Skip to main content

Changelog

Welcome to the changelog for Evilginx Pro, the professional version of the Evilginx phishing framework. Evilginx Pro is exclusively designed for advanced red teamers and security professionals.

For a guide on how to update or downgrade to a specific version, please go here.

4.2.0 (2025-07-18)

✨ New features

  • Added support for Route53 DNS provider from AWS. Configure with command: domains config <domain> route53 region=aws access_key_id=XXX secret_access_key=XXX.
  • Added support for Gandi.net DNS provider. Configure with command: domains config <domain> gandi api_token=XXX.
  • Lures can now be configured to use custom hostnames, once again. Custom hostnames must include the hostname set up for the corresponding phishlet and must consist of the phishlet hostname or have at most one subdomain directly above the phishlet hostname (e.g. test.domain.com or domain.com).
  • Custom parameters in generated lure URLs can now be encrypted with AES-256 to better avoid detection, using a custom encryption key. Gophish fork was also updated to support that. You can set the encryption key with: config enc_key <encryption_key>
  • Gophish: Added an option to submit captured credentials to the Gophish server. Configure with command: config gophish submit_credentials <true/false>
  • Gophish: Added an option to send the SHA256 hash of the captured password to the Gophish server instead of the clear text version. Configure with command: config gophish hash_passwords <true/false>
  • You can now set up lure hostnames without subdomains (e.g. domain.com) or use subdomains, which already exist in the phishlet (e.g. www.domain.com).
  • Phishlet's enabled status can now be determined by looking at the list of lures with disabled phishlets being grayed out and enabled ones in color.
  • Phishlet's hostname is now visible when listing the configured lures.
  • Improved the speed of multi-threaded Javascript obfuscation by increasing the number of concurrent socket connections to the Evilpuppet instance.
  • Javascript obfuscation level can now be changed with command: config obfuscation javascript <off/low/medium/high/ultra>
  • Lures can now be created with a customized query (e.g. /path?one=1&two=2). Lures will now trigger only when all query parameter keys and values match (does not include encrypted custom parameters).
  • Added an option to enable debug output in the server logs for troubleshooting purposes. Configure with command: config debug <true/false>
  • Added support to deploy servers running on Ubuntu 24.10.

🛠 Fixes

  • Fixed an infinite redirect issue caused by URL path collisions with preconfigured lures. Lure URLs now trigger consistently on each access (reverting the one-time-per-session behavior introduced in v4.1.1), and redirects to lure paths are now intelligently handled to prevent unintended retriggering.
  • Fixed parsing of email addresses when adding users to registered servers. Parsing now properly handles the email address format, allowing characters such as hyphens.
  • Proxying the /favicon.ico is now always permitted to prevent browsers from caching the icon from the spoofed website and displaying it in the page's tab.

🔁 Other changes

  • Changed command format for configuring Cloudflare DNS provider to: domains config <domain> cloudflare api_token=XXX.
  • Server owners are now able to view the DNS provider configuration with domains view.
  • Removed DNS propagation checks when retrieving TLS certificates due to issues with the DNS client occasionally failing to resolve records from various DNS providers.

4.1.1 (2025-05-07)

🛠 Fixes

  • Resolved infinite redirect issue: Previously, revisiting a URL path associated with a lure would cause an infinite redirect loop. Lure URLs can now only be triggered once per active proxy session.
  • Fixed incorrect parsing of SRV records by Cloudflare DNS provider.

4.1.0 (2025-04-30)

✨ New features

  • Proxy engine rewrite: The Evilginx reverse proxy engine has been completely rewritten. Expect improved speed, stability, and reliability. Farewell, 8-year-old legacy code.
  • Added HTML body obfuscation of proxied traffic. Javascript obfuscation in <script> tags and removal of comments. This feature will be evolving over time.
  • Added full HTML obfuscation of proxied traffic. HTML content will be base64 encoded with simple randomization. It is disabled by default. Can be enabled on server with config obfuscation html true (experimental).
  • Added URL rewrite capability to phishlets. Phishlets can now obfuscate URL paths and URL queries to evade client-side protections like Google Safe Browsing phishing page detection in Google Chrome.
  • Improved how the proxy engine modifies HTML content and injects Javascript into the page body.
  • Added a new phishlet property for js_inject to determine the location where the script should be injected on the proxied page: body_top, body_bottom, head.
  • Added option to print update changelogs with update view command.

🛠️ Fixes

  • Fixed a race condition issue with having multiple phishlets enabled, which shared same hostnames within the proxy_hosts list. You can now use Outlook and MS365 phishlets alongside each other.
  • Fixed broken lure URL parameters forwarding through the lure redirector. Now when lure redirector is used, parameters will be correctly passed to your phishlet on successful redirection.
  • Fixed several stability issues, which caused Evilpuppet to crash when connection with the background browser was broken.
  • Fixed problem with TLS certificate retrieval when managing DNS for domains with TLDs having more than one section (e.g. .co.uk).
  • Phishlets will now be checked for syntax errors before being uploaded to the server when phishlets push command is issued.
  • URLs set for web spoofing unauthorized requests in unauth_url for config and phishlets are now validated server-side and all redirects are auto-followed before changing the value.

🔁 Other changes

  • Deprecated: Custom lure hostnames removed due to low utility and frequent issues.
  • Disabled: DNS management via Digital Ocean. IP resolution problems occurred when the server wasn’t hosted on a droplet.

4.0.3 (2025-02-24)

🛠 Fixes

  • Fixed crash on phishlets pull when the phishlet does not exist on the server.
  • Fixed phishlet child templates being saved even with incorrect custom parameters, preventing the phishlets from properly loading on server restart.
  • Fixed issue where /data/server.json containing server configuration would get replaced with default config on every deployment.
  • Fixed issues with improperly detecting the session, which caused improper replacement of phishing hostnames with original hostnames in POST form-data and other places.
  • Fixed auto-removal of evilginx session cookie in outbound requests.