What Is EvilnoVNC?

EvilnoVNC is an open-source "ready-to-go" phishing platform that uses noVNC (HTML5 VNC client) to stream a real browser session to victims, enabling Browser-in-the-Browser (BitB) attacks that capture credentials, MFA codes, and session cookies in real-time. Developed by Joel Gamez Molina with GNU 3.0 license and multiple community forks, EvilnoVNC represents next-generation phishing through browser session streaming. Unlike reverse proxy phishing tools such as Evilginx or Modlishka, EvilnoVNC streams an entire real browser desktop to the victim as an HTML5 canvas element, making the attack fundamentally harder for target websites to detect because the original website cannot technically distinguish between a real user and a streamed VNC session (turingpoint, 2024).

How Does EvilnoVNC Work?

Virtual browser setup involves attacker setting up browser instance inside VNC/X11 virtual desktop environment, typically Ubuntu or Linux server according to GitHub and HackingArticles. Real login page loading occurs within the virtual browser where attacker loads the legitimate login page for Gmail, Microsoft 365, banking portals, and other services.

noVNC web interface exposes virtual browser session via noVNC HTML5 VNC client, creating web-based remote desktop interface accessible through any modern browser without plugins or software installation. The underlying technology is noVNC, a JavaScript-based VNC client that renders the remote desktop as an HTML canvas element, effectively streaming the browser session like a video to the victim (Adepts of 0xCC, 2023). Phishing delivery sends victim phishing email, QR code, or SMS linking to noVNC session appearing to be the real website. Browser-in-the-Browser illusion shows victim what appears to be normal browser tab or window, but is actually viewing remote browser through HTML5 canvas. Because the entire page is rendered as a canvas element rather than standard HTML DOM elements, the underlying page structure is completely different from what the victim perceives, making traditional DOM-based phishing detection ineffective (Push Security, 2024).

Credential interception captures all input as victim types username, password, and MFA codes in real-time. Session cookie access stores victim's authenticated session cookies in virtual browser profile accessible to attacker via /novnc/download/ directory. Keystroke logging logs all keystrokes to files stored in download directory. Real-time session monitoring allows attacker to watch victim interactions live, seeing downloads, browsing history, and saved passwords in browser profile. Session hijacking enables downloaded cookies.txt file to be imported directly into attacker's browser for instant authenticated access.

How Does EvilnoVNC Differ From Other Tools?

Why Does EvilnoVNC Matter?

Open-source availability since approximately 2022 with earliest GitHub archive entry September 2022. Multiple active forks and variants indicate adoption including MultiEvilnoVNC by wanetty, EvilKnievelnoVNC by ms101, and redteamsecurity2023 variant. EvilKnievelnoVNC is particularly notable as a weaponized variant offering scalable and semi-automated MFA phishing through concurrent EvilnoVNC instances, with features including auto-blocking of users after successful authentication with a custom message and the ability to manipulate target sites via Chromium extensions to hide alternative login methods such as hardware tokens (GitHub, 2023). 1.1k+ GitHub stars and 195+ forks show community interest and adoption. Described as "next-generation phishing technique" and "growing threat" as of 2025 according to SecurityOnline and Push Security. Part of broader shift from simple HTML cloning to browser-based exploitation techniques. A key advantage over reverse proxy phishing is that the original website could theoretically detect a reverse proxy through server-side checks, but cannot detect streamed content delivered through EvilnoVNC since the browser interaction occurs on the attacker's server (turingpoint, 2024). Growing mention in threat intelligence reports and security advisories in 2024-2025. Used alongside other AiTM kits in sophisticated phishing campaigns. Featured in security conferences and red team demonstrations with DEF CON references. Deployed by both legitimate penetration testers and criminal actors.

What Are EvilnoVNC's Limitations?

Network latency means user experiences lag depending on network quality, with noticeable delay between keystrokes and cursor movement potentially alerting suspicious users. Browser inconsistencies occur because virtual browser may render differently than victim's native browser, revealing BitB attack if victim looks closely at rendering artifacts. Resource consumption requires full browser instance per victim session, with scaling to hundreds of concurrent sessions requiring significant server resources. Infrastructure visibility exposes web interface running noVNC server that may be detected by network monitoring if not properly secured. File system access requires attacker to maintain access to /novnc/download/ directory, and if server is compromised, these files could be discovered by incident responders. Certificate handling includes SSL/TLS certificate mismatch between self-signed and legitimate that could raise suspicion on sophisticated victim systems. Performance impact means real-time streaming of entire desktop consumes significant bandwidth, with slow networks making the experience unusable. No automation unlike Muraena/NecroBrowser means attacker must manually use stolen cookies. Keyboard layout issues occur because virtual browser may have different keyboard layout than victim, making typing appear inconsistent. Clipboard isolation means victim's clipboard is not accessible to virtual browser, limiting seamless copy-paste operations.

How Can You Defend Against EvilnoVNC?

Browser-in-the-Browser detection educates users on BitB attacks, training them to look for rendering inconsistencies, lag, or unusual browser behavior. Browser-based security agents represent a growing defense category, with platforms like Push Security offering preconfigured detections for phishing tools like EvilnoVNC that check for the fingerprints of these toolkits as end users visit websites (Push Security, 2024). Bringing detection and response capabilities directly into the browser provides security teams with visibility into identity attacks that endpoint-based tools cannot offer. Session anomaly detection monitors for sessions accessing unusual resources, multiple simultaneous logins from different IPs, or sessions from VPN or proxy endpoints. Network-level controls deploy proxies and firewalls that block noVNC port 6080 and VNC port 5900 from external access. Hardware security keys implement FIDO2/U2F hardware keys that cannot be captured through any phishing or MITM technique. Behavioral analytics monitor for impossible user behavior including simultaneous logins, access from multiple countries, and rapid-fire API calls. Email security deploys advanced phishing detection to identify suspicious sender addresses and noVNC-hosting infrastructure URLs. Re-authentication requires step-up authentication for sensitive operations including password changes, security settings, and data access. Device fingerprinting detects sessions with unusual device fingerprints or TLS patterns inconsistent with user's normal devices. Geolocation verification blocks or requires additional verification for logins from unexpected geographic locations. Credential Guard on Windows isolates credentials from browser and other applications to prevent credential theft. User behavior monitoring flags unusual patterns like session access followed immediately by automated actions including password changes and forwarding rules.