{
	"id": "2fc8176c-d13e-495a-ac2c-dc6d916be032",
	"created_at": "2026-04-29T02:20:45.561194Z",
	"updated_at": "2026-04-29T08:23:08.487642Z",
	"deleted_at": null,
	"sha1_hash": "b5d12492eb5c44cdc8f11d91479cba08b050e634",
	"title": "Evilginx 3.3 - Go \u0026 Phish",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199086,
	"plain_text": "Evilginx 3.3 - Go \u0026 Phish\r\nBy Kuba Gretzky\r\nPublished: 2024-04-02 · Archived: 2026-04-29 02:06:42 UTC\r\nLong time no hear in terms of Evilginx updates. While I'm still working on the release of Evilginx Pro, I've\r\ndecided to fix a few issues and add new features to the public version of Evilginx, in the meantime.\r\nFirst of all, I wanted to thank everyone for the great feedback and insightful discussions in the BREAKDEV RED\r\ncommunity Discord. All of the reported issues and suggestions led to the improvement of Evilginx and this update\r\nis the fruit of such great community feedback.\r\nAdditionally, I wanted to use this opportunity to thank everyone for sending their applications to access\r\nBREAKDEV RED. We've gathered an incredible number of security professionals (almost 850 at the time of\r\nwriting) and every day I'm learning something new from you guys, which I'm super grateful for. Hell, I've even\r\nfinally fully understood how to properly configure the SPF/DKIM/DMARC combo thanks to all the discussion on\r\nthe subject.\r\nVetting the applications takes a lot of time and before I open the registrations again, to the public, I'd like to\r\nautomate the verification process a bit. Once I do this, requesting access to the community should be more\r\naccessible to everyone.\r\nAllowing access only to red teamers with a clean conscience is still of utmost importance to me and it is the base\r\nfor creating a friendly atmosphere, which fuels guilt-free information sharing.\r\nThis time I have something special for you. Never before have I had a request so popular that it was mentioned in\r\n90% of all BREAKDEV RED application forms. 
Let it be known that your pleas have been heard.\r\nEvilginx has an official integration with GoPhish by Jordan Wright from now on!\r\nThat's right - you will finally be able to create phishing campaigns for sending emails with valid Evilginx lure\r\nURLs and enjoy all the benefits of GoPhish's lovely UI, seeing which emails were opened, which lure URLs were\r\nclicked and which clicks resulted in successful session capture.\r\nHere is the full list of changes coming in Evilginx 3.3 together with a full guide on how to use all the new\r\nfeatures.\r\nGoPhish Support\r\nI've forked GoPhish and added the integration with Evilginx in the cleanest way possible. If you were using your\r\ncustom version of GoPhish, merging Evilginx integration with your own fork should be relatively easy.\r\nhttps://breakdev.org/evilginx-3-3-go-phish/\r\nPage 1 of 9\n\nI have made the integration in such a way that Evilginx will be notifying GoPhish of the following events, which\r\noccur:\r\nA hidden image tracker is triggered when the email is opened. The tracker image is just a lure URL\r\nwith specific parameters to let Evilginx know it should be used as a tracker.\r\nA phishing link is clicked within the email message. The phishing link within the email message sent\r\nthrough GoPhish is just the lure URL with embedded parameters.\r\nThe session is successfully captured with Evilginx. Once Evilginx gathers the credentials and logs the\r\ncookies, it will notify GoPhish that the data has been submitted.\r\nI've exposed additional API endpoints in GoPhish to make it possible to change the results status for every sent\r\nemail.\r\nNow, when you create a new campaign in GoPhish, you do not have a \"Landing Page\" to select. 
Instead, you will\r\ngenerate a lure URL in Evilginx and paste it into the \"Evilginx Lure URL\" text box.\r\nWhat's more, GoPhish will automatically generate the encrypted custom parameters with personalized content,\r\nretrievable by Evilginx, for each embedded link. The personalized values embedded with every phishing link\r\nembedded within the generated email message are the following:\r\nFirst Name ( fname )\r\nLast Name ( lname )\r\nEmail ( email )\r\nThis is super useful as you can use the custom parameters further to customize the content on your phishing pages\r\nwithin your js_inject scripts.\r\nLet's say you wanted to pre-fill the email in the sign-in text box on the phishing page. Now you can just use the\r\n{email} placeholder within your injected script and you can be sure that GoPhish will deliver the right value for\r\nyou. The same goes for {fname} and {lname} .\r\nGoPhish will also embed the rid (Result ID) in the phishing link's parameters, so that Evilginx will know for\r\nwhich result it should update the status.\r\nYou can monitor the status of your mailing campaigns and check email deliverability, straight from GoPhish, but\r\nEvilginx will be the only side storing the credentials and authentication cookies.\r\nHow to set up GoPhish with Evilginx?\r\nFirst of all, you need to get GoPhish from my forked GoPhish repository. You can either clone the source\r\ncode and build it yourself or you can grab the binaries from releases.\r\nDeploy GoPhish on the external server. It doesn't have to be the same server Evilginx is running on, but it will\r\nhave to be reachable by your Evilginx instances. 
You can find out how to install GoPhish in its official\r\ndocumentation.\r\nOnce you have GoPhish running on a remote server and you also have Evilginx deployed and ready for action,\r\nyou will need to tell Evilginx how it can communicate with your GoPhish server.\r\nConfiguring Evilginx\r\nFor this, you will need the Admin URL of your GoPhish instance and the API key. You can find the API key\r\nwithin the Account Settings in your GoPhish admin panel. To figure out the IP and port of your GoPhish instance,\r\nrefer to the official documentation.\r\nYou can find the GoPhish API key in the Account Settings\r\nFor example, if your GoPhish admin server is running on an IP 1.2.3.4 listening on port 3333 , with TLS\r\nenabled, you can set it up as follows:\r\nconfig gophish admin_url https://1.2.3.4:3333\r\nconfig gophish api_key c60e5bce24856c2c473c4560772\r\nIf you do not use a valid TLS certificate for the exposed GoPhish instance, you may need to allow insecure TLS\r\nconnections as well (such connections can be man-in-the-middled, so tread carefully):\r\nconfig gophish insecure true\r\nOnce all this is configured, your Evilginx instance is ready to go. You can test if the communication with GoPhish\r\nworks properly by issuing the command:\r\nconfig gophish test\r\nConfiguring GoPhish\r\nHere I am assuming you are familiar with how to use GoPhish. If not, feel free to check out the documentation on\r\nhow to get started.\r\nMake sure GoPhish is running either in a tmux session or you set it up to run as a daemon. You can find more\r\ninformation on how to do it in this GitHub issue.\r\nOnce you have everything properly set up, it is time to set up your Campaign. Create the new campaign and then\r\nselect the Email Template, Sending Profile and the group of recipients. 
You may notice that instead of being asked\r\nfor the Landing Page profile you need to provide the Evilginx Lure URL.\r\nOpen your Evilginx instance, create the lure and grab the lure URL you want to send out in your phishing\r\ncampaign, using the command:\r\nlures get-url \u003cid\u003e\r\nCopy this URL and paste it into the Evilginx Lure URL text field of the campaign creation panel.\r\nThat's it! You can now send out the campaign emails while enjoying the full overview of your campaign progress\r\nwithin the GoPhish UI.\r\nCustom TLS Certificates\r\nSince the release of Evilginx 3.0, the tool has been using certmagic library for TLS certificate management with\r\nautomated LetsEncrypt TLS certificate registration. Having to use only LetsEncrypt certificates is often not ideal\r\nas it may mark your phishing server, on an engagement, as suspicious.\r\nMany people have requested support to use their own TLS certificates with Evilginx, including the wildcard\r\ncertificates. This feature has finally been implemented.\r\nTo add your own TLS certificates, first, create a new directory under ~/.evilginx/crt/sites/ with the name of\r\nyour website or hostname. The name does not matter and it can be anything you choose.\r\nEvilginx will scan these directories looking for the public X509 certificate and the private key used to sign the\r\ncertificate. The X509 certificate should have either the .pem or .crt extension, while the private key should\r\nhave the .key extension.\r\nFor convenience, Evilginx will also recognize the keypair generated by CertBot, where the public certificate is\r\nnamed fullchain.pem and the private key is privkey.pem . 
You can copy both files into the same directory to\r\nadd such a TLS certificate generated by CertBot.\r\nOnce you put your custom TLS certificates in the right place, don't forget to disable automated LetsEncrypt\r\ncertificate retrieval with:\r\nconfig autocert off\r\nIMPORTANT! Make sure the private key files are not password-protected or otherwise Evilginx may fail to load\r\nthem.\r\nExample 1:\r\n~/.evilginx/crt/sites/wildcard.domain.com/fullchain.pem\r\n~/.evilginx/crt/sites/wildcard.domain.com/privkey.pem\r\nExample 2:\r\n~/.evilginx/crt/sites/my_certificate/public.crt\r\n~/.evilginx/crt/sites/my_certificate/private.key\r\nCertMagic library will automatically add the TLS certificates to the managed pool and it will automatically\r\nrespond with a valid TLS certificate.\r\nHTTP Proxy IP Detection\r\nI know some of you use Caddy, Apache or Nginx as an additional proxy layer, sitting in front of the Evilginx\r\ninstance. This created an issue for Evilginx to properly detect the origin IP address of incoming requests. Since all\r\nrequests were proxied through a local web server, the origin IP would default to 127.0.0.1 , completely ignoring\r\nthe additional HTTP headers added by the proxies, with the correct origin IP addresses as values.\r\nSince this update, Evilginx will properly recognize the origin IP address of all proxied HTTP requests. 
The list of\r\nmonitored HTTP headers is as follows:\r\nX-Forwarded-For\r\nX-Real-IP\r\nX-Client-IP\r\nConnecting-IP\r\nTrue-Client-IP\r\nClient-IP\r\nJSON support in force_post\r\nThanks to @yudasm_ contribution, you can now enjoy injecting your custom POST parameters within body\r\ncontents transmitted in JSON format.\r\nCheck out Yehuda's recent blog post on how he used this feature to evade FIDO2 authentication when phishing\r\nMS365 accounts.\r\nFixed a bug used to detect Evilginx\r\nKeanu Nys reported an issue, in the BREAKDEV RED channel, where he found that one of the online URL\r\nscanners he used was able to open the phishing page by visiting the URL with just a hostname, without a valid\r\nlure URL path.\r\nThere was a bug in Evilginx, which would only enforce valid lure URLs for phishing hostnames, which were\r\ndefined with session: true in the proxy_hosts section of the phishlet file.\r\nUpon closer inspection, I've decided that the session parameter never made sense and it is now obsolete. Every\r\nproxy_hosts entry is treated as if session was set to true .\r\nKeanu wrote a great post-mortem post about the bug he found, so if you're interested in learning more about it,\r\nyou can find it here.\r\nFixed the infinite redirection loop\r\nEvilginx, since forever, had a very annoying bug, which would trigger the infinite redirection loop, whenever the\r\nlure URL path was set to be the same as the login path of the targeted website.\r\nThis has now been fixed and Evilginx will also make an additional check to compare if the lure URL contains the\r\nvalid phishing domain used by the landing phishing page.\r\nAdded support for more TLDs\r\nOver the years, there have been multiple new TLDs launched for registering domains. 
Evilginx will try hard to\r\ndetect all URLs in proxied packets and convert them either from phishing domains to original domains or from\r\noriginal domains to phishing domains.\r\nTo be more efficient, it relies on the detection of URLs ending with known TLDs. Some of the newer TLDs have\r\nnot been supported and this update changes that.\r\nHere is the new list of all supported TLDs:\r\naero\r\narpa\r\nart\r\nbiz\r\nbot\r\ncat\r\nclick\r\ncloud\r\nclub\r\ncom\r\ncoop\r\nedu\r\ngame\r\ngov\r\ninc\r\ninfo\r\nink\r\nint\r\njobs\r\nlive\r\nlol\r\nmil\r\nmobi\r\nmuseum\r\nname\r\nnet\r\nonline\r\norg\r\npro\r\nroot\r\nshop\r\nsite\r\ntech\r\ntel\r\ntoday\r\ntravel\r\nvip\r\nwiki\r\nxyz\r\n[all known 2 character TLDs]\r\nChangelog\r\nHere is the whole Evilginx 3.3 changelog with some additional changes and fixes I did not mention in this post:\r\n3.3.0\r\nFeature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish\r\nFeature: Added support to load custom TLS certificates from a public certificate file and a private key file\r\nstored in ~/.evilginx/crt/sites/\u003chostname\u003e/ . Will load fullchain.pem and privkey.pem pair or a\r\ncombination of a .pem / .crt (public certificate) and a .key (private key) file. 
Make sure to run\r\nwithout -developer flag and disable autocert retrieval with config autocert off .\r\nFeature: Added ability to inject force_post POST parameters into JSON content body (by @yudasm_).\r\nFeature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with config\r\nautocert \u003con/off\u003e .\r\nFeature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy\r\n(nginx/apache2/cloudflare/azure).\r\nFixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.\r\nFixed: Added support for exported cookies with names prefixed with __Host- and __Secure- .\r\nFixed: Global unauth_url can now be set to an empty string to have the server return 403 on\r\nunauthorized requests.\r\nFixed: Unauthorized redirects and blacklisting would be ignored for proxy_hosts with session: false\r\n(default) making it easy to detect evilginx by external scanners.\r\nFixed: IP address 127.0.0.1 is now ignored from being added to the IP blacklist.\r\nFixed: Added support for more TLDs to use with phishing domains (e.g. xyz , art , tech , wiki ,\r\nlol \u0026 more)\r\nFixed: Credentials will now be captured also from intercepted requests.\r\nConclusion\r\nI'm happy to have finally been able to include the most requested features, together with some quality-of-life\r\nimprovements, before the Evilginx Pro release this year.\r\nPlease let me know your feedback about the update, either on Twitter @mrgretzky or in BREAKDEV RED\r\nDiscord.\r\nLooking forward to your opinion!\r\nIf you're reading this before 3rd April 2024, you can still get a 30% discount for the Evilginx Mastery course,\r\nwhich I am constantly updating and you get access for a lifetime. 
Expect to see the GoPhish integration guide\r\nadded sometime in the future.\r\nHappy phishing!\r\n-- Kuba Gretzky\r\nSource: https://breakdev.org/evilginx-3-3-go-phish/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://breakdev.org/evilginx-3-3-go-phish/"
	],
	"report_names": [
		"evilginx-3-3-go-phish"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-29T06:58:58.283088Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-29T06:58:56.71798Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429245,
	"ts_updated_at": 1777450988,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5d12492eb5c44cdc8f11d91479cba08b050e634.pdf",
		"text": "https://archive.orkl.eu/b5d12492eb5c44cdc8f11d91479cba08b050e634.txt",
		"img": "https://archive.orkl.eu/b5d12492eb5c44cdc8f11d91479cba08b050e634.jpg"
	}
}