western authorities,” the firm explained.

“Finally, Astaroth is primarily distributed through Telegram and promoted across cybercrime forums and marketplaces. Unfortunately, the accessibility of these platforms, combined with the anonymity they offer, makes it quite difficult for law enforcement to track and disrupt its sales.”

Overall, Astaroth represents a significant advancement in phishing tools, posing challenges for cybersecurity professionals and law enforcement agencies in combating its sophisticated capabilities.
