Phishing Kits & PhaaS
What Is NakedPages?
NakedPages is a mature, highly evasive Phishing-as-a-Service (PhaaS) platform and Adversary-in-the-Middle (AiTM) reverse proxy phishing kit. First documented on underground forums and Telegram channels around mid-2022, it has maintained steady prevalence through 2025, consistently ranking in the top five most active AiTM kits globally. The platform is marketed as a fully automated, "plug-and-play" solution requiring minimal technical expertise.
How Does NakedPages Work?
Reverse Proxy Architecture
NakedPages operates as an Adversary-in-the-Middle (AiTM) reverse proxy that intercepts traffic between the victim and the legitimate target service, including Microsoft 365 and Google, according to Sekoia.io and Push Security.
Multi-stage redirection: campaigns employ up to 9 sequential redirects for evasion. The kit leverages legitimate URL shortener services such as href.li to mask referrers, generates unique alphanumeric subdomains and paths for each campaign to defeat signature-based blocking, and uses DNS redirection and domain generation techniques.
Geofencing: IP-based filtering and geolocation detection redirect traffic from non-target countries to legitimate service pages or decoy sites, so that security researchers and sandbox analysis from specific geographic regions are not served the phishing page. Country-specific IP address validation is supported.
Credential interception and session theft: the proxy captures credentials during the login phase, intercepts session tokens and authentication cookies, maintains transparent proxying to the target service, and can relay user interactions in real time. Anti-bot and anti-analysis features include bot detection and mitigation that steers scanning bots from 120+ countries away from the phishing page, anti-analysis mechanisms to evade automated security tool detection, and CAPTCHA bypass integration.
Technical Architecture and Codebase
NakedPages is primarily written in Node.js with JavaScript-heavy execution and binary components for core proxy operations according to CloudSEK. The Node.js-based system uses custom binary relays, identified in analysis as "nkp.relay-proxy" or "nkp.app," that handle full traffic relaying including POST data, headers, cookies, and WebSocket connections. The platform runs on Linux systems and requires read-write-execute permissions for the user and read-execute for group and others. Setup is streamlined through a single "bash setup.sh" command, and new phishing projects can be generated with zero lines of custom code using the built-in "node generate-project.js" utility (CloudSEK, 2022).
Data Storage and Exfiltration
NakedPages uses MongoDB for database storage and automatically transmits captured results, cookies, and fingerprint data to configured Telegram channels according to CloudSEK. The platform supports auto SSL configuration and domain management through built-in scripts like "bash change-domain.sh," enabling rapid infrastructure rotation. PHP file rendering with reverse proxy data passing provides flexibility in serving phishing content, and assets can be stored inside the executable binary for enhanced portability across deployment environments.
Multi-Layered Evasion Techniques
Push Security's technical analysis (2025) documented nine distinct evasion stages used by NakedPages campaigns. Stage one uses Cloudflare Workers as an initial gateway, leveraging Cloudflare's reputable infrastructure to prevent traditional domain-reputation filtering. Stage two implements Cloudflare Turnstile, a CAPTCHA replacement, to block automated security analysis and sandbox environments, forcing defenders to use resource-intensive dynamic analysis with full browser rendering. Stage three requires specific URL parameters and custom headers for access, adding authentication barriers. Stage four mandates JavaScript execution for all redirects, blocking simple HTTP scraping tools. Stage five redirects uninvited visitors to benign sites like example.com rather than exposing malicious infrastructure. Stage six uses href.li to strip HTTP referrer headers, preventing administrators from identifying suspicious redirect sources. Stage seven distributes victims across approximately 20 rotating primary domains via JWT authentication parameters, enabling rapid domain replacement when individual domains are blocked. Stage eight randomizes HTML titles, DOM structure, and JavaScript across campaigns to prevent signature-based detection of cloned login pages. Stage nine implements B2B targeting logic that modifies behavior based on account type, redirecting personal Microsoft accounts to legitimate login.live.com while processing organizational accounts through the phishing flow (Push Security, 2025).
How Does NakedPages Compare to Other Platforms?
Compared to Tycoon 2FA: Tycoon ranked as the #1 AiTM kit in 2024 with higher prevalence, while NakedPages consistently ranks #3-#5, with a strong presence in 2024-2025 averaging 220 active servers monthly according to Sekoia.io. Compared to EvilProxy: both use AiTM reverse proxy designs; EvilProxy, the older and more established platform, is more strongly associated with geofencing, while NakedPages (originating in 2022) represents more recent innovation with stronger evasion sophistication. Compared to Evilginx: Evilginx is an open-source framework requiring more technical setup, whereas NakedPages is a commercial PhaaS with pre-built templates and automation. Compared to Sneaky 2FA: Sneaky is a newer market entrant from 2025 challenging NakedPages' market share, while NakedPages has a mature codebase with 50+ pre-built phishing templates.
Top 5 AiTM Platforms in 2024-2025 include: 1. Tycoon 2FA, 2. Storm-1167, 3. NakedPages, 4. Sneaky 2FA, 5. EvilProxy according to Sekoia.io.
Detection Evasion Compared to Competitors
NakedPages shares certain evasion patterns with competing AiTM kits while maintaining distinct approaches according to Push Security (2025). Like Tycoon 2FA, NakedPages employs Cloudflare Turnstile for bot detection. Similar to EvilProxy and Evilginx, it redirects suspected analysts to benign pages like example.com as a decoy. However, NakedPages distinguishes itself through its nine-stage redirection chain, B2B targeting logic that filters out personal accounts, and load-balanced domain rotation using JWT parameters. Push Security's analysis also noted implementation weaknesses, including instances where developers failed to properly implement their own RSA encryption function, sending encrypted user agent data in clear text despite the intended obfuscation.
Why Does NakedPages Matter?
NakedPages was first documented in mid-2022 on underground forums and Telegram. From January 2024 through April 2025 it maintained an average of 220 distinct active servers monthly, ranking consistently in the top 5 AiTM kits, ahead of newer platforms like Mamba 2FA, and it has been integrated into hybrid campaigns with other malware and social engineering vectors.
Top 5 PhaaS Platforms Overall in 2024 include: 1. Caffeine, 2. Tycoon, 3. Greatness, 4. NakedPages, 5. Dadsec according to Trustwave and Sekoia.io analysis. Geographic distribution targets organizations across North America, Europe, and Asia Pacific with strong focus on Microsoft 365 and Google Workspace environments. Geofencing features indicate multi-region operational capability. Template and service offerings include 50+ pre-built phishing templates, rapid campaign customization support, bot detection across 120+ countries, and full PhaaS support infrastructure including hosting, domain management, and analytics.
Target Platforms and Services
NakedPages campaigns primarily target enterprise cloud platforms according to Sekoia.io and CloudSEK. Microsoft 365 and Google Workspace environments represent the most common targets, given the high value of corporate email and document access. Additional documented targets include Azure and AWS cloud platforms, VPN services used for remote corporate access, and various SaaS applications. The platform's reverse proxy architecture allows it to target virtually any web-based login page, though the 50+ pre-built templates focus on the highest-value enterprise services. The kit's ability to transparently proxy real login pages means it automatically adapts when target services update their interfaces, reducing template maintenance overhead.
Pricing and Accessibility
NakedPages is sold for approximately $1,000 USD upfront for software licenses according to CloudSEK (2022). This commercial pricing positions it as a mid-range PhaaS offering, more expensive than free open-source tools like Evilginx but significantly cheaper than premium platforms. The license includes access to the full template library, the binary relay components, and the automated setup infrastructure. The relatively low barrier to entry combined with the plug-and-play automation means even operators with minimal technical expertise can deploy sophisticated AiTM phishing campaigns.
What Are the Limitations of NakedPages?
Detection signature accumulation: despite the evasion features, repeated use of the same phishing templates creates detectable patterns, and security vendors continue to build defenses against them. Redirection chain complexity: multiple redirects increase latency and UX friction, which can trigger user suspicion or firewall scrutiny. Geofencing imperfection: researchers and defenders can use VPNs and proxies to bypass geofencing, so it does not exclude all analysts. Session token expiration: stolen tokens may have a limited lifetime, and bot-in-the-middle interception requires real-time attacker presence. Traffic analysis: heavy use of legitimate shortener services creates correlations detectable by advanced traffic analysis. Maintenance burden: keeping 220+ active servers running requires continuous infrastructure management, domain renewal, and IP reputation management. Compliance pressure: law enforcement action and takedowns targeting the underlying infrastructure continue to force migrations.
Implementation Quality Concerns
Despite the platform's sophisticated evasion architecture, security researchers have identified coding weaknesses that may aid detection according to Push Security (2025). Analysis of active NakedPages campaigns revealed instances of sloppy implementation, including failed encryption functions where encrypted user agent data was transmitted in clear text despite intended obfuscation. At the time of one analysis, a Cloudflare Worker used as an entry point had been active for two days with only one detection on VirusTotal, demonstrating effective evasion but also indicating that security vendor detection is gradually improving. These implementation inconsistencies create potential detection opportunities for security teams conducting manual analysis.
How Can You Defend Against NakedPages?
Detection methods include monitoring for known NakedPages subdomains and C2 infrastructure, behavioral analysis for suspicious redirect chains with 3+ sequential redirects, tracking URL shortener services being abused in campaigns, analyzing WebRTC and DNS exfiltration patterns, flagging logins from unusual geolocations relative to the user profile, and detecting deviation from the expected TLS certificates for legitimate services.
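The redirect-chain check listed above, worked through as an added example (this is not code from the page, from NakedPages, or from any vendor analysis the page cites): it parses constructed web-proxy log lines, reconstructs each client's redirect chain by matching every request against the previous response's Location header, and flags chains of three or more hops as well as hops through a referrer-stripping shortener such as href.li. The log format, the 30-second gap allowed between hops, and the shortener hosts other than href.li are assumptions.

```javascript
// Added example: flag suspicious redirect chains in web-proxy logs.
// Log format (assumed): "<iso-timestamp> <client-ip> <requested-url> <status> <location-or-dash>"
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
const MIN_SUSPICIOUS_HOPS = 3; // the "3+ sequential redirects" threshold from the text
// href.li is named on the page; the other shortener hosts are assumed for illustration.
const REFERRER_STRIPPING_HOSTS = new Set(['href.li', 'bit.ly', 't.co']);

// Constructed sample log: one client walks a shortener -> gateway -> randomized
// subdomain chain; another just hits an ordinary www redirect.
const SAMPLE_LOG = `
2025-03-01T10:00:00Z 10.0.0.5 https://mailer.example/track/abc 302 https://href.li/?https://gateway.example-worker.invalid/go
2025-03-01T10:00:01Z 10.0.0.5 https://href.li/?https://gateway.example-worker.invalid/go 302 https://gateway.example-worker.invalid/go
2025-03-01T10:00:02Z 10.0.0.5 https://gateway.example-worker.invalid/go 302 https://x7k2q.login-decoy.invalid/?jwt=eyJ
2025-03-01T10:00:03Z 10.0.0.5 https://x7k2q.login-decoy.invalid/?jwt=eyJ 200 -
2025-03-01T10:05:00Z 10.0.0.9 https://news.example/article 301 https://www.news.example/article
2025-03-01T10:05:01Z 10.0.0.9 https://www.news.example/article 200 -
`;

function parseLog(text) {
  return text.trim().split('\n').filter(Boolean).map((line) => {
    const [ts, client, url, status, location] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), client, url, status: Number(status),
             location: location === '-' ? null : location };
  });
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ''; }
}

// Group entries per client and stitch consecutive redirects into chains: a request
// continues a chain only if its URL equals the previous hop's Location header and
// arrives within maxGapMs of it.
function findRedirectChains(entries, maxGapMs = 30000) {
  const byClient = new Map();
  for (const e of entries) {
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const chains = [];
  for (const [client, list] of byClient) {
    list.sort((a, b) => a.ts - b.ts);
    let chain = null;
    for (const e of list) {
      const continues = chain !== null && e.url === chain.last.location &&
                        e.ts - chain.last.ts <= maxGapMs;
      if (!continues && chain !== null) { chains.push(chain); chain = null; }
      if (REDIRECT_STATUSES.has(e.status)) {
        if (chain === null) chain = { client, hops: [], landing: null, last: e };
        chain.hops.push(e.url);
        chain.last = e;
      } else if (chain !== null) {
        chain.landing = e.url; // the final non-redirect response closes the chain
        chains.push(chain);
        chain = null;
      }
    }
    if (chain !== null) chains.push(chain);
  }
  return chains;
}

function assessChain(chain) {
  const reasons = [];
  if (chain.hops.length >= MIN_SUSPICIOUS_HOPS) reasons.push(`${chain.hops.length} sequential redirects`);
  const shorteners = chain.hops.map(hostOf).filter((h) => REFERRER_STRIPPING_HOSTS.has(h));
  if (shorteners.length > 0) reasons.push(`referrer-stripping shortener in chain: ${shorteners.join(', ')}`);
  return { client: chain.client, hops: chain.hops.length, landing: chain.landing,
           suspicious: reasons.length > 0, reasons };
}

function detectSuspiciousRedirects(logText) {
  return findRedirectChains(parseLog(logText)).map(assessChain).filter((r) => r.suspicious);
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(detectSuspiciousRedirects(SAMPLE_LOG), null, 2));
```

On the sample, only client 10.0.0.5 is reported: three hops landing on a randomized subdomain, with href.li in the chain as a second reason. The benign www redirect is a single hop and is ignored. The landing URL is the value worth feeding into the other checks on the page (certificate deviation, IOC matching), since every hop before it is disposable infrastructure.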
Email and link security implements email filtering rules for common NakedPages templates, URL sandboxing and screenshot analysis, proactive phishing URL takedown working with registrars and hosters, and SPF/DKIM/DMARC enforcement to reduce domain spoofing. Endpoint and user controls deploy multi-factor authentication on all critical accounts making stolen credentials less valuable, conditional access policies flagging impossible travel events and unfamiliar device logins, browser isolation for high-risk users and links, hardware security keys for VIP and admin accounts, session timeout enforcement, and user training on identifying multi-redirect phishing chains.
Organizational and network-level measures include a Zero Trust architecture with continuous re-authentication, network-based detection of AiTM proxying patterns, blocking known malicious IP ranges hosting NakedPages infrastructure, implementing Zero Trust Network Access (ZTNA), monitoring API activity for anomalous patterns post-compromise, and implementing impossible travel detection for authentication events.
Behavioral Detection Over Signature Matching
Push Security's analysis (2025) emphasizes that the most effective defense against NakedPages is behavioral detection rather than signature-based or URL analysis approaches. Detecting the behavior directly, specifically the action of entering a legitimate password into the wrong site, is simpler and more effective than attempting to keep pace with the kit's constantly evolving evasion techniques. Organizations should deploy endpoint-level monitoring that can identify when users submit corporate credentials to domains outside the organization's legitimate service inventory. This approach sidesteps the cat-and-mouse detection evasion game that NakedPages' nine-stage redirection chain is specifically designed to win.
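The behavioral signal described above, a corporate password being submitted to a host outside the organization's legitimate service inventory, as an added example (not code from the page, from Push Security, or from any product). The decision logic is a pure function so it runs under Node; the DOM hook at the end shows where a browser extension's content script would call it. The identity-provider inventory, the corporate mail domain and the brand-word list are constructed assumptions; the .buzz escalation reuses the TLD the page's IOC discussion names.

```javascript
// Added example: flag a corporate password submitted to a host that is not in the
// organization's identity-provider inventory. Inventory, mail domain and brand words
// below are constructed assumptions.
const IDP_INVENTORY = new Set([
  'login.microsoftonline.com', 'login.live.com', 'accounts.google.com',
  'sso.corp.example', // assumed in-house SSO host
]);
const CORPORATE_MAIL_DOMAINS = new Set(['corp.example']);
// Brand words a cloned Microsoft/Google login page tends to carry in its hostname.
const BRAND_WORDS = /microsoft|office|outlook|google|okta|sso|login|auth/i;

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ''; }
}

function mailDomainOf(username) {
  const at = username.lastIndexOf('@');
  return at === -1 ? '' : username.slice(at + 1).toLowerCase();
}

// submission: { pageUrl, username, passwordPresent }
function evaluateCredentialSubmission(submission) {
  const { pageUrl, username, passwordPresent } = submission;
  if (!passwordPresent) return { flag: false, severity: 'none', reason: 'no password field submitted' };
  if (!CORPORATE_MAIL_DOMAINS.has(mailDomainOf(username))) {
    return { flag: false, severity: 'none', reason: 'identity is not a corporate account' };
  }
  const host = hostOf(pageUrl);
  if (IDP_INVENTORY.has(host)) {
    return { flag: false, severity: 'none', reason: `known identity provider ${host}` };
  }
  // Corporate credential going to an unknown host: always flag. Escalate when the host
  // imitates a login brand or sits on the .buzz TLD the page's IOC section calls out.
  const lookalike = BRAND_WORDS.test(host);
  const suspiciousTld = host.endsWith('.buzz');
  const severity = lookalike || suspiciousTld ? 'high' : 'medium';
  return {
    flag: true, severity, host,
    reason: `corporate credential submitted to ${host}` +
            (lookalike ? ' (brand lookalike hostname)' : '') +
            (suspiciousTld ? ' (.buzz TLD)' : ''),
  };
}

// Browser wiring (no-op under Node): inspect every form submit on the page.
// Capturing phase so the check runs even if the page's own handler stops propagation.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', (event) => {
    const form = event.target;
    const pw = form.querySelector('input[type="password"]');
    const user = form.querySelector('input[type="email"], input[name*="user" i], input[name*="login" i]');
    const verdict = evaluateCredentialSubmission({
      pageUrl: location.href,
      username: user ? user.value : '',
      passwordPresent: Boolean(pw && pw.value),
    });
    if (verdict.flag) console.warn('credential submission flagged:', verdict);
  }, true);
}
```

Because the check keys on where the password goes rather than on what the page looks like, the kit's randomized titles, DOM structure and per-campaign subdomains do not affect it; a cloned Microsoft page on an unknown host is flagged the same way as any other unknown host. The inventory must be maintained, and the exact-host match is deliberate: an allowlist that matched any subdomain of a listed domain would be wider than the page's "legitimate service inventory" intends.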
Phishing-Resistant MFA Deployment
Phishing-resistant authentication methods like WebAuthn and passkeys are essential defenses against NakedPages according to Push Security (2025). Common OTP, SMS, and push-notification MFA methods are routinely bypassed using AiTM techniques like those employed by NakedPages. However, defenders must also guard against MFA downgrade attacks where phishing pages redirect users to less-secure authentication options that can be intercepted. Disabling fallback to phishable authentication methods for high-value accounts eliminates this attack vector.
IOC-Based Blocking
Security teams can leverage indicators of compromise to block NakedPages infrastructure at network perimeters. Push Security's analysis identified patterns including malicious domains registered under .buzz TLDs and Cloudflare Workers gateway URLs used as initial access points. Organizations should integrate NakedPages IOCs from threat intelligence feeds into their firewalls, web proxies, and DNS filtering systems, while recognizing that the kit's domain rotation capabilities mean IOC-based blocking provides only a temporary defensive layer that must be continuously updated.
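An added example (not the page's, Push Security's or any vendor's code) of applying a domain IOC list at a DNS filter or web proxy in a way that accounts for two points above: per-campaign subdomain randomization, handled by matching each parent domain of the queried hostname rather than the full hostname, and rapid domain rotation, handled by treating indicators older than a review window as "review" rather than "block". The IOC entries, their timestamps and the 14-day window are constructed placeholders, not real NakedPages indicators.

```javascript
// Added example: domain IOC matching with parent-domain walk and staleness handling.
// Every IOC entry here is a constructed placeholder, not a real NakedPages indicator.
const STALE_AFTER_DAYS = 14; // assumed review window, given the kit's rapid domain rotation

const IOC_FEED = [
  { domain: 'login-gateway.buzz', kind: 'phishing-domain',
    lastSeen: '2025-03-01T00:00:00Z', source: 'constructed' },
  { domain: 'gateway-worker.example-workers.invalid', kind: 'worker-gateway',
    lastSeen: '2025-02-01T00:00:00Z', source: 'constructed' },
];

// Index by the listed domain so any randomized subdomain of it (e.g.
// "x7k2q.login-gateway.buzz") still matches.
function buildIocIndex(feed) {
  const index = new Map();
  for (const ioc of feed) {
    index.set(ioc.domain.toLowerCase(), { ...ioc, lastSeenMs: Date.parse(ioc.lastSeen) });
  }
  return index;
}

// Yield the hostname and each parent domain, stopping before the bare TLD so a
// sloppy feed entry like "buzz" can never match everything.
function* parentDomains(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  for (let i = 0; i < labels.length - 1; i++) yield labels.slice(i).join('.');
}

function matchIoc(hostname, index, nowMs) {
  for (const candidate of parentDomains(hostname)) {
    const ioc = index.get(candidate);
    if (!ioc) continue;
    const ageDays = (nowMs - ioc.lastSeenMs) / 86400000;
    // A fresh indicator blocks. A stale one may already have rotated to a different
    // owner, so it is surfaced for analyst review instead of silently enforced.
    return {
      action: ageDays > STALE_AFTER_DAYS ? 'review' : 'block',
      matched: candidate, kind: ioc.kind, ageDays: Math.round(ageDays),
    };
  }
  return { action: 'allow', matched: null };
}

function filterDnsQueries(queries, feed, nowMs) {
  const index = buildIocIndex(feed);
  return queries.map((q) => ({ query: q, ...matchIoc(q, index, nowMs) }));
}

// Constructed sample queries, evaluated as of 2025-03-10.
const NOW = Date.parse('2025-03-10T00:00:00Z');
console.log(filterDnsQueries(
  ['x7k2q.login-gateway.buzz', 'a1b2.gateway-worker.example-workers.invalid', 'login.microsoftonline.com'],
  IOC_FEED, NOW));
```

The first query is blocked on the parent domain even though its subdomain never appeared in the feed; the second matches an indicator 37 days old and is routed to review; the third is allowed. The window value is a policy choice, and the age field is what an analyst would use to decide whether to refresh or retire the entry.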
FAQs
How does NakedPages differ from stealing credentials at a fake login page?
A fake login page only captures the credential at that moment according to Sekoia.io and Push Security. NakedPages acts as a man-in-the-middle, intercepting ALL traffic between the victim and the real service including MFA codes, session tokens, and subsequent interactions. This gives attackers full account access even if MFA is enabled.
Can NakedPages really bypass MFA?
Not by breaking MFA cryptographically, according to security analysis. Instead, it intercepts the MFA code the legitimate service sends to the victim via SMS or authenticator app and relays it in real time to the real service on behalf of the victim. The attacker completes authentication while the victim believes they are logging in.
Why use 9 sequential redirects instead of a direct phishing link?
Multiple redirects evade email filters, URL scanners, and security tools that detect malicious domains, according to CloudSEK. Each redirect can be a different service, such as a URL shortener, ad network, or legitimate service, making it harder for security tools to flag the chain before it reaches the actual phishing page.
How does NakedPages target businesses rather than individuals?
NakedPages implements B2B targeting logic that distinguishes between personal and organizational accounts according to Push Security (2025). When a personal Microsoft account is detected, the victim is redirected to the legitimate login.live.com page, while organizational accounts proceed through the phishing flow. This selective targeting reduces detection risk by avoiding credential theft from personal accounts that are more likely to trigger consumer-oriented security alerts, while focusing on higher-value corporate credentials.