Open Directory Exposes Three Evilginx Phishing Operators
Open Directory Exposes Three Evilginx Phishing Operators
https://www.infosecurity-magazine.com/news/open-directory-exposes-evilginx/
Publish Date: 2026-07-13 11:30:00
Source Domain: www.infosecurity-magazine.com
A single misconfigured server has exposed the complete toolkit of an active a three-actor phishing ecosystem.
According to new research from French security firm Lexfo, the open directory was a Python HTTP server left running on a Budapest virtual private server in late April, with directory listing switched on.
Phishing configurations, credential logs, remote management installers and the operator’s own Telegram session files were all readable.
Behind it was a threat actor tracked as codemado, running an Evilginx-based adversary-in-the-middle (AiTM) platform against corporate Microsoft 365 accounts.
Read more on AiTM tooling: New Wave of AiTM Phishing Targets TikTok for Business
Three Actors, One Code Lineage
Artefacts on the server tied codemado to an Egyptian operator active on hacking forums since 2018.
Beyond the phishing proxy, the host held a seven-tool remote monitoring and management (RMM) arsenal for persistence, including ScreenConnect and SimpleHelp, plus a custom bulk-mailer of his own build, MaDoO Blaster.
The other two actors surfaced through the Evilginx forks codemado had cloned. Their link is technical rather than operational: the repositories were public on GitHub, so Lexfo said shared code does not prove coordination.
An operator called mail-argenta was traced through infostealer logs carrying his own reused credentials, notably a MySQL password hardcoded into a phishing panel, pointing to a Nigerian individual.
A third, saroula01, built a framework abusing the OAuth Device Code Flow, a legitimate Microsoft feature the victim completes on a real Microsoft page while the attacker’s backend claims the token.
Device Code Campaign Ran Undetected For a Year
Of the three, saroula01’s operation was the largest. Lexfo reconstructed a deleted configuration file from git history, and internal bot timestamps dated the campaign to June 2025, meaning it had run for more than a year without apparent interruption.
Over that window, it…