EvilGinx
Evilginx is an open-source adversary-in-the-middle (AiTM) phishing framework/toolkit used to proxy legitimate authentication flows and capture usernames, passwords, and authenticated web session cookies. By relaying the real sign-in process and harvesting the session cookie issued after MFA completion, it enables attackers to bypass MFA/2FA protections and replay authenticated sessions for account takeover. The content describes Evilginx being used to provision phishing pages and act as a reverse proxy between victims and real sites, including bogus login pages and conference/event-themed lures. Reported users include Star Blizzard/Blue Callisto/SEABORGIUM/COLDRIVER, Scattered Spider, and Void Blizzard/Laundry Bear. Observed targeting includes academia, NGOs, defense-related targets, and at least 18 U.S. universities and educational institutions in 2025. In the cited university campaign, attackers used personalized phishing messages, short-lived links, and nearly 70 associated domains to steal credentials and session cookies. The content also notes newer variants/features referred to as “Evilginx Pro,” including wildcard TLS certificates, advanced fingerprinting and bot filtering, decoy pages, DNS provider integration, multi-domain phishlets, and JavaScript obfuscation. High-confidence behavior in the content is credential harvesting, session-cookie theft, MFA bypass, and use in spearphishing/AiTM campaigns.
Groups observed using it
6 distinct threat actors attributed by public researchers.
The setup used the open-source Evilginx kit to intercept usernames, passwords, and session cookies as users attempted to "register" for the bogus summit.
Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity.
The threat actor’s tools, techniques and procedures (TTPs) contained slight shifts during 2022, such as network provider preferences and use of phishing technologies such as Evilginx.
"Scattered Spider has created bogus login pages using the Evilginx phishing kit to bypass multi-factor authentication (MFA)..."
The attackers are using the open source Evilginx framework to provision these phishing pages and to act as a reverse proxy between the victim and the real site.
“Evilginx — An attack framework used for phishing login credentials along with session cookies, which allows attackers to bypass MFA protection.”
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Based on SEKOIA.IO Evilginx trackers, we came across domains, known to us as aligning with past Calisto activities. Further investigations led to a larger infrastructure composed of more than 80 domains, including domains typosquatting entities.
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
4 techniques
Calisto mainly focuses on Western countries, especially the United States, and Eastern European countries. The group was observed carrying out phishing campaigns aiming at credential theft...
"...or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms."
The first page of the PDF mimics an error in the PDF renderer engine, inciting the victim to open a link leading to a malicious web page. This webpage aims at gathering the victim’s credentials by using EvilGinx.
Star Blizzard “incorporated the open-source EvilGinx framework into their spearphishing activity.”
Execution
3 techniques
Star Blizzard has used JavaScript to redirect victim traffic from an adversary-controlled server to a server hosting the Evilginx phishing framework.
Pre-phish page requiring the visitor to click the download button before being redirected to the phishing page.
ID: T1204.003; Technique: Malicious Image; Tactic: Execution; Annotations: Default Configuration
Persistence
1 technique
Stealth
2 techniques
The parameter name is randomly generated and its value consists of a random RC4 encryption key, checksum and a base64 encoded encrypted value of all embedded custom parameters. This ensures that the generated link is different every time, making it hard to write static detection signatures for.
Normally if you generated a phishing URL from a given lure... sometimes you may want to give it a more personalized feel to it... you can change it to whatever you want like this.is.totally.not.phishing.com.
Defense Impairment
1 technique
Credential Access
7 techniques
This webpage aims at gathering the victim’s credentials by using EvilGinx.
“A sophisticated credential-harvesting campaign has been targeting ScreenConnect cloud administrators… The hackers are targeting super-administrator credentials…”
The AiTM component intercepts this valid code, forwards it to the real server, successfully completes the session and exfiltrates the long-lived session token (Session Cookies).
CALISTO uses Evilginx on its VPS to capture the victim’s credentials.
"...Evilginx...capture credentials and session cookies in real time, bypassing MFA."
Lateral Movement
1 technique
"Okta AiTM Session Cookie Replay" ... "AiTM attacks capture session cookies via phishing proxies (e.g., Evilginx, Modlishka) and replay them... bypassing MFA."
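Added example, not code from the page or from any cited vendor report: a minimal Python check over constructed sign-in log events (field names `event`, `session`, `ip`, `ua` are assumed) that flags a session token used from a different IP or user agent than the one that completed MFA, which is the replay pattern the quote above describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not from any real tenant): alice completes MFA and
# receives session s-1, which minutes later is used from a different IP and
# browser; bob's session s-2 is only ever used from where it was issued.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "event": "mfa_success", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/122 Windows"},
    {"ts": "2025-03-01T09:02:00", "event": "session_use", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/122 Windows"},
    {"ts": "2025-03-01T09:06:00", "event": "session_use", "user": "alice", "session": "s-1", "ip": "198.51.100.7", "ua": "Firefox/124 Linux"},
    {"ts": "2025-03-01T10:00:00", "event": "mfa_success", "user": "bob", "session": "s-2", "ip": "192.0.2.44", "ua": "Safari/17 macOS"},
    {"ts": "2025-03-01T10:30:00", "event": "session_use", "user": "bob", "session": "s-2", "ip": "192.0.2.44", "ua": "Safari/17 macOS"},
]

@dataclass
class Alert:
    user: str
    session: str
    reason: str
    minutes_after_mfa: float

def find_session_replay(events, window=timedelta(hours=24)):
    """Return one Alert per session_use event whose IP or user agent differs
    from the mfa_success event that issued the same session, within `window`."""
    issued = {}  # session id -> the event that issued it (ts parsed)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "mfa_success":
            issued[e["session"]] = dict(e, ts=ts)
            continue
        origin = issued.get(e["session"])
        if origin is None or ts - origin["ts"] > window:
            continue  # no issuance seen, or outside the comparison window
        reasons = []
        if e["ip"] != origin["ip"]:
            reasons.append(f"ip {origin['ip']} -> {e['ip']}")
        if e["ua"] != origin["ua"]:
            reasons.append(f"ua {origin['ua']!r} -> {e['ua']!r}")
        if reasons:
            minutes = (ts - origin["ts"]).total_seconds() / 60
            alerts.append(Alert(e["user"], e["session"], "; ".join(reasons), minutes))
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(alert)
```

An IP change alone is noisy for mobile users; in practice weight the IP-plus-user-agent combination and enrich the new IP with its ASN, since AiTM proxies such as Evilginx typically sit on hosting ranges.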
Collection
3 techniques
This webpage aims at gathering the victim’s credentials by using EvilGinx.
“A sophisticated credential-harvesting campaign has been targeting ScreenConnect cloud administrators… The hackers are targeting super-administrator credentials…”
Command and Control
1 technique
You can finally route the connection between Evilginx and the targeted website through an external proxy. This may be useful if you want the connections to a specific website to originate from a specific IP range or specific geographical region.
IOCs tracked for this family
127 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Evilginx is an AitM phishing framework used to proxy authentication flows in real time to harvest user credentials and session cookies, enabling account takeover even when MFA is in use. The content notes newer variants (e.g., Evilginx Pro) add evasion and operational features such as wildcard TLS certificates, bot filtering/fingerprinting (e.g., JA4), decoy pages, improved DNS provider integration, multi-domain support for phishlets, and JavaScript obfuscation.
Evilginx is an open-source phishing kit that uses an Adversary-in-the-Middle (AiTM) technique to intercept credentials and session cookies, allowing attackers to bypass Multi-Factor Authentication (MFA) and fully compromise accounts.
Evilginx is a phishing toolkit that acts as a proxy between the victim and the legitimate website, capturing credentials and session cookies, including those issued after multi-factor authentication. This allows attackers to bypass MFA and impersonate users without triggering further authentication challenges.
An adversary-in-the-middle (reverse proxy) phishing framework used to capture credentials and session cookies, enabling bypass of MFA in credential-harvesting campaigns.