HomeRisk ManagementsOpen Directory Exposes Three Evilginx Phishing Operators

Open Directory Exposes Three Evilginx Phishing Operators

Published on

spot_img

Misconfigured Server Reveals Extensive Toolkit of Active Phishing Ecosystem

In a troubling revelation reported by the French security firm Lexfo, a single misconfigured server has unwittingly exposed the entire toolkit of a well-coordinated three-actor phishing ecosystem. The incident highlights significant vulnerabilities within cybersecurity infrastructures, demonstrating how a seemingly innocuous oversight can lead to extensive data exposure.

The research indicates that the exposure originated from an open directory on a Python HTTP server, which had been left running on a virtual private server located in Budapest. The server was improperly configured, with directory listing enabled, allowing unauthorized access to sensitive information. This lack of basic security practices made it possible for malicious actors to access critical phishing configurations, credential logs, and even remote management installers. Notably, the server also revealed the threat actor’s own Telegram session files, providing a clear insight into the operations of the malicious individual involved.

At the core of this phishing initiative is an individual identified as "codemado," who has been utilizing an Evilginx-based attack platform designed for adversarial-in-the-middle (AiTM) assaults specifically targeting corporate Microsoft 365 accounts. This sophisticated strategy allows cybercriminals to intercept and manipulate communication between a user and the Microsoft service, capturing sensitive information such as login credentials without the user’s knowledge.

The Three Actors Behind a Unified Code Lineage

Lexfo’s investigation traced codemado’s activities back to an Egyptian individual active on hacking forums since 2018. Artifacts discovered on the server strongly linked codemado to this operator, indicating a continuity of operational habits and malicious intent. Furthermore, the server hosted not only the phishing proxy but also a comprehensive seven-tool remote monitoring and management (RMM) arsenal for maintaining persistence, which included well-known tools like ScreenConnect and SimpleHelp. A custom-built bulk mailer named MaDoO Blaster was also featured prominently on the server.

The investigation unveiled the presence of two additional actors who operated through different forks of the Evilginx software that codemado had cloned. While their connection to codemado is technical rather than operational, the shared code repositories on GitHub allowed Lexfo to identify them as mail-argenta and saroula01. Mail-argenta was notably traced via infostealer logs, which revealed reused personal credentials, such as a MySQL password hardcoded into a phishing panel. This evidence points toward a suspected Nigerian individual behind this particular phishing effort.

In contrast, saroula01 had developed a framework that exploited the legitimate OAuth Device Code Flow, a feature that facilitates user authentication. By tricking victims into completing the process on a genuine Microsoft page, saroula01’s backend could claim the authentication token, allowing access without raising immediate suspicion.

Prolonged Campaign Operated Undetected

Among the three actors, saroula01’s campaign stands out as the most extensive. Lexfo was able to reconstruct a previously deleted configuration file from the git history, revealing that the operation began around June 2025, which means it could have run undetected for over a year. Throughout this time frame, the actor successfully targeted 218 confirmed victims across twelve countries, with a staggering 94% of them being corporate entities. The captured tokens were designed to refresh automatically in the background, allowing persistent access long after the initial successful phishing attempt. Some recovered tokens had been silently refreshed up to 25 times, maintaining illicit access to victims’ accounts for prolonged periods.

One notable thread connecting all three operators is their utilization of generative AI to enhance their phishing toolsets. Evidence of AI involvement surfaced in the form of AI co-author metadata found in saroula01’s development commits, alongside a saved development session within mail-argenta’s repository. This incorporation of AI not only streamlines the creation of phishing tools but also lowers the entry barrier for individuals seeking to engage in these nefarious activities.

Lexfo established additional links by associating codemado’s MaDoO Blaster with "The Quarry," a phishing-as-a-service ecosystem previously documented by SOCRadar. This operation is run by an actor known as RockyBelling, who actively promotes the toolkit to prospective users, further commercializing cybercrime.

In light of these findings, Lexfo has emphasized the urgent need for organizations to fortify their cybersecurity defenses. It is recommended that security professionals assume any threat actor may be capable of bypassing multi-factor authentication (MFA) through various sophisticated methods, including session hijacking or exploitation of the Device Code Flow. Consequently, organizations are urged to disable device code authentication in scenarios where it is unnecessary, thereby reducing potential vulnerabilities. The rapid evolution of phishing techniques underscores the critical importance of maintaining vigilant security protocols in an increasingly digital world.

Source link

Latest articles

Pakistani Police Systems Targeted by Espionage from China and India

Rival Cyber Operations Target Pakistani Law Enforcement In a concerning development for global cybersecurity, an...

Network Data Fuels Predictive Security

Network Detection...

Torq and Criminal IP Collaborate to Provide Decision-Ready Threat Intelligence for Autonomous SOC Operations

Criminal IP and Torq Unite to Strengthen Cybersecurity Operations through Innovative Partnership Torrance, California, USA,...

Your AI Risk Register Is Distinct from an Incident Response Plan

Increasing Accountability in AI Systems: The Need for Evidence and Ownership Structures As artificial intelligence...

More like this

Pakistani Police Systems Targeted by Espionage from China and India

Rival Cyber Operations Target Pakistani Law Enforcement In a concerning development for global cybersecurity, an...

Network Data Fuels Predictive Security

Network Detection...

Torq and Criminal IP Collaborate to Provide Decision-Ready Threat Intelligence for Autonomous SOC Operations

Criminal IP and Torq Unite to Strengthen Cybersecurity Operations through Innovative Partnership Torrance, California, USA,...