{
	"id": "3ecf34e2-747b-4595-92a4-869c69968c5c",
	"created_at": "2026-04-29T02:20:35.777636Z",
	"updated_at": "2026-04-29T08:21:45.265456Z",
	"deleted_at": null,
	"sha1_hash": "84de018330e5155973d8fbaeac4aab9e0a7e4d94",
	"title": "Evilginx 2.3 - Phisherman's Dream",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122943,
	"plain_text": "Evilginx 2.3 - Phisherman's Dream\r\nBy Kuba Gretzky\r\nPublished: 2019-01-18 · Archived: 2026-04-29 02:09:15 UTC\r\nWelcome to 2019!\r\nAs was noted, this will be the year of phishing automation. We've already seen a release of new reverse-proxy tool\r\nModlishka and it is only January.\r\nThis release would not have happened without the inspiration I received from Michele Orru (@antisnatchor),\r\nGiuseppe Trotta (@Giutro) and Piotr Duszyński (@drk1wi). Thank you!\r\nThis is by far the most significant update since the release of Evilginx. The 2.3 update makes it unnecessary to\r\nmanually create your own sub_filters . I talked to many professional red teamers (hello @_RastaMouse) who\r\nhave struggled with creating their own phishlets, because of the unfair, steep learning curve of figuring out what\r\nstrings to replace and where, in the proxied HTTP content. I can proudly say that these days are over and it should\r\nnow be much easier to create phishlets from scratch.\r\nIf you arrived here by accident and you have no idea what I'm talking about, check out the first post on Evilginx.\r\nIt is a phishing framework acting as a reverse proxy, allowing to bypass 2FA authentication.\r\nLet's jump straight into the changes.\r\nChangelog - version 2.3\r\nHere is a full list of changes in this version:\r\nProxy can now create most of required sub_filters on its own, making it much easier to create new\r\nphishlets.\r\nAdded lures, with which you can prepare custom phishing URLs, each having its own set of unique\r\noptions ( help lures for more info).\r\nAdded OpenGraph settings for lures, allowing to create enticing content for link previews.\r\nAdded ability to inject custom Javascript into proxied pages.\r\nInjected Javascript can be customized with attacker-defined data, specified in lure options.\r\nDeprecated landing_path and replaced it with a login section, which contains the domain and path for\r\nwebsite's login page.\r\nDiving into more 
detail now.\r\nAutomatic handling of sub_filters\r\nIn order for Evilginx to properly proxy a website, it must not stray off its path and it should make sure that all\r\nproxied links and redirections are converted from original URLs to the phishing URLs. If the browser navigates to\r\nthe original URL, the user will no longer be proxied through Evilginx and the phishing will simply fail.\r\nI am aware it was super hard to manually figure out what strings to replace and it took considerable amounts of\r\ntime to analyze HTML content of every page to manage substitutions, using trial and error method.\r\nInitially I thought that doing the automatic URL substitution, in page body, will just not work well. The guys I\r\nmentioned at the top of this post, proved me wrong and I was amazed how well it can work when properly\r\nexecuted. When I saw this method successfully implemented and demonstrated in Modlishka, I was blown away. I\r\nknew I had to try and do the same for Evilginx.\r\nIt took me a whole weekend to implement the required changes and I'm very happy with the outcome. You can\r\nnow start creating your phishlet without any sub_filters at all. Just define the proxy_hosts for the domains\r\nand subdomains that you want to proxy through and it should work out-of-the-box. You may need to create your\r\nown sub_filters only if there is some unusual substitution required to bypass security checks or you just want\r\nto modify some HTML to make the phishing scenario look better.\r\nBest thing with automated sub_filters generation is the fact that the whole website's functionality may fully\r\nwork, through the proxy, even after the user is authenticated (e.g. Gmail's inbox).\r\nPhishing with lures\r\nThe tokenized phishing link with redirection URL, encoded in base64 format, was pretty ugly and definitely not\r\nperfect for carefully planned phishing attacks. 
As an improvement, I thought of creating custom URLs with\r\nattacker-defined path. Each assigned with a different redirection URL, which would be navigated to on successful\r\nauthentication through the phishing proxy. This idea eventually surfaced in form of lures.\r\nYou can now create as many lures as you want for specific phishlets and you are able to give each of them\r\nfollowing options:\r\nCustom path to make your phishing URLs look more inviting to be clicked.\r\nRedirection URL to navigate the user to, after they successfully authenticate.\r\nOpenGraph features, which will inject \u003cog:...\u003e meta tags into proxied website to make the phishing\r\nlinks generate enticing previews when sent in messengers or posted to social media.\r\nCustomized script content, which will be embedded into your injected Javascript code (e.g. for pre-filling\r\nthe user's email address).\r\nDescription for your own eyes to not forget what the lure was for.\r\nHere is how OpenGraph lure configuration can be used to generate an enticing preview for WhatsApp:\r\nOn clicking the link, the user will be taken to the attacker-controlled proxied Google login page and on successful\r\nauthentication, he can be redirected to any document hosted on Google Drive.\r\nThe command for generating tokenized phishing links through phishlets get-url still works, although I'd\r\nconsider it obsolete now. You should now generate phishing URLs with pre-created lures instead: lures get-url\r\n0\r\nTo get more information on how to use lures, type in help lures and you will get a list of all sub-commands\r\nyou can use.\r\nJavascript injection\r\nNow you can inject any javascript code into the proxied HTML content, based on URL path or domain. This gives\r\nincredible capabilities for customizing your phishing attack. 
You could for example make the website pre-fill the\r\nemail of your target in the authentication form and display their profile photo.\r\nHere is the example of injected javascript that pre-fills the target's email on LinkedIn login page:\r\njs_inject:\r\n  - trigger_domains: [\"www.linkedin.com\"]\r\n    trigger_paths: [\"/uas/login\"]\r\n    trigger_params: [\"email\"]\r\n    script: |\r\n      function lp(){\r\n        var email = document.querySelector(\"#username\");\r\n        var password = document.querySelector(\"#password\");\r\n        if (email != null \u0026\u0026 password != null) {\r\n          email.value = \"{email}\";\r\n          password.focus();\r\n          return;\r\n        }\r\n        setTimeout(function(){lp();}, 100);\r\n      }\r\n      setTimeout(function(){lp();}, 100);\r\nYou can notice that the email value is set to {email} , which lets Evilginx know that this will be replaced with\r\nthe value set in the created lure. Setting the email value would be done the following way.\r\n: lures edit params 0 email=target@domain.com\r\nSee that the trigger_params variable contains the email value, which means that this javascript will ONLY be\r\ninjected if the email parameter is configured in the lure used in the phishing attack.\r\nHere is a demo of what a creative attacker could do with Javascript injection on Google, pre-filling his target's\r\ndetails for him:\r\nRemoval of landing_url section\r\nTo upgrade your phishlets to version 2.3, you have to remove landing_url section and replace it with a login\r\nsection.\r\nI figured you may want to use a different domain for your phishing URL than the one, which is used to display the\r\nlogin page. For example Google's login page is always at domain accounts.google.com , but you may want the\r\nphishing link to point to a different sub-domain like docs.phished-google.com . 
That way you can add\r\ndocs.google.com to proxy_hosts and set the option to is_landing: true .\r\nThe login section should contain:\r\nlogin:\r\n domain: 'accounts.google.com'\r\n path: '/signin/v2/identifier'\r\nIMPORTANT! The login section always defines where the login page resides on the targeted website.\r\nThat way the user will be automatically redirected to the login page domain even when the phishing link\r\noriginated on a different domain.\r\nRefer to the official phishlets 2.3.0 documentation for more information.\r\nHave fun!\r\nI can proudly say that now the phishlet format is close to being perfect and, since the difficulty of creating one\r\nfrom scratch significantly dropped, I will be starting a series of blog posts teaching how to create a phishlet from\r\nscratch, including how to configure everything.\r\nThe series will start very soon and posts will be written in hands-on step by step format, showing the whole\r\nprocess of phishlet creation from start to finish, for the website that I pick.\r\nMake sure to follow me on Twitter if you want up-to-date information on Evilginx development.\r\n[Follow me on Twitter](https://twitter.com/mrgretzky)\r\n[Download Evilginx 2 from GitHub](https://github.com/kgretzky/evilginx2)\r\nSource: https://breakdev.org/evilginx-2-3-phishermans-dream/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://breakdev.org/evilginx-2-3-phishermans-dream/"
	],
	"report_names": [
		"evilginx-2-3-phishermans-dream"
	],
	"threat_actors": [],
	"ts_created_at": 1777429235,
	"ts_updated_at": 1777450905,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84de018330e5155973d8fbaeac4aab9e0a7e4d94.pdf",
		"text": "https://archive.orkl.eu/84de018330e5155973d8fbaeac4aab9e0a7e4d94.txt",
		"img": "https://archive.orkl.eu/84de018330e5155973d8fbaeac4aab9e0a7e4d94.jpg"
	}
}