STPhish: Ethical Phishing Simulation Tool for Termux (2026)

March 22, 2026 17 min read By Sandeep Bhondwe

Table of Contents

STPhish Live Demo

Watch how STPhish sets up a fake login page, captures credentials, and intercepts OTPs in real‑time – all from your Termux terminal.

STPhish is the next‑generation phishing tool built by Sandeep Tech, designed for authorized security awareness testing. Unlike traditional tools like Zphisher, STPhish introduces real‑time OTP interception, Cloudflare anti‑bot bypass, and a growing library of 25+ sophisticated page templates. And the best part? It runs entirely in Termux without root access.

25+
Templates
OTP
Live Capture
0
Root Required
2026
Updated

Introduction to STPhish

Phishing simulations are a critical part of any red‑team or security audit. STPhish elevates the classic phishing toolkit by automating the deployment of fake login portals that look identical to popular services – and it goes a step further by capturing two‑factor authentication codes (OTPs) in real‑time. All you need is an Android phone with Termux installed.

Educational Use Only

STPhish is strictly for authorized security testing and educational demonstrations. Using it against individuals without explicit permission is illegal and unethical. Always obtain written consent.

Key Advanced Features

  • Real‑Time OTP Capture – Intercepts SMS OTPs and authenticator codes via a custom web panel.
  • Cloudflare Bypass – Phishing pages mimic real Cloudflare challenges to evade detection.
  • 25+ Ready‑Made Templates – Facebook, Instagram, Google, Microsoft, Paytm, and more.
  • LocalXpose & Cloudflared Tunnels – Choose between multiple tunneling services for stable URLs.
  • Credential Phishing + 2FA – The tool does not stop at passwords; it tricks users into providing their OTP as well.
  • Auto‑Cleanup – Removes temporary files and logs after each session to protect your data.

Step‑by‑Step Installation

Open your Termux terminal and run the following commands one by one. Make sure your internet connection is stable.

# Update packages and install core dependencies
apt update && apt upgrade -y
apt install git python php wget figlet curl -y
apt install p7zip -y

Now run this single command to download and execute the STPhish setup script. It will handle the rest of the installation automatically.

# Download and run the STPhish setup (one command)
cd $HOME && wget link.sandeeptech.com/stphish-setup && bash stphish-setup

After the script finishes, launch the tool by typing:

stphish
STPhish Launch Sequence
███████╗████████╗██████╗ ██╗  ██╗██╗███████╗██╗  ██╗
██╔════╝╚══██╔══╝██╔══██╗██║  ██║██║██╔════╝██║  ██║
███████╗   ██║   ██████╔╝███████║██║███████╗███████║
╚════██║   ██║   ██╔═══╝ ██╔══██║██║╚════██║██╔══██║
███████║   ██║   ██║     ██║  ██║██║███████║██║  ██║
╚══════╝   ╚═╝   ╚═╝     ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝
Developer - Sandeep Bhondwe - STPhish v1.0.0
www.sandeeptech.com | instagram.com/sandeep_tech

[1] Instagram [2] Facebook [3] Google [4] Microsoft
[5] Paytm [6] Amazon [7] TikTok [8] Snapchat
...
[+] Select a template: 3
[+] Choose tunnel: [1] Localhost.run [2] Cloudflared : 2
[+] Starting Cloudflared tunnel...
[+] Phishing URL: https://trycloudflare.com/fake-url
[+] Waiting for credentials... (Press Ctrl+C to stop)

25+ Phishing Templates

STPhish comes with a large collection of professionally designed login pages. Each template is responsive and looks exactly like the original site.

Instagram

Login + 2FA OTP

Facebook

Mobile & Desktop clone

Google

New sign‑in alert bypass

Microsoft

Office365 portal

Paytm

UPI & Wallet phishing

Amazon

Prime login clone

Real‑Time OTP Capture

What sets STPhish apart is its ability to intercept OTP codes. After the victim enters their credentials, a fake "verification" page appears. Any OTP they type is instantly displayed in your Termux session.

Simulated OTP Capture

Click "Simulate OTP" to see how an intercepted one‑time password appears.

$Waiting for OTP...

Cloud Tunneling & Anti‑Bot Protection

STPhish supports multiple port‑forwarding options: localhost.run, Serveo, and Cloudflared. The Cloudflare tunnel option provides an extra layer of stealth, making the phishing URL appear more trustworthy and bypassing basic bot detection.

Pro Tip

Always use Cloudflared or a custom domain with Let's Encrypt for realistic links. STPhish automatically configures SSL/TLS encryption.

Interactive Launch Simulator

Experience STPhish Interface

Click the button below to see a clone of the STPhish menu. This is a harmless simulation – no real phishing takes place.

STPhish Menu
$ ./stphish Select an option: [1] Instagram [2] Facebook [3] Google [4] Microsoft [5] Paytm [6] Amazon [0] Exit

Command Reference

STPhish Commands & Shortcuts

CommandDescription
bash stphishLaunch STPhish
stphish --updateUpdate to latest templates
stphish --configChange default tunnel
stphish --logView captured data logs

Ethical & Legal Warning

Stay Legal

Phishing tools are double‑edged swords. Unauthorized use is a criminal offense in most countries. Only use STPhish on systems you own or have explicit permission to test. Sandeep Tech promotes ethical hacking and will never assist in malicious activities.

Now you have a next‑level phishing simulation toolkit at your fingertips. Use it responsibly to test your own organization's security awareness, or to educate yourself about the sophistication of modern phishing attacks. Keep exploring with Sandeep Tech.

Back to Blogs

Related Posts

How to Install Zphisher on Termux

Learn the basics of phishing with this popular tool.

Read More

Top 10 Social Engineering Tools 2026

Discover the best tools for ethical social engineering.

Read More

Defend Against Phishing Attacks

Protect yourself and your organization with these tips.

Read More

Leave a Comment

No comments yet. Be the first to start the discussion!