Traditional phishing techniques are no longer enough; modern authentication systems now rely on Multi-Factor Authentication (MFA) for added security. However, attackers are evolving with new methods like Evil-noVNC, a powerful Browser-in-the-Browser (BitB) attack that uses noVNC to launch highly convincing phishing campaigns.

Evil-noVNC allows cybercriminals to replicate real login environments directly inside the victim’s browser, presenting legitimate authentication pages from services like Gmail, Microsoft 365, and Okta. This advanced Adversary-in-the-Middle (AiTM) attack captures not only usernames and passwords but also MFA tokens and active session cookies; enabling full account compromise even with MFA protection enabled.

Learn how Evil-noVNC works, why it’s a growing threat in 2025, and how to defend against this next gen phishing technique.

Table of Content

• Overview
• Prerequisites
• Setup
• Execution
• Mitigation
• Conclusion

Overview

EvilnoVNC is an advanced Adversary-in-the-Middle (AiTM) phishing method that enables attackers to fully bypass Multi-Factor Authentication (MFA) by capturing live session data.

Here’s how it works:

• The attacker sets up a browser session inside a VNC/X11 virtual desktop environment.
• Then, this session is made accessible over the internet using noVNC, allowing remote browser interaction.
• Within this virtual browser, the attacker loads a real login page (e.g., Gmail, Microsoft 365).
• A phishing link to this session is delivered to the victim via email, QR code, or other social engineering tactics.
• As the victim interacts with the authentic login interface, the attacker silently captures user credentials, MFA codes, and active session cookies, enabling full account takeover

This technique presents a legitimate looking login flow, making it nearly indistinguishable from the real thing; making EvilnoVNC a powerful tool in the modern phishing arsenal.

Prerequisite

• Kali Linux or any Linux distro with Python & Docker installed
• EvilnoVNC repository cloned (GitHub)
• Python3
• chromium

Setup

Clone and Setup the Tool

Firstly, Start by cloning the EvilnoVNC repository and installing all required dependencies (Python3, Flask, noVNC packages, and X11 support).

git clone https://github.com/JoelGMSec/EvilnoVNC
cd EvilnoVNC
sudo chown -R 103 Downloads

To ensure Docker has the proper access to build context files. The ownership of the Downloads directory is first changed to match the container’s internal user.

Then, the Evil-noVNC phishing environment is packaged into a Docker image, preparing it for containerized deployment.

Execution

Launching Evil-noVNC with Targeted Phishing Page

sudo chmod +x *
sudo ./start.sh 1920x1080x24 https://mail.google.com

This step makes all scripts executable. It then launches a virtual desktop inside a Docker container at the specified resolution and opens the real Gmail login page in a browser, exposing it interactively via noVNC over WebSockets.

Victim View – The Deceptive Link

We receives a phishing link (email, text, QR).Once opened, we see the real Google login page, but it’s being rendered through the attacker’s noVNC session in their browser; this is the core of the deception.

From there, we move through a familiar login flow:

Firstly, we enter our email address.

Next, our password.

Finally, we complete Multi-Factor Authentication (MFA).

Unknowingly, every step we take is visible to the attacker in real time; including our credentials, MFA codes, and session cookies; giving them full access to our account.

Note: The core idea is that the noVNC session displays the real login page in a way that’s visually identical to a native browser tab, making this Browser-in-the-Browser (BitB) technique far more convincing than traditional fake pages or HTML clones.

We accessed a link at http://192.168.1.39, unknowingly entering a phishing session where we interacted with the real Gmail interface running inside the attacker’s VNC browser; while all our input was silently captured in their environment.

Note:The Gmail login page seen here is not a fake clone, but the real Gmail interface loaded inside the attacker’s VNC-based browser. Because it’s accessed over noVNC, all victim input is rendered inside the attacker’s environment.

Attacker View – The Controlled Browser

Gmail stays open on our(attacker’s) localhost, giving us a real time view of the victim’s actions within the Dockerized VNC session. Demonstrating Evil-noVNC’s power to provide full interactive control without any code injection or HTTP proxying.

Key Advantage:

This setup allows attackers to capture credentials in real time. Attackers can also bypass MFA prompts, retrieve session tokens immediately after login, and maintain full control of the victim’s session.

All this confirms the victim is using Gmail within an attacker-hosted VNC session. The attacker monitors and controls the session locally, bypassing traditional phishing detection and stealing full authenticated sessions in real time.

Next, extracts session cookies from our(attacker’s) own browser since the session runs in our environment. Imports them into Chromium for full access without needing phishing artifacts, code injection, or traffic proxying.

Visiting chrome://history in Chromium shows the victim’s browsing history, since the session originated and ran entirely within the attacker’s Evil-noVNC-controlled browser.

Evil-noVNC often logs keystrokes during the victim’s session. By accessing the /novnc/download/ directory, we can find keylogger output files (e.g., .txt logs) containing captured inputs. Such as the victim’s Gmail username and password; typed during login. This provides a clear text record of credentials alongside session access.

Inside the /novnc/download/ directory, we can also retrieve a cookies.txt file containing exported session cookies from the VNC browser.

You can import these cookies into another browser like Chromium to instantly hijack the victim’s authenticated session without needing their credentials or MFA.

Mitigation

• Use phishing resistant MFA (WebAuthn, Passkeys)
• Monitor suspicious noVNC sessions or tunneling tools
• Deploy browser side detection (look for noVNC canvas patterns)
• Train users to detect BitB phishing attacks (UI anomalies, pop-out windows)
• Use device bound tokens for authentication (OAuth device binding)

Conclusion

Evil-noVNC is not just a phishing page; it’s a live, adversary in the middle environment. It convincingly defeats MFA by making victims interact with real websites while attackers siphon off credentials and sessions in real time.

Knowing how this works is the first step toward building defense.

To learn more about Red Teaming. Follow this Link.

Author: MD Aslam drives security excellence and mentors teams to strengthen security across products, networks, and organizations as a dynamic Information Security leader. Contact here