Evilginx 3 flips the script on traditional phishing tools by embedding a full HTTP and DNS server stack written entirely in Go. This standalone man-in-the-middle framework runs as a transparent reverse proxy that intercepts user traffic, captures login credentials, and crucially, session cookies — effectively bypassing multi-factor authentication (MFA) without raising suspicion.
What Evilginx 3 does and how it works under the hood
Evilginx 3 is the successor to the original Evilginx tool released in 2017, which relied on a custom build of nginx to proxy traffic for phishing attacks. The new version rewrites the entire networking stack from scratch in Go, implementing both an HTTP and a DNS server internally. This removes external dependencies and simplifies deployment.
The core technique is reverse proxy phishing: Evilginx positions itself between a victim and a target service, transparently forwarding requests while modifying responses in real-time. This lets it inject JavaScript, rewrite URLs, and intercept authentication flows.
Unlike simple credential harvesters, Evilginx 3 captures session cookies after the victim logs in. By stealing these cookies, it can replay authenticated sessions without needing the user’s password or second-factor code, effectively bypassing MFA protections.
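A defender-side check for the cookie replay described above, as an added example that is not part of the original article or the Evilginx project: it flags a session ID later presented from a different IP address and user agent than the ones seen at login. The log layout, the field order, the function name and the 30-minute window are assumptions, and the sample log lines are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log: timestamp, session id, source IP, user agent, event.
SAMPLE_LOG = """\
2024-05-01T09:00:00,sess-a1,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/124,login
2024-05-01T09:00:05,sess-a1,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/124,request
2024-05-01T09:03:10,sess-a1,203.0.113.50,Mozilla/5.0 (X11; Linux x86_64) Firefox/125,request
2024-05-01T09:10:00,sess-b2,192.0.2.20,Mozilla/5.0 (Macintosh) Safari/17,login
2024-05-01T09:40:00,sess-b2,192.0.2.20,Mozilla/5.0 (Macintosh) Safari/17,request
"""


def find_replayed_sessions(log_text, window=timedelta(minutes=30)):
    """Return one alert per session reused by a client other than the one at login."""
    issued = {}      # session id -> (login time, ip, user agent)
    flagged = set()  # sessions already alerted on, to avoid duplicate alerts
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, sid, ip, ua, event = row
        when = datetime.fromisoformat(ts)
        if event == "login":
            issued[sid] = (when, ip, ua)
            continue
        if sid not in issued or sid in flagged:
            continue
        t0, ip0, ua0 = issued[sid]
        # Requiring both IP and user agent to change cuts noise from roaming
        # users (IP change only) and browser updates (user agent change only).
        if ip != ip0 and ua != ua0 and when - t0 <= window:
            flagged.add(sid)
            alerts.append({
                "session": sid,
                "issued_to": ip0,
                "seen_from": ip,
                "after_seconds": int((when - t0).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

When a login is proxied, the address recorded at login is the one the service saw, so the useful signal is the later change of client rather than the login address itself.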
Targets are defined using “phishlets” — configuration files that describe how to intercept and transform traffic for specific services. These phishlets include domain names, URL rewrite rules, and JavaScript injection points tailored to each target.
The architecture relies on Go’s concurrency features to handle both HTTP and DNS requests efficiently. The DNS server is crucial for redirecting domain requests to Evilginx’s proxy, making the attack seamless from the victim’s perspective.
Technical strengths and tradeoffs
The move from nginx to a fully Go-based HTTP and DNS server is a significant engineering choice. It provides zero external dependencies, easier cross-platform builds, and tighter integration between DNS and HTTP handling.
The codebase is surprisingly clean for a security research tool of this scope, with clear separation of concerns between the proxy engine, phishlet parsing, and networking layers. This makes it easier to extend or adapt phishlets for new targets.
However, implementing your own HTTP and DNS servers also comes with tradeoffs. The performance may not match battle-hardened web servers like nginx under heavy loads, and edge cases in HTTP/2 or DNS protocols might not be fully covered.
Security-wise, running a man-in-the-middle proxy for phishing is inherently risky and requires careful environment controls. The tool is BSD-3 licensed, but its offensive capabilities mean it’s primarily useful for security researchers and penetration testers.
The phishlet architecture is flexible but requires manual crafting and maintenance. Unlike generic proxies, each target service needs a custom phishlet to handle its specific login flows and session mechanics. This means keeping up with changes in target services is an ongoing effort.
Here’s a simplified snippet showing how a phishlet might specify domains and rewrite rules:
    phishlet:
      name: example
      domain:
        - login.example.com
      proxy_rules:
        - path: /login
          rewrite: /auth
          inject_js: true
This structure lets you tailor the proxy behavior precisely to the target, which is essential for capturing session cookies without breaking the user experience.
Explore the project
The repository’s README is the best starting point for understanding how to use Evilginx 3. While there isn’t a quickstart section with explicit commands, the README outlines the overall setup, phishlet usage, and operational guidance.
The core directories include:
- phishlets/: Contains predefined configurations for popular services.
- cmd/: Holds the main application entry points.
- internal/: Implements the HTTP and DNS server logic, proxy engine, and session management.
The documentation also points to a commercial Pro variant offering advanced evasion, bot protection, and automated deployment features, but the open-source edition remains a robust base for manual phishing campaigns.
Verdict
Evilginx 3 is a specialized tool built for security professionals who need to test the resilience of MFA and session protections in real-world scenarios. Its fully Go-based implementation of HTTP and DNS servers sets it apart from older tools that rely on external proxies.
That said, the tool demands a solid understanding of networking, proxy behavior, and phishlet crafting. It’s not a turnkey phishing kit but rather a framework that requires active maintenance and customization.
The tradeoffs in implementing custom servers mean it’s best suited for targeted engagements rather than high-scale phishing campaigns. If you’re looking to explore MFA bypass techniques or session hijacking in depth, Evilginx 3 is worth studying.
For everyday developers or sysadmins, the tool’s offensive nature and complexity mean it’s more of an educational resource than a practical tool to deploy. But for penetration testers and red teamers, it’s a clear example of how far you can go with Go’s networking capabilities to build transparent man-in-the-middle proxies.
→ GitHub Repo: kgretzky/evilginx2 ⭐ 15,028 · Go