| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle | evilginx2 has the ability to act as an adversary-in-the-middle (AiTM) relay between a legitimate website and a phished user to capture all transmitted data, including usernames, passwords, authentication tokens, and session cookies and tokens.[1][4][5][3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | evilginx2 can proxy HTTPS connections between victims and destination websites.[1][6][7] |
| Enterprise | T1185 | Browser Session Hijacking | evilginx2 can inject custom POST arguments into requests to silently enable "Remember Me" options during authentication, so that the victim stays logged in across browser sessions.[8] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | evilginx2 can inject JavaScript code into HTML content to customize phishing attacks.[9] |
| Enterprise | T1132 | Data Encoding | evilginx2 can randomly generate and Base64-encode parameters in phishing links to defeat static detection.[6] |
| Enterprise | T1001 | Data Obfuscation | evilginx2 can modify the Origin and Referer fields in the HTTPS headers it relays between intended victims and legitimate websites to comply with cross-origin resource sharing (CORS) restrictions.[1] |
| Enterprise | T1480 | Execution Guardrails | evilginx2 can reject requests to phishing URLs if the visitor's User-Agent does not match the allowlist regex filter configured for a specific lure.[6] |
| Enterprise | T1111 | Multi-Factor Authentication Interception | evilginx2 can intercept authentication tokens to enable bypass of non-phishing-resistant forms of MFA.[1] |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | evilginx2 can generate and display phishing URLs, including hidden tracking pixels, and can also embed URLs within iframes for browser-in-the-browser phishing.[9][7][3] |
| Enterprise | T1090.002 | Proxy: External Proxy | evilginx2 can route traffic via SOCKS5 and HTTP(S) proxies between an intended phishing victim's machine and legitimate websites.[1][6][3] |
| Enterprise | T1539 | Steal Web Session Cookie | evilginx2 can collect information on each session with a victim, including the session cookie.[1][3] |
| Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | evilginx2 has obtained a valid SSL/TLS certificate from Let's Encrypt to provide responses to Automatic Certificate Management Environment (ACME) challenges.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | evilginx2 can capture information from each session with a victim, including the public IP used to access the server and the user agent.[3] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | evilginx2 has the ability to hide phishing lures for a set time to avoid scanning by sandboxes.[5] |