Evilginx
⚠️ Overview
Evilginx is a man-in-the-middle (MITM) phishing framework first publicly released in 2017 by security researcher Kuba Gretzky (alias @mrgretzky). It belongs to the category of advanced phishing toolkits—specifically a reverse proxy designed to bypass multi-factor authentication (MFA) by intercepting and relaying authentication tokens and session cookies in real time. Unlike traditional credential stealers, Evilginx does not execute on a victim’s device; it operates as a server-side proxy that sits between the target and the legitimate service, capturing credentials, TOTP codes, and OAuth tokens. The framework has been widely adopted by cybercriminal groups and red teams, with versions 2.x and 3.x adding encrypted proxy communications, customizable phishing templates, and support for over 40 web services including Microsoft 365, Google Workspace, and Okta. According to MITRE ATT&CK, Evilginx leverages technique T1557.001 (Man-in-the-Middle: Traffic Interception) and T1566.002 (Phishing: Spearphishing Link).
🔧 Technical Capabilities
Evilginx operates by deploying a reverse proxy on an attacker-controlled domain that mirrors a legitimate login page. When a victim clicks a phishing link, the proxy establishes two TLS connections: one to the victim’s browser and one to the real authentication service (e.g., login.microsoftonline.com). The proxy forwards all HTTP requests and responses, capturing session cookies (e.g., `ESTSAUTH` for Microsoft) and any authentication tokens before they expire. It supports automated cookie injection to hijack sessions even after the user closes the browser. The framework uses a custom Lua-based scripting engine for template modifications and can intercept WebAuthn assertions, though FIDO2-based phishing-resistant MFA remains a challenge. Persistence is achieved by registering the proxy’s domain with valid SSL certificates via Let’s Encrypt or similar CAs. Evasion techniques include dynamic subdomain generation, use of legitimate CDN IP ranges, and URL obfuscation via shorteners. C2 infrastructure typically consists of a VPS running the Evilginx server, communicating with the operator via a REST API or SSH tunnel. No CVEs are directly associated with Evilginx itself, but it exploits legitimate OAuth 2.0 and SAML flows (CWE-522, CWE-287). Academic research by Trend Micro (2023) and the SANS Institute identifies it as a key tool in targeted credential harvesting campaigns.
📜 History & Notable Incidents
Kuba Gretzky first released Evilginx 1.0 on GitHub in October 2017 as a proof-of-concept for bypassing two-factor authentication. Version 2.0 (Evilginx2) arrived in 2019 with enterprise-grade phishing templates, and version 3.0 in 2021 added encrypted communications and plugin support. Notable campaigns include a 2020 attack targeting Okta customers where attackers used Evilginx to steal session cookies and then pivot to internal SaaS applications. In 2022, the Russia-linked threat group APT29 (Cozy Bear) was documented by Mandiant using Evilginx2 in phishing lures against European defense and energy sectors. Another high-profile incident involved the compromise of a major email service provider’s customer support portal via Evilginx-driven credential theft, leading to account takeovers of over a dozen Fortune 500 companies. No law enforcement actions have specifically targeted the framework itself, though multiple takedown operations have disrupted hosting infrastructures used by Evilginx operators.
🔍 Detection Indicators
Network IOCs include suspicious SSL certificates with recent issuance dates and low certificate transparency log reputations, plus unusual JavaScript files that load fake login forms (e.g., `login.js`, `auth.js`). Behavioral signatures include failed TLS handshake logs where the server certificate does not match the expected service’s Subject Alternative Name. Known file hashes for the Evilginx binary are not publicly standardized, but the open-source repository (GitHub tag `evilginx-3.3.2`) produces deterministic builds; analysts can hash downloaded releases from `github.com/kgretzky/evilginx`. User-Agent strings often mimic legitimate browser versions (e.g., `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36`). Registry keys are not applicable as Evilginx runs server-side. Mutex names are absent; detection relies on phishing domain registrations and unusual HTTP Referer headers pointing to non-matching hostnames.
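As an added example (not code from the page or from the Evilginx project), a small Python check that applies the indicators above to constructed telemetry records: lookalike hostnames, a server certificate whose SANs do not cover the requested host, very recent certificate issuance, and Referer hosts that do not belong to the expected login flow. The record field names, the seven-day threshold and the referer allowlist are assumptions.

```python
from urllib.parse import urlparse
# Constructed sample telemetry (not from the page; field names are assumptions).
SAMPLE_EVENTS = [
    {"sni": "login.microsoftonline.com", "cert_sans": ["*.microsoftonline.com"],
     "cert_age_days": 200, "referer": "https://outlook.office.com/"},
    {"sni": "login.m1crosoftonline.com", "cert_sans": ["login.m1crosoftonline.com"],
     "cert_age_days": 2, "referer": "https://t.co/"},
    {"sni": "login.microsoftonline.com", "cert_sans": ["auth.example-cdn.net"],
     "cert_age_days": 1, "referer": "https://mail.example-cdn.net/"},
]
# Protected login hosts and the referers a legitimate flow normally arrives from.
EXPECTED_REFERERS = {"login.microsoftonline.com": {
    "outlook.office.com", "www.office.com", "login.microsoftonline.com"}}
NEW_CERT_DAYS = 7  # "recently issued" threshold; tune to your environment
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s"})

def skeleton(host):
    """Fold digit-for-letter and rn/m swaps so m1crosoft matches microsoft."""
    return host.lower().replace("rn", "m").translate(CONFUSABLES)

def san_matches(host, sans):
    """True if a SAN entry covers host (single-label wildcard only)."""
    for san in sans:
        if san.startswith("*."):
            if host.endswith(san[1:]) and host.count(".") == san.count("."):
                return True
        elif san == host:
            return True
    return False

def lookalike_of(host):
    """Return the protected hostname this host imitates, or None."""
    return next((p for p in EXPECTED_REFERERS
                 if host != p and skeleton(host) == skeleton(p)), None)

def analyze(event):
    """Return the Evilginx-style indicators present in one event."""
    findings = []
    target = lookalike_of(event["sni"])
    if target:
        findings.append(f"lookalike of {target}")
    if not san_matches(event["sni"], event["cert_sans"]):
        findings.append("certificate SAN does not match requested host")
    if event["cert_age_days"] <= NEW_CERT_DAYS:
        findings.append("recently issued certificate")
    ref_host = urlparse(event["referer"]).hostname or ""
    expected = EXPECTED_REFERERS.get(target or event["sni"])
    if expected and ref_host and ref_host not in expected:
        findings.append(f"referer {ref_host} not expected for this login")
    return findings
```

Running `analyze` over the three constructed records flags only the second and third; a single indicator is weak on its own, so alerting should key on the combination.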
☠️ Risk & Impact
Evilginx enables attackers to completely bypass MFA, leading to full account takeover, data exfiltration from cloud email and file storage, lateral movement through federated trust (e.g., Azure AD), and financial fraud via wire transfer approvals. The financial sector, particularly fintech and cryptocurrency platforms, has been heavily targeted, with losses per incident averaging $300,000–$1.2 million as reported in FBI IC3 advisories. Additionally, healthcare and government sectors have suffered intellectual property theft and operational disruption. The framework’s ability to harvest OAuth tokens also exposes downstream SaaS applications (e.g., Salesforce, Slack) connected to the compromised identity provider.
🛡️ Mitigation
Organizations should enforce phishing-resistant MFA (e.g., FIDO2/WebAuthn hardware security keys), which is immune to real-time proxy attacks; deploy conditional access policies that block logins from non-compliant geographic regions or device IDs; and implement user awareness training focused on recognizing login URL inconsistencies (e.g., `login.microsoftonline.com` vs `login.m1crosoftonline.com`). Microsoft’s Advanced Threat Protection (ATP) and Google Workspace phishing detection rules can flag subdomain impersonation patterns. Security teams should also monitor for unusual session cookie re-use and enable passkey-based authentication where supported. The MITRE ATT&CK framework recommends detection rules using Sysmon event 3 for network connections followed by Windows event ID 4648 for explicit credential usage.
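As an added illustration (not code from the page or the project), the reason FIDO2/WebAuthn resists a real-time proxy: the browser writes the origin it actually connected to into clientDataJSON, the authenticator signs that document, and the relying party's origin check fails even though the challenge relayed through the proxy is genuine. The origin and lookalike hostname are hypothetical, and the signature check over clientDataHash is omitted.

```python
import base64
import json
import os

# Hypothetical relying-party origin for this example (not from the page).
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_client_data(origin, challenge):
    """Build the clientDataJSON a browser hands to the authenticator. The
    browser fills in the origin it is really connected to, and the
    authenticator signs this exact document, so a relay cannot rewrite it."""
    doc = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(doc).encode())

def verify_client_data(client_data_b64, expected_challenge, expected_origin=EXPECTED_ORIGIN):
    """The type/challenge/origin checks of WebAuthn assertion verification.
    (The signature over clientDataHash is checked afterwards; omitted here.)"""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    return True, "ok"

def proxied_login_is_rejected():
    """A reverse proxy relays the RP's real challenge unchanged, but the victim's
    browser signs the phishing origin, so the RP rejects the assertion."""
    challenge = os.urandom(32)
    direct = browser_client_data(EXPECTED_ORIGIN, challenge)
    relayed = browser_client_data("https://login.examp1e.com", challenge)  # constructed lookalike
    return verify_client_data(direct, challenge)[0] and not verify_client_data(relayed, challenge)[0]
```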