VPS Management
Manage your VPS servers and installations
| Name | IP Address | Domain | Status | Actions |
|---|
DNS Challenges & SSL
Generate ACME DNS challenges and SSL certificates
Active Installations
View all active installations with web panel access
Admin Panel
Manage users and view all VPS
User Management
| ID | Username | Role | Status | Created | Actions |
|---|
All VPS (All Users)
| ID | Name | IP | Domain | Status | User | Actions |
|---|
BigBear Control
Start, stop, restart, and monitor BigBear instances
Control Actions
Evilginx Logs
Configuration
Manage Evilginx configuration settings
Quick Guide
- Domain: Root domain your server listens on
- External IPv4: Public IP of your VPS
- Unauthorized URL: Redirect for invalid lure visits
- Webhook Verbosity: 0=off, 1=final auth, 2=all
Phishlets
Manage your phishing templates
Quick Guide
- Enable: Activates the phishlet and generates SSL
- Disable: Stops the phishlet
- Hide/Unhide: Returns 404 unless valid Lure ID present
| Name | Status | Domain | Hostname | Unauth URL | Actions |
|---|
Lures
Manage your phishing lures
Quick Guide
- Main URL: Link you send to targets with unique Lure ID
- Redirectors: Fake loading page before phishing page
| ID | Phishlet | Hostname | Path | Main URL | Success URL | Actions |
|---|
Proxy Configuration
Geo-adaptive proxy routing for upstream connections
How Proxy Pool Works
- Geo-Matching: Visitor country is detected via IP intel. If a proxy with a matching country exists, it is used automatically.
- Fallback: If no country match, the first available enabled proxy is used.
- Sync: Click "Sync Pool to VPS" to push your proxy pool from this panel to the VPS config.
Proxy Pool (0 proxies)
| Name | Country | Address | Port | Type | Enabled |
|---|
Legacy Single Proxy (optional fallback)
Blacklist
Manage automatic IP blacklisting
Blacklist Modes
- Off: Ignore blacklist
- Unauth: Block only unauthorized requests
- All: Block all requests from blacklisted IPs
- NoAdd: Block existing, don't add new IPs
Help & Guide
Learn how to use every part of the panel
VPS Management
This is your starting point. Add your VPS servers here, and the panel will connect to them over SSH to manage everything remotely.
Adding a VPS
- Click + Add VPS and fill in the Name, IP, SSH port (default 22), username, and password.
- Set the Domain you will use for phishing (e.g.
example.com). - BigBear Path is where evilginx is installed on the VPS (default:
$HOME/evilginx3). - Telegram Webhook (optional) sends captured credentials to your Telegram. Format:
bot_token/chat_id.
VPS Actions
- Install: Runs the full automated setup (Go, evilginx, certificates) on a fresh VPS.
- Edit: Update IP, credentials, domain, or webhook settings.
- Delete: Removes the VPS from the panel (does not touch the remote server).
Installation Process
When you click Install on a VPS, the panel runs an 8-step automated setup:
- System Update — Updates OS packages and installs dependencies.
- Go Installation — Installs the Go programming language.
- Repository Clone — Clones the evilginx3 source code.
- Building — Compiles the evilginx3 binary.
- ACME Setup — Installs acme.sh for certificate management.
- DNS Challenges — Generates ACME DNS TXT records you must add to your DNS provider.
- Certificate Issuance — After DNS propagation, SSL certificates are issued automatically.
- Final Configuration — Writes config files and starts evilginx.
DNS & SSL Certificates
Manage ACME DNS challenges and SSL certificate generation for your phishing domains.
- Select a VPS to view its pending DNS challenges.
- Each challenge shows a TXT record name and value you need to add at your DNS provider.
- Use the Check Propagation button to verify DNS records have propagated globally.
- Once all records are verified, the installation continues automatically.
BigBear Control
Start, stop, restart, and monitor evilginx instances running on your VPS servers.
- Start: Launches evilginx in a detached screen session. Automatically resolves port conflicts on 53 and 443.
- Stop: Kills all evilginx processes and frees ports 53/443.
- Restart: Stops then starts evilginx cleanly.
- Setup: Runs setup.sh with your domain to configure evilginx (domains, phishlets, certificates).
- Logs: View the live evilginx console output from the screen session.
Configuration
Edit the core evilginx configuration on the selected VPS.
- Domain: The base domain used for phishing (e.g.
example.com). - External IP: Your VPS's public IP address (must match DNS A records).
- Redirect URL: Where unauthorized/blocked visitors are sent (e.g. the real Microsoft login).
- Webhook URL: Telegram bot webhook for real-time credential notifications.
Phishlets
Phishlets define how evilginx impersonates a target website. They control domain mapping, cookie capture, and credential interception.
Status Meanings
- Enabled — Active and intercepting traffic. Requires valid SSL certificates.
- Disabled — Loaded but not intercepting. No DNS/certs needed.
- Hidden — Invisible in listings but can be re-enabled.
Lures & Email Pre-fill
Lures are the phishing URLs you send to targets. When a victim visits a lure URL, evilginx creates a session and redirects them to the phishing login page.
How Lures Work
- Create a lure tied to a phishlet with a custom URL path (e.g.
/meeting). - The full lure URL becomes
https://yourdomain.com/meeting. - When visited, the target gets redirected to the login subdomain (e.g.
login.yourdomain.com) — this is normal and expected. - Set a Redirect URL on the lure to control where the target goes after credentials are captured.
Email Pre-fill Parameters
Append any of these query parameters to your lure URL to pre-fill the victim's email on the login page:
| Plain text | ?email= ?username= ?login_hint= ?user= ?u= |
| Base64 (standard) | ?email_b64= ?username_b64= ?login_hint_b64= ?user_b64= ?u_b64= ?e_b64= |
| Base64 (custom names) | ?coordinate= ?addition= ?location= ?presence= ?dashboard= |
Example
To send a lure with pre-filled email victim@company.com:
https://yourdomain.com/meeting?email=victim@company.com
# Base64 encoded (dmljdGltQGNvbXBhbnkuY29t):
https://yourdomain.com/meeting?coordinate=dmljdGltQGNvbXBhbnkuY29t
Base64 variants are checked first. The decoded email is passed as login_hint to the real login page.
Sessions (Captured Credentials)
Every visitor who interacts with a phishing page creates a session. Sessions capture usernames, passwords, and authentication cookies.
- Tokens = "Yes": Full session cookies were captured. These bypass 2FA and can be imported into a browser to hijack the session.
- Tokens = "No": The visitor landed but did not complete authentication, or cookies were not captured.
- View: Shows full session details including username, password, landing URL, user-agent, and the raw JSON cookie tokens.
Proxy Configuration
Route evilginx upstream traffic through a residential proxy to hide your VPS IP from security systems like Microsoft and Google.
- Type: HTTPS proxy (most common for residential proxies).
- Address/Port: Your proxy provider's hostname and port.
- Username/Password: Proxy authentication credentials.
- Enabled: Toggle the proxy on/off without removing the configuration.
Blacklist & Anti-Bot
Controls how evilginx handles suspicious visitors like bots, scanners, and security researchers.
| Off | Blacklist is completely disabled. All visitors can access phishing pages. |
| Unauth | Block only unauthorized requests (no valid session). New IPs from bots/scanners are automatically added to the blacklist. |
| All | Block ALL requests. Use this to shut down the phishing page after you've captured what you need. |
| NoAdd | Block existing blacklisted IPs but don't automatically add new ones. Good for manual control. |