
Phishlets 2.0

Phishlets are the configuration files that drive the Evilginx reverse proxy. Each phishlet targets one or more websites and describes — in a single declarative file — every transformation the proxy must perform to deliver a transparent phishing simulation: which hosts to proxy, which URLs to rewrite, what data to capture, what to inject, and what to block.

Phishlets 2.0 is the upgraded format introduced with Evilginx Pro 5.0.0. It replaces the legacy YAML format from Phishlets 1.0 and provides a single, structured way to express request and response transformations, multi-step rewrite chains, and resource interception.

Availability

Phishlets 2.0 currently runs on Evilginx Pro 5.0.0 and later. Support for Evilginx Community Edition (CE) is planned for 2026.

File layout

A Phishlet 2.0 lives in its own directory on disk:

my-phishlet/
├── config.hjson      # The phishlet configuration (this format)
├── static/           # Files referenced from rewrite/inject/intercept via the @ prefix
│   ├── signin.js
│   └── index.html
└── evilpuppet/       # Evilpuppet plugin scripts referenced via the @ prefix
    └── plugin.js

The main configuration file is config.hjson. The format is HJSON — a relaxed superset of JSON that allows comments, omits commas at line ends, and does not require quoting around keys. Anywhere this documentation shows a code block tagged jsonc, the same content is valid HJSON.

Any string value in config.hjson may reference a file from the static/ directory by prefixing it with @. For example, data: "@signin.js" loads the contents of static/signin.js. The evilpuppet.plugin field uses the same @ convention but resolves against the evilpuppet/ directory instead. To use a literal @ at the start of a string, escape it: "\\@literal".
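The following Python snippet is an added example, not Evilginx's own loader, showing how the @ convention above resolves once config.hjson has been parsed: every "@name" string loads static/name, the single exception evilpuppet.plugin loads from evilpuppet/, and a leading "\@" is the escape for a literal "@". The config dict is constructed to stand in for the output of an HJSON parser (the third-party hjson package yields the same structure); the temp directory layout, file contents and the refusal of references that climb out of static/ or evilpuppet/ are this example's own choices, not documented Evilginx behaviour.

```python
"""Resolve '@' file references in a parsed Phishlet 2.0 config.

Added example, not Evilginx code. The config is a constructed dict
standing in for the output of an HJSON parser; the phishlet directory
is built in a temp dir so the example runs offline.
"""
import tempfile
from pathlib import Path

STATIC_DIR = "static"
EVILPUPPET_DIR = "evilpuppet"


def _read_under(root: Path, name: str) -> str:
    """Read root/name, refusing anything that escapes root (e.g. '@../x').

    The traversal check is this example's addition; a phishlet should only
    ever reference files inside its own directory.
    """
    root = root.resolve()
    target = (root / name).resolve()
    if root != target and root not in target.parents:
        raise ValueError(f"reference {name!r} escapes {root.name}/")
    return target.read_text(encoding="utf-8")


def resolve_refs(node, phishlet_dir, path=()):
    """Return a copy of `node` with '@file' strings replaced by file contents.

    - '@name' under any key loads static/name
    - '@name' at evilpuppet.plugin loads evilpuppet/name instead
    - a string starting with '\\@' (HJSON "\\\\@") is the escape for a literal '@'
    """
    phishlet_dir = Path(phishlet_dir)
    if isinstance(node, dict):
        return {k: resolve_refs(v, phishlet_dir, path + (k,)) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, phishlet_dir, path) for v in node]
    if isinstance(node, str):
        if node.startswith("\\@"):
            # Assumption: the loader drops the backslash after parsing.
            return node[1:]
        if node.startswith("@"):
            subdir = EVILPUPPET_DIR if path[-2:] == ("evilpuppet", "plugin") else STATIC_DIR
            return _read_under(phishlet_dir / subdir, node[1:])
    return node


def demo():
    """Build a throw-away phishlet directory and resolve a constructed config."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "my-phishlet"
        (root / STATIC_DIR).mkdir(parents=True)
        (root / EVILPUPPET_DIR).mkdir()
        (root / STATIC_DIR / "signin.js").write_text("console.log('injected');", encoding="utf-8")
        (root / EVILPUPPET_DIR / "plugin.js").write_text("module.exports = {};", encoding="utf-8")

        # Constructed config, shaped like what an HJSON parser returns.
        config = {
            "landing_url": "https://example.com/",
            "inject": [{"data": "@signin.js"}],
            "evilpuppet": {"plugin": "@plugin.js"},
            "notes": "\\@literal",  # written "\\@literal" in config.hjson
        }
        resolved = resolve_refs(config, root)

        # A reference that climbs out of static/ must be rejected.
        try:
            resolve_refs({"inject": [{"data": "@../evilpuppet/plugin.js"}]}, root)
            escaped = False
        except ValueError:
            escaped = True
        return resolved, escaped


if __name__ == "__main__":
    print(demo())
```

Keyed on the parent path rather than on the key name alone, the resolver sends only evilpuppet.plugin to evilpuppet/; a "plugin" key anywhere else still resolves against static/, which matches the rule as the page states it.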

Root fields

The top level of config.hjson contains these fields:

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| landing_url | string | yes | | The URL that is opened in the visitor's browser when they click the phishing lure. Should point to the sign-in page of the targeted website. |
| redirect_url | string | no | "" | URL the visitor is redirected to after the session is fully captured. Overridden by the lure's own redirect_url if set. If empty, the proxy keeps serving the session. |
| required_ver | string | no | | Minimum Evilginx version required to load the phishlet, in semver form (e.g. "5.0.0"). The phishlet fails to load on older binaries. |

The remaining root-level keys are entire configuration sections. Each is documented on its own page:

| Section | Page | Purpose |
|---|---|---|
| params | Params | Declare ${...} placeholders the user can override per phishlet or per lure |
| proxy | Proxy | List the real hostnames the reverse proxy will serve |
| options | Options | Toggle automatic URL detection and rewriting |
| rewrite | Rewrite | Rewrite URLs, request data, and response data |
| capture | Capture | Capture session cookies and tokens (including credentials) |
| intercept | Intercept | Short-circuit requests with a custom response (block / serve / redirect) |
| inject | Inject | Inject JavaScript into proxied HTML pages |
| evilpuppet | Evilpuppet | Attach an Evilpuppet automation plugin to the phishlet |

Two shared building blocks are referenced throughout these sections:

  • Trigger — the filter that decides which requests or responses a rule applies to.
  • Locator — the descriptor that pinpoints a specific value inside a request or response.

And two value-format references:

  • String Matcher — the syntax used by match_value, hostname, path, header, method, and other "search or value" fields. Supports glob, regex, parameter placeholders, and capture groups.
  • JSON Path — the syntax used by match_key when locating values inside JSON bodies.

Reserved placeholders

Anywhere this format accepts a string, the following placeholder syntaxes are recognised:

| Placeholder | Where | Replaced with |
|---|---|---|
| ${param-name} | Any string | The value of a parameter declared in params, set on the lure, or captured from the session. |
| ${0}, ${1}, …, ${N} | rewrite.value, rewrite.chained_value, token.value, cookie.value | Capture groups from the regex in the rule's match_value. ${0} is the full match. |
| ${rewrite_id} | rewrite.urls[].rewrite.path / .query.* | A random session-scoped integer used to disguise URL paths (see Rewrite → URLs). |

For details on quoting, escaping, value modifiers (e.g. ${name:regexp}), and parameter resolution order, see the String Matcher reference.
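To make the placeholder rules concrete, here is an added Python example (not Evilginx code) that expands ${name} and ${N} in a rule's value: ${N} is capture group N of the regex in match_value, ${0} is the whole match, and ${name} is a parameter. The rule shape {match_value, value}, the hostnames, the regex and the precedence session capture > lure > params default are all constructed for this example; the real resolution order and the ${name:regexp} modifier are defined in the String Matcher reference and are not modelled here. Unknown placeholders raise rather than being passed through, which is this example's choice so that a typo in a phishlet fails loudly.

```python
"""Expand ${...} placeholders the way a rewrite rule's value is built.

Added example, not Evilginx code. Models only what the page states:
${name} from a parameter, ${N} from capture group N of match_value,
${0} the full match. Precedence session > lure > params is assumed.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_-]+)\}")


def resolve_params(declared, lure=None, session=None):
    """Merge parameter sources; later sources win (assumed order)."""
    merged = dict(declared)
    merged.update(lure or {})
    merged.update(session or {})
    return merged


def expand(template, params, match=None):
    """Replace ${name} and ${N} in template. Unresolvable placeholders raise KeyError."""
    def sub(m):
        key = m.group(1)
        if key.isdigit():
            if match is None:
                raise KeyError(f"${{{key}}} used but the rule has no regex match")
            idx = int(key)
            if idx > match.re.groups:
                raise KeyError(f"${{{key}}} exceeds {match.re.groups} capture groups")
            return match.group(idx) or ""  # unmatched optional group -> empty
        if key not in params:
            raise KeyError(f"undeclared parameter ${{{key}}}")
        return params[key]
    return PLACEHOLDER.sub(sub, template)


def apply_rewrite(rule, text, params):
    """Apply a simplified {match_value, value} rule to text (constructed rule shape)."""
    pattern = re.compile(rule["match_value"])
    return pattern.sub(lambda m: expand(rule["value"], params, m), text)


def demo():
    # Constructed parameters: a params-section default overridden on the lure.
    params = resolve_params(
        {"phish_host": "login.example.com"},
        lure={"phish_host": "accounts.example-login.test"},
    )
    # Constructed rule: regex with two capture groups, value using ${1} and ${2}.
    rule = {
        "match_value": r"https://login\.example\.com/(common|organizations)/oauth2/(\w+)",
        "value": r"https://${phish_host}/${1}/oauth2/${2}",
    }
    body = 'redirect("https://login.example.com/common/oauth2/authorize")'
    rewritten = apply_rewrite(rule, body, params)

    # ${0} expands to the whole regex match.
    match = re.compile(rule["match_value"]).search(body)
    full_match = expand("${0}", params, match)

    # A placeholder that no source can satisfy must not pass through silently.
    try:
        expand("${missing}", params)
        undeclared_rejected = False
    except KeyError:
        undeclared_rejected = True

    return {
        "rewritten": rewritten,
        "full_match": full_match,
        "undeclared_rejected": undeclared_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the replacement is computed per match, a rule whose match_value has fewer groups than its value references fails on the first hit instead of emitting a half-rewritten URL to the victim's browser.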

A minimal phishlet

The smallest valid phishlet just defines a landing URL and a single proxied host:

{
  landing_url: "https://example.com/"
  proxy: {
    hosts: [
      { hostname: "example.com" }
    ]
  }
}

For a complete, real-world example, walk through the M365 phishlet line by line.

Official phishlets

The following phishlets are officially maintained and tested with Evilginx Pro:

  • Microsoft 365 (after April 2025 update)
  • Microsoft Outlook (after April 2025 update)
  • Okta (2025)
  • Google
Warning: We do our best to keep these phishlets up to date, but we cannot guarantee they will work at all times. Authentication flows change frequently and may break phishlet functionality without notice.

Community phishlets

In addition to the official list, many more phishlets are shared and regularly updated by users in our private BREAKDEV RED Discord community. To join, follow the registration link.