218 confirmed victims across 12 countries — roughly 94% corporate — were quietly harvested in a campaign that ran for more than a year, according to new research published by French security firm Lexfo.
Open directory on a Budapest VPS exposed an entire toolkit
Lexfo found a misconfigured Python HTTP server left running on a Budapest virtual private server in late April with directory listing switched on. The open directory made readable phishing configurations, credential logs, remote management installers, and the operator's own Telegram session files. The exposed artifacts gave researchers a full view of an active adversary-in-the-middle (AiTM) phishing ecosystem rather than a single exploit or credential dump.
Codemado: Evilginx forks, RMM persistence, and MaDoO Blaster
Artifacts on the host tied an operator tracked as codemado to an Egyptian individual active on hacking forums since 2018, Lexfo reported. Beyond the phishing proxy itself, the server contained a seven-tool remote monitoring and management (RMM) arsenal for persistence, including ScreenConnect and SimpleHelp, plus a custom bulk-mailer built by codemado called MaDoO Blaster. Lexfo connected MaDoO Blaster to The Quarry, a phishing-as-a-service ecosystem documented by SOCRadar in June and run by an actor known as RockyBelling, who promoted the tool to his customers.
Lexfo also noted that codemado had cloned Evilginx forks from public GitHub repositories. Because those repositories were public, Lexfo emphasized the connection between operators was technical rather than operational: shared code does not prove coordination.
Mail-argenta: infostealer traces and reused credentials
A second operator, mail-argenta, surfaced through infostealer logs recovered on the server. Those logs carried reused credentials and, notably, a MySQL password hardcoded into a phishing panel, which Lexfo said pointed to a Nigerian individual. A saved development session in mail-argenta's repository further showed the use of generative AI in building tooling — a programmatic thread Lexfo saw across multiple operators.
Saroula01's Device Code Flow campaign: June 2025 configuration, token refreshes
Of the three operators, Lexfo found saroula01's operation to be the largest. The firm reconstructed a deleted configuration file from git history and used internal bot timestamps to date the campaign to June 2025, indicating it had run for more than a year without apparent interruption. Over that window, the operation accumulated 218 confirmed victims across 12 countries, roughly 94% of them corporate.
Saroula01 built a framework abusing the OAuth Device Code Flow: the victim completes authentication on a real Microsoft page while the attacker's backend claims the token. Captured tokens were configured to refresh automatically; recovered entries had been silently refreshed up to 25 times, maintaining access long after the initial phish. Lexfo also observed AI co-author metadata on saroula01's commits, underlining the actors' reliance on generative AI to develop tooling.
What this means for technologists, enterprise procurement, and defenders
- Technologists and security teams should assume session hijacking and Device Code Flow abuse are viable ways to bypass multifactor protections, Lexfo warned; defenders will need to monitor for silently refreshing tokens and unexpected RMM installations like ScreenConnect or SimpleHelp.
- Affected enterprises and procurement leaders should note the low cost and availability of AiTM components: Lexfo observed that key components are either free on GitHub or sold on Telegram for a few hundred dollars, and that MaDoO Blaster was being marketed inside a PaaS ecosystem. Procurement and vendor-risk processes will need to account for tools that originate in promiscuous open-source forks or in small commercial Telegram channels.
- Defenders and incident responders should consider disabling device code authentication where it is not needed. Lexfo urged organizations to assume any actor can bypass MFA through session hijacking or Device Code Flow abuse and to restrict or disable the feature when it is unnecessary.
Lexfo's findings illustrate how a single misconfiguration — a directory listing left on a publicly reachable Python HTTP server — can reveal the full lifecycle of modern phishing operations: public code forks and AI-assisted development feeding into bespoke phishing proxies, RMM persistence, and long-lived token refresh mechanisms. The firm concluded that the barrier to running a functional AiTM campaign has dropped "close to zero," raising a clear choice for defenders: harden authentication surfaces and remove features attackers can abuse, or accept that session-level compromises may persist unnoticed for months.
https://www.infosecurity-magazine.com/news/open-directory-exposes-evilginx/




