{
	"id": "66c64e63-a843-418d-beec-a77cc38af242",
	"created_at": "2026-04-29T02:22:02.111254Z",
	"updated_at": "2026-04-29T08:21:29.238002Z",
	"deleted_at": null,
	"sha1_hash": "aa17b11a7db10fa11becdbf97a0f7d4843e85ad7",
	"title": "Evilginx 2.4 - Gone Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 218705,
	"plain_text": "Evilginx 2.4 - Gone Phishing\r\nBy Kuba Gretzky\r\nPublished: 2020-09-14 · Archived: 2026-04-29 02:06:19 UTC\r\nWelcome back everyone! I can expect everyone being quite hungry for Evilginx updates! I am happy to announce\r\nthat the tool is still kicking.\r\nIt's been a while since I've released the last update. This blog tells me that version 2.3 was released on January\r\n18th 2019. One and a half year is enough to collect some dust.\r\nI'll make sure the wait was worth it.\r\nFirst of all, I wanted to thank all you for invaluable support over these past years. I've learned about many of you\r\nusing Evilginx on assessments and how it is providing you with results. Such feedback always warms my heart\r\nand pushes me to expand the project. It was an amazing experience to learn how you are using the tool and what\r\ndirection you would like the tool to expand in. There were some great ideas introduced in your feedback and\r\npartially this update was released to address them.\r\nI'd like to give out some honorable mentions to people who provided some quality contributions and who made\r\nthis update happen:\r\n\u003e\u003e GET EVILGINX HERE \u003c\u003c\r\nSpecial Thanks!\r\nJulio @juliocesarfort - For constantly proving to me and himself that the tool works (sometimes even too well)!\r\nOJ Reeves @TheColonial - For constant great source of Australian positive energy and feedback and also for\r\nbeing always humble and a wholesome and awesome guy! Check out OJ's live hacking streams on Twitch.tv and\r\npray you're not matched against him in Rocket League!\r\npry @pry0cc - For pouring me many cups of great ideas, which resulted in great solutions! 
Also check out his\r\ngreat tool axiom!\r\nJason Lang @curiousjack - For being able to bend Evilginx to his will and in turn gave me ideas on what features\r\nare missing and needed.\r\n@an0nud4y - For sending that PR with amazingly well done phishlets, which inspired me to get back to Evilginx\r\ndevelopment.\r\nPepe Berba - For his incredible research and development of custom version of LastPass harvester! I still need to\r\nimplement this incredible idea in future updates.\r\nhttps://breakdev.org/evilginx-2-4-gone-phishing/\r\nPage 1 of 10\n\nAidan Holland @thehappydinoa - For spending his free time creating these super helpful demo videos and helping\r\nkeep things in order on Github.\r\nLuke Turvey @TurvSec - For featuring Evilginx and for creating high quality tutorial hacking videos on his\r\nYoutube channel\r\nSo, again - thank you very much and I hope this tool will stay relevant to your work for the years to come and may\r\nit bring you lots of pwnage! Just remember to let me know on Twitter via DM that you are using it and about any\r\nideas you're having on how to expand it further!\r\nHere is the list of upcoming changes:\r\n2.4.0\r\nFeature: Create and set up pre-phish HTML templates for your campaigns. Create your HTML file and\r\nplace {lure_url_html} or {lure_url_js} in code to manage redirection to the phishing page with any\r\nform of user interaction. Command: lures edit \u003cid\u003e template \u003ctemplate\u003e\r\nFeature: Create customized hostnames for every phishing lure. Command: lures edit \u003cid\u003e hostname\r\n\u003chostname\u003e .\r\nFeature: Support for routing connection via SOCKS5 and HTTP(S) proxies. Command: proxy .\r\nFeature: IP blacklist with automated IP address blacklisting and blocking on all or unauthorized requests.\r\nCommand: blacklist\r\nFeature: Custom parameters can now be embedded encrypted in the phishing url. 
Command: lures get-url \u003cid\u003e param1=value1 param2=\"value2 with spaces\" .\r\nFeature: Requests to phishing urls can now be rejected if User-Agent of the visitor doesn't match the\r\nwhitelist regular expression filter for given lure. Command: lures edit \u003cid\u003e ua_filter \u003cregexp\u003e\r\nList of custom parameters can now be imported directly from file (text, csv, json). Command: lures get-url \u003cid\u003e import \u003cparams_file\u003e .\r\nGenerated phishing urls can now be exported to file (text, csv, json). Command: lures get-url \u003cid\u003e\r\nimport \u003cparams_file\u003e export \u003cexport_file\u003e \u003ctext|csv|json\u003e .\r\nFixed: Requesting LetsEncrypt certificates multiple times without restarting. Subsequent requests would\r\nresult in \"No embedded JWK in JWS header\" error.\r\nRemoved setting custom parameters in lures options. Parameters will now only be sent encoded with the\r\nphishing url.\r\nAdded with_params option to sub_filter allowing to enable the sub_filter only when specific\r\nparameter was set with the phishing url.\r\nMade command help screen easier to read.\r\nImproved autofill for lures edit commands and switched positions of \u003cid\u003e and the variable name.\r\nIncreased the duration of whitelisting authorized connections for whole IP address from 15 seconds to 10\r\nminutes.\r\nI'll explain the most prominent new features coming in this update, starting with the most important feature of\r\nthem all.\r\nPre-phish HTML Templates\r\nFirst of all let's focus on what happens when Evilginx phishing link is clicked. 
It verifies that the URL path\r\ncorresponds to a valid existing lure and immediately shows you proxied login page of the targeted website.\r\nIf that link is sent out into the internet, every web scanner can start analyzing it right away and eventually, if they\r\ndo their job, they will identify and flag the phishing page.\r\nPre-phish HTML templates add another step in, before the redirection to phishing page takes place. You can create\r\nyour own HTML page, which will show up before anything else. On this page, you can decide how the visitor will\r\nbe redirected to the phishing page.\r\nOne idea would be to show up a \"Loading\" page with a spinner and have the page wait for 5 seconds before\r\nredirecting to the destination phishing page. Another one would be to combine it with some social engineering\r\nnarration, showing the visitor a modal dialog of a file shared with them and the redirection would happen after\r\nvisitor clicks the \"Download\" button.\r\nPre-phish page requiring the visitor to click the download button before being redirected to the\r\nphishing page.\r\nEvery HTML template supports customizable variables, which values can be delivered embedded with the\r\nphishing link (more info on that below).\r\nThere are also two variables which Evilginx will fill out on its own. These are:\r\n{lure_url} : This will be substituted with an unquoted URL of the phishing page. This one is to be used inside\r\nyour HTML code. Example output: https://your.phish.domain/path/to/phish\r\n{lure_url_js} : This will be substituted with obfuscated quoted URL of the phishing page. Obfuscation is\r\nrandomized with every page load. This one is to be used inside of your Javascript code. Example output:\r\n'h' + 't' + 'tp' + 's:/' + '/' + 'c' + 'hec' + 'k.' + 't' + 'his' + '.ou' + 't' + '.fa' + 'k' + 'e' + '.' 
+ 'co\nThe first variable can be used with HTML tags like so:\r\n[Click here]({lure_url})\r\nWhile the second one should be used with your Javascript code:\r\nwindow.location.assign({lure_url_js});\r\nIf you want to use values coming from custom parameters, which will be delivered embedded with the phishing URL, put placeholders in your template with the parameter name surrounded by curly brackets: {parameter_name}\r\nYou can check out one of the sample HTML templates I released, here: download_example.html\r\nHTML source code of example template\r\nOnce you create your HTML template, you need to set it for any lure of your choosing. Remember to put your template file in /templates directory in the root Evilginx directory or somewhere else and run Evilginx by specifying the templates directory location with -t command line argument.\r\nSet up templates for your lures using this command in Evilginx:\r\nlures edit templates\r\nCustom Parameters in Phishing Links\r\nIn previous versions of Evilginx, you could set up custom parameters for every created lure. This didn't work well\r\nat all as you could only provide custom parameters hardcoded for one specific lure, since the parameter values\r\nwere stored in database assigned to lure ID and were not dynamically delivered.\r\nThis is changing with this version. Storing custom parameter values in lures has been removed and it's been\r\nreplaced with attaching custom parameters during phishing link generation. This allows for dynamic\r\ncustomization of parameters depending on who will receive the generated phishing link.\r\nIn the example template, mentioned above, there are two custom parameter placeholders used. 
You can specify\r\n{from_name} and {filename} to display a message who shared a file and the name of the file itself, which will\r\nbe visible on the download button.\r\nTo generate a phishing link using these custom parameters, you'd do the following:\r\nlures get-url 0 from_name=\"Ronald Rump\" filename=\"Annual Salary Report.xlsx\"\r\nRemember - quoting values is only required if you want to include spaces in parameter values. You can also\r\nescape quotes with \\ e.g. variable1=with\\\"quote .\r\nThis will generate a link, which may look like this:\r\nhttps://onedrive.live.fake.com/download/912381236/Annual_Salary_Report.xlsx?vLT=hvQzgP8bXoSOWvfYKkd5aMsvRgsLEXq\r\nAs you can see both custom parameter values were embedded into a single GET parameter. The parameter name is\r\nrandomly generated and its value consists of a random RC4 encryption key, checksum and a base64 encoded\r\nencrypted value of all embedded custom parameter. This ensures that the generated link is different every time,\r\nmaking it hard to write static detection signatures for. There is also a simple checksum mechanism implemented,\r\nwhich invalidates the delivered custom parameters if the link ever gets corrupted in transit.\r\nDon't forget that custom parameters specified during phishing link generation will also apply to variable\r\nplaceholders in your js_inject injected Javascript scripts in your phishlets.\r\nIt is important to note that you can change the name of the GET parameter, which holds the encrypted custom\r\nparameters. You can also add your own GET parameters to make the URL look how you want it. 
Evilginx is smart\r\nenough to go through all GET parameters and find the one which it can decrypt and load custom parameters from.\r\nFor example if you wanted to modify the URL generated above, it could look like this:\r\nhttps://onedrive.live.fake.com/download/912381236/Annual_Salary_Report.xlsx?token=hvQzgP8bXoSOWvfYKkd5aMsvRgsLE\r\nGenerating phishing links one by one is all fun until you need 200 of them, with each requiring different sets of\r\ncustom parameters. Thankfully this update also got you covered.\r\nYou can now import custom parameters from file in text, CSV and JSON format and also export the generated\r\nlinks to text, CSV or JSON. You can also just print them on the screen if you want.\r\nImporting custom parameters from file to generate three phishing links\r\nCustom parameters to be imported in text format would look the same way as you would type in the parameters\r\nafter lures get-url command in Evilginx interface:\r\nemail=honeybunny@gmail.com name=\"Katelyn Wells\"\r\nemail=muchdork@yahoo.com name=\"George Doh\" delay=5000\r\nemail=i.r.john@hotmail.com name=\"John Cena\"\r\nparams.txt\r\nIf you wanted to use CSV format:\r\nemail,name,delay\r\nhoneybunny@gmail.com,\"Katelyn Wells\",\r\nmuchdork@yahoo.com,\"George Doh\",5000\r\ni.r.john@hotmail.com,\"John Cena\",\r\nparams.csv\r\nAnd lastly JSON:\r\n[\r\n{\r\n\"email\":\"honeybunny@gmail.com\",\r\n\"name\":\"Katelyn Wells\"\r\n},\r\n{\r\n\"email\":\"muchdork@yahoo.com\",\r\n\"name\":\"George Doh\",\r\n\"delay\":\"5000\"\r\n},\r\n{\r\n\"email\":\"i.r.john@hotmail.com\",\r\n\"name\":\"John Cena\"\r\n}\r\n]\r\nparams.json\r\nFor import files, make sure to suffix a filename with file extension according to the data format you've decided to\r\nuse, so .txt for text format, .csv for CSV format and .json for JSON.\r\nGenerating phishing links by importing custom 
parameters from file can be done as easily as:\r\nlures get-url \u003cid\u003e import \u003cimport_file\u003e\r\nNow if you also want to export the generated phishing links, you can do it with export parameter:\r\nlures get-url \u003cid\u003e import \u003cimport_file\u003e export \u003cexport_file\u003e \u003ctext|csv|json\u003e\r\nLast command parameter selects the output file format.\r\nCustom Hostnames for Phishing Links\r\nNormally if you generated a phishing URL from a given lure, it would use a hostname which would be a\r\ncombination of your phishlet hostname and a primary subdomain assigned to your phishlet. During assessments,\r\nmost of the time hostname doesn't matter much, but sometimes you may want to give it a more personalized feel\r\nto it.\r\nThat's why I wanted to do something about it and make the phishing hostname, for any lure, fully customizable.\r\nSince Evilginx is running its own DNS, it can successfully respond to any DNS A request coming its way.\r\nSo now instead of being forced to use a phishing hostname of e.g. www.linkedin.phishing.com , you can change\r\nit to whatever you want like this.is.totally.not.phishing.com . Of course this is a bad example, but it shows\r\nthat you can go totally wild with the hostname customization and you're no longer constrained by pre-defined\r\nphishlet hostnames. Just remember that every custom hostname must end with the domain you set in the config.\r\nYou can change lure's hostname with a following command:\r\nlures edit \u003cid\u003e hostname \u003cyour_hostname\u003e\r\nAfter the change, you will notice that links generated with get-url will use the new hostname.\r\nUser-Agent Filtering\r\nThis is a feature some of you requested. It allows you to filter requests to your phishing link based on the\r\noriginating User-Agent header. 
Just set an ua_filter option for any of your lures, as a whitelist regular\r\nexpression, and only requests with matching User-Agent header will be authorized.\r\nAs an example, if you'd like only requests from iPhone or Android to go through, you'd set a filter like so:\r\nlures edit \u003cid\u003e ua_filter \".*(Android|iPhone).*\"\r\nHTTP \u0026 SOCKS5 Proxy Support\r\nYou can finally route the connection between Evilginx and targeted website through an external proxy.\r\nThis may be useful if you want the connections to specific website originate from a specific IP range or specific\r\ngeographical region. It may also prove useful if you want to debug your Evilginx connection and inspect packets\r\nusing Burp proxy.\r\nYou can check all available commands on how to set up your proxy by typing in:\r\nhelp proxy\r\nMake sure to always restart Evilginx after you enable proxy mode, since it is the only surefire way to reset all\r\nalready established connections.\r\nIP Blacklist\r\nIf you don't want your Evilginx instance to be accessed from unwanted sources on the internet, you may want to\r\nadd specific IPs or IP ranges to blacklist. You can always find the current blacklist file in:\r\n~/.evilginx/blacklist.txt\r\nBy default automatic blacklist creation is disabled, but you can easily enable it using one of the following options:\r\nblacklist unauth\r\nThis will automatically blacklist IPs of unauthorized requests. This includes all requests, which did not point to a\r\nvalid URL specified by any of the created lures.\r\nblacklist on\r\nThis will blacklist IP of EVERY incoming request, despite it being authorized or not, so use caution. This will\r\neffectively block access to any of your phishing links. 
You can use this option if you want to send out your\r\nphishing link and want to see if any online scanners pick it up.\r\nIf you want to add IP ranges manually to your blacklist file, you can do so by editing blacklist.txt file in any\r\ntext editor and add the netmask to the IP:\r\n134.123.0.0/16\r\nYou can also freely add comments prepending them with semicolon:\r\n; this is a comment\r\n18.123.445.0/24 ;another comment\r\nNew with_params Option for Phishlets\r\nYou can now make any of your phishlet's sub_filter entries optional and have them kick in only if a specific\r\ncustom parameter is delivered with the phishing link.\r\nYou may for example want to remove or replace some HTML content only if a custom parameter target_name is\r\nsupplied with the phishing link. This may allow you to add some unique behavior to proxied websites. All\r\nsub_filters with that option will be ignored if specified custom parameter is not found.\r\nYou can add it like this:\r\nsub_filters:\r\n- {triggers_on: 'auth.website.com', orig_sub: 'auth', domain: 'website.com', search: '\u003cbody\\s', replace: '\u003cbody\r\nThis will hide the page's body only if target_name is specified. Later the added style can be removed\r\nthrough injected Javascript in js_inject at any point.\r\nQuality of Life Updates\r\nI've also included some minor updates. There are some improvements to Evilginx UI making it a bit more visually\r\nappealing. Fixed some bugs I found on the way and did some refactoring. All the changes are listed in the\r\nCHANGELOG above.\r\nEpilogue\r\nI'm glad Evilginx has become a go-to offensive software for red teamers to simulate phishing attacks. It shows that\r\nit is not being just a proof-of-concept toy, but a full-fledged tool, which brings reliability and results during\r\npentests.\r\nI hope some of you will start using the new templates feature. 
I welcome all quality HTML templates\r\ncontributions to Evilginx repository!\r\nIf you have any ideas/feedback regarding Evilginx or you just want to say \"Hi\" and tell me what you think about\r\nit, do not hesitate to send me a DM on Twitter.\r\nAlso please don't ask me about phishlets targeting XYZ website as I will not provide you with any or help you\r\ncreate them. Evilginx is a framework and I leave the creation of phishlets to you. There are already plenty of\r\nexamples available, which you can use to learn how to create your own.\r\nHappy phishing!\r\nFind me on Twitter: @mrgretzky\r\nEmail: kuba@breakdev.org\r\nSource: https://breakdev.org/evilginx-2-4-gone-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://breakdev.org/evilginx-2-4-gone-phishing/"
	],
	"report_names": [
		"evilginx-2-4-gone-phishing"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-29T06:58:57.828576Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-29T06:58:57.944337Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-29T06:58:57.777996Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429322,
	"ts_updated_at": 1777450889,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa17b11a7db10fa11becdbf97a0f7d4843e85ad7.pdf",
		"text": "https://archive.orkl.eu/aa17b11a7db10fa11becdbf97a0f7d4843e85ad7.txt",
		"img": "https://archive.orkl.eu/aa17b11a7db10fa11becdbf97a0f7d4843e85ad7.jpg"
	}
}