Evilginx Pro is finally here!
This is it! After over two years of development, countless delays, and hundreds of manual company verifications, concluded with multiple hurdles related to export regulations, Evilginx Pro is finally live!
To celebrate, the Evilginx Mastery course is having a 30% OFF sale. Use this coupon to redeem a discount: EVILGINX
The idea to release a professional version of the Evilginx phishing framework originated several years ago when I developed the first version of Evilpuppet to use a background browser to bypass the latest anti-phishing protections implemented by Google. I strongly wanted to share what I've implemented, but I knew releasing this to the public would probably do more harm than good.
Since then, I've met a large number of red teamers. Once I learned what issues they'd been facing at work, it became clear how hard red teaming has become when relying only on open-source tools, which do not always work as reliably as one would wish. Marc Smeets from Outflank gave a great talk about this subject at x33fcon last year.
It has become my top priority to reinvent Evilginx and create a phishing framework which is reliable, easy to use and fast to deploy while solving most of the issues red teams struggled with worldwide.
At its core, I also wanted the Pro version to drive innovation in anti-phishing defense development by inventing and implementing the most advanced anti-phishing evasions I could to bypass the majority of commonly used protections.
Evilginx Pro I'm releasing today is the fruit of passion I've had for a long time in developing offensive security tools for cybersecurity enthusiasts. The journey has just begun, and now that the product is officially released, I can focus on making it even better by implementing all the ideas I've planned for it.
How to buy Evilginx Pro?
Since Evilginx Pro can cause harm when used with malicious intent, my priority has always been to make it only available to vetted red teamers or penetration testers who can prove they work in cybersecurity companies which perform offensive operations with legitimate intent.
That is why, in 2023, I launched the BREAKDEV RED community for red teamers. The community hangs out on a Discord server where every single member is vetted by hand. Every member of the community gains access to the shop where you can purchase Evilginx Pro.
We currently have over 1500 members from over 260 companies around the world! Joining the community is and will always be completely free!
If you haven't joined yet, please do so by clicking the button below and filling out the application form:
After sending your application, please allow some time for us to process your requests. Since 2023, I've significantly improved the speed of the approval process, but it is still being improved to be up to speed with the demand.
Once you get approved and gain access to the community, before you can purchase Evilginx Pro, several requirements will need to be met to comply with the export regulations of dual-use goods.
I've outlined them in the next paragraph.
Reason for Delayed Launch
The official release date was supposed to be February 25th 2025, but as you may have witnessed two weeks ago, I had to pull the emergency brake after I was informed by my legal team that the worldwide release of a tool, being a phishing framework, may not be as straightforward as I expected.
As some of you may've guessed, the primary issue was the export regulations. I was under the impression that if my tool did not "install itself on external device without user's consent", it cannot be considered dual-use and fall under export regulations under the Wassenaar Arrangement. Since I have already been doing the extra verification of all potential buyers with the screening process to join the BREAKDEV RED community, I thought it was enough. I was wrong, and I take full responsibility for the delay.
Now the good news is, after two weeks of hard work, the top-notch legal team handling the matter has figured out a solution. I now have all the guidelines on how to properly release Evilginx Pro while being compliant with all the necessary export regulations for exporting the dual-use goods from Poland. The funny part (or scary, depending on how you look at it) is that I will need to follow the same procedure as if I were selling "live ammunition".
The downside is that there will be a bit more paperwork involved regarding additional company verification, but on the positive note, you can now be 100% sure that the tool you are purchasing is doing absolutely everything possible to stay on the 100% legal side.
Countries Eligible for Export
Due to the additional restrictions and the requirement to obtain valid export licenses from the Ministry of Economic Development and Technology, unfortunately, not all countries are currently eligible for export.
Evilginx Pro sales are currently permitted in the following countries:
No export license required for:
- Poland
Since my company is registered in Poland, the export regulations to Poland do not apply, as nothing crosses the border. Registered companies from Poland with verified company details can already purchase the product.
Export license required for:
- European Union (without Cyprus & Romania)
- United Kingdom
- United States of America
- Canada
- Commonwealth of Australia
- Japan
- Kingdom of Norway
- New Zealand
- Swiss Confederation, including the Principality of Liechtenstein
Full list of countries eligible to apply for the export license
- Australia
- Austria
- Belgium
- Bulgaria
- Canada
- Croatia
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Japan
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- New Zealand
- Norway
- Poland
- Portugal
- Slovakia
- Slovenia
- Spain
- Sweden
- Switzerland
- United Kingdom
- United States
I am aware that the list does not include several countries from which companies have already expressed a willingness to purchase Evilginx Pro, like India or Israel, for example. I'm very sorry about that. The process of obtaining an export license to countries not on the list above is currently very complicated.
I am actively looking for a solution to solve this with our legal team. Companies from such regions will need to be processed on a case-by-case basis when a higher volume of licenses is requested or when cooperation with a local reseller is achieved.
If your country is not on the list above, please let me know by sending an email to sales@breakdev.org with details on how many licenses of Evilginx Pro your company needs, and I will notify you once a solution is found.
Company Verification Changes
Until now, the verification consisted of two steps:
- Verification that you are working in a cybersecurity company as a red teamer or pentester with a fairly decent public profile.
- Verification of company details, such as the name, website, address, and tax identification number.
Here are the additional steps required to green-light your BREAKDEV RED account and make it eligible to make a purchase:
Current Extract from Commercial Register
I will need a certified extract from the official governmental institution, which is described as follows:
Current Extract from the Commercial Register provides the most recent available information about the company. This includes basic details such as the company name, legal address, information about the management, share capital, and current status. This extract is up-to-date at the time of the request and is used to obtain information about the current status of the company.
You will need to look up how you can extract your current company information in your country and which institution provides such data. Here are a few examples of commercial register institutions in different countries:
- Germany - Handelsregisterauszug
- France - Extrait Kbis
- UK - Certificate of Incorporation or Company Profile from Companies House
- USA - Business Entity Report (varies by state)
Signed End-user Statement
An official company representative will need to fill out and sign an end-user statement with a handwritten signature and send it back to us. The contents of the statement state the nature of the product and importer commitments.
You can find the PDF with the end-user statement available for download on the company page in your BREAKDEV RED account panel.
Both the signed statement and the current extract from the commercial register are instrumental in obtaining the export license from the Ministry of Economic Development and Technology.
Export License Processing Time
Once all required documents are received, the processing time for an export license request may take up to one month.
Once the export license is granted, all members of the company eligible to make purchases will receive the notification email. From that moment, the ability to order Evilginx Pro licenses will be unlocked in the BREAKDEV RED account panel.
What is new in Evilginx Pro?
Since you're here, you may be asking how the Pro version differs from the already available open-source community version of Evilginx. Here is the list of changes and improvements. The latest version of this list can be found in the official online documentation.
Client-Server Architecture
Evilginx has always worked as both the client and the server. You would deploy the application to an external server and control the server from the terminal while using SSH to connect to the remote server.
Evilginx Pro allows you to deploy dedicated Evilginx servers, which work as background daemons and start automatically on every server reboot. You can control and deploy multiple Evilginx servers straight from a single Evilginx client instance, running in the terminal on your local PC no matter if you're on Windows, Linux or Mac.
Evilginx API
One of the most requested features of Evilginx was the ability to extract captured data from the server remotely. With the client-server architecture of Evilginx Pro, anyone can now write their own tool instrumentation using the exposed API on every Evilginx server instance.
The API is exposed via HTTPS, listening on the same TCP port 443 as the main Evilginx HTTPS server. Evilginx Pro implements a stealth channel, which cannot be interacted with without knowing the internal secret hostname of the API request handler. The connection is additionally protected with a client certificate, allowing only legitimate and whitelisted Evilginx Pro users to connect to the Evilginx API server.
Wildcard TLS Certificates
The biggest issue most red teams struggled with was the fact that once Evilginx obtained the TLS certificate, the phishing hostname would immediately get listed in the public TLS transparency report database. This resulted in dozens of security products immediately performing scans of the Evilginx server, looking for malicious activity. This often resulted in the phishing server getting blacklisted before it could've been used for the engagement.
Evilginx Pro will now obtain wildcard TLS certificates by default, which prevents the hostname of the phishing server from being fully exposed. Security products will be unable to scan the phishing server by looking at the registered TLS certificate since the subdomain in the wildcard TLS certificate is an asterisk. The full hostname of phishing pages is not disclosed in clear text.
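For defenders who monitor certificate logs, the difference described above looks like this. This is an added example, not Evilginx code and not part of the original post; the log entries, the watched label and the function names are constructed for illustration.

```python
# Added example: what a certificate-log monitor can derive from a
# certificate's SAN list. All sample entries below are constructed.

def split_san(san_names):
    """Split SAN dNSNames into concrete hostnames and wildcard-only zones."""
    hosts, wildcard_zones = set(), set()
    for name in san_names:
        name = name.strip().lower().rstrip(".")
        if name.startswith("*."):
            wildcard_zones.add(name[2:])  # only the parent zone is disclosed
        elif name:
            hosts.add(name)
    # A zone stays "hidden" unless a concrete host under it was also logged.
    # The bare apex (zone itself) does not reveal any subdomain.
    hidden = {z for z in wildcard_zones
              if not any(h.endswith("." + z) for h in hosts)}
    return sorted(hosts), sorted(hidden)


def triage(ct_entries, watch_labels):
    """Return (scan_queue, review_queue) for a list of log entries.

    scan_queue:   full hostnames containing a watched label; a scanner
                  can visit these directly.
    review_queue: zones known only through a wildcard, where label
                  matching cannot run on the undisclosed subdomain.
    """
    scan_queue, review_queue = [], []
    for entry in ct_entries:
        hosts, hidden = split_san(entry["san"])
        for host in hosts:
            labels = host.split(".")
            if any(w in label for w in watch_labels for label in labels):
                scan_queue.append(host)
        review_queue.extend(hidden)
    return scan_queue, review_queue


# Constructed sample data (reserved .example names).
SAMPLE_CT_ENTRIES = [
    {"id": 1, "san": ["login.portal-a.example"]},
    {"id": 2, "san": ["*.portal-b.example"]},
    {"id": 3, "san": ["*.portal-c.example", "portal-c.example"]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_CT_ENTRIES, ["login"]))
```

Only the first entry yields a hostname that can be scanned; the other two disclose a zone and nothing more, so a monitor has to track them on a separate review queue.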
Botguard
Additionally, Evilginx Pro implements Botguard, which prevents security products from accessing the phishing website even if the hostname and full phishing URL are known to them.
Botguard uses multiple techniques combining JA4 signature fingerprinting and telemetry analysis retrieved from the client browser using Javascript. These methods are used to determine if the phishing server was accessed by bots through automated means.
If bot-like behaviour is detected, Evilginx Pro will display a spoofed website reverse proxied from an external URL predefined by the red team operator. You can learn more about how it works in the x33fcon keynote I gave in 2024.
Community Phishlets Database
Evilginx has always been considered a phishing framework that can be extended with "phishlets" to target specific websites. The open-source version of the framework was made available without ready-to-use phishlets. This decision was made for ethical reasons, so that malicious actors could not easily use it out of the box to wreak havoc. Since Evilginx Pro is now made available only to vetted red team professionals, the risk of phishing framework misuse is much lower.
Evilginx Pro now lets you access the community-curated database of ready-to-use phishlets to use for your next phishing engagement. Keep in mind, though, that there is no guarantee that the phishlets will be constantly updated to work with the most recent version of the target websites.
Evilpuppet (background browser)
With the increasing number of defenses against phishing implemented by industry leaders, Evilginx had to innovate to keep up with the changing ecosystem. Websites will often gather telemetry metadata from the user's web browser to determine whether the user is in the middle of getting phished by a malicious actor.
Evilpuppet implements a web browser, running on the Evilginx server in the background, to generate legitimate web browser telemetry, which can be extracted and injected into Evilginx Pro phishing sessions in real time during the phishing attack.
External DNS Management
By default, apart from acting as an HTTP server, Evilginx also acted as a nameserver, listening on UDP port 53 for DNS requests. This allowed Evilginx to be flexible in managing an unlimited number of phishing hostnames required by various phishlets. This, however, made Evilginx fairly easy to detect, since if anyone investigated the nameservers set up in the phishing domain's registrar, they would notice that the phishing server is hosted on the same IP as the nameservers tied to the domain.
Red teams were able to mitigate that issue by using external DNS providers, but in doing so, they lost flexibility since all DNS records had to be managed manually and not through Evilginx automation.
Evilginx Pro now retains that flexibility even when using external DNS providers. Evilginx can now be configured to manage DNS records externally through the API of supported third-party DNS providers, making it more stealthy and easier to use.
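The nameserver observation above can be turned into a triage check on the investigating side. This is an added example, not Evilginx code and not part of the original post; it works on already-resolved records, and every domain, address and function name in it is constructed.

```python
# Added example: flag a domain whose nameservers resolve to the same IP
# addresses as its web hosts. Input is already-resolved DNS data, so the
# check runs offline. All records below are constructed (documentation
# address ranges and reserved .example names).
import ipaddress


def _ips(values):
    """Normalise textual addresses so equal IPv4/IPv6 values compare equal."""
    return {ipaddress.ip_address(v.strip()) for v in values}


def check_delegation(domain, ns_addrs, host_addrs):
    """Compare nameserver addresses with the addresses of the site hosts.

    ns_addrs:   {nameserver name: [addresses]}
    host_addrs: {hostname under the domain: [addresses]}
    """
    domain = domain.lower().rstrip(".")
    web_ips = set()
    for addrs in host_addrs.values():
        web_ips |= _ips(addrs)
    findings = []
    for ns, addrs in ns_addrs.items():
        ns_name = ns.lower().rstrip(".")
        shared = _ips(addrs) & web_ips
        if shared:
            findings.append({
                "ns": ns_name,
                # Nameserver named inside the delegated zone itself.
                "in_bailiwick": ns_name == domain
                                or ns_name.endswith("." + domain),
                "shared_ips": sorted(str(ip) for ip in shared),
            })
    return {
        "domain": domain,
        "findings": findings,
        "all_ns_colocated": bool(ns_addrs) and len(findings) == len(ns_addrs),
    }


SELF_HOSTED = ("portal-b.example",
               {"ns1.portal-b.example": ["203.0.113.10"],
                "ns2.portal-b.example": ["203.0.113.10"]},
               {"login.portal-b.example": ["203.0.113.10"]})
EXTERNAL_DNS = ("portal-a.example",
                {"ns1.dns-provider.example": ["198.51.100.53"],
                 "ns2.dns-provider.example": ["2001:db8::53"]},
                {"www.portal-a.example": ["192.0.2.80", "2001:DB8:0:0:0:0:0:80"]})

if __name__ == "__main__":
    print(check_delegation(*SELF_HOSTED))
    print(check_delegation(*EXTERNAL_DNS))
```

Small legitimately self-hosted domains show the same pattern, so the result is a triage signal rather than a verdict, and it says nothing about a domain delegated to an external DNS provider.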
Multi-domain Support
Evilginx Pro, unlike its community version counterpart, can now be configured to use more than one domain to run phishing campaigns. You can now set different base domains for each phishlet you want to use without the need to change your DNS settings.
Each domain can be set up with a different third-party DNS provider, be it internal or external, like Cloudflare or Digital Ocean.
Javascript Obfuscation
Evilginx will often inject its own Javascript code into the reverse proxied websites to manage redirects, gather botguard telemetry or provide additional interaction with the viewed website through Javascript injected from phishlets. The injected code could have been easily fingerprinted through static signatures, potentially resulting in reverse proxied websites being flagged as phishing.
Evilginx Pro will now automatically perform code obfuscation of all injected Javascript code, using the obfuscator.io engine running locally. This results in Javascript code taking different shapes with every page load, making the code impossible to fingerprint with pattern detection logic.
Automated Server Deployment
The days of deploying Evilginx servers by hand are over. Evilginx Pro provides a straightforward way of deploying a new phishing server by issuing a single command. You only need to provide the server's IP address and root credentials (password or authorized private key) to access the server. Evilginx client will do the rest.
Website Spoofing
When the Evilginx Pro server either detects a client requesting a URL which is not a valid phishing lure URL or determines that the connection is made by automation software, it will no longer redirect the visitor to an external website but will instead render another website's content in the context of the current one.
This provides better phishing anti-detection capabilities and gives the impression that a legitimate website is hosted under the phishing URL.
SQLite Database
Data storage for Evilginx data has been completely revamped. Evilginx Pro no longer uses BuntDB text-file storage and now uses an SQLite database for speed and ease of access.
Conclusion
I have high hopes for Evilginx Pro, and I'm very excited to see what it's going to become.
If you have any questions about Evilginx Pro, you can contact us at sales@breakdev.org. Don't forget to check out the online documentation and the official Evilginx Pro website.
You can find me on the following platforms:
LinkedIn: Kuba Gretzky
Bsky: @mrgretzky.breakdev.org
Twitter: @mrgretzky
I wish you all the best, and hopefully, I will see you at the BREAKDEV RED Discord server!