EvilURL
A practical guide to EvilURL, a tool for generating and detecting look-alike (IDN homograph) domains of the kind used in phishing and social engineering attacks.
EvilURL is an open-source tool that generates and detects IDN homograph attacks: deceptive domain names that visually mimic legitimate ones by using Unicode characters from other scripts in place of Latin letters. Used mainly in social engineering, phishing simulations and red team assessments, it shows how an attacker can register a domain that looks identical to a trusted brand in an address bar or email client yet leads to a server the attacker controls.
Whether you are defending against phishing campaigns or simulating them for awareness training, EvilURL helps identify which domains can be spoofed this way and what that means for email- and browser-based attacks.
What EvilURL Does
EvilURL takes a domain name and replaces Latin letters with visually identical Unicode characters from other scripts (Cyrillic, Greek and others), producing "evil twins" that a human reads as the original but that are, to DNS, entirely different names: every non-ASCII label is encoded as an xn-- (punycode) label before it is ever resolved. A twin resolves to an attacker-controlled server only once the attacker has registered it and pointed it there; from then on it can be used for phishing emails, credential theft or watering hole attacks.
It can also run in detection mode, which examines an existing domain for look-alike characters and flags possible impersonation or homograph risk.
Key Features of EvilURL
Homograph Attack Simulation
Generates look-alike domains by substituting characters with Unicode twins, for example replacing Latin "a" (U+0061) with Cyrillic "а" (U+0430) or Latin "o" (U+006F) with Greek omicron "ο" (U+03BF).
Phishing Domain Detection
Identify which letters of a brand domain, or of a domain used in your email and web channels, have look-alike substitutes, and therefore how exposed the name is to homograph spoofing.
Domain Registration Testing
Check whether look-alike domains are already registered. A registered twin is a lead rather than proof of abuse: whether it is actually being used for phishing has to be confirmed separately (WHOIS, hosting, certificate transparency logs, mail traffic).
Simple Command-Line Interface
Lightweight and fast, which makes it easy to script and automate inside a red team toolkit.
Multi-Language Character Support
Uses characters from multiple Unicode ranges (Cyrillic, Greek, Armenian, etc.) for realistic spoof generation.
Use Modes
Run in generation mode (to create spoofed domains) or detection mode (to check domains for look-alikes).
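The substitute-and-encode step described under What EvilURL Does, together with the registration check under Domain Registration Testing, in an added Python example that is not EvilURL's own code. It uses a small constructed confusables table (EvilURL ships its own, larger set), emits each twin in both its display form and the xn-- form that DNS actually sees, and checks resolution through an injectable resolver so the block also runs offline. CONFUSABLES, offline_resolver and the 203.0.113.5 answer are assumptions made for the demo.

```python
import itertools
import socket
from typing import Callable, Iterator, List, Tuple

# Constructed confusables table: Latin letter -> visually identical letters
# from other scripts. A small subset for the demo; EvilURL carries its own.
CONFUSABLES = {
    "a": ["\u0430"],            # Cyrillic a
    "c": ["\u0441"],            # Cyrillic es
    "e": ["\u0435"],            # Cyrillic ie
    "i": ["\u0456"],            # Cyrillic Byelorussian-Ukrainian i
    "o": ["\u043e", "\u03bf"],  # Cyrillic o, Greek omicron
    "p": ["\u0440"],            # Cyrillic er
    "s": ["\u0455"],            # Cyrillic dze
    "x": ["\u0445"],            # Cyrillic ha
    "y": ["\u0443"],            # Cyrillic u
}


def homograph_variants(domain: str, max_subs: int = 1) -> Iterator[Tuple[str, str]]:
    """Yield (display_form, dns_form) twins of `domain`.

    Only the first label (the part a reader takes for the brand) is mutated;
    the rest of the name is kept. dns_form is what goes on the wire: the
    IDNA codec turns every non-ASCII label into an xn-- punycode label, so
    the twin is a completely different name as far as DNS is concerned.
    """
    label, dot, rest = domain.lower().partition(".")
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    seen = set()
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            for repl in itertools.product(*(CONFUSABLES[label[i]] for i in combo)):
                chars = list(label)
                for i, ch in zip(combo, repl):
                    chars[i] = ch
                twin = "".join(chars) + dot + rest
                if twin in seen:
                    continue
                seen.add(twin)
                yield twin, twin.encode("idna").decode("ascii")


def resolves(dns_form: str,
             resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the name currently resolves to an address.

    Caveat: resolution is only a proxy for registration. A registered but
    parked twin may have no A record, and a twin that resolves is a lead,
    not proof of malicious use.
    """
    try:
        resolver(dns_form)
        return True
    except socket.gaierror:
        return False


def offline_resolver(host: str) -> str:
    """Constructed stand-in for socket.gethostbyname so the demo runs offline:
    one twin is answered with a TEST-NET address, everything else NXDOMAINs."""
    if host == "xn--pple-43d.com":
        return "203.0.113.5"
    raise socket.gaierror(-2, "Name or service not known")


def survey(domain: str, max_subs: int = 1,
           resolver: Callable[[str], str] = socket.gethostbyname
           ) -> List[Tuple[str, str, bool]]:
    """Generate the twins of `domain` and check which ones resolve."""
    return [(u, a, resolves(a, resolver))
            for u, a in homograph_variants(domain, max_subs)]


if __name__ == "__main__":
    # Drop the resolver argument (default socket.gethostbyname) to query real DNS.
    for unicode_form, dns_form, live in survey("apple.com", resolver=offline_resolver):
        status = "RESOLVES" if live else "no record"
        print(f"{unicode_form:<16} {dns_form:<24} {status}")
```

Note that the xn-- form, not the pretty one, is what you hand to dig, WHOIS or a certificate transparency search; passing the Unicode string to tools that do not perform IDNA conversion themselves gives misleading "not found" results.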
Advanced Use Cases
Phishing Simulation and Training
Craft believable phishing domains for awareness campaigns or tabletop exercises.
Red Team Reconnaissance
Generate spoofed domains for social engineering pretexts, payload delivery, or spoofed login portals.
Brand Protection and Monitoring
Identify whether your brand or product names can be easily mimicked using homograph attacks.
Threat Intelligence
Monitor or report malicious look-alike domains being actively used in phishing or impersonation campaigns.
Browser Behavior Analysis
Test how different browsers, mail clients and operating systems render IDN-based URLs. Browsers generally fall back to the xn-- punycode form when a label mixes scripts (Cyrillic letters next to Latin ones), but a label written entirely in one non-Latin script can still be displayed as the deceptive Unicode string, and mail and chat clients apply their own, often weaker, rules.
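The two rendering cases above, a mixed-script label and a whole-script twin, in an added Python example that is not EvilURL's code. It accepts a domain in either the display or the xn-- form, classifies the scripts in each label from the Unicode character names, and folds look-alikes back to Latin to compare the result against a constructed list of protected names; TO_LATIN, PROTECTED and the cisco.com twin are assumptions made for the demo.

```python
import unicodedata
from typing import Dict, Set

# Constructed reverse confusables table: look-alike letter -> the Latin letter
# it impersonates. A subset; the Unicode TR39 confusables data is far larger.
TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
    "\u043e": "o", "\u03bf": "o", "\u0440": "p", "\u0455": "s",
    "\u0445": "x", "\u0443": "y",
}

# Constructed list of names whose impersonation we want to detect.
PROTECTED = {"apple.com", "cisco.com", "example.org"}


def to_unicode(domain: str) -> str:
    """Accept the xn-- form or the display form; return the display form."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def label_scripts(label: str) -> Set[str]:
    """Scripts present among the letters of one label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Digits and hyphens are script-neutral and ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Fold look-alikes back to Latin so a twin collapses onto its target."""
    return "".join(TO_LATIN.get(ch, ch) for ch in to_unicode(domain).lower())


def analyze(domain: str) -> Dict[str, object]:
    """Apply the two checks a browser and a brand monitor rely on.

    mixed_script: a label mixing Latin with Cyrillic or Greek is the classic
    homograph tell, and browsers that detect it show the xn-- form instead.
    A whole-script twin (every letter Cyrillic) passes that test, which is
    why the skeleton comparison against PROTECTED is needed as well.
    """
    shown = to_unicode(domain)
    labels = shown.split(".")
    mixed = any(len(label_scripts(lbl)) > 1 for lbl in labels)
    non_latin = any(label_scripts(lbl) - {"LATIN"} for lbl in labels)
    skel = skeleton(shown)
    return {
        "unicode": shown,
        "punycode": shown.encode("idna").decode("ascii"),
        "mixed_script": mixed,
        "non_latin": non_latin,
        "skeleton": skel,
        "impersonates": skel if skel in PROTECTED and skel != shown.lower() else None,
    }


if __name__ == "__main__":
    # Constructed inputs: the real name, a mixed-script twin in xn-- form,
    # and a whole-Cyrillic twin of cisco.com in display form.
    for name in ("apple.com", "xn--pple-43d.com", "\u0441\u0456\u0455\u0441\u043e.com"):
        r = analyze(name)
        print(f"{r['unicode']:<12} {r['punycode']:<24} "
              f"mixed={r['mixed_script']!s:<5} impersonates={r['impersonates']}")
```

The whole-script case is the one to watch when judging a client's display policy: a mixed-script heuristic alone reports the all-Cyrillic twin as clean, and only the skeleton match against the protected list catches it.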
Latest Updates
Recent improvements and forks of EvilURL include:
Extended Unicode character sets for even more realistic domain spoofs
Domain availability checker to verify if spoofed domains are free to register
Integration into phishing toolkits for automated domain spoofing
Browser compatibility testing features for analyzing display inconsistencies
Why It Matters
Phishing attacks are increasingly sophisticated, and domain spoofing plays a central role in deceiving users. EvilURL shows just how easy it is to create nearly indistinguishable URLs, highlighting the weaknesses in visual verification and the need for domain awareness, email filtering, and browser safeguards. It empowers red teams and defenders alike to stay ahead of deceptive tactics.
Requirements and Platform Support
EvilURL runs on:
Linux and macOS
Windows (via Python)
It requires:
Python 3.x
Git and terminal access
Internet connection for DNS or registration lookups (optional)
EvilURL is open-source and available at https://github.com/UndeadSec/EvilURL, with active forks and contributions from red teamers and security educators.