Ultimate Comprehensive Guide to the EvilProxy Phishing Kit

EvilProxy (internally codenamed Moloch in some developer communications) is a long-standing, highly resilient Phishing-as-a-Service (PhaaS) platform and Adversary-in-the-Middle (AiTM) reverse proxy phishing kit. First discovered and publicized by Resecurity in August–September 2022, EvilProxy has maintained a dominant position in the underground ecosystem through continuous development and adaptation. In 2025, it remains one of the top-tier PhaaS offerings alongside Tycoon 2FA and NakedPages, responsible for a significant portion of MFA bypass attacks targeting Microsoft 365, Google Workspace, Apple iCloud, GitHub, PyPI, Facebook, Instagram, and numerous other cloud and social media services.

EvilProxy is distributed primarily through exclusive Telegram channels and dark web marketplaces. Access is subscription-based, with pricing tiers typically ranging from $150–$300 for 10-day licenses to $500–$600 for monthly access (paid in Bitcoin or Monero). Premium add-ons include custom templates, dedicated proxy infrastructure, and priority support. Its longevity and reliability have made it a preferred choice for both opportunistic cybercriminals and more sophisticated groups engaging in business email compromise (BEC), account takeovers, and initial access sales.

Detailed Technical Architecture

EvilProxy operates as a sophisticated reverse proxy framework that transparently relays traffic between the victim and the legitimate target service while capturing all authentication artifacts in real time.

Core Components:
  1. Reverse Proxy Engine:
    • Built on Node.js with Nginx or Apache front-ends.
    • Man-in-the-middle interception of all requests/responses, including POST data, headers, and cookies.
  2. Session Cookie and Token Theft:
    • Primary mechanism for MFA bypass: Captures authenticated session cookies (e.g., ESTSAUTH, FedAuth for Microsoft; SID for Google) immediately after successful authentication.
    • Also steals OAuth access/refresh tokens when applicable.
  3. Real-Time MFA Relaying:
    • Dynamically forwards any 2FA challenge (SMS codes, TOTP prompts, push notifications, WebAuthn) to the legitimate service.
    • Victim completes MFA on the phishing page → response relayed → attacker receives fully authenticated session.
  4. Dynamic Page Cloning:
    • Fetches live CSS, JavaScript, images, and fonts from the target domain to generate indistinguishable phishing pages.
    • Adapts prompts based on real-time error messages from the backend service.
  5. Admin Control Panel:
    • Web-based dashboard for managing campaigns, viewing live victim sessions, exporting captured data (credentials, cookies, tokens), and configuring targeting rules.

Advanced Features and 2025 Evolutions

EvilProxy developers maintain an aggressive update cycle, frequently releasing new evasion modules via Telegram announcements.

Key Features Observed and Enhanced Through 2025:
  • Geofencing and Targeting Filters:
    • Restrict phishing pages to specific countries, ISPs, or IP ranges.
    • Victim-specific customization (e.g., pre-filling username from lure data).
  • Anti-Analysis Protections:
    • Browser fingerprinting to detect sandboxes, virtual machines, or researcher tools.
    • Debugger and inspector blocking (disables dev tools, right-click, clipboard).
    • Code obfuscation and dynamic script loading.
  • CAPTCHA Integration:
    • Heavy use of Cloudflare Turnstile (introduced mid-2025) and other services to bypass automated scanners while appearing legitimate.
  • Open Redirect Exploitation:
    • Leverages vulnerabilities in third-party sites (e.g., Indeed.com, Upwork) to chain redirects to phishing pages, masking malicious domains.
  • Template Library:
    • Hundreds of pre-built, regularly updated templates for high-value services.
    • 2025 additions: Spoofed employment platforms (Upwork freelancer notifications), cryptocurrency exchanges, and developer portals (PyPI, npm).
  • Traffic Distribution:
    • Built-in load balancing across multiple proxy servers to handle scale and avoid rate-limiting.

Typical Attack Lifecycle Using EvilProxy

  1. Infrastructure Deployment: Subscriber rents kit access, deploys on VPS cluster with valid SSL certificates.
  2. Campaign Configuration: Selects template, defines targeting (e.g., executives via LinkedIn scraping), crafts lure.
  3. Lure Distribution:
    • Common 2025 themes: DocuSign/Adobe signatures, Microsoft security alerts, voicemail notifications, job payment updates.
    • Often delivered via compromised legitimate accounts or bulk services.
  4. Victim Engagement:
    • Click → Optional geofence/CAPTCHA check → Reverse proxy activates.
    • Victim enters credentials and completes MFA on cloned page.
  5. Data Capture:
    • Credentials, MFA responses, session cookies, and tokens harvested in real time.
  6. Session Hijack:
    • Attacker imports cookies into browser or tool (e.g., EvilProxy’s session player) for persistent access.
  7. Post-Exploitation:
    • Inbox rule creation for stealth.
    • Data exfiltration, BEC fraud, lateral movement.

Comparison to Competitors (2025 Context)

  • vs. Tycoon 2FA: Tycoon holds larger market share (~89% of early 2025 PhaaS per Barracuda) with superior obfuscation and anti-debugger features. EvilProxy differentiates with stronger geofencing, open redirect chaining, and broader non-Microsoft templates.
  • vs. NakedPages/Other Kits: EvilProxy offers more mature proxy stability and customer support.

Threat Impact and Attribution

  • Responsible for tens of thousands of compromises annually, including high-profile C-level targets (Resecurity noted 39% executive victims in 2023 waves; trend continued).
  • Frequently used by Nigerian BEC actors, initial access brokers, and Eastern European groups.
  • Enables ransomware preparation, espionage, and credential resale.

Detection Indicators

  • Traffic to domains with random strings or known EvilProxy patterns (historical IOCs from Resecurity, Sekoia, URLhaus).
  • Unusual User-Agent strings or header anomalies in proxy traffic.
  • Sessions originating from proxy IPs without corresponding login events.
  • Emails containing open redirect chains or Turnstile challenges.
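
The third indicator above (a session cookie that is presented from somewhere other than the client that performed the login, or with no login event at all) can be checked directly in sign-in telemetry. The following is an added example, not code from the original post or from any vendor product; the log format, the field names and the sample events are all constructed for illustration.

```python
import csv
from io import StringIO

# Constructed sample sign-in/activity log (not real telemetry).
# Columns: timestamp,event,user,session_id,ip,user_agent
SAMPLE_LOG = """\
2025-06-01T08:00:05Z,login,alice@example.com,sess-1001,203.0.113.10,Chrome/124 (Windows NT 10.0)
2025-06-01T08:00:09Z,mfa_ok,alice@example.com,sess-1001,203.0.113.10,Chrome/124 (Windows NT 10.0)
2025-06-01T08:01:30Z,activity,alice@example.com,sess-1001,203.0.113.10,Chrome/124 (Windows NT 10.0)
2025-06-01T08:07:12Z,activity,alice@example.com,sess-1001,198.51.100.77,Firefox/126 (X11; Linux x86_64)
2025-06-01T08:09:40Z,activity,alice@example.com,sess-1001,198.51.100.77,Firefox/126 (X11; Linux x86_64)
2025-06-01T09:15:00Z,activity,bob@example.com,sess-2002,192.0.2.55,Safari/17 (Macintosh)
2025-06-01T09:20:00Z,login,carol@example.com,sess-3003,192.0.2.99,Edge/124 (Windows NT 10.0)
2025-06-01T09:21:00Z,activity,carol@example.com,sess-3003,192.0.2.99,Edge/124 (Windows NT 10.0)
"""
FIELDS = ["ts", "event", "user", "session_id", "ip", "ua"]

def parse_events(text):
    """Parse the CSV-style log into a list of dicts, one per event."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def detect_session_replay(events):
    """Flag sessions whose cookie is later presented from a different IP/user-agent
    than the client that logged in, and sessions that show activity without any
    login event (cookie imported directly). Events are assumed to be in time order."""
    origin = {}      # session_id -> (ip, ua) recorded at login
    flagged = set()  # (session_id, reason) already reported
    findings = []
    for e in events:
        sid = e["session_id"]
        if e["event"] == "login":
            origin[sid] = (e["ip"], e["ua"])
            continue
        if e["event"] != "activity":
            continue
        if sid not in origin:
            reason = "activity_without_login"
        elif (e["ip"], e["ua"]) != origin[sid]:
            reason = "session_used_from_new_client"
        else:
            continue
        if (sid, reason) not in flagged:
            flagged.add((sid, reason))
            findings.append({"session_id": sid, "user": e["user"], "reason": reason,
                             "login_ip": origin.get(sid, ("n/a",))[0],
                             "seen_ip": e["ip"], "first_seen": e["ts"]})
    return findings
```

On the sample data this reports sess-1001 (logged in from 203.0.113.10, then used from 198.51.100.77 with a different browser) and sess-2002 (activity with no login), while carol's session is not flagged. In production, comparing ASN or device identity rather than raw IP reduces noise from mobile and VPN address changes.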

Comprehensive Mitigation Recommendations

  1. Deploy Phishing-Resistant Authentication:
    • FIDO2 hardware security keys, passkeys, or certificate-based authentication — these are immune to AiTM relaying.
  2. Strengthen Conditional Access:
    • Block legacy authentication protocols.
    • Require managed/compliant devices for sensitive actions.
    • Enforce sign-in frequency to invalidate stolen cookies quickly.
  3. Advanced Threat Detection:
    • Use solutions capable of identifying session replay (Microsoft Defender for Cloud Apps, Proofpoint TAP).
    • Monitor for impossible travel or anomalous token usage.
  4. Email and Web Security Layers:
    • Implement DMARC, SPF, DKIM rigorously.
    • Filter known PhaaS infrastructure and open redirect abuse.
  5. Employee Awareness:
    • Train on avoiding unsolicited authentication prompts.
    • Promote use of official apps and bookmarked URLs.
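
Why recommendation 1 holds: a relayed WebAuthn assertion fails at the relying party because the browser, not the page, writes the origin it actually loaded into clientDataJSON, and the authenticator's signature covers that byte string, so a proxy cannot rewrite it. The following is an added example of the RP-side origin, challenge and rpIdHash checks (signature verification omitted); it is not code from the original post or from any real service, and the RP ID, origins and placeholder proxy domain are assumed values.

```python
import base64
import hashlib
import json

# Assumed values for the example: the relying party's RP ID and the only
# origin it accepts. Nothing here is taken from a real deployment.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data_json(origin: str, challenge: bytes) -> bytes:
    """Simulate the clientDataJSON the browser builds for an assertion.
    The browser, not the page script, fills in `origin`, and the
    authenticator's signature covers SHA-256 of this exact byte string."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData prefix: SHA-256(rpId), flags byte (UP=1), 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"

def verify_binding(cdj: bytes, auth_data: bytes, issued_challenge: bytes) -> str:
    """RP-side origin/rpId/challenge checks from the WebAuthn assertion
    verification procedure (signature check omitted). Returns 'ok' or
    the name of the first failing check."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return "bad_type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge_mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin_mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rp_id_hash_mismatch"
    if not auth_data[32] & 0x01:
        return "user_not_present"
    return "ok"

def demo() -> dict:
    """Same challenge, two browsers: one on the real site, one on a
    constructed look-alike proxy domain (placeholder .test name)."""
    challenge = bytes(range(32))  # fixed constructed challenge
    legit = client_data_json("https://login.example.com", challenge)
    relayed = client_data_json("https://login.example.com.proxy-placeholder.test", challenge)
    auth = authenticator_data(RP_ID)
    return {"legit": verify_binding(legit, auth, challenge),
            "relayed": verify_binding(relayed, auth, challenge)}
```

In practice the browser on the look-alike origin would refuse to use an RP ID that is not a registrable suffix of that origin, so the relayed ceremony fails even earlier; the `rp_id_hash_mismatch` branch covers a proxy that requests an assertion under its own RP ID.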

EvilProxy’s longevity — spanning over three years with consistent innovation — demonstrates the maturity and profitability of the PhaaS model. While not the volume leader in 2025, its reliability and feature set ensure continued relevance. The definitive countermeasure remains migration to authentication methods that cannot be relayed or replayed. Organizations should assess their MFA posture urgently and prioritize phishing-resistant solutions to neutralize this class of threat entirely.