
EvilProxy


EvilProxy is a phishing-as-a-service (PhaaS) platform that enables cybercriminals to bypass multi-factor authentication (MFA) and hijack user sessions. It leverages reverse proxy techniques to harvest credentials and session cookies, posing a serious threat to both individuals and enterprises.

Type: Phishing kit
Origin: Unknown
First seen: 1 August, 2022
Last seen: 3 September, 2025

What is EvilProxy malware?

EvilProxy is a reverse-proxy phishing kit sold on dark-web marketplaces that has been active since mid-2022. The platform operates as a commercial service with subscription-based offerings for 10, 20, and 31 days. This advanced toolkit has fundamentally changed how cybercriminals conduct phishing attacks by providing even low-skilled threat actors with the capability to bypass multi-factor authentication (MFA) protections.

The toolkit became notorious for letting attackers create convincing replicas of legitimate websites while maintaining real-time communication with the authentic service. This reverse-proxy architecture allows EvilProxy to intercept and manipulate communications between victims and legitimate services without detection. The service targets major platforms including Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even niche platforms like PyPI.

What sets EvilProxy apart from traditional phishing kits is its sophisticated evasion capabilities. The platform incorporates advanced detection mechanisms to identify security researchers, automated analysis systems, and virtual machines. When suspicious activity is detected, EvilProxy can redirect connections to legitimate websites or completely drop connections to avoid analysis.

Similar to other phishing kits like Tycoon 2FA and Sneaky2FA, EvilProxy primarily relies on phishing as its initial infection vector. Phishing emails impersonating legitimate organizations or services are the most common method. These emails often contain urgent requests, security alerts, or enticing offers to trick recipients into clicking malicious links.

The links can be disguised through URL shorteners, legitimate-looking domain names, or by embedding them within seemingly harmless attachments (e.g., HTML files). Attackers heavily leverage social engineering tactics to manipulate victims.

Once an account is compromised via EvilProxy, the attackers can use it to send out more phishing emails to the victim's contacts, leading to a chain reaction of compromises within an organization or its network.

What EvilProxy Can Do to User Device

When a user visits an EvilProxy-hosted phishing page, the malicious service:

  • Captures login credentials entered by the user in real-time.
  • Harvests session cookies and authentication tokens automatically.
  • Bypasses device-based security measures by operating at the application layer.
  • Maintains persistent access through stolen session tokens, even after the initial interaction.
  • Secondary malware installation may follow once initial access is obtained.
  • Can potentially access stored passwords and autofill data if users interact with the fraudulent interface.

The endpoint device itself may not show traditional signs of infection, making EvilProxy attacks particularly insidious. Users may notice unusual login notifications or unexpected account activity, but the device's security software typically cannot detect the attack since no malicious code is installed locally.

How EvilProxy Threatens Businesses and Organizations

EvilProxy poses severe threats to businesses and organizations across multiple dimensions:

  • Executive Targeting: Threat actors are increasingly using toolkits like EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies. This can lead to business email compromise (BEC) attacks, fraudulent financial transactions, and corporate espionage.
  • Scale of Operations: Security researchers have observed that EvilProxy facilitates over one million attacks monthly, indicating the massive scale of potential exposure for organizations worldwide.
  • Multi-Factor Authentication Bypass: The service's ability to harvest session cookies, and thereby bypass non-phishing-resistant MFA, means that even organizations with robust security policies may be vulnerable.
  • Data Exfiltration: Once inside, attackers can access confidential files, source code, or customer records.
  • Lateral Movement: Access to one account can help escalate privileges or compromise other users.
  • Reputational Damage and Compliance Violations: Especially in industries with strict data regulations.
  • Supply Chain Risks: By targeting platforms like GitHub and PyPI, EvilProxy can potentially compromise software development pipelines and create supply chain vulnerabilities.
  • Financial Impact: Successful account takeovers can lead to direct financial losses through fraudulent transactions, regulatory compliance violations, data breach costs, and reputation damage.

How Does EvilProxy Function?

EvilProxy operates through a reverse-proxy architecture that works as an intermediary between victims and legitimate services. The operation involves several key components:

  1. Reverse Proxy Technology: Actors use the kit to proxy the victim's session, meaning EvilProxy creates a transparent tunnel between the victim and the real service.
  2. Real-Time Credential Harvesting: When users enter credentials on the phishing page, EvilProxy simultaneously submits these credentials to the legitimate service, capturing the resulting authentication tokens and session cookies.
  3. Session Token Theft: The service intercepts and stores session tokens generated during the authentication process, allowing attackers to maintain access even after the initial phishing interaction concludes.
  4. Anti-Detection Measures: EvilProxy incorporates advanced fingerprinting to detect security researchers, automated analysis tools, and virtual machines. The bad actors are especially diligent when it comes to detecting possible virtual machines, which security analysts typically use to research malicious content.
  5. Dynamic Content Delivery: The PhaaS can serve different content based on the victim's location, device type, and other characteristics to maximize the success rate of attacks.
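Steps 2 and 3 above, and the earlier point that the endpoint shows no local infection, mean the identity provider's own session telemetry is often the only place the theft is visible: a session id minted after an MFA-backed login is later presented from a different client context. The following detector is an added example written for this page, not code from ANY.RUN or from the EvilProxy kit; the JSON-lines events, the field names (`sid`, `ua`, `event`) and the high-risk event labels are constructed assumptions, not any product's real schema.

```python
import json

# Post-authentication actions treated as high-risk when they appear in a reused
# session. These labels are constructed for this example, not a real product schema.
HIGH_RISK_EVENTS = {"inbox_rule_created", "mfa_method_added", "oauth_consent_granted"}

# Constructed identity-provider session events (JSON lines), in chronological order.
SAMPLE_EVENTS = """
{"ts": "2025-09-03T08:00:00Z", "user": "alice", "sid": "S1", "ip": "203.0.113.10", "ua": "Edge/128 Windows", "event": "login_mfa_ok"}
{"ts": "2025-09-03T08:05:00Z", "user": "alice", "sid": "S1", "ip": "203.0.113.10", "ua": "Edge/128 Windows", "event": "mailbox_read"}
{"ts": "2025-09-03T08:07:00Z", "user": "alice", "sid": "S1", "ip": "198.51.100.77", "ua": "Chrome/127 Linux", "event": "mailbox_read"}
{"ts": "2025-09-03T08:08:00Z", "user": "alice", "sid": "S1", "ip": "198.51.100.77", "ua": "Chrome/127 Linux", "event": "inbox_rule_created"}
{"ts": "2025-09-03T09:00:00Z", "user": "bob", "sid": "S2", "ip": "192.0.2.5", "ua": "Safari/17 macOS", "event": "login_mfa_ok"}
{"ts": "2025-09-03T09:30:00Z", "user": "bob", "sid": "S2", "ip": "192.0.2.5", "ua": "Safari/17 macOS", "event": "mailbox_read"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_session_reuse(events):
    """Flag every use of a session id from a client context (source IP or user agent)
    that differs from the context of the first event recorded for that session.
    Events must be in chronological order."""
    baseline = {}   # sid -> (ip, ua) at first sight, normally the MFA login
    alerts = []
    for ev in events:
        sid = ev["sid"]
        if sid not in baseline:
            baseline[sid] = (ev["ip"], ev["ua"])
            continue
        login_ip, login_ua = baseline[sid]
        if ev["ip"] != login_ip or ev["ua"] != login_ua:
            alerts.append({
                "user": ev["user"], "sid": sid, "ts": ev["ts"], "event": ev["event"],
                "login_ip": login_ip, "seen_ip": ev["ip"],
                "login_ua": login_ua, "seen_ua": ev["ua"],
                "severity": "high" if ev["event"] in HIGH_RISK_EVENTS else "medium",
            })
    return alerts


def summarize(alerts):
    """Collapse alerts to one severity per user (the highest seen)."""
    summary = {}
    for a in alerts:
        if summary.get(a["user"]) != "high":
            summary[a["user"]] = a["severity"]
    return summary


if __name__ == "__main__":
    found = detect_session_reuse(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f'{a["ts"]} {a["severity"]:6} user={a["user"]} sid={a["sid"]} '
              f'{a["login_ip"]} -> {a["seen_ip"]} event={a["event"]}')
    print(summarize(found))
```

In the sample, `S1` was minted from one IP and user agent and is then replayed from another, with an inbox-rule creation raising the severity; `S2` stays clean. Because a reverse-proxy kit relays the login itself, the baseline context may already be the proxy's address rather than the victim's device, so in practice this per-session check is combined with the user's historical device profile and impossible-travel logic; the point here is the session-level comparison.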

EvilProxy Attack Chain Live

ANY.RUN’s Interactive Sandbox contains thousands of EvilProxy samples that can be found with the aid of ANY.RUN’s Threat Intelligence Lookup:

threatName:"evilproxy"

EvilProxy malware samples found via Threat Intelligence Lookup

You can choose a freshly submitted analysis session and view EvilProxy in action along with its network connections, process details, attackers’ TTPs, and IOCs extracted from the malware’s configuration.

Watch an analysis session of a fresh EvilProxy sample

EvilProxy attack analysis in ANY.RUN Interactive Sandbox

The execution chain of the EvilProxy phishing kit begins when a victim receives a phishing email that appears to originate from a trusted service or brand, such as DocuSign, Adobe, Concur, or another legitimate-looking website. These emails often contain a malicious link that exploits an open redirect vulnerability on a legitimate domain, allowing attackers to bypass email security filters and avoid detection.

When the victim clicks the link, they are redirected through several legitimate websites before landing on a phishing page that impersonates a genuine login portal—typically Microsoft 365 or a similar service. In one observed task, the lure involved a fake voicemail message that prompted the user to enter their email address, after which they were redirected to a counterfeit Microsoft login page. Another case involved a fake "Secure Vault" prompt.
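The lure link described above abuses an open redirect on a legitimate domain, so the host a user sees in the link is not the host they end up on. A mail gateway or URL-rewriting filter can catch the common form of this by inspecting redirect-style query parameters for an absolute target on a foreign host. The checker below is an added example for this page, not code from ANY.RUN; the parameter-name list, the trusted-suffix handling and the sample links (all on reserved example domains) are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Query-parameter names commonly used to carry a post-login destination.
# Illustrative assumption for this example, not an exhaustive or product-specific list.
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_uri", "redirect_url", "returnurl", "return_url",
    "next", "goto", "target", "dest", "destination", "continue", "rurl", "ref",
}

# Constructed sample links as they might appear in an inbound email.
SAMPLE_LINKS = [
    "https://portal.example.com/login?ReturnUrl=https%3A%2F%2Flogin-msftdocs.example%2Fvoicemail",
    "https://portal.example.com/login?ReturnUrl=%2Fdashboard",
    "https://sso.example.com/auth?next=//203.0.113.5/",
    "https://docs.example.com/view?id=42",
]


def _is_trusted(host, trusted_suffixes):
    """True when host equals a trusted suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def extract_external_redirect(url, trusted_suffixes=()):
    """Return details of the first redirect parameter whose target is an absolute URL
    on a host other than the link's own host (and not under a trusted suffix).
    Return None when every redirect target is relative or stays on a trusted host."""
    link = urlparse(url)
    link_host = (link.hostname or "").lower()
    for key, values in parse_qs(link.query, keep_blank_values=True).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            candidate = value
            for _ in range(2):                 # tolerate double percent-encoding
                candidate = unquote(candidate)
            target = urlparse(candidate.strip())
            if not target.netloc:              # relative path: stays on the same site
                continue
            target_host = (target.hostname or "").lower()
            if target_host and target_host != link_host \
                    and not _is_trusted(target_host, trusted_suffixes):
                return {"link_host": link_host, "param": key,
                        "target_host": target_host, "target": candidate}
    return None


def scan_links(urls, trusted_suffixes=()):
    """Return (url, finding) pairs for every link that redirects off-site."""
    results = []
    for u in urls:
        finding = extract_external_redirect(u, trusted_suffixes)
        if finding:
            results.append((u, finding))
    return results


if __name__ == "__main__":
    for u, f in scan_links(SAMPLE_LINKS):
        print(f'{f["link_host"]} ?{f["param"]}= -> {f["target_host"]}   ({u})')
```

The third sample shows why the check must not stop at `https://` prefixes: a protocol-relative `//host/` value is also an off-site target. The check is one layer, not a complete answer; redirect chains that hop through several legitimate sites, as the text describes, still require following the chain in a sandbox.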

View another analysis session of EvilProxy

EvilProxy attack abusing a Secure Vault lure

The phishing pages are powered by the EvilProxy framework, which acts as a reverse proxy. It fetches live content from the real login page and displays it to the victim, making the phishing site look legitimate. As the victim enters their username, password, and two-factor authentication (2FA) code, EvilProxy intercepts these credentials in real time. The stolen credentials and 2FA tokens are immediately used on the attacker’s side to generate a valid session cookie, effectively bypassing MFA protections.

The attacker hijacks the session by proxying the victim’s traffic, allowing them to impersonate the victim and access the legitimate service without needing to re-enter credentials or 2FA tokens. This enables persistent access to the account. To evade detection, EvilProxy employs techniques such as browser fingerprinting, IP reputation checks, and filtering out connections from security researchers, bots, VPNs, proxies, Tor nodes, and virtual machines.

ANY.RUN’s Residential Proxy feature in the Sandbox helps users mask their traffic to appear as if it originates from real consumer devices rather than hosting environments, enabling full observation of the phishing attack chain without being blocked.

Set up Residential Proxy when starting a new analysis in Interactive Sandbox

Gathering Threat Intelligence on EvilProxy malware

Threat intelligence provides actionable data for proactively defending against EvilProxy and the like.

ANY.RUN’s Threat Intelligence Lookup supports quick IOC checks for immediate verdicts but also allows deep research that brings understanding of malware’s behaviors, architecture, and tactics.

Extract IOCs from Sandbox analyses and explore them further via Threat Intelligence Lookup:

domainName:"*msftdocs.com"

Search for EvilProxy-associated domain IOCs by pattern

Threat intelligence empowers defenders to:

  • Identify and block EvilProxy domains and IPs in near real-time.
  • Gather IOCs related to active EvilProxy campaigns.
  • Analyze infrastructures associated with EvilProxy operators.
  • Track adversary tactics, techniques, and procedures (TTPs) to preemptively defend against evolving campaigns.
  • Enrich alerts, prioritize responses, and reduce false positives using TI feeds.
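Wildcard domain patterns like the `domainName:"*msftdocs.com"` query above are only useful to a SOC once they are run against the organization's own telemetry. The script below is an added example for this page, not ANY.RUN's code or API: it applies such patterns to web-proxy access logs and reports which users contacted matching hosts. The log format, the second pattern and all log lines are constructed.

```python
import fnmatch
import re
from urllib.parse import urlparse

# Wildcard domain patterns in the style of the TI Lookup query. The first is the
# pattern from the text; the second is a constructed placeholder, not a real IOC.
IOC_PATTERNS = ["*msftdocs.com", "*-securevault-*.example"]

# Constructed web-proxy access log: timestamp, client IP, user, method, URL, status.
SAMPLE_PROXY_LOG = """\
2025-09-03T08:06:12Z 203.0.113.10 alice GET https://login-msftdocs.com/common/oauth2/authorize 200
2025-09-03T08:06:13Z 203.0.113.10 alice GET https://cdn.example.net/app.js 200
2025-09-03T08:07:40Z 203.0.113.10 alice POST https://login-msftdocs.com/common/login 302
2025-09-03T08:09:02Z 198.51.100.23 carol GET https://mail-securevault-01.example/open 200
2025-09-03T09:01:00Z 192.0.2.5 bob GET https://mail.example.com/owa/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_proxy_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, method, url, status = m.groups()
    host = (urlparse(url).hostname or "").lower()
    return {"ts": ts, "src_ip": ip, "user": user, "method": method,
            "host": host, "status": int(status)}


def match_ioc(host, patterns=IOC_PATTERNS):
    """Return the first wildcard pattern matching host, else None.
    fnmatchcase is used so '.' stays literal and matching is case-insensitive
    only through the explicit lower-casing of both sides."""
    for p in patterns:
        if fnmatch.fnmatchcase(host.lower(), p.lower()):
            return p
    return None


def find_hits(log_text, patterns=IOC_PATTERNS):
    """Return every parsed log record whose host matches an IOC pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        pattern = match_ioc(rec["host"], patterns)
        if pattern:
            rec["pattern"] = pattern
            hits.append(rec)
    return hits


def users_by_pattern(hits):
    """Map each matched pattern to the set of users who contacted a matching host."""
    out = {}
    for h in hits:
        out.setdefault(h["pattern"], set()).add(h["user"])
    return out


if __name__ == "__main__":
    found = find_hits(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["ts"]} {h["user"]:6} {h["method"]:4} {h["host"]} ({h["pattern"]})')
    print(users_by_pattern(found))
```

A `POST` to a matched host (alice's second hit) is the likely credential-submission point and should be triaged ahead of the `GET`s. Note that a leading `*` also matches hosts such as `notmsftdocs.com`; when only subdomains are wanted, the pattern needs a literal dot before the name.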

Conclusion

EvilProxy is a powerful weapon in the phishing landscape, offering a turnkey solution for bypassing MFA and hijacking sessions. It demonstrates the growing professionalization of cybercrime and underscores the urgent need for organizations to upgrade their defenses. Traditional security measures are no longer enough—organizations must adopt phishing-resistant MFA, leverage threat intelligence, and continually train users to recognize the signs of these highly convincing attacks.
