The complete open source phishing framework.
Simulation, AiTM proxy, remote browser phishing and much more. Built for red teams and security providers.

Build phishing simulations that actually convince.
Define the email lure, before page, landing page, after page and attachments in a single reusable template. Write pages and emails in a code editor with live split screen preview. Template variables inject name, position, department, city and country into every element. QR code support, randomized values and per recipient tracking links built in. Copy link or print per recipient for physical delivery simulations.
Campaign guide →
Capture credentials, session cookies and tokens. Bypasses MFA.
Configure via YAML or the visual builder. Define domain mappings, capture rules, rewrite rules and URL rewrites. Regex, DOM and header rewrite engines apply on every request. Captures credentials, session cookies and tokens from every proxied request.
Proxy guide →
The real browser runs on your server. The victim sees a page you design.
A Chromium instance runs server side and executes a script over CDP. Events pass between the phishing page and the remote browser over WebSocket. Stream real browser content into the phishing page. After authentication the browser stays live. Connect to the session from the operator panel and take over the authenticated browser directly.
Remote browser guide →
Bots and scanners see clean content. Real recipients see the phishing page.
IP/CIDR filters block crawlers, scanners and, via geo-IP filtering, entire countries. JA4 TLS fingerprint filters with wildcard patterns identify automated clients. HTTP header rules match by name and value. Evasion pages serve clean content to automated visitors while real recipients proceed normally. HTML obfuscation dynamically rewrites page output on each request. Custom deny pages per campaign.
Filtering guide →
Campaign platform
All techniques share the same campaign management, scheduling, recipient tracking, analytics and multi-tenant layer.
Delivery
SMTP or API senders over any HTTP endpoint. OAuth-backed delivery via any OAuth 2.0 provider. Self-managed campaigns with copy HTML, copy URL per recipient, or print for physical delivery.
Scheduling
Time box distributes sends evenly across a window. Daily slots restrict delivery to specific weekdays and hours. Sort by department, city or other recipient attributes. Auto-close and auto-anonymize.
Recipients and groups
Static groups and dynamic groups that filter by department, position, city or country and update automatically. Repeat offender tracking. Per-recipient analytics across all campaigns.
Multi-tenant
Multiple companies per instance. Shared resources available to all companies. Company data, recipients and campaigns are isolated. Per-company export. Whitebox mode for less technical operators.
Evasion and filtering
IP and JA4 TLS fingerprint filtering with wildcard patterns. HTTP header rules. Evasion pages show clean content to scanners. HTML obfuscation. Custom deny pages. Per-campaign configuration.
Analytics
Open, click, submit and report tracking. Campaign timeline and dashboard trendline. Score cards. CSV export. Webhook events per campaign with selectable event types and data levels.
Integration and tooling
- Webhooks: HMAC-SHA256 signed. Per-webhook event selection and data levels.
- REST API: API key per user for programmatic campaign and recipient management.
- Session Sushi: browser extension. Import captured cookie bundles and OAuth tokens from proxy and remote browser sessions.
- Template Workbench: build phishing pages and emails in your own editor with local preview and import.
- OAuth providers: integrate with any OAuth 2.0 provider for API-based email delivery. Import captured refresh tokens from Session Sushi.
- Import and export: zip-based import and export of pages, emails and assets. Quick backup of the most important data.
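A receiver-side check for the HMAC-SHA256 signed webhooks listed above, as an added example that is not the project's own code. This page does not document the wire format, so the header names, the hex encoding and the `<timestamp>.<body>` signed string are assumptions; take the real layout from the project's webhook docs.

```python
import hashlib
import hmac
import json
import time

# ASSUMED wire format (not documented on this page; check the project's webhook
# docs): the signature header carries hex(HMAC-SHA256(secret, "<ts>.<raw body>"))
# and a separate header carries the Unix timestamp used in the signed string.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject stale deliveries (replay guard)


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>' (assumed format)."""
    signed = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict, now=None):
    """Return the parsed event if signature and timestamp check out, else None.

    Verifies over the raw bytes (never a re-serialised JSON object) and uses a
    constant-time comparison so the check does not leak via timing.
    """
    now = time.time() if now is None else now
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig or not ts.isdigit():
        return None
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return None
    expected = compute_signature(secret, ts, raw_body)
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(raw_body)


# Constructed sample delivery: a "report" event as a SOC pipeline would ingest it.
SECRET = b"constructed-shared-secret"
SAMPLE_BODY = json.dumps(
    {"event": "report", "campaign": "Q3-awareness", "recipient_id": 42}
).encode()
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    TS_HEADER: SAMPLE_TS,
    SIG_HEADER: compute_signature(SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    event = verify_webhook(SECRET, SAMPLE_BODY, SAMPLE_HEADERS, now=1700000010)
    print("accepted" if event else "rejected", event)
```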

Self hosted. Open source.
Single binary for AMD64 and ARM64. CLI installer, systemd service, automatic TLS per domain. Docker images available. In-app update notifications with one-click update.
Admin panel: IP allowlist, TOTP MFA, Microsoft Entra SSO, multi-user with session management. Your data stays on your infrastructure.
AGPL v3 for organizations that can comply. Commercial license available for those who need to modify the source without publishing their changes.