EvilPanel: The New Face of Automated AiTM Phishing
Phishing attacks have grown far more sophisticated, evolving into adversary-in-the-middle (AiTM) threats capable of bypassing even strong multi-factor authentication (MFA). Instead of simply stealing credentials, attackers now intercept entire login sessions in real time.
Tools like Evilginx2 make this possible by acting as reverse proxies—relaying login pages to targets, capturing credentials and session tokens, and tricking users into authenticating directly through malicious infrastructure.
These phishing sites often appear indistinguishable from the real service, complete with valid TLS certificates and legitimate-looking URLs. With no obvious red flags, users have little reason to suspect anything is wrong.
Now, a newly observed toolkit called EvilPanel takes things a step further. EvilPanel wraps all of Evilginx’s powerful AiTM capabilities into a sleek, user-friendly web interface, eliminating the need for manual configuration and lowering the barrier to entry for would-be attackers.
Visual Command Center for Phishing Operations
The EvilPanel interface is built on top of Evilginx, offering a live dashboard of the phishing infrastructure. At the top, it displays the configured phishing domain, TLS settings, and active network stats.
For example, the screenshot below shows “Current Domain” and confirms AutoCert is enabled to fetch Let’s Encrypt certificates, automatically enabling HTTPS for all phishing pages.

A menu bar (Home, Logs, Traffic, Proxy, Domains, Config) gives quick access to each function. This unified view replaces command-line commands and even shows when settings are applied (e.g., a “Config reloaded” message). By consolidating all system information in one place—including internal DNS port, external IP, certificate status, and more—the dashboard helps the attacker verify that the phishing site is resolving correctly and secured with valid encryption.
Streamlined Phishlet and Lure Management
EvilPanel enumerates all available phishlets in a single table. Each row corresponds to a service (e.g., AIRBNB, AMAZON, FACEBOOK, GOOGLE, etc.), reflecting the standard Evilginx phishlet names. A phishlet is a predefined template that mimics the login page of a specific service, used to deceive targets into entering their credentials. The user can toggle a phishlet on or off and specify a subdomain for it on the chosen domain via the “Hostname” and “Set” fields.
For example, a threat actor could type login.airbnb.<domain> or facebook.<domain> and click “Set” to activate that phishlet. A dedicated “Lures” link in each row generates or displays the phishing URLs (lures) for that template, allowing for custom parameters.

These URLs embed encrypted parameters, such as names or email placeholders, as supported by Evilginx. In this way, EvilPanel turns each phishlet into a configurable campaign entry. The attacker selects the target site, assigns a realistic login subdomain, and crafts personalized lure links—all via the UI.
This mirrors how Evilginx typically uses phishlets as dynamic phishing pages for specific brands. By centralizing the process, EvilPanel allows an attacker to launch and manage dozens of campaigns at once, without the need to manually edit config files.
How EvilPanel Captures Credentials and Tokens
EvilPanel’s core phishing functionality follows the Evilginx model—i.e., it maintains the login flow by acting as a transparent proxy. When a target visits a lure URL, Evilginx fetches and displays the legitimate login page, providing the target with an experience that appears entirely authentic. In practice, this means only valid credentials will allow the session to proceed, and the target will be immediately prompted with the expected MFA challenge for their account.

The result is a clever illusion. Users enter their username, password, and one-time code as usual, and receive the expected “logged in” response. Behind the scenes, however, Evilginx (and thus EvilPanel) quietly captures the session token issued after authentication. This token—typically stored as a cookie—is the attacker’s real prize.
In short, EvilPanel ensures that valid credentials are passed to the real service for login and MFA, while secretly extracting the session token so the attacker can later re-enter the account without needing the credentials again.
Real-Time Logging and Token Capture
All stolen data is displayed live in the “Logs” tab. In the image below, we see a captured credential entry with a sample email/username, the victim’s IP address, and its geolocation (city, region, country, ZIP code, and ISP).
EvilPanel records both the credentials and the associated session token for each login. Even deleted or filtered entries remain recoverable; the UI includes an “Active/Deleted” filter and a “Re-add All” button to restore purged records.

This rich log view makes it easy for the attacker to review every interaction. Behind this interface, Evilginx stores each session’s cookie, which the attacker can extract from the log for reuse. With a single action, the attacker could copy the stolen cookie from the panel, paste it into a browser, and instantly be authenticated as the user.
By integrating credential logging, cookie capture, and target IP metadata into one dashboard, EvilPanel gives attackers real-time situational awareness of the phish, showing who logged in, from where, and what tokens were obtained.
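From the defender's side, the replay described above shows up as one session identifier being used from a context other than the one it was issued in. The following is an added example, not code from EvilPanel, Evilginx, or the original article; the event fields, session IDs, and addresses are constructed, and it assumes the application logs a session ID, client IP, ASN, and User-Agent per request.

```python
# Added example. Constructed session events; field names are hypothetical.
# IPs and ASNs are taken from documentation ranges.
EVENTS = [
    # Ordinary user: IP changes inside the same ASN, same browser.
    {"sid": "s-1001", "type": "login", "ip": "198.51.100.7", "asn": 64500, "ua": "Firefox/128"},
    {"sid": "s-1001", "type": "request", "ip": "198.51.100.99", "asn": 64500, "ua": "Firefox/128"},
    # Replay pattern: cookie issued to one network, later presented from another.
    {"sid": "s-2002", "type": "login", "ip": "203.0.113.20", "asn": 64505, "ua": "Chrome/126"},
    {"sid": "s-2002", "type": "request", "ip": "192.0.2.55", "asn": 64510, "ua": "Chrome/125"},
    {"sid": "s-2002", "type": "request", "ip": "192.0.2.55", "asn": 64510, "ua": "Chrome/125"},
    # Cookie presented with no matching login in the log window.
    {"sid": "s-3003", "type": "request", "ip": "192.0.2.77", "asn": 64510, "ua": "curl/8.5"},
]


def find_replayed_sessions(events):
    """Flag sessions whose cookie is used outside the context it was issued in."""
    issued = {}    # sid -> login event
    findings = {}  # (sid, ip) -> reasons, first sighting only
    for ev in events:
        sid = ev["sid"]
        if ev["type"] == "login":
            issued[sid] = ev
            continue
        origin = issued.get(sid)
        if origin is None:
            reasons = ["no-login-seen"]
        else:
            # An IP change alone is noisy (DHCP, mobile); compare ASN and UA.
            reasons = [f for f in ("asn", "ua") if ev[f] != origin[f]]
        if reasons:
            findings.setdefault((sid, ev["ip"]), reasons)
    return [{"sid": s, "ip": ip, "changed": r} for (s, ip), r in findings.items()]


if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

Findings of this kind are a trigger for revoking the session and forcing re-authentication, since a password reset alone leaves the stolen cookie valid.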
Traffic Monitoring and IP Blacklisting
EvilPanel provides a “Traffic” section to monitor and control incoming connections. As shown below, it can display all connection attempts as well as a list of blocked IPs. In this example, a built-in blocklist file (blacklist.txt) contains a dozen IP addresses that have been barred.
Evilginx 2.4 introduced this exact capability: an automated IP blocklist to block unwanted scanners or defenders. EvilPanel exposes it visually so the operator can toggle blocking without needing to use the command-line interface. Additional traffic filters (e.g., “All,” “Unauthorized,” etc.) let the attacker categorize and sort incoming hits.
Together, these features enable the attacker to track how many targets are engaging and silently drop any connections from security researchers or blocklisted regions.

EvilPanel also includes a “Proxy” tab (one of the dashboard modules) to configure HTTP and SOCKS5 proxies for phishing traffic. Evilginx supports routing requests through external proxies, which helps hide the attacker’s true infrastructure and rotate exit IPs. The UI likely allows the operator to add multiple proxy endpoints and test their functionality.
In tandem, EvilPanel’s logging and traffic views provide geolocation tagging for each target IP (e.g., city, country, ISP, etc.). This geo-IP data can inform the attacker’s targeting strategy—for example, focusing on or excluding users from specific regions.
DNS Management and SSL Setup for Seamless Spoofing
Successful Evilginx attacks rely on a properly registered domain and valid DNS records. EvilPanel’s “Domains” section simplifies this setup.
The dashboard shows the current domain in use (e.g., example.com) and the listening ports (DNS:53, HTTPS:443). Under the hood, Evilginx runs its own DNS server to resolve phishlet hostnames to the attacker’s IP address. EvilPanel likely provides a point-and-click option to assign each phishlet a subdomain, as we saw in the phishlet manager.

EvilPanel also automates TLS certificate issuance. Enabling the “AutoCert” toggle in the UI prompts the system to obtain a Let’s Encrypt certificate for the domain and all associated phishlet subdomains. Prior analyses confirm that Evilginx can request free certificates, ensuring the phishing site shows a valid padlock.
With EvilPanel, this entire DNS/SSL chain is managed behind the scenes. As a result, defenders who rely on HTTPS indicators as a trust signal will be fooled, because the phishing pages present a valid certificate just as the real site does.
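Because a valid certificate is no longer a useful signal, the hostname itself is what defenders can inspect. The following added example (not from the original article or from any tool it describes) flags hostnames that follow the login.airbnb.<domain> and facebook.<domain> pattern from the phishlet section, as they might appear in certificate transparency feeds or DNS and proxy logs. The brand allowlist and sample hostnames are constructed, and the registrable domain is assumed to be the last two labels.

```python
# Added example. Brands to watch and the registrable domains they really own
# (constructed allowlist; extend for your own organisation).
BRANDS = {
    "airbnb": {"airbnb.com"},
    "facebook": {"facebook.com", "fb.com"},
}

# Constructed sample hostnames, e.g. from CT log monitoring or DNS query logs.
SAMPLE_HOSTS = [
    "login.airbnb.example.net",
    "facebook.example.org",
    "www.airbnb.com",
    "m.facebook.com",
    "airbnb-login.example.net",
    "blog.example.com",
]


def split_host(host):
    """Return (subdomain labels, registrable domain).

    Assumption: the registrable domain is the last two labels. Production code
    should consult the Public Suffix List (co.uk and similar need three).
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def flag_lookalikes(hostnames):
    """Flag hosts where a watched brand is a subdomain label of a foreign domain."""
    hits = []
    for host in hostnames:
        sub_labels, base = split_host(host)
        for brand, owned in BRANDS.items():
            if base in owned:
                continue  # the brand's own infrastructure
            # Match the brand as a whole label or as a hyphen-separated token.
            if any(brand in label.split("-") for label in sub_labels):
                hits.append((host, brand))
    return hits


if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE_HOSTS):
        print(f"{host}: brand '{brand}' under a domain it does not own")
```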
Get Better Phishing Protection with Abnormal AI
EvilPanel makes it much easier for criminals to launch advanced phishing attacks. By combining the powerful AiTM proxy tool Evilginx with an easy-to-use interface, even less-skilled attackers can carry out sophisticated scams that used to require expert knowledge.
Features like built-in logging, geo-IP filtering, and blacklisting give attackers tools to track their campaigns and avoid detection. Automated handling of DNS and SSL ensures phishing pages look completely legitimate to victims, with valid HTTPS and correct domain names.
Legacy security tools that rely on rules- and signature-based detection lack the functionality to stop sophisticated, targeted campaigns. Stopping attacks enabled by tools like EvilPanel demands an AI-driven solution—one that understands user behavior, detects subtle anomalies, and intercepts advanced phishing attempts before they ever reach employees.