One Misconfigured Server, Three Active Campaigns: Full exposure of three AiTM Phishing Operators
Essential information
- Published
- 13/07/2026 12:36
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- aitm asyncrat evilginx madoo blaster oauth abuse phishing infrastructure rmm tools
- Related entities
- 64 indicators, 63 observables, 1 intrusion sets (apt), 12 techniques (mitre), 3 malware
Description
A misconfigured Python HTTP server on a Budapest VPS exposed the complete operational infrastructure of three distinct phishing operators. The investigation uncovered codemado, an Egyptian threat actor operating since 2018, running a full AiTM platform with custom tools including MaDoO Blaster; saroula01, deploying OAuth Device Code Flow attacks that accumulated 218 victims across 12 countries over a year; and mail-argenta, a Nigerian operator identified through infostealer logs containing his own credentials. All three actors leveraged customized Evilginx forks and AI-assisted development to build MFA-bypass infrastructure from public GitHub repositories. The campaigns targeted Microsoft 365 accounts primarily, with codemado maintaining ties to RockyBelling's "The Quarry" cybercrime ecosystem. The exposed server contained phishing configurations, credential logs, RMM installers, combolists, and Telegram session files, revealing sustained operations from at least January 2025 through May 2026.