
evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087)

evilginx2 is an open-source adversary-in-the-middle (AiTM) phishing framework. The original evilginx was built on top of the nginx web server; evilginx2 is a standalone rewrite in Go that implements its own HTTP and DNS servers. It is deployed as a reverse proxy between victims and a legitimate web service: the victim interacts with the real site through the proxy, while evilginx2 captures the submitted credentials, authentication tokens, and the session cookies issued after login, including sessions established after a one-time or push-based second factor has been completed.(Citation: Evilginx 2 July 2018)(Citation: Breakdev Evilginx 2.1 SEP 2018)(Citation: Sophos Evilginx MAR 2025)
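Why the proxy works against OTP and push MFA but not against FIDO2/WebAuthn is worth seeing in code. A relayed one-time code carries nothing that ties it to the page the victim typed it into, so the proxy forwards it and receives a valid session cookie. A WebAuthn assertion, by contrast, embeds the page origin in clientDataJSON and the SHA-256 of the RP ID in authenticatorData, and the authenticator signs both; the relying party rejects anything produced on a lookalike domain. The following is an added example, not code from the evilginx2 project or the cited reports: it implements the relying-party-side structural checks of a WebAuthn assertion (type, challenge, origin, rpIdHash, user-presence flag) with the standard library and simulates a legitimate login, a login relayed through an AiTM proxy, and a proxy that rewrites the origin field. The domains example.com and example-secure.net are constructed, and signature verification over authenticatorData || SHA-256(clientDataJSON) is assumed to happen alongside these checks.

```python
import base64
import hashlib
import json
import os
import struct

# Constructed relying-party configuration (not a real deployment).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
# Constructed lookalike domain standing in for an AiTM proxy host.
PHISH_RP_ID = "example-secure.net"
PHISH_ORIGIN = "https://login.example-secure.net"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, user_present=True, user_verified=True, sign_count=1) -> bytes:
    """Browser/authenticator side: rpIdHash(32) || flags(1) || signCount(4).
    The browser computes rpIdHash from the effective domain of the page it is on,
    so a page served from a phishing domain cannot obtain a hash of the real RP ID."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Browser side: clientDataJSON records the origin the browser actually saw."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                    expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID):
    """Relying-party side. Returns (ok, reason). The signature over
    authenticatorData || SHA-256(clientDataJSON) is assumed to be verified
    separately with the credential's stored public key; it pins both inputs,
    so a proxy cannot edit either field without invalidating the signature."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def simulate_legitimate_login():
    challenge = os.urandom(32)                      # issued by the RP
    client_data = make_client_data(EXPECTED_ORIGIN, challenge)
    auth_data = make_authenticator_data(RP_ID)
    return check_assertion(client_data, auth_data, challenge)


def simulate_aitm_relay():
    """The proxy forwards the RP's real challenge to the victim, but the
    victim's browser is on the phishing origin and records that origin."""
    challenge = os.urandom(32)                      # relayed unchanged by the proxy
    client_data = make_client_data(PHISH_ORIGIN, challenge)
    auth_data = make_authenticator_data(PHISH_RP_ID)  # browser derives rpId from phishing domain
    return check_assertion(client_data, auth_data, challenge)


def simulate_aitm_relay_with_rewritten_origin():
    """A proxy that rewrites the origin field in clientDataJSON still fails:
    rpIdHash was computed over the phishing domain (and the signature, not
    modelled here, would no longer match the edited clientDataJSON)."""
    challenge = os.urandom(32)
    client_data = make_client_data(EXPECTED_ORIGIN, challenge)  # forged origin field
    auth_data = make_authenticator_data(PHISH_RP_ID)
    return check_assertion(client_data, auth_data, challenge)


if __name__ == "__main__":
    print("legitimate:", simulate_legitimate_login())
    print("AiTM relay:", simulate_aitm_relay())
    print("AiTM relay, origin rewritten:", simulate_aitm_relay_with_rewritten_origin())
```

The contrast with the techniques in the table below is the point: a TOTP or push approval relayed through the proxy has no origin or RP ID for the service to compare, which is why T1111 and T1539 succeed, whereas the WebAuthn checks above fail closed on the first field the proxy cannot control.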

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 1
evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | 1
Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) | Attack Pattern | evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | 1
evilginx2 - S9003 (1eb9627d-a661-4db6-bf53-41b7dcc63087) | mitre-tool | Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) | Attack Pattern | 1
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) | Attack Pattern | Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) | Attack Pattern | 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) | Attack Pattern | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) | Attack Pattern | Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | 2

Level 1 rows are relationships between the evilginx2 tool entry and the ATT&CK techniques it uses; level 2 rows link each listed sub-technique to its parent technique.