HomeRisk ManagementsOpen Directory Exposes Three Evilginx Phishing Operators

Open Directory Exposes Three Evilginx Phishing Operators

Published on

spot_img

Misconfigured Server Reveals Extensive Toolkit of Active Phishing Ecosystem

In a troubling revelation reported by the French security firm Lexfo, a single misconfigured server has unwittingly exposed the entire toolkit of a well-coordinated three-actor phishing ecosystem. The incident highlights significant vulnerabilities within cybersecurity infrastructures, demonstrating how a seemingly innocuous oversight can lead to extensive data exposure.

The research indicates that the exposure originated from an open directory on a Python HTTP server, which had been left running on a virtual private server located in Budapest. The server was improperly configured, with directory listing enabled, allowing unauthorized access to sensitive information. This lack of basic security practices made it possible for malicious actors to access critical phishing configurations, credential logs, and even remote management installers. Notably, the server also revealed the threat actor’s own Telegram session files, providing a clear insight into the operations of the malicious individual involved.

At the core of this phishing initiative is an individual identified as "codemado," who has been utilizing an Evilginx-based attack platform designed for adversarial-in-the-middle (AiTM) assaults specifically targeting corporate Microsoft 365 accounts. This sophisticated strategy allows cybercriminals to intercept and manipulate communication between a user and the Microsoft service, capturing sensitive information such as login credentials without the user’s knowledge.

The Three Actors Behind a Unified Code Lineage

Lexfo’s investigation traced codemado’s activities back to an Egyptian individual active on hacking forums since 2018. Artifacts discovered on the server strongly linked codemado to this operator, indicating a continuity of operational habits and malicious intent. Furthermore, the server hosted not only the phishing proxy but also a comprehensive seven-tool remote monitoring and management (RMM) arsenal for maintaining persistence, which included well-known tools like ScreenConnect and SimpleHelp. A custom-built bulk mailer named MaDoO Blaster was also featured prominently on the server.

The investigation unveiled the presence of two additional actors who operated through different forks of the Evilginx software that codemado had cloned. While their connection to codemado is technical rather than operational, the shared code repositories on GitHub allowed Lexfo to identify them as mail-argenta and saroula01. Mail-argenta was notably traced via infostealer logs, which revealed reused personal credentials, such as a MySQL password hardcoded into a phishing panel. This evidence points toward a suspected Nigerian individual behind this particular phishing effort.

In contrast, saroula01 had developed a framework that exploited the legitimate OAuth Device Code Flow, a feature that facilitates user authentication. By tricking victims into completing the process on a genuine Microsoft page, saroula01’s backend could claim the authentication token, allowing access without raising immediate suspicion.

Prolonged Campaign Operated Undetected

Among the three actors, saroula01’s campaign stands out as the most extensive. Lexfo was able to reconstruct a previously deleted configuration file from the git history, revealing that the operation began around June 2025, which means it could have run undetected for over a year. Throughout this time frame, the actor successfully targeted 218 confirmed victims across twelve countries, with a staggering 94% of them being corporate entities. The captured tokens were designed to refresh automatically in the background, allowing persistent access long after the initial successful phishing attempt. Some recovered tokens had been silently refreshed up to 25 times, maintaining illicit access to victims’ accounts for prolonged periods.

One notable thread connecting all three operators is their utilization of generative AI to enhance their phishing toolsets. Evidence of AI involvement surfaced in the form of AI co-author metadata found in saroula01’s development commits, alongside a saved development session within mail-argenta’s repository. This incorporation of AI not only streamlines the creation of phishing tools but also lowers the entry barrier for individuals seeking to engage in these nefarious activities.

Lexfo established additional links by associating codemado’s MaDoO Blaster with "The Quarry," a phishing-as-a-service ecosystem previously documented by SOCRadar. This operation is run by an actor known as RockyBelling, who actively promotes the toolkit to prospective users, further commercializing cybercrime.

In light of these findings, Lexfo has emphasized the urgent need for organizations to fortify their cybersecurity defenses. It is recommended that security professionals assume any threat actor may be capable of bypassing multi-factor authentication (MFA) through various sophisticated methods, including session hijacking or exploitation of the Device Code Flow. Consequently, organizations are urged to disable device code authentication in scenarios where it is unnecessary, thereby reducing potential vulnerabilities. The rapid evolution of phishing techniques underscores the critical importance of maintaining vigilant security protocols in an increasingly digital world.

Source link

Latest articles

Cyber Briefing – July 13, 2026 – CyberMaterial

Cybersecurity Briefs: Recent Threats and Data Breaches In recent developments within the cybersecurity landscape, significant...

Progress Urges ShareFile Shutdown Due to Credible Threat

Honeypot Records Exploitation Attempt Against Flaw Patched Earlier This Year In a significant security alert,...

RabbitMQ Vulnerabilities Expose OAuth Secrets and Risk Complete Broker Takeover

Critical Vulnerability in RabbitMQ Fixed: High Severity Update Required A significant security vulnerability in RabbitMQ...

Attackers Use MCP Recon and Cloud Metadata SSRF to Steal Service Account Tokens

Expanding Horizons: The Rising Threat of AI-Focused Reconnaissance In the ever-evolving landscape of internet security,...

More like this

Cyber Briefing – July 13, 2026 – CyberMaterial

Cybersecurity Briefs: Recent Threats and Data Breaches In recent developments within the cybersecurity landscape, significant...

Progress Urges ShareFile Shutdown Due to Credible Threat

Honeypot Records Exploitation Attempt Against Flaw Patched Earlier This Year In a significant security alert,...

RabbitMQ Vulnerabilities Expose OAuth Secrets and Risk Complete Broker Takeover

Critical Vulnerability in RabbitMQ Fixed: High Severity Update Required A significant security vulnerability in RabbitMQ...