Changelog

Welcome to the changelog for Evilginx Pro, the professional version of the Evilginx phishing framework. Evilginx Pro is exclusively designed for advanced red teamers and security professionals.

For a guide on how to update or downgrade to a specific version, please go here.

4.3.0 (2025-11-26)

✨ New features

  • Added event notifications with support for HTTP webhooks, Pushover and Slack. You can create and manage multiple notifiers with the notify command.
  • Added notifier triggers for multiple events: lure_clicked, lure_landed, credential_captured and session_captured.
  • Configure HTTP webhooks to receive phishing session data in real-time to develop custom tooling integrated with Evilginx Pro.
  • Configure Pushover and Slack notifications to quickly get updates on your phishing campaign with fully customizable message content.
  • Added a new config option to set the internal server name, which is used for server identification in event notifications: config server_name <server_name>
  • Added a new tunnelling proxy manager. Create, configure or delete proxies using the proxy command. No server restarts are necessary when changing proxy configuration.
  • Added an option to set a global tunnelling proxy on the server with the config global_proxy <proxy> command.
  • Added an option to set a custom proxy for specific phishlets with phishlets set <phishlet> proxy <proxy> (overrides the global_proxy setting).
  • Added an option to set a custom proxy for specific lures with lures set <id> proxy <proxy> (overrides the global_proxy setting and phishlet proxy setting).
  • Added a command to test the connection with a selected tunnelling proxy: proxy test <proxy>
  • Added an option to uninstall the deployed server and delete all evilginx files with the servers uninstall command.
  • Added an option to define the port for proxy_hosts items allowing reverse proxying connections to ports other than the standard 443.
  • The proxy_hosts configuration for phishlets now supports an explicit port definition, which allows reverse proxying connections to endpoints that don't use the standard port 443.
  • Added further evasion against CSS canary tokens. These tokens previously used escaped strings within CSS url(...) declarations to bypass sub_filters pattern matching in phishlets. The proxy now matches all URL strings inside url(...) blocks, unescaping them before applying the sub_filters pattern matching.
  • Created lures will now store the username of the user who created them.
  • Added more detailed log output to help troubleshoot the loading of custom TLS certificates. The logs now include the file paths of the loaded public and private keys, along with indicators showing whether the loading process was successful.
  • The client will now notify you if the server version it connects to is either older or newer than the client's version.

🛠 Fixes

  • Fixed a bug in the import option of lures get-url, where importing lure parameters from a file caused the generated lure URLs to grow longer each time. The bug happened because parameters from previously generated URLs were not being cleared properly.
  • Fixed a bug where JA4 client signature spoofing would stop working when using a SOCKS5 proxy on the server.
  • The server license will now be updated from the license server on every servers deploy to make sure the server is never deployed with an expired server license.
  • Fixed server deployment for the latest OS versions, which load sysctl config files from the /etc/sysctl.d/ directory instead of the /etc/sysctl.conf file.
  • The Gophish click event no longer triggers on URL clicks. Instead, it triggers once Botguard validates the connection and after the redirector redirects to the phishing page.

🔁 Other changes

  • The session list and session view now include the ID of the lure from which each session originated.

4.2.0 (2025-07-18)

✨ New features

  • Added support for Route53 DNS provider from AWS. Configure with command: domains config <domain> route53 region=aws access_key_id=XXX secret_access_key=XXX.
  • Added support for Gandi.net DNS provider. Configure with command: domains config <domain> gandi api_token=XXX.
  • Lures can now be configured to use custom hostnames, once again. Custom hostnames must include the hostname set up for the corresponding phishlet and must consist of the phishlet hostname or have at most one subdomain directly above the phishlet hostname (e.g. test.domain.com or domain.com).
  • Custom parameters in generated lure URLs can now be encrypted with AES-256 to better avoid detection, using a custom encryption key. The Gophish fork was also updated to support this. You can set the encryption key with: config enc_key <encryption_key>
  • Gophish: Added an option to submit captured credentials to the Gophish server. Configure with command: config gophish submit_credentials <true/false>
  • Gophish: Added an option to send the SHA256 hash of the captured password to the Gophish server instead of the clear text version. Configure with command: config gophish hash_passwords <true/false>
  • You can now set up lure hostnames without subdomains (e.g. domain.com) or use subdomains, which already exist in the phishlet (e.g. www.domain.com).
  • A phishlet's enabled status can now be determined from the list of lures: lures with disabled phishlets are grayed out and those with enabled phishlets are shown in color.
  • The phishlet's hostname is now visible when listing the configured lures.
  • Improved the speed of multi-threaded Javascript obfuscation by increasing the number of concurrent socket connections to the Evilpuppet instance.
  • Javascript obfuscation level can now be changed with command: config obfuscation javascript <off/low/medium/high/ultra>
  • Lures can now be created with a customized query (e.g. /path?one=1&two=2). Lures will now trigger only when all query parameter keys and values match (does not include encrypted custom parameters).
  • Added an option to enable debug output in the server logs for troubleshooting purposes. Configure with command: config debug <true/false>
  • Added support to deploy servers running on Ubuntu 24.10.

🛠 Fixes

  • Fixed an infinite redirect issue caused by URL path collisions with preconfigured lures. Lure URLs now trigger consistently on each access (reverting the one-time-per-session behavior introduced in v4.1.1), and redirects to lure paths are now intelligently handled to prevent unintended retriggering.
  • Fixed parsing of email addresses when adding users to registered servers. Parsing now properly handles the email address format, allowing characters such as hyphens.
  • Proxying the /favicon.ico is now always permitted to prevent browsers from caching the icon from the spoofed website and displaying it in the page's tab.

🔁 Other changes

  • Changed command format for configuring Cloudflare DNS provider to: domains config <domain> cloudflare api_token=XXX.
  • Server owners are now able to view the DNS provider configuration with domains view.
  • Removed DNS propagation checks when retrieving TLS certificates due to issues with the DNS client occasionally failing to resolve records from various DNS providers.

4.1.1 (2025-05-07)

🛠 Fixes

  • Resolved infinite redirect issue: Previously, revisiting a URL path associated with a lure would cause an infinite redirect loop. Lure URLs can now only be triggered once per active proxy session.
  • Fixed incorrect parsing of SRV records by Cloudflare DNS provider.

4.1.0 (2025-04-30)

✨ New features

  • Proxy engine rewrite: The Evilginx reverse proxy engine has been completely rewritten. Expect improved speed, stability, and reliability. Farewell, 8-year-old legacy code.
  • Added HTML body obfuscation of proxied traffic: Javascript obfuscation in <script> tags and removal of comments. This feature will be evolving over time.
  • Added full HTML obfuscation of proxied traffic. HTML content will be base64 encoded with simple randomization. It is disabled by default. It can be enabled on the server with config obfuscation html true (experimental).
  • Added URL rewrite capability to phishlets. Phishlets can now obfuscate URL paths and URL queries to evade client-side protections like Google Safe Browsing phishing page detection in Google Chrome.
  • Improved how the proxy engine modifies HTML content and injects Javascript into the page body.
  • Added a new phishlet property for js_inject to determine the location where the script should be injected on the proxied page: body_top, body_bottom, head.
  • Added an option to print update changelogs with the update view command.

🛠 Fixes

  • Fixed a race condition that occurred when multiple enabled phishlets shared the same hostnames within the proxy_hosts list. You can now use Outlook and MS365 phishlets alongside each other.
  • Fixed broken forwarding of lure URL parameters through the lure redirector. Now, when the lure redirector is used, parameters will be correctly passed to your phishlet on successful redirection.
  • Fixed several stability issues, which caused Evilpuppet to crash when the connection with the background browser was broken.
  • Fixed a problem with TLS certificate retrieval when managing DNS for domains with TLDs having more than one section (e.g. .co.uk).
  • Phishlets will now be checked for syntax errors before being uploaded to the server when the phishlets push command is issued.
  • URLs set for web spoofing unauthorized requests in unauth_url for config and phishlets are now validated server-side and all redirects are auto-followed before changing the value.

🔁 Other changes

  • Deprecated: Custom lure hostnames removed due to low utility and frequent issues.
  • Disabled: DNS management via Digital Ocean. IP resolution problems occurred when the server wasn’t hosted on a droplet.

4.0.3 (2025-02-24)

🛠 Fixes

  • Fixed crash on phishlets pull when the phishlet does not exist on the server.
  • Fixed phishlet child templates being saved even with incorrect custom parameters, preventing the phishlets from properly loading on server restart.
  • Fixed issue where /data/server.json containing server configuration would get replaced with default config on every deployment.
  • Fixed issues with improperly detecting the session, which caused improper replacement of phishing hostnames with original hostnames in POST form-data and other places.
  • Fixed auto-removal of evilginx session cookie in outbound requests.