{
	"id": "e7c1bf52-1aed-486e-8c6d-cb2562130452",
	"created_at": "2026-04-29T02:22:12.406945Z",
	"updated_at": "2026-04-29T08:22:28.24559Z",
	"deleted_at": null,
	"sha1_hash": "7e7b03866445cd9955472f5c4dc1a6f4e97dadde",
	"title": "Evilginx 2.2 - Jolly Winter Update",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92219,
	"plain_text": "Evilginx 2.2 - Jolly Winter Update\r\nBy Kuba Gretzky\r\nPublished: 2018-11-22 · Archived: 2026-04-29 02:11:03 UTC\r\nTis the season to be phishing!\r\nI've finally found some free time and managed to take a break to work on preparing a treat for all of you phishing\r\nenthusiasts out there. Just in time for the upcoming holiday season, I present you the chilly Evilginx update.\r\n[Download Evilginx 2 from GitHub](https://github.com/kgretzky/evilginx2)\r\nIf you've arrived here by accident and have no idea what I'm writing about, do check the first post about Evilginx\r\n2 release.\r\nWithout further ado, let's jump straight into the changelog!\r\nChangelog - version 2.2\r\nFirst, here is a full list of changes made in this version.\r\nAdded option to capture custom POST arguments additionally to credentials. Check custom field under\r\ncredentials .\r\nAdded feature to inject custom POST arguments to requests. Useful for silently enabling \"Remember\r\nMe\" options, during authentication.\r\nRestructured phishlet YAML config file to be easier to understand (phishlets from previous versions need\r\nto be updated to new format).\r\nRemoved name field from phishlets. Phishlet name is now determined solely based on the filename.\r\nNow when any of auth_urls is triggered, the redirection will take place AFTER response cookies for\r\nthat request are captured.\r\nRegular expression groups working with sub_filters .\r\nPhishlets are now listed in a table.\r\nPhishlet fields are now selectively lowercased and validated upon loading to prevent surprises.\r\nAll search fields in the phishlet are now regular expressions by default. Remember about proper escaping!\r\nNow for the details.\r\nAdded option to capture custom POST arguments\r\nYou can now capture additional POST arguments in requests. Some people mentioned they often need to capture\r\ndata from other fields like PINs or tokens. 
Now you can.\r\nCaptured field values can be viewed in captured session details.\r\nhttps://breakdev.org/evilginx-2-2-jolly-winter-update\r\nPage 1 of 4\n\nFind out how to specify custom fields for capture in the official documentation.\r\nAdded feature to inject custom POST arguments to requests. Useful for silently enabling\r\n\"Remember Me\" options, during authentication\r\nAlmost all websites provide an option to log in without permanently remembering the logged-in user. This results\r\nin the website storing only temporary session cookies or cookies with a short lifespan, which are later invalidated\r\nboth on the server and the client.\r\nCapturing session cookies, in such a scenario, does not give the attacker permanent access. This is why it is most\r\nimportant that the phished user ticks the \"Remember Me\" checkbox to inform the server that persistent\r\nauthentication is requested. Till now that rested on the phished user's shoulders and they could make the decision.\r\nIn this version it is now possible to inject an argument into the POST request to inform the server that the\r\n\"Remember Me\" checkbox was ticked (even though it could've been deliberately left unchecked).\r\nAs an example, this part of a phishlet will detect the login POST request, containing username and password fields\r\nand will add/replace the remember_me parameter to always have a value of 1:\r\nforce_post:\r\n  - path: '/sessions'\r\n    search:\r\n      - {key: 'session\\[user.*\\]', search: '.*'}\r\n      - {key: 'session\\[pass[a-z]{4}\\]', search: '.*'}\r\n    force:\r\n      - {key: 'remember_me', value: '1'}\r\n    type: 'post'\r\nPlay around with it and I'm sure this feature may have other uses that I haven't thought about yet.\r\nRemade phishlet YAML file format\r\nPreparing for a final version of the phishlet file format, I did some restructuring of it. 
You will need to do some\r\nminor modifications to your custom phishlets, to make them compatible with Evilginx 2.2.0.\r\nI've now also properly documented the new phishlet file format, so please get familiar with it here:\r\nPhishlet File Format 2.2.0 Documentation\r\nRemoved name field from phishlets\r\nMany of you reported the proxy returning TLS errors when testing your own custom phishlets. They were caused by\r\ncustom phishlets having the same name as another loaded phishlet.\r\nThat name field caused enough confusion, so I decided to remove it altogether. Phishlet name is now solely\r\ndetermined by the phishlet filename without the .yaml suffix. This should provide full uniqueness for each\r\nphishlet name, as two identical filenames can't exist in the same directory from which phishlets are loaded.\r\nNow when any of auth_urls is triggered, the redirection will take place AFTER response cookies\r\nfor that request are captured\r\nIn previous versions, whenever any of auth_urls triggered the session capture, the redirection would happen\r\nimmediately, before Evilginx could parse the response received from the server.\r\nThis resulted in Evilginx not being able to parse and capture cookies returned in responses to that last request that\r\nwould trigger the session capture and redirection.\r\nThis is now changed and you can safely pick the trigger URL path that still returns session cookies in the\r\nresponse, as they will be captured and saved before the redirection happens.\r\nRegular expression groups working with sub_filters\r\nI've been asked about it recently and upon checking, I figured out that it has already been implemented since\r\nthe Evilginx release.\r\nYou can define a regular expression group, as you'd normally do, with parentheses in the search field and later refer\r\nto it in the replace field with ${1}, where 1 is the group index and you can naturally use more than one group.\r\nExample:\r\n - {triggers_on: 'www.linkedin.com', orig_sub: 'cdn', domain: 
'linkedinapis.com', search: '//{hostname}/([0-9a\r\nRefer to GO language documentation to see exactly how it works (make sure to see the example section):\r\nhttps://golang.org/pkg/regexp/#Regexp.ReplaceAllString\r\nPhishlets are now listed in a table\r\nSimply said - phishlets listing was an ugly mess. Now it looks good.\r\nPhishlet fields are now selectively lowercased and validated upon loading to prevent surprises\r\nEvilginx will now validate each phishlet on loading. It will try its best to inform you about any detected issues\r\nwith an error message to make it easier to debug any accidental mistakes like typos or missing fields.\r\nAll search fields in the phishlet are now regular expressions by default\r\nThe phishlet documentation now specifies which fields are considered to be regular expressions, so do remember\r\nabout proper escaping of regular expression strings.\r\nAs a quick example, if you used to look for login.username POST key to capture its value, you need to now\r\ndefine the field as key: 'login\\.username' , because . is one of the special characters used in regular\r\nexpressions, which has a separate function.\r\nEnjoy!\r\nAs always, I wanted to thank everyone for amazing feedback and providing ideas to improve Evilginx.\r\nKeep the bug reports and feature requests incoming!\r\n[Follow me on Twitter](https://twitter.com/mrgretzky)\r\n[Download Evilginx 2 from GitHub](https://github.com/kgretzky/evilginx2)\r\nSource: https://breakdev.org/evilginx-2-2-jolly-winter-update",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://breakdev.org/evilginx-2-2-jolly-winter-update"
	],
	"report_names": [
		"evilginx-2-2-jolly-winter-update"
	],
	"threat_actors": [],
	"ts_created_at": 1777429332,
	"ts_updated_at": 1777450948,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e7b03866445cd9955472f5c4dc1a6f4e97dadde.pdf",
		"text": "https://archive.orkl.eu/7e7b03866445cd9955472f5c4dc1a6f4e97dadde.txt",
		"img": "https://archive.orkl.eu/7e7b03866445cd9955472f5c4dc1a6f4e97dadde.jpg"
	}
}