216.73.217.86

One Misconfigured Server, Three Active Campaigns: Full exposure of three AiTM Phishing Operators

· Published 13/07/2026 12:36

Export JSON

Essential information

Published
13/07/2026 12:36
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
aitm asyncrat evilginx madoo blaster oauth abuse phishing infrastructure rmm tools
Related entities
64 indicators, 63 observables, 1 intrusion sets (apt), 12 techniques (mitre), 3 malware

Description

A misconfigured Python HTTP server on a Budapest VPS exposed the complete operational infrastructure of three distinct phishing operators. The investigation uncovered codemado, an Egyptian threat actor operating since 2018, running a full platform with custom tools including MaDoO Blaster; saroula01, deploying OAuth Device Code Flow attacks that accumulated 218 victims across 12 countries over a year; and mail-argenta, a Nigerian operator identified through infostealer logs containing his own credentials. All three actors leveraged customized forks and AI-assisted development to build MFA-bypass infrastructure from public GitHub repositories. The campaigns targeted Microsoft 365 accounts primarily, with codemado maintaining ties to RockyBelling's "The Quarry" cybercrime ecosystem. The exposed server contained phishing configurations, credential logs, RMM installers, combolists, and Telegram session files, revealing sustained operations from at least January 2025 through May 2026.

External references