Evilginx2
Evilginx2 is an open-source adversary-in-the-middle (AiTM) phishing framework and reverse-proxy toolkit used to intercept authentication flows between victims and legitimate websites. The provided content describes it as a reverse proxy that sits between the victim and the target service, carrying out AiTM attacks (MITRE ATT&CK T1557) to capture login credentials, multifactor authentication material, and authenticated web session cookies. It can route traffic between a phishing victim and legitimate websites via SOCKS5 and HTTP(S) proxies.
The content directly associates Evilginx2 with MFA-bypass phishing operations that steal credentials and session tokens in real time. It is specifically described as being used to obtain MFA credentials, login credentials, and session cookies, enabling session hijacking and account takeover even where MFA is deployed. The material also notes that AiTM frameworks such as Evilginx2 and Modlishka are used for real-time interception of session tokens, and that such attacks are only partially constrained by newer browser protections such as Device Bound Session Credentials, because attackers may still use an intercepted token within its short validity window.
Operationally, the content notes that phishing flows involving Evilginx2 may require the attacker to remain in the middle of the session so that short-lived authentication URLs or tokens do not expire during the interaction. It is referenced as a commonly cited toolkit in discussions of modern phishing infrastructure and is linked to public references including breakdev.org and the GitHub repository at github.com/kgretzky/evilginx2.
Threat-actor associations in the content include ALPHV/BlackCat affiliates, which reportedly use Evilginx2 to obtain MFA credentials, login credentials, and session cookies during intrusions. CERT Intrinsec also identified Evilginx2 as a tool used to weaponize AiTM phishing attacks observed in 2025 incidents affecting French organizations, including attacks against Microsoft/Entra ID-related authentication flows. The content further lists Evilginx2 among tools associated with the Russian espionage group IRON FRONTIER, also tracked as Callisto Group, COLDRIVER, Star Blizzard, and SEABORGIUM.
Targeting reflected in the content is broad and depends on the operator rather than the framework itself. Referenced victim environments include enterprise identity and cloud authentication workflows, legitimate websites proxied during phishing, Microsoft 365/Entra ID contexts, and campaigns tied to ransomware, espionage, and large-scale credential theft. No malware-style file hashes or standalone host-based IOCs for Evilginx2 itself are provided in the content.
Groups observed using it
7 distinct threat actors attributed by public researchers.
"...with the help of an Adversary-in-the-Middle (AitM) toolkit like EvilGinx2, could quickly provision most of the necessary infrastructure to perpetrate an attack..."
References
https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
...
https://github.com/kgretzky/evilginx2
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
...steal session cookies, then logged into the console from attacker machine while the session from victim machine was also connected.
IRON FRONTIER is a Russian threat group that conducts targeted spearphishing against military and government organizations, journalists, and think tanks in Europe, the United States, and Russia's near abroad.
"Phishing kits that use a transparent reverse proxy to present the actual target website to the victim and allow attackers to capture the username and password entered by the victims AND the session cookie."
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (1 technique)
Credential Access (3 techniques)
Victims are led to credential harvesting sites run by IRON FRONTIER, who likely use the stolen credentials to gain access to sensitive email communications and documents.
The IdP issues the session cookie -> the proxy intercepts it - Steal Web Session Cookie (T1539, Credential Access)
Adversary-in-the-Middle (T1557, Credential Access / Collection) - the main vector that actually works against passkeys in a corporate environment. The attacker does not try to steal the credential; they proxy the legitimate authentication through their own server and intercept the session cookie after successful authorization.
Lateral Movement (1 technique)
The attacker imports the cookie -> Web Session Cookie (T1550.004, Lateral Movement) -> access to the organization's resources
Collection (3 techniques)
This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location.
Command and Control (2 techniques)
The content repeatedly describes threat actors, malware, and campaigns using HTTP, HTTPS, HTTP GET/POST, cookies in headers, WebSockets/WSS, and web APIs for command and control or related communications.
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
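The Credential Access and Lateral Movement entries above describe the same session cookie being held by the victim's browser and replayed by the attacker at once. The following is an added detection example, not Evilginx2 code or any vendor's rule; it runs over constructed, hypothetical access-log records and flags a session used from two client fingerprints within a short window.

```python
"""Flag a web session that is in use from two different clients at once.

Added example, not Evilginx2 code or any vendor's detection rule. The records
below are constructed, hypothetical access-log entries (RFC 5737 IPs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: sess-A1 is used by the victim (203.0.113.10) and,
# minutes later, from a second host with another user agent while the victim
# is still active. sess-B2 changes IP hours apart (benign roaming, no alert).
SAMPLE_LOG = [
    {"ts": "2025-03-10T09:00:05Z", "session": "sess-A1", "src_ip": "203.0.113.10", "ua": "Chrome/122 Windows"},
    {"ts": "2025-03-10T09:03:40Z", "session": "sess-A1", "src_ip": "203.0.113.10", "ua": "Chrome/122 Windows"},
    {"ts": "2025-03-10T09:05:12Z", "session": "sess-A1", "src_ip": "198.51.100.77", "ua": "Firefox/124 Linux"},
    {"ts": "2025-03-10T09:06:00Z", "session": "sess-A1", "src_ip": "203.0.113.10", "ua": "Chrome/122 Windows"},
    {"ts": "2025-03-10T08:30:00Z", "session": "sess-B2", "src_ip": "192.0.2.5", "ua": "Safari/17 macOS"},
    {"ts": "2025-03-10T12:10:00Z", "session": "sess-B2", "src_ip": "192.0.2.9", "ua": "Safari/17 macOS"},
    {"ts": "2025-03-10T09:15:00Z", "session": "sess-C3", "src_ip": "192.0.2.20", "ua": "Chrome/122 Windows"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(records, window=timedelta(minutes=30)):
    """Return (session, first_ip, second_ip, seconds_apart) for each session
    seen from two client fingerprints (source IP, user agent) within `window`.

    Two fingerprints holding one session inside the window is the signature
    of cookie replay after AiTM capture; a change after a long gap is ignored.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append((parse_ts(rec["ts"]), rec["src_ip"], rec["ua"]))
    alerts = []
    for session, events in by_session.items():
        events.sort()  # chronological order, so neighbours are consecutive uses
        for (t_prev, ip_prev, ua_prev), (t_cur, ip_cur, ua_cur) in zip(events, events[1:]):
            if (ip_prev, ua_prev) != (ip_cur, ua_cur) and t_cur - t_prev <= window:
                alerts.append((session, ip_prev, ip_cur, int((t_cur - t_prev).total_seconds())))
                break  # one alert per session is enough for triage
    return alerts
```

In production the fingerprint would come from the IdP's sign-in or audit logs and the window from the service's session lifetime; the logic is the same.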
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Adversary-in-the-middle phishing framework referenced as a comparison point for handling session-based phishing flows.
Reverse-proxy framework for AiTM attacks that transparently relays authentication, captures session tokens in real time, and enables immediate session replay after MFA is completed by the victim.
A phishing and adversary-in-the-middle framework used to capture session cookies and bypass MFA, enabling browser session hijacking and unauthorized account access.
Adversary-in-the-Middle phishing framework used to capture credentials and authenticated sessions, bypassing MFA protections in Microsoft 365/Entra ID attacks.