June 6, 2023

A new Phishing-as-a-Service (PhaaS) named EvilProxy that uses reverse proxy and cookie injection that bypasses security mechanisms was seen for sale in dark web forums

The analysis warns that such methods have been seen in targeted campaigns of advanced persistent threats and cyber-espionage groups.


Based on the detailed research, the substantial knowledge about EvilProxy, including its structure, modules, functions and the network infrastructure used has been obtained by the researchers.

EvilProxy malware was first spotted in early May 2022, when the threat actors behind it released a demonstration video describing how it could be used to deliver advanced phishing links.

EvilProxy also supports phishing attacks against Python Package Index. Several PyPi software repository project contributors were subject to a phishing attack aimed at tricking them into divulging their account login credentials last week.

JuiceStealer payload, was now connected to EvilProxy actors, in which the Threat actors would have added this function shortly before the attack was performed.

The analysis also suggests it is highly likely these threat actors target software developers and IT engineers in order to gain access to their repositories with the end goal of hacking “downstream” targets. 

This research was conducted and documented by researchers from ReSecurity


Indicators of Compromise

  • 147[.]78[.]47[.]250
  • 185[.]158[.]251[.]169
  • 194[.]76[.]226[.]166
  • msdnmail[.]net
  • evilproxy[.]pro
  • top-cyber[.]club
  • rproxy[.]io
  • login-live.rproxy[.]io
  • gw1.usd0182738s80[.]click:9000
  • gw2.usd0182738s80[.]click:9000
  • cpanel.evilproxy[.]pro
  • cpanel.pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd[.]onion

Leave a Reply

%d bloggers like this: