VYPR
researchPublished Jul 13, 2026· 1 source

Open Directory Exposes Evilginx Phishing Infrastructure of Three Operators

A misconfigured server inadvertently revealed the tools and tactics of three distinct phishing operations using the Evilginx man-in-the-middle proxy.

A single, improperly secured server has inadvertently exposed the operational infrastructure of three separate phishing groups, all leveraging the Evilginx man-in-the-middle (MitM) proxy tool to bypass multi-factor authentication (MFA). The discovery, made by French security firm Lexfo, occurred in late April when a misconfigured Python HTTP server on a Budapest-based virtual private server was found to have directory listing enabled. This allowed researchers to access sensitive data including phishing configurations, credential logs, remote management installers, and even operator Telegram session files.

The primary threat actor identified on the server is tracked as 'codemado,' an Egyptian operator active since 2018 on various hacking forums. Codemado's operation focused on corporate Microsoft 365 accounts using an Evilginx-based adversary-in-the-middle (AiTM) platform. Beyond the phishing tools, the server hosted a seven-tool remote monitoring and management (RMM) arsenal for maintaining persistence, including ScreenConnect and SimpleHelp, alongside a custom bulk-mailer dubbed 'MaDoO Blaster.'

Two other distinct phishing operations were uncovered through Evilginx forks that codemado had cloned from public GitHub repositories. While the shared code doesn't necessarily indicate direct operational coordination, the presence of these forks pointed to other actors utilizing similar methodologies. One operator, 'mail-argenta,' traced to a Nigerian individual, was identified through infostealer logs containing reused credentials, including a hardcoded MySQL password within a phishing panel.

The third operator, 'saroula01,' developed a framework that specifically abused the legitimate Microsoft OAuth Device Code Flow. This legitimate feature allows users to authenticate to services on a separate device, but saroula01's backend infrastructure was designed to intercept and claim the resulting authentication token. This technique, when combined with Evilginx, provides a potent method for stealing session cookies and bypassing MFA.

Sարoula01's campaign was the most extensive of the three, having operated undetected for over a year. Lexfo reconstructed a deleted configuration file, revealing that the campaign began in June 2025 and accumulated 218 confirmed victims across 12 countries, with approximately 94% being corporate entities. The captured tokens were configured to refresh automatically, allowing the attackers to maintain access for extended periods, with some sessions being silently refreshed up to 25 times.

A common thread across these operations is the use of generative AI in developing their tooling. Evidence of AI co-author metadata was found in saroula01's code commits, and a saved development session on mail-argenta's repository also indicated AI assistance. Furthermore, codemado's MaDoO Blaster was linked to 'The Quarry,' a phishing-as-a-service (PaaS) ecosystem promoted by an actor known as RockyBelling.

Lexfo highlighted that the barrier to entry for conducting sophisticated AiTM phishing campaigns has significantly lowered. Essential components are readily available either for free on platforms like GitHub or can be purchased on Telegram for a few hundred dollars. This accessibility means that a wide range of actors can now effectively bypass MFA protections.

In light of these findings, security professionals are urged to assume that many threat actors can now circumvent MFA through session hijacking or OAuth Device Code Flow abuse. Disabling device code authentication where it is not strictly necessary is recommended as a crucial mitigation step for organizations.

Synthesized by Vypr AI