Params
The params section declares the custom parameters a phishlet can use. Once declared, a parameter is referenced anywhere in config.hjson as ${name} and is replaced at runtime with its current value. Parameters make a phishlet portable across deployments — domain names, tenant identifiers, target IDs, and other per-engagement values can be set without editing the phishlet itself.
Shape
params is an array of parameter objects:
params: [
  { name: "lab-domain", value: "lab.evilginx.com", required: true }
  { name: "tenant", value: "", required: false }
]
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | yes | — | The parameter name. Referenced as ${name}. Allowed characters: alphanumerics, -, _, :. |
| value | string | no | "" | The default value, used when nothing more specific is provided. |
| required | bool | no | false | When true, the phishlet refuses to enable until the user provides a non-empty value. |
A required parameter without a user-supplied value blocks the phishlet from being enabled; an optional parameter falls back to value (or empty string).
Setting a parameter
From the Evilginx console:
phishlets set <phishlet> params <name>=<value>
A parameter may also be supplied via a lure's custom parameters — useful when the same phishlet drives multiple lures with different per-target values.
Resolution order
When ${name} is encountered in the configuration, Evilginx resolves it from the highest-priority source available:
- Captured tokens — values captured during the live proxy session.
- Lure custom parameters — values bound to the lure that delivered the visitor.
- Phishlet parameters — defaults declared in params.
The first source that defines the name wins. If none does, the placeholder remains unsubstituted (and the rule that referenced it will not match the data you expected).
See String Matcher → Parameters & placeholders for naming rules, escaping, and the :regexp modifier.
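The resolution order above, sketched as an added example (not Evilginx's own code). The names `Resolve` and `MissingRequired` and all sample values are assumptions made for illustration, and the :regexp modifier is not handled.

```go
package main

import (
	"fmt"
	"regexp"
)

// Param mirrors one entry of the params array (name, value, required).
type Param struct {
	Name, Value string
	Required    bool
}

// Matches ${name} with the allowed characters: alphanumerics, -, _, :
var placeholder = regexp.MustCompile(`\$\{([A-Za-z0-9_:-]+)\}`)

// Resolve replaces each ${name} in s from the first source that defines it.
// Pass sources highest priority first. Assumption: a key present in a map
// counts as "defined". Undefined placeholders are left untouched.
func Resolve(s string, sources ...map[string]string) string {
	return placeholder.ReplaceAllStringFunc(s, func(m string) string {
		name := m[2 : len(m)-1] // strip "${" and "}"
		for _, src := range sources {
			if v, ok := src[name]; ok {
				return v
			}
		}
		return m
	})
}

// MissingRequired returns required params lacking a non-empty user value.
func MissingRequired(params []Param, user map[string]string) []string {
	var missing []string
	for _, p := range params {
		if p.Required && user[p.Name] == "" {
			missing = append(missing, p.Name)
		}
	}
	return missing
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	captured := map[string]string{"sid": "abc123"}
	lure := map[string]string{"tenant": "lure-tenant"}
	phishlet := map[string]string{"tenant": "default-tenant", "lab-domain": "lab.example.test"}
	fmt.Println(Resolve("https://akira.${lab-domain}/?t=${tenant}&x=${unset}", captured, lure, phishlet))
}
```

The `${unset}` placeholder survives in the output, which is the unsubstituted case described above.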
Where parameters can be used
${...} placeholders are valid in any string value of the phishlet — including the landing_url, every field of a Trigger, every match_key / match_value in a Locator, and every replacement value in a rewrite or capture rule.
A common pattern is to factor out the deployment-specific domain:
{
  landing_url: "https://akira.${lab-domain}/"
  params: [
    { name: "lab-domain", value: "lab.evilginx.com", required: true }
  ]
  proxy: {
    hosts: [
      { hostname: "${lab-domain}", proxy_subdomain: "root" }
      { hostname: "akira.${lab-domain}" }
      { hostname: "bladerunner.${lab-domain}" }
    ]
  }
}
Changing lab-domain once retargets the entire phishlet.