
What Is Muraena?



Muraena is an open-source, nearly-transparent reverse proxy tool for automating both phishing and post-phishing exploitation activities. Developed by Giuseppe Trotta, a member of the Bettercap project, and Michele Orru, a former core developer of the Browser Exploitation Framework Project (BeEF), Muraena was released in 2019 and re-implements the longstanding concept of using a custom reverse proxy to dynamically interact with target origins rather than maintaining and serving static pages (CSO Online, 2019). Written in Go and working in combination with NecroBrowser, it enables credential capture, MFA bypass, and automated post-login account abuse including password changes and data exfiltration.

How Does Muraena Work?

Muraena operates as a transparent reverse proxy: it relays all traffic between the victim and the legitimate target website and replaces content and requests dynamically, using a Go-based implementation (GitHub; SSTIC 2021). Because it is written in Go, Muraena can be compiled and run on any platform where Go is available, and it avoids the slow regex-based replacement operations used by older proxy tools (muraenateam, GitHub). Its content replacement uses an embedded Colly crawler to identify which resources need proxying, enabling targeted interception of credential submission points. Because the crawler determines in advance which resources should be proxied, content replacement is more reliable than in purely regex-driven alternatives like Modlishka.

Credential interception: Muraena sniffs the traffic passing through the proxy to extract login credentials from HTTP POST requests and form submissions. Session cookie capture: it intercepts and logs authenticated session cookies from HTTP responses, capturing the exact moment legitimate authentication succeeds. MFA bypass: operating as a real-time reverse proxy, it relays MFA codes to the legitimate authentication server before the user can act, while the attacker captures the authenticated session token.

NecroBrowser integration: Muraena automatically passes captured session cookies to the companion NecroBrowser microservice for post-login exploitation. NecroBrowser is a microservice that can be controlled through an API and configured to perform actions through headless Chromium instances running inside Docker containers (CSO Online, 2019). Post-exploitation automation: the stolen sessions are used for automated actions including changing passwords, disabling Google Workspace notifications, dumping emails, changing SSH session keys in GitHub, and downloading all code repositories. Trigger-based automation: configurable triggers monitor for specific paths or cookie values and activate NecroBrowser modules at optimal exploitation moments. Scalable infrastructure: tens or hundreds of NecroBrowser Docker containers can be spawned simultaneously to process thousands of stolen sessions in parallel.

How Does Muraena Differ From Other Tools?

| Aspect | Muraena | Modlishka | Starkiller |
|---|---|---|---|
| Release | 2019 (open-source) | 2019 (open-source) | 2026 (commercial) |
| Architecture | Reverse proxy + automation | Reverse proxy only | Headless browser + proxy |
| Post-Exploitation | Integrated (NecroBrowser) | Manual/external | Not documented |
| Credential Capture | Automatic via sniffing | Manual regex | Automatic |
| Session Automation | Built-in (Docker-based) | Manual | Limited |
| Configuration Complexity | Medium (per-site rules) | High (regex patterns) | Low (SaaS) |
| Scalability | Excellent (parallel Docker) | Limited | High (cloud-based) |
| Cost | Free (open-source) | Free (open-source) | Subscription |

Why Does Muraena Matter?

Open-source availability since 2019 has enabled both legitimate penetration testing and criminal use. Muraena is actively used in campaigns targeting financial institutions, SaaS platforms, and enterprise environments, and by 2024-2025 it had become a standardized tool in the cybercriminal AiTM (adversary-in-the-middle) ecosystem. It is often used in combination with email phishing, which delivers the initial victims. It is part of a broader trend: Proofpoint reports that phishing proxies including Muraena, EvilProxy, Starkiller, and Modlishka were used in 1+ million attempted account takeovers in early 2025. The muraenateam developer community on GitHub continues to publish updates and improvements, and multiple forks and variants exist for specialized targets. The tool is aimed primarily at high-value targets including cloud services, email providers, and enterprise SaaS applications.

What Are Muraena's Limitations?

- Configuration burden: each target requires its own configuration, including request and response body replacements, so attacking a new target requires custom rules.
- Crawler dependency: the Colly crawler must correctly identify all resources needing proxying; misconfigurations result in broken phishing pages or leaked victim data.
- No visual streaming: unlike Starkiller, Muraena provides no real-time monitoring dashboard, so attackers must review logs after the fact.
- Certificate pinning: pinning prevents attacks on mobile apps and modern browsers with certificate pinning, because victims must accept untrusted certificate warnings.
- NecroBrowser overhead: post-exploitation requires Docker infrastructure, and each Docker container consumes significant system resources.
- Skill requirements: technical knowledge is needed to configure reverse proxy rules, set up Docker containers, and write trigger rules.
- Infrastructure visibility: running hundreds of Docker containers creates detectable resource consumption patterns.
- Session timeout: captured sessions have limited validity periods, and if the victim changes their password during the attack, the session becomes worthless.
- Update maintenance: operators must monitor target website changes and update configuration rules accordingly.

How Can You Defend Against Muraena?

- Certificate pinning: implement certificate pinning in mobile apps and desktop applications to prevent proxy interception.
- Hardware security keys: deploy FIDO2/U2F hardware keys, which cannot be phished or relayed through proxies.
- Behavioral analytics: monitor for sessions with anomalous behavior patterns, because proxy relays often show inconsistent user behavior.
- TLS fingerprinting: detect sessions with unusual TLS fingerprints, cipher selections, or SSL/TLS version combinations.
- Geolocation and velocity checks: flag logins from geographically impossible locations or with unusual velocity patterns.
- Device fingerprinting: reject sessions with unrecognized device fingerprints, because proxy relays create detectable fingerprint inconsistencies.
- Advanced email security: deploy machine learning-based phishing detection to identify suspicious sender addresses and malicious URLs.
- User education: train users to verify URLs, check certificate details, and recognize social engineering in phishing emails.
- Continuous re-authentication: require periodic re-authentication or step-up authentication for sensitive operations, including password changes and financial transactions.
- Session anomaly detection: monitor for simultaneous session activity from different IP addresses or device types.
- Infrastructure monitoring: deploy network segmentation and proxy detection rules to identify MITM attack infrastructure.
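The session anomaly and device fingerprint checks above can be sketched as a pass over web access events. This is an added example, not code from the original page or from the Muraena project; the event layout, the session ids, the 10-minute window and the function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, session id, client IP, user agent).
# IPs are RFC 5737 documentation addresses; nothing here comes from a real log.
EVENTS = [
    ("2025-03-01T09:00:05", "sess-a1", "198.51.100.20", "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"),
    ("2025-03-01T09:00:40", "sess-a1", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/122.0"),
    ("2025-03-01T09:01:10", "sess-a1", "198.51.100.20", "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"),
    ("2025-03-01T09:02:00", "sess-b2", "192.0.2.10", "Mozilla/5.0 (Macintosh) Safari/605.1"),
    ("2025-03-01T13:30:00", "sess-b2", "192.0.2.99", "Mozilla/5.0 (Macintosh) Safari/605.1"),
]

def find_replayed_sessions(events, window=timedelta(minutes=10)):
    """Alert when a session cookie first appears from a new (IP, user agent)
    while another client used the same session within `window`."""
    last_seen = defaultdict(dict)  # session id -> {(ip, ua): last request time}
    alerts = []
    for ts, sid, ip, ua in sorted(events):
        now = datetime.fromisoformat(ts)
        client = (ip, ua)
        if client not in last_seen[sid]:
            for (old_ip, old_ua), seen_at in last_seen[sid].items():
                if now - seen_at > window:
                    continue  # old client idle: more likely a network change
                reasons = []
                if old_ip != ip:
                    reasons.append("ip_changed")
                if old_ua != ua:
                    reasons.append("device_changed")
                if "headless" in ua.lower():
                    reasons.append("headless_browser")
                alerts.append({"session": sid, "time": ts, "from": old_ip,
                               "to": ip, "reasons": reasons})
                break  # one alert per newly seen client
        last_seen[sid][client] = now
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

On the constructed data only `sess-a1` is flagged: a second client picks up the cookie 35 seconds after the first while the first is still active. The `sess-b2` IP change hours later falls outside the window.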

FAQs

How is Muraena different from traditional phishing kits?

Traditional phishing requires attackers to build fake HTML pages and hope users fill in the forms (SSTIC 2021; CSO Online). Muraena is fundamentally different: it proxies the real website. The victim sees the legitimate site with a legitimate certificate because Muraena relays the real site through its proxy. Muraena also automates the second phase: it captures the victim's session cookie and immediately uses it through NecroBrowser to change passwords, dump emails, or steal data without human intervention.
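Because the victim's browser is talking to the proxy's hostname rather than the real one, origin-bound FIDO2/WebAuthn credentials (listed among the defenses above) do not survive this relay. The following added example, not from the original page, shows the relying-party binding checks that reject a relayed assertion; the origin, RP ID, phishing hostname and function names are assumptions, and signature verification is a separate step not shown.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumed relying-party origin
RP_ID = "login.example.com"                    # assumed relying-party ID

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            issued_challenge: bytes) -> list:
    """Return the binding failures for a WebAuthn assertion (empty list = bound to us).
    The signature over authenticator_data || SHA-256(client_data_json) must still
    be verified separately; it is what makes these fields tamper-proof."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("wrong_type")
    if client_data.get("challenge") != b64url(issued_challenge):
        failures.append("challenge_mismatch")
    # The browser writes the origin it actually loaded, i.e. the proxy's hostname.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin_mismatch")
    # The first 32 bytes of authenticator data are SHA-256 of the RP ID in use.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rp_id_hash_mismatch")
    return failures

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed test data: the two structures as a browser on `origin` would send them."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cdj, auth_data

if __name__ == "__main__":
    challenge = bytes(32)
    direct = constructed_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    relayed = constructed_assertion("https://login-example.test", "login-example.test", challenge)
    print(check_assertion_binding(*direct, challenge))   # direct visit
    print(check_assertion_binding(*relayed, challenge))  # visit through a proxy hostname
```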

What makes Muraena particularly dangerous compared to Modlishka?

While both are reverse proxies, Muraena includes NecroBrowser for post-exploitation automation (ReliaQuest). Modlishka stops after credential and session capture, requiring attackers to manually use stolen credentials. Muraena automatically spawns Docker containers to perform actions on compromised accounts at scale: changing passwords, disabling notifications, exfiltrating data. An attacker could compromise 1,000 accounts and have NecroBrowser automatically loot all of them in minutes.

If NecroBrowser uses Docker containers, won't that be noticeable?

Yes, it's one of Muraena's weaknesses according to technical analysis. Running hundreds of Docker containers on a single server creates significant CPU, memory, and network footprint. However, if an attacker has rented a botnet node or compromised a server, that resource consumption may not raise suspicion. Legitimate defenders would need infrastructure monitoring to detect this pattern.


© 2026 Kinds Security Inc. All rights reserved.
