EvilProxy is a productized phishing service sold on the dark web that bypasses MFA by reverse-proxying the legitimate login flow and stealing the resulting session cookie, extending attacks to mainstream online services and software supply chains. It targets developers and end users with campaigns against PyPI, GitHub, npmjs, and major brands, and is sold as a subscription over TOR with admin vetting of customers. #EvilProxy #Moloch #PhishingAsAService #MFABypass #ReverseProxy #CookieInjection #SupplyChain
Keypoints
- EvilProxy is a new Phishing-as-a-Service (PhaaS) advertised on Dark Web marketplaces, sometimes called Moloch, linked to prior phishing kits targeting financial institutions and e-commerce.
- It uses reverse proxying and cookie injection to bypass 2FA: the victim's traffic to the legitimate site is relayed through attacker infrastructure, so the authenticated session (cookie) is captured after the MFA step has already been completed.
- Early activity tied to attacks against Google and Microsoft customers with MFA enabled (SMS or app-based tokens).
- The platform supports supply-chain phishing against PyPI, GitHub, and npmjs to reach downstream targets and developers.
- It’s sold on a subscription model (10, 20, or 31 days) for about $400/month, with a TOR-hosted portal and Telegram for payments; admin “John_Malkovich” vets new customers.
- Activation involves SSH credentials to deploy a Docker container and scripts; the installer references a GitLab-based control agent and upstream traffic routing.
- Actors employ anti-detection methods (domain masquerading, VPNs/Proxies/TOR, VM-detection, and victim redirection) to evade researchers and defenses.
MITRE Techniques
- [T1566.002] Spearphishing Link – “the actors running it released a demonstration video detailing how it could be used to deliver advanced phishing links with the intention to compromise consumer accounts belonging to major brands…”
- [T1195] Supply Chain Compromise – “The functionality of EvilProxy also supports GitHub and npmjs … enabling supply chain attacks via advanced phishing campaigns.”
- [T1539] Steal Web Session Cookie – “videos released by EvilProxy actors demonstrating how it can be used to steal the victim’s session and successfully go through Microsoft 2FA and Google e-mail services…”
- [T1090] Proxy – “EvilProxy uses the ‘Reverse Proxy’ principle… the reverse proxy concept is simple: the bad actors lead victims into a phishing page, use the reverse proxy to fetch all the legitimate content … it sniffs their traffic as it passes through the proxy.”
- [T1036] Masquerading – “The bad actors register similar (by spelling) domains with the intention of masking them under legitimate online-services.”
- [T1497] Virtualization/Sandbox Evasion – “The bad actors are especially diligent when it comes to detecting possible virtual machines…”
- [T1105] Ingress Tool Transfer – “After activation, the operator will be asked to provide SSH credentials to further deploy a Docker container and a set of scripts.”
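As an added defender-side example (not code from the original report), the following Python flags the cookie-injection pattern described under T1539 and T1090: a session established at LOGIN that is later used from a different client IP or user agent, which is what an injected stolen cookie looks like in an identity provider's audit log. The log format, field names and values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log (not from the report): one LOGIN per session,
# followed by ACCESS events carrying the same session id (sid).
SAMPLE_LOG = """\
2022-09-05T10:01:12Z LOGIN user=alice sid=s1 ip=203.0.113.7 ua=Chrome/105
2022-09-05T10:01:40Z ACCESS user=alice sid=s1 ip=203.0.113.7 ua=Chrome/105
2022-09-05T10:03:02Z ACCESS user=alice sid=s1 ip=198.51.100.9 ua=Firefox/104
2022-09-05T11:15:00Z LOGIN user=bob sid=s2 ip=192.0.2.44 ua=Safari/16
2022-09-05T11:40:10Z ACCESS user=bob sid=s2 ip=192.0.2.45 ua=Safari/16
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) user=(?P<user>\S+) sid=(?P<sid>\S+) "
    r"ip=(?P<ip>\S+) ua=(?P<ua>\S+)"
)

@dataclass
class Finding:
    ts: str
    user: str
    sid: str
    reasons: tuple  # which parts of the client fingerprint changed

def parse(log_text):
    """Parse the constructed log format into dicts; skip lines that do not match."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_session_reuse(log_text):
    """Compare every ACCESS event against the (ip, ua) fingerprint recorded at LOGIN
    for the same sid and report any mismatch."""
    baseline = {}  # sid -> (ip, ua) seen when the session was created
    findings = []
    for ev in parse(log_text):
        if ev["event"] == "LOGIN":
            baseline[ev["sid"]] = (ev["ip"], ev["ua"])
            continue
        if ev["sid"] not in baseline:
            reasons = ("no-login-seen",)  # cookie used without a login in this window
        else:
            login_ip, login_ua = baseline[ev["sid"]]
            reasons = tuple(r for r, changed in (("ip-changed", ev["ip"] != login_ip),
                                                 ("ua-changed", ev["ua"] != login_ua)) if changed)
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], ev["sid"], reasons))
    return findings

def severity(finding):
    """An IP change alone is common for roaming users; a user-agent change on the same
    session is a much stronger sign that the cookie is being replayed elsewhere."""
    return "high" if "ua-changed" in finding.reasons or "no-login-seen" in finding.reasons else "low"
```

Tune the severity rule to your environment: binding the session to more stable attributes than source IP (device certificate, token binding) reduces the low-severity noise that mobile roaming produces.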
Indicators of Compromise
- [IP] 147.78.47.250, 185.158.251.169
- [Domain] msdnmail.net, evilproxy.pro, cpanel.evilproxy.pro, rproxy.io, login-live.rproxy.io, top-cyber.club
- [Domain] cpanel.pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd.onion
- [URL] gw1.usd0182738s80.click:9000, gw2.usd0182738s80.click:9000