EvilGinx
Evilginx is an open-source adversary-in-the-middle (AiTM) phishing framework built on top of nginx and used to proxy legitimate authentication flows in real time. It is used to harvest usernames, passwords, MFA artifacts, authenticated session cookies, and related login data, enabling attackers to bypass MFA by replaying stolen session cookies and hijacking authenticated sessions. The framework is commonly used to provision phishing pages that act as reverse proxies between victims and legitimate services, including Microsoft and Okta-style login portals, and can present live mirrored login pages with valid TLS. Reported delivery methods include phishing links sent by email, SMS, OAuth consent requests, QR-code lures, PDFs, HTML attachments, and spoofed login-alert messages.
The content links Evilginx to multiple threat actors and campaigns. It has been assessed as used by Scattered Spider in phishing operations and bogus login pages to bypass MFA, including infrastructure similarities noted by Silent Push. Star Blizzard, a Russia-linked espionage actor also tracked as SEABORGIUM/Callisto Group/BlueCharlie, has incorporated EvilGinx into spearphishing to steal credentials and session cookies from phishing domains and bypass two-factor authentication. Blue Callisto/SEABORGIUM reporting also notes use of phishing technologies such as Evilginx. Sophos attributed a January 2025 MSP intrusion to Qilin affiliate STAC4365, which used evilginx with spoofed ScreenConnect domains and Amazon SES redirects to steal ScreenConnect administrator credentials and a time-based one-time password, leading to super-admin access and subsequent ransomware deployment.
Evilginx is also described as part of the broader proliferation of advanced AiTM phishing kits alongside EvilProxy and Tycoon. Proofpoint reported a dedicated Evilginx phishlet used to force authentication downgrade against Microsoft Entra ID users by spoofing an unsupported browser environment, causing fallback to weaker authentication methods that can then be intercepted. Infoblox reported Evilginx-based campaigns targeting at least 18 U.S. universities and educational institutions since April 12, 2025, using nearly 70 linked domains, short-lived links, and Cloudflare-obscured infrastructure to steal credentials and session cookies and achieve account takeover. Reported newer variants or feature sets include references to 'Evilginx Pro' with wildcard TLS certificates, advanced fingerprinting and bot filtering, decoy pages, DNS-provider integration, multi-domain phishlets, and JavaScript obfuscation.
High-confidence behaviors and indicators in the content include use as a reverse proxy for credential harvesting, theft of session cookies for MFA bypass, phishing domains impersonating legitimate services, and campaign infrastructure such as cloud.screenconnect[.]com.ms and related redirect infrastructure in the Sophos case. The content consistently characterizes Evilginx as a dual-use phishing framework widely adopted across cybercrime and espionage operations for credential theft and session hijacking.
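The summary above describes the core risk of this family: a stolen, already-MFA-validated session cookie is replayed from attacker infrastructure, so the login event itself looks legitimate. One defender-side detection that follows from that is to watch for an authenticated session being reused from a different client than the one that completed MFA. The script below is an added example written for this page; it is not Mallory's or the Evilginx project's code, and the log format (a timestamp followed by `key=value` fields such as `event`, `user`, `session_id`, `src_ip`, `user_agent`) and the 30-minute replay window are assumptions, with the sample lines constructed for the example.

```python
"""Flag authenticated sessions later reused from a different client.

Added example: detects session-cookie replay after an AiTM phish by checking
whether a session established with MFA is subsequently used from another
source IP or user agent shortly after. The log format and the field names are
assumptions for this example, not any vendor's schema."""
import shlex
from datetime import datetime, timezone

# Constructed sample log: alice's session S1 is reused from a new IP and
# browser 221 seconds after MFA; bob's session S2 stays on one client.
SAMPLE_LOG = """\
2025-05-01T08:00:00Z event=mfa_success user=alice session_id=S1 src_ip=203.0.113.10 user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2025-05-01T08:00:05Z event=request user=alice session_id=S1 src_ip=203.0.113.10 user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2025-05-01T08:03:41Z event=request user=alice session_id=S1 src_ip=198.51.100.77 user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/125"
2025-05-01T09:00:00Z event=mfa_success user=bob session_id=S2 src_ip=192.0.2.5 user_agent="Mozilla/5.0 (Macintosh) Safari/17"
2025-05-01T09:10:00Z event=request user=bob session_id=S2 src_ip=192.0.2.5 user_agent="Mozilla/5.0 (Macintosh) Safari/17"
"""

# Assumption: reuse of a session from a new client within this many seconds of
# the MFA success is treated as likely replay rather than a normal roaming user.
REPLAY_WINDOW_SECONDS = 1800


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict.

    shlex.split keeps quoted values such as the user agent as a single token.
    """
    tokens = shlex.split(line)
    rec = {
        "ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
    }
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def detect_session_replay(lines, window=REPLAY_WINDOW_SECONDS):
    """Return one finding per request that reuses a session from a new client.

    The client that completed MFA is taken as the session's legitimate origin;
    any later request on the same session_id from a different IP or user agent
    inside the window is reported.
    """
    origins = {}  # session_id -> record of the mfa_success event
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec.get("session_id")
        if rec.get("event") == "mfa_success":
            origins[sid] = rec
            continue
        origin = origins.get(sid)
        if origin is None:
            continue  # session not established in this log slice; skip
        ip_changed = rec["src_ip"] != origin["src_ip"]
        ua_changed = rec["user_agent"] != origin["user_agent"]
        age = int((rec["ts"] - origin["ts"]).total_seconds())
        if (ip_changed or ua_changed) and age <= window:
            findings.append(
                {
                    "user": rec["user"],
                    "session_id": sid,
                    "origin_ip": origin["src_ip"],
                    "src_ip": rec["src_ip"],
                    "ip_changed": ip_changed,
                    "ua_changed": ua_changed,
                    "seconds_since_auth": age,
                }
            )
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_LOG.splitlines()):
        print(
            f"possible session replay: user={f['user']} session={f['session_id']} "
            f"mfa_from={f['origin_ip']} reused_from={f['src_ip']} "
            f"after={f['seconds_since_auth']}s"
        )
```

In production this logic would run over the identity provider's sign-in and activity logs keyed on whatever session or token identifier they expose, and the IP comparison is usually better done at the ASN or geolocation level than on raw addresses; the point of the example is the shape of the check, which is independent of the phishing kit that obtained the cookie.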
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Evilginx phishing infrastructure is assessed with high confidence as very likely linked to Scattered Spider; this assessment is based on infrastructure similarities with domains previously attributed by Silent Push.
Those attempts leveraged phishing sites built with the evilginx open-source adversary-in-the-middle attack framework to collect credentials and session cookies and bypass multi-factor authentication (MFA).
The setup used the open-source Evilginx kit to intercept usernames, passwords, and session cookies as users attempted to "register" for the bogus summit.
Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity.
The threat actor’s tools, techniques and procedures (TTPs) contained slight shifts during 2022, such as network provider preferences and use of phishing technologies such as Evilginx.
The attackers are using the open source Evilginx framework to provision these phishing pages and to act as a reverse proxy between the victim and the real site.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (3 techniques)
Based on SEKOIA.IO Evilginx trackers, we came across domains, known to us as aligning with past Calisto activities. Further investigations led to a larger infrastructure composed of more than 80 domains, including domains typosquatting entities.
Initial Access (3 techniques)
These personas are typically used to trick the target into visiting a malicious link, leading to the theft of their credentials, the bypassing of 2FA, and access to the target’s information.
The URL to which the target is redirected is typically a webpage crafted by the attacker to look like a genuine login page for the target’s email service (e.g. Gmail or ProtonMail)... If the target enters their password and two-factor code into the form, these items will be sent to the attacker who will use them to complete the login and obtain a session cookie for the target’s account.
Execution (1 technique)
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (3 techniques)
The parameter name is randomly generated and its value consists of a random RC4 encryption key, checksum and a base64 encoded encrypted value of all embedded custom parameter. This ensures that the generated link is different every time, making it hard to write static detection signatures for.
Credential Access (5 techniques)
Credential harvesting panel – A modified phishing framework for username and password collection, possibly derived from Evilginx...
MitM to develop the attack: DNS spoofing, cookie interception, injection of malicious code into HTTP responses, interception of MFA tokens (T1111) via an Evilginx proxy.
If the target enters their password and two-factor code into the form, these items will be sent to the attacker who will use them to complete the login and obtain a session cookie for the target’s account. This cookie allows the attacker to access the target’s email account as if they were the target themselves.
IOCs tracked for this family
127 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Evilginx is an adversary-in-the-middle framework built on nginx that proxies real login pages through attacker-controlled infrastructure to capture credentials, MFA approvals, and authenticated session cookies, enabling account takeover by replaying stolen sessions.
A phishing framework referenced as a possible basis for the credential harvesting panel used in the operation for collecting usernames and passwords.
Evilginx is an AitM phishing framework used to proxy authentication flows in real time to harvest user credentials and session cookies, enabling account takeover even when MFA is in use. The content notes newer variants (e.g., Evilginx Pro) add evasion and operational features such as wildcard TLS certificates, bot filtering/fingerprinting (e.g., JA4), decoy pages, improved DNS provider integration, multi-domain support for phishlets, and JavaScript obfuscation.
Open-source adversary-in-the-middle phishing framework used to proxy legitimate login flows, harvest credentials and session cookies, relay MFA/TOTP, and selectively redirect traffic to evade detection.