A dangerous new phishing tool called Astaroth has begun circulating in cybercrime environments, noted for its ability to circumvent two-factor authentication (2FA) with alarming accuracy. Discovered in early 2025, this threat employs techniques such as session hijacking and real-time credential interception to compromise accounts on widely used services such as Gmail, Yahoo and Microsoft 365.
Astaroth operates as an Evilginx-style reverse proxy, silently placing itself between the user and the legitimate login site. From that position it can steal usernames, passwords, 2FA codes and session cookies, allowing attackers to access already-authenticated accounts without going through additional checks. Far from being a distant or extremely technical threat, this phishing kit represents a tangible evolution of digital fraud, capable of evading measures hitherto considered secure.
Why is Astaroth so worrisome?
What really makes Astaroth stand out from other phishing kits is its ability to act in real time. While most traditional kits are limited to stealing usernames and passwords (which is bad enough), they tend to fall short when they come across accounts protected with two-factor authentication (2FA). Astaroth, on the other hand, goes a step further: it can intercept those 2FA codes at the exact moment the user enters them and forward them directly to the attacker.
According to a security researcher, attackers are using reverse proxies to impersonate legitimate sites. They manage to capture everything: username, password, authentication code and even session cookies. With that in their hands, they basically take control of the account as if they were the real user, before security systems can do anything about it.
Among the most dangerous points of Astaroth are:
- Instant capture of credentials and session cookies
- Use of phishing sites with SSL certificates, which at first glance appear secure
- Its ability to steal authentication codes regardless of the method: SMS, push notifications or authenticator apps such as Google Authenticator
How does the attack work?
It all starts when the victim clicks on a phishing link that looks legitimate (nothing out of the ordinary) and ends up being redirected to a server controlled by the attackers. This server acts as a reverse proxy, i.e. it puts itself between the user and the real website, without anyone noticing.
As the site is protected with SSL certificates, the browser displays the typical little security padlock. At first glance, everything looks secure. But in reality, the user is handing over their credentials and 2FA codes directly to the attackers. As soon as the data is entered, Astaroth captures it and sends a real-time alert to the attacker, either via a web dashboard or messaging services such as Telegram.
The worrying thing about all of this is that you don't need to be an expert hacker to execute this type of attack. Kits like Astaroth are designed so that anyone with a little technical know-how can launch an effective campaign.
By leveraging this real-time interception and session hijacking system, attackers can bypass even the most advanced defenses, including the highly recommended multi-factor authentication.
In the final phase of the attack, they use the stolen session cookies to clone the user's session. Since that session is already authenticated, the system does not ask for further verification. The attacker logs in directly, unhindered, as if they were the real owner of the account.
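The following is an added illustration, not code from the article or from the kit it describes: a toy model, in Python, of the relay described above. A password plus a one-time code (SMS, push or authenticator app) depends only on a shared secret, so a proxy that forwards it unchanged gets a valid session cookie. An authenticator that signs the browser's actual origin (the WebAuthn/FIDO2 model) fails at the relying party, because the signed origin is the proxy's look-alike hostname rather than the real login site. All hostnames, secrets and class names are constructed for the example; the HMAC "device key" stands in for a registered authenticator key pair and is not a real protocol implementation.

```python
"""Toy model: why a real-time reverse proxy relays one-time codes but not
origin-bound authenticators. Constructed example; nothing here is real
infrastructure or a real protocol implementation."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"       # assumed real login site
PROXY_ORIGIN = "https://login.example-com.test"  # assumed look-alike proxy site


class RelyingParty:
    """Minimal login service: password check followed by a second factor."""

    def __init__(self):
        self.password = "correct horse battery staple"   # constructed
        self.totp_secret = b"constructed-shared-totp-secret"
        self.device_key = secrets.token_bytes(32)  # stands in for a registered authenticator key
        self.sessions = set()

    def current_code(self, counter):
        # Counter-based one-time code: depends only on the secret and the counter,
        # not on which website the user typed it into.
        mac = hmac.new(self.totp_secret, counter.to_bytes(8, "big"), hashlib.sha256)
        return mac.hexdigest()[:6]

    def login_with_code(self, password, code, counter):
        if password == self.password and hmac.compare_digest(code, self.current_code(counter)):
            return self._new_session()
        return None

    def login_with_assertion(self, password, client_data, signature):
        if password != self.password:
            return None
        # Origin binding: the authenticator signed the origin the browser was really on.
        data = json.loads(client_data)
        if data.get("origin") != LEGIT_ORIGIN:
            return None
        expected = hmac.new(self.device_key, client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._new_session()

    def _new_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def is_authenticated(self, cookie):
        return cookie in self.sessions


class Authenticator:
    """Toy origin-bound authenticator (HMAC stands in for a signature)."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin):
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        return client_data, hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()


def relay_code_through_proxy(rp, counter):
    """User enters password and code on the proxy page; proxy forwards both unchanged."""
    captured_password, captured_code = rp.password, rp.current_code(counter)
    return rp.login_with_code(captured_password, captured_code, counter)  # valid cookie


def relay_assertion_through_proxy(rp, auth):
    """Same relay, but the browser is on PROXY_ORIGIN, so that is what gets signed."""
    client_data, sig = auth.sign(secrets.token_hex(8), PROXY_ORIGIN)
    return rp.login_with_assertion(rp.password, client_data, sig)  # None: origin mismatch


def demo():
    rp = RelyingParty()
    auth = Authenticator(rp.device_key)
    relayed_code_cookie = relay_code_through_proxy(rp, counter=1)
    relayed_assertion_cookie = relay_assertion_through_proxy(rp, auth)
    client_data, sig = auth.sign(secrets.token_hex(8), LEGIT_ORIGIN)
    direct_cookie = rp.login_with_assertion(rp.password, client_data, sig)
    return {
        "code_relay_succeeds": rp.is_authenticated(relayed_code_cookie),
        "assertion_relay_succeeds": rp.is_authenticated(relayed_assertion_cookie),
        "direct_assertion_succeeds": rp.is_authenticated(direct_cookie),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last check in `login_with_assertion`: the second factor carries the origin the user was actually on, so a proxy sitting on a different hostname cannot replay it, whereas a typed code carries no such information and is accepted from anywhere.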
As one cybersecurity expert explained, the most disturbing thing about Astaroth is its level of sophistication: it makes many of the security tips we usually give (such as verifying the domain or relying on the browser lock) much less effective against this type of threat.
Why are traditional methods of protection no longer enough?
In addition to being technically very advanced, Astaroth comes with some pretty annoying extras: servers designed to resist shutdown attempts, circumvention of systems like reCAPTCHA, and even custom hosting options that make it much harder to remove.
On cybercrime forums and Telegram groups, it's sold as if it were premium software, with technical support included for six months for about $2000. That's how organized the market is.
The problem for the authorities is that they are not dealing with a single server that is easy to take down. Astaroth is distributed through a decentralized network, using encrypted platforms that offer a lot of anonymity. That makes tracking down the perpetrators or stopping the sale of the kit a herculean task in practice.
In addition, cybercriminals often host their infrastructure in countries where laws are more permissive or where there is no cooperation with international authorities. This gives them the freedom to continue operating without being easily stopped.
In short: Astaroth is not only difficult to detect and stop on a technical level, but it is also protected by a digital environment that makes it very difficult for law enforcement. And in the meantime, it continues to be sold and used without too many barriers.