Phishing Kits & PhaaS
What Is Evilginx?
Evilginx is a sophisticated open-source adversary-in-the-middle (AiTM) reverse proxy framework that enables attackers to position themselves between legitimate users and target websites to intercept and steal credentials, session cookies, and multi-factor authentication tokens. Evilginx represents the technological foundation underpinning modern PhaaS platforms and is widely considered the most influential AiTM framework in active use. The tool exists in both open-source (Evilginx2/3) and commercial variants (Evilginx Pro).
How Does Evilginx Work?
Evilginx operates as a standalone, self-contained application written in Go that implements its own HTTP and DNS servers, eliminating dependency on external infrastructure like nginx. This architectural decision makes deployment simpler and reduces the attack footprint according to technical documentation from GitHub and BreakDev.
The reverse proxy flow follows a predictable seven-step sequence. First, an attacker deploys Evilginx on a compromised or rented server. Second, a victim clicks a phishing link pointing to the attacker's Evilginx-powered domain. Third, Evilginx acts as a proxy between the victim's browser and the legitimate target site, creating a transparent relay.
Fourth, all traffic flows through the attacker's server in both directions: the victim sends credentials to Evilginx, which captures and forwards them to the legitimate site. Fifth, the legitimate site grants authentication and Evilginx captures the session cookie during this process. Sixth, the session cookie is returned to the victim's browser while Evilginx maintains a copy. Seventh, the attacker obtains both credentials and session cookies, enabling login without MFA re-authentication.
Session Cookie Theft
Session cookie theft represents Evilginx's most powerful capability. Captured authenticated session cookies contain full authentication state, allowing attackers to impersonate users without MFA re-authentication according to Abnormal AI and Dark Reading. This works across Microsoft 365, Google, Apple, and other major platforms. The cookies enable account access that persists until session expiration or credential changes.
MFA Bypass Mechanism
The MFA bypass occurs through real-time interception rather than cryptographic breaking. When a victim completes an MFA challenge on the Evilginx proxy, Evilginx forwards the MFA response to the legitimate site in real-time according to Microsoft Security Blog and Hypr. The legitimate site then issues an authenticated session cookie, which Evilginx captures and stores. Later, the attacker uses the stolen cookie for login because the MFA requirement has already been satisfied by the legitimate session.
Phishlet System
Customizable "phishlets" are templates for specific target websites that define how to proxy that site's traffic according to GitHub documentation. Each phishlet specifies which resources to intercept and how to handle authentication flows. Community phishlets are available for Microsoft 365, Google Workspace, Apple, GitHub, AWS, Okta, and others. Phishlets automatically handle JavaScript injection and page modification required to maintain the illusion of legitimacy.
Technical Capabilities
JavaScript injection lets operators insert custom JavaScript into proxied pages to track user interactions. Evilginx Pro includes automatic code obfuscation using the obfuscator.io engine according to BreakDev and Evilginx.com. The injected code changes shape with every page load to evade pattern-matching detection by security tools. The system captures every keystroke and form submission for comprehensive credential harvesting.
DNS and URL features include a full DNS server implementation that gives the operator complete control over subdomains. Attackers can create convincingly-named subdomains such as login.company.evilginx-domain.com. Automatic SSL/TLS certificate generation handles encryption, and domain fronting capabilities help hide true infrastructure behind legitimate CDNs.
Evilginx Variants
Evilginx2, the original version, was written in custom nginx configuration and is still widely used despite its age according to GitHub and RiskInsight. Community phishlets remain available and the open-source codebase continues to be maintained on GitHub.
Evilginx3, the current open-source version, was rewritten fully in Go for better portability and easier deployment. It features an enhanced phishlet system with improved evasion features and more streamlined configuration according to technical documentation.
Evilginx Pro, the commercial release from 2024+, provides gated access requiring verification as a red team or penetration tester according to BreakDev. It includes automatic JavaScript obfuscation, active developer support, enhanced evasion and detection avoidance, and regular updates to maintain effectiveness against evolving defenses.
How Does Evilginx Differ From Traditional Phishing Kits?
| Aspect | Evilginx (AiTM) | Traditional Phishing Kit |
|---|---|---|
| Credential Capture | Credentials + session cookie | Credentials only |
| MFA Bypass | Session cookie bypasses MFA | Credentials vulnerable to MFA |
| Attacker Skill Required | High (technical setup) | Low-Medium (tool operation) |
| Longevity | Days-weeks (harder to detect) | Hours (36-48 hours) |
| Session Hijacking | Yes (core feature) | No |
| Real-time Interception | Full HTTPS traffic inspection | Static credential capture |
| Deployment | Standalone reverse proxy | Simple HTML hosting |
| Evasion Sophistication | Very High (legitimate encryption) | Moderate (fake HTTPS) |
| Ideal for | Advanced attackers seeking session theft | Low-skill attackers seeking credentials |

| Aspect | Evilginx | PhaaS (Tycoon 2FA/EvilProxy) |
|---|---|---|
| Model | Open-source framework / Pro paid license | Fully managed services |
| Deployment | Attacker-managed infrastructure | Provider-managed infrastructure |
| Skill Required | Medium-high technical | Very low (UI-driven) |
| Support | Community / paid (Pro) | 24/7 developer support |
| Customization | Very high (full code control) | Low-medium (templates) |
| Scale | Single campaign per deployment | Multi-tenant (1M+ attacks/month) |
| Cost | Free / Pro subscription | $100-$1,500/month |
| Ideal for | Technical attackers and red teams | Non-technical cybercriminals |
Compared to PhaaS platforms like Tycoon 2FA and EvilProxy, Evilginx offers different trade-offs. Evilginx operates as an open-source framework or Pro paid license while PhaaS provides fully managed services. Deployment requires attacker-managed infrastructure for Evilginx versus provider-managed infrastructure for PhaaS. Skill requirements are medium-high technical for Evilginx compared to very low UI-driven for PhaaS. Support consists of community or paid with Pro versus 24/7 developer support for PhaaS. Customization is very high with full code control for Evilginx compared to low-medium templates for PhaaS. Scale is single campaign per deployment versus multi-tenant with 1M+ attacks/month for PhaaS. Cost is free or Pro subscription versus $100-$1,500/month for PhaaS.
Why Does Evilginx Matter?
Widespread Criminal Adoption
Evilginx is nominally a red team tool but is widely used by cybercriminals according to Malwarebytes and Abnormal AI. Multiple prolific phishing operators including Storm-0485 use the framework. Russian espionage actors including Star Blizzard have deployed Evilginx in campaigns. The tool is embedded in criminal PhaaS platforms, providing the technical foundation for commercial phishing services.
Recent Attack Campaigns
In April 2025, a persistent campaign targeted 18+ U.S. educational institutions according to Malwarebytes and GBHackers. Evilginx 3.0 was used to bypass MFA on higher education networks. Attackers targeted universities likely for credential harvesting and lateral movement opportunities. The campaign demonstrated sustained operational interest and continued through December 2025.
Red Team Legitimacy
Evilginx Pro was released in 2024 for legitimate red team testing, requiring verification through professional email, LinkedIn profile, and red team affiliation according to BreakDev. The growing market for "pentest-only" tools indicates the dual-use tool problem: legitimate red team use enables criminal use by providing tested, sophisticated attack frameworks.
PhaaS Infrastructure
Evilginx-based infrastructure powers multiple PhaaS platforms according to Dark Reading and GitHub documentation. Evilginx code forms the basis of platforms like EvilProxy. PhaaS providers extend Evilginx with automation, support, and multi-tenancy. This represents an intermediate layer between open-source framework and fully managed PhaaS, demonstrating Evilginx's influence on the broader threat landscape.
Attack Scale
Each Evilginx deployment can handle hundreds to thousands of concurrent victims according to technical analysis from RiskInsight. The campaign targeting 18 universities represents a single coordinated operation according to Malwarebytes. Estimated thousands of deployments globally are in active use based on threat intelligence reporting from multiple security vendors.
What Are the Limitations of Evilginx?
Infrastructure Requirements
Evilginx requires attackers to manage server and hosting infrastructure, creating operational overhead. Hosting providers can detect and remove infrastructure through abuse reporting systems. VPS and dedicated server costs add up, ranging from $50-500/month per server according to industry pricing. IP reputation systems flag known Evilginx infrastructure based on behavioral patterns. Domain reputation systems detect suspicious proxying behavior through traffic analysis.
Detection Surface
Proxy infrastructure creates network traffic signatures that security tools can identify according to Deepwatch and Microsoft Security Blog. SSL/TLS certificates issued for phishing domains are flagged by Certificate Transparency monitoring systems. DNS queries for Evilginx domains show suspicious patterns detectable by threat intelligence platforms. Outbound traffic from servers shows proxying patterns inconsistent with legitimate hosting.
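The Certificate Transparency angle above can be turned into a concrete screening step. The following is an added example written for this page, not code from Evilginx or from any vendor cited here: it scans a batch of certificate DNS names for hostnames that carry a protected brand label under a registrable domain the brand owner does not control, which is exactly the shape of the `login.company.evilginx-domain.com` pattern described earlier. The brand list, the CT entries and the "last two labels" rule for the registrable domain are constructed assumptions; a production monitor would consume a live CT feed and use the public-suffix list.

```python
# Added example: screening Certificate Transparency (CT) names for brand
# lookalikes. Brand list, CT entries and the registrable-domain rule are
# assumptions made for this illustration, not data from the page.

# Constructed: brand labels worth protecting, mapped to the registrable
# domains that legitimately carry them.
PROTECTED_BRANDS = {"company": {"company.com"}}

# Constructed CT log entries (DNS names from freshly issued certificates).
CT_ENTRIES = [
    "login.company.com",
    "mail.company.com",
    "login.company.evilginx-domain.com",
    "company-sso.verify-account.net",
    "cdn.example.org",
    "*.company.co",
]


def registrable_domain(host):
    """Assumption: registrable domain = last two labels. Production code must
    consult the public-suffix list, or 'login.company.co.uk' is misjudged."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host, brand):
    """Describe how a brand label appears in the host, or None if it does not."""
    labels = host.lower().rstrip(".").split(".")
    sub_labels, reg_labels = labels[:-2], labels[-2:]
    if brand in sub_labels:
        return "brand_as_subdomain"            # login.company.<other-domain>
    if brand in reg_labels:
        return "brand_as_lookalike_registrable"  # company.<other-tld>
    if any(brand in label for label in labels):
        return "brand_inside_label"            # company-sso.<other-domain>
    return None


def screen(entries, protected=PROTECTED_BRANDS):
    """Return CT names that place a protected brand under a domain the brand
    owner does not control. Names on owned domains are left alone."""
    hits = []
    for name in entries:
        host = name[2:] if name.startswith("*.") else name  # drop wildcard
        reg = registrable_domain(host)
        for brand, owned in protected.items():
            reason = classify(host, brand)
            if reason and reg not in owned:
                hits.append({
                    "name": name,
                    "brand": brand,
                    "registrable_domain": reg,
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in screen(CT_ENTRIES):
        print(hit)
```

Each hit carries the registrable domain so an analyst can pivot on who actually registered it; the `reason` field separates the "brand as a subdomain of someone else's domain" case, which is the strongest AiTM indicator, from weaker lookalike forms.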
Evasion Complexity
Evilginx requires constant updates to phishlets as target sites change UI elements and authentication flows. CAPTCHA defenses defeat basic bot behavior and require human solving. Advanced anti-bot detection using JavaScript challenges can block proxy traffic. Browser-based security checks detect AiTM behavior through fingerprinting and behavioral analysis according to Hypr and RiskInsight.
Authentication Hardening
Hardware security keys using FIDO2 are not vulnerable to session hijacking because credentials cannot be captured according to Hypr and Microsoft Security Blog. Passwordless authentication using Windows Hello cannot be intercepted or replayed. Windows Hello for Business resists phishing through cryptographic domain verification. Risk-based MFA can detect impossible travel and anomalous locations inconsistent with legitimate user behavior.
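The contrast between the MFA bypass mechanism described earlier (the proxy relays the victim's MFA response to the real site) and the resistance of FIDO2/WebAuthn stated here comes down to one field. The example below is added for this page and is not code from Evilginx, from a WebAuthn library or from any vendor cited; it models both verifications on the relying-party side. Assumptions are labelled in the code: the authenticator's asymmetric signature is stood in for by HMAC-SHA256 over the same bytes a real authenticator signs (`authenticatorData || SHA-256(clientDataJSON)`), and the hostnames, credential key and OTP secret are constructed values.

```python
# Added example: why a relayed one-time code passes server verification but a
# relayed WebAuthn assertion does not. The HMAC "signature", the hostnames,
# the OTP secret and the credential key are assumptions for illustration.
import hashlib
import hmac
import json
import os
import struct
import time

LEGIT_ORIGIN = "https://login.example.com"             # constructed real site
LEGIT_RP_ID = "login.example.com"
PROXY_ORIGIN = "https://login.example.evil-proxy.test"  # constructed AiTM page

# --- TOTP-style second factor: the code carries no notion of where it was typed ---
OTP_SECRET = b"constructed-otp-secret"


def totp_code(secret, step):
    """RFC 6238-style six-digit code for a 30-second step counter."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def rp_verify_otp(submitted, step):
    """Server side: six digits arrive; nothing says which page collected them."""
    return hmac.compare_digest(submitted, totp_code(OTP_SECRET, step))


# --- WebAuthn-style second factor: the browser binds the page origin ---
CREDENTIAL_KEY = b"constructed-credential-key"  # stand-in for the private key


def authenticator_sign(challenge, origin_seen_by_browser, rp_id):
    """Browser + authenticator side. The browser, not the user, writes the
    origin of the page that invoked WebAuthn into clientDataJSON."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin_seen_by_browser,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash|flags|counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()  # stand-in
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}


def rp_verify_assertion(assertion, challenge):
    """Relying-party side, in the order the WebAuthn spec prescribes:
    type, challenge, origin, rpIdHash, then the signature."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != challenge.hex():
        return False
    if client.get("origin") != LEGIT_ORIGIN:      # this check defeats AiTM relay
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected)


def relay_otp_through_proxy(step):
    """Victim types the code into the proxy page; the proxy forwards the digits."""
    typed_on_proxy_page = totp_code(OTP_SECRET, step)
    return rp_verify_otp(typed_on_proxy_page, step)


def relay_webauthn_through_proxy(challenge):
    """Proxy forwards the real challenge unchanged, but the victim's browser
    stamps the proxy's origin into clientDataJSON."""
    assertion = authenticator_sign(challenge, PROXY_ORIGIN, LEGIT_RP_ID)
    return rp_verify_assertion(assertion, challenge)


def direct_webauthn(challenge):
    """Same flow with the user on the genuine origin."""
    assertion = authenticator_sign(challenge, LEGIT_ORIGIN, LEGIT_RP_ID)
    return rp_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    step = int(time.time()) // 30
    challenge = os.urandom(32)
    print("OTP relayed through proxy accepted:", relay_otp_through_proxy(step))
    print("WebAuthn relayed through proxy accepted:", relay_webauthn_through_proxy(challenge))
    print("WebAuthn on genuine origin accepted:", direct_webauthn(challenge))
```

In a real browser the failure happens even earlier: the browser refuses to produce an assertion at all when the requested RP ID is not a registrable-domain suffix of the page's origin, so the proxy never receives anything to relay. The server-side origin check shown here is the second line of defence and is why the page can state that FIDO2 credentials "cannot be captured" in a usable form.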
Detection Capabilities
Behavioral analytics detect user login patterns when session cookies are used from different IP addresses according to Deepwatch. Conditional access policies block anomalous logins based on device, location, and risk signals. Email header analysis reveals proxying artifacts that security tools can identify. HTTPS inspection and monitoring can detect proxy patterns through traffic analysis.
Victim-Side Defense
Password managers integrated with browsers refuse to auto-fill on mismatched domains, alerting users to phishing attempts. Browser extensions warn of non-legitimate domains based on reputation databases. User awareness training on AiTM attacks is becoming more effective as organizations educate employees. FIDO2 keys and passkeys are fundamentally resistant to phishing through cryptographic verification.
How Can You Defend Against Evilginx?
Authentication Architecture
Deploy FIDO2 hardware keys that cannot be phished or hijacked because they cryptographically verify the domain. Implement Windows Hello for Business using biometric or PIN-based authentication that is not transferable. Use Microsoft Entra Passwordless phone sign-in to eliminate credential theft. Deploy passkeys based on WebAuthn that are phishing-resistant through cryptographic binding. Require hardware security keys rather than SMS or app-based authenticators vulnerable to interception. Combine push-based MFA with risk detection to identify anomalous authentication attempts. Avoid token-based MFA vulnerable to AiTM interception. Implement conditional access policies to detect anomalous logins based on location, device, and behavior.
Configure short session lifetimes to reduce the cookie theft window, limiting the value of stolen sessions. Require re-authentication for sensitive operations such as password changes or financial transactions. Implement IP and location-based session restrictions to prevent use from unexpected locations. Use device-bound tokens that are not transferable to attacker machines.
Email and Phishing Prevention
Deploy URL sandboxing and detonation to identify phishing links through behavioral analysis. Implement link rewriting to inspect destinations before allowing user clicks. Use real-time link inspection before user clicks to check current threat intelligence. Enforce sender authentication using SPF, DKIM, and DMARC to prevent domain spoofing. Disable auto-redirect functionality requiring user confirmation before navigation. Deploy browser isolation technology to sandbox links in isolated environments. Implement user warning dialogs on suspicious domains based on reputation data. Use Content Disarm and Reconstruction for attachments to remove malicious payloads.
Detection and Monitoring
Monitor Microsoft Entra ID sign-in logs for anomalies including impossible travel and unusual device access. Detect impossible travel when users appear in two locations too quickly based on authentication timestamps. Alert on new authenticator app registrations that users didn't initiate. Track MFA challenges and responses to identify unusual patterns. Monitor for unusual login times outside normal working hours from unfamiliar locations. Detect access to sensitive data post-compromise through audit log analysis. Look for device changes when new devices appear from stolen sessions. Track failed login attempts before compromise indicating attacker probing.
Deploy behavioral analytics to identify unusual user activity patterns. Detect SSL/TLS certificate issuance for domain lookalikes through Certificate Transparency monitoring. Implement DNS monitoring for suspicious subdomain patterns consistent with Evilginx infrastructure. Analyze proxy traffic patterns to identify reverse proxy behavior.
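The sign-in log checks listed above (impossible travel, and a stolen session used from a different IP without a fresh MFA challenge) can be expressed as two small rules. The example below is added for this page and is not code from any product or vendor cited; it runs both rules over a handful of constructed sign-in events. The field names, coordinates, IP addresses and the 900 km/h speed threshold are assumptions; real logs (for example Entra ID sign-in logs) carry the same information under different names and will need a mapping layer.

```python
# Added example: impossible-travel and session-reuse detection over constructed
# sign-in events. Field names, sample data and thresholds are assumptions.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events. session_id stands in for whatever identifier the
# identity provider attaches to an authenticated session or token.
EVENTS = [
    {"user": "alice", "ts": "2025-04-01T08:00:00Z", "ip": "203.0.113.10",
     "lat": 40.71, "lon": -74.01, "session_id": "S1", "mfa": "completed"},
    {"user": "alice", "ts": "2025-04-01T08:07:00Z", "ip": "198.51.100.7",
     "lat": 52.37, "lon": 4.90, "session_id": "S1", "mfa": "not_required"},
    {"user": "bob", "ts": "2025-04-01T09:00:00Z", "ip": "203.0.113.20",
     "lat": 51.51, "lon": -0.13, "session_id": "S2", "mfa": "completed"},
    {"user": "bob", "ts": "2025-04-01T11:00:00Z", "ip": "203.0.113.20",
     "lat": 51.51, "lon": -0.13, "session_id": "S2", "mfa": "not_required"},
]

MAX_KMH = 900.0  # assumed upper bound for plausible airline travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(km), "hours": round(hours, 2),
                               "ip": cur["ip"]})
    return alerts


def detect_session_reuse(events):
    """Flag a session id seen from a second IP where the later use skipped MFA:
    the footprint a replayed session cookie leaves in the log."""
    alerts = []
    first_ip = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["session_id"]
        if sid not in first_ip:
            first_ip[sid] = e["ip"]
        elif e["ip"] != first_ip[sid] and e["mfa"] == "not_required":
            alerts.append({"rule": "session_reuse_new_ip", "user": e["user"],
                           "session_id": sid, "first_ip": first_ip[sid],
                           "new_ip": e["ip"]})
    return alerts


def run(events=EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_impossible_travel(events) + detect_session_reuse(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The two rules are deliberately independent: a session cookie replayed from a server in the same city as the victim produces no impossible-travel alert but still trips the session-reuse rule, while a compromised password used from abroad with a fresh MFA prompt trips only the first.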
Incident Response
Force password resets for compromised accounts immediately upon detection. Revoke all active sessions to terminate attacker access. Review recent login history for unauthorized access and data exfiltration. Enable hardware key MFA for the account to prevent future compromise. Audit Azure activity during the compromise window for malicious actions. Check for email forwarding rules added by the attacker to maintain access. Review cloud app permissions and consents for unauthorized OAuth grants. Investigate lateral movement from the compromised account to other systems. Revoke all OAuth tokens and application consent to terminate persistent access. Remove suspicious device registrations from the account. Audit conditional access policies for unauthorized changes. Reset backup authentication methods that attackers may have modified.
Organizational Measures
Train users on AiTM attacks and reverse proxy risks, emphasizing that padlock icons and HTTPS don't guarantee a legitimate site. Teach users to verify authentication flows via expected channels such as typing URLs directly. Conduct red team simulations with Evilginx-like attacks to test defenses. Mandate FIDO2 or passwordless authentication for critical accounts including executives and IT administrators. Ban SMS-based MFA for sensitive users due to interception risk. Implement device compliance checks requiring managed devices. Enforce conditional access policies based on risk, location, and device compliance. Deploy application-layer detection of proxy patterns through traffic analysis. Prefer API-based authentication over web-based authentication when possible. Use device-bound tokens for sensitive operations. Implement out-of-band authentication for sensitive actions such as wire transfers.
FAQs
How is Evilginx different from traditional phishing?
Traditional phishing steals credentials, which MFA then blocks by requiring additional authentication according to Abnormal AI and Dark Reading. Evilginx intercepts both credentials and session cookies by acting as a reverse proxy between the victim and the legitimate service. The session cookie allows the attacker to log in later without triggering MFA again because the session is already authenticated. This makes Evilginx significantly more powerful because it bypasses MFA entirely through session hijacking rather than attempting to break or bypass the MFA mechanism itself.
Can MFA protect me from Evilginx?
Traditional MFA including SMS, authenticator apps, and push notifications cannot protect against Evilginx because the attacker intercepts the MFA challenge in real-time and completes it on your behalf through the proxy according to Hypr and Microsoft Security Blog. However, hardware security keys using FIDO2 and passwordless authentication such as Windows Hello and passkeys are resistant to Evilginx because they cannot be transferred or reused by attackers. These methods use cryptographic verification of the domain, making it impossible for phishing sites to complete authentication even with intercepted credentials.
How do I know if my session cookie was stolen?
Signs include login alerts from unfamiliar locations visible in your account activity, unusual account activity such as file access you didn't perform, new devices or authenticators added without your knowledge appearing in security settings, email forwarding rules created by someone else, and suspicious data access patterns according to Deepwatch and Malwarebytes. If you clicked a phishing link, assume compromise and immediately change your password, revoke all sessions, enable hardware-key MFA, and check for unauthorized Azure activity including app registrations and mailbox rules.
Is Evilginx still used by cybercriminals?
Yes, extensively according to Malwarebytes and GBHackers. As of April-December 2025, Evilginx 3.0 was used in coordinated attacks against 18+ U.S. educational institutions. It's also embedded in PhaaS platforms like EvilProxy, providing the technical foundation for commercial phishing services. Evilginx remains one of the most dangerous phishing tools because it can defeat traditional MFA while being technically sophisticated enough to evade most security tools. Its open-source availability and effectiveness ensure continued use by both red teams and criminals.
What makes Evilginx Pro different from the open-source version?
Evilginx Pro, released in 2024, adds automatic JavaScript obfuscation that changes code shape with every page load to evade pattern-matching detection according to BreakDev and Evilginx.com. It includes developer support with regular updates and maintenance, gated access requiring verified red team membership to prevent criminal use, and enhanced detection avoidance features. The open-source versions Evilginx2 and Evilginx3 require more manual configuration and provide no obfuscation but are free and can still be effective. The Pro version targets legitimate security professionals willing to pay for advanced features and support.