One Misconfigured Server, Three Active Campaigns: Full exposure of three AiTM Phishing Operators
Key FindingsA single misconfigured Python HTTP server exposed the complete operational stack of a li 2026-7-10 17:1:16 Author: blog.lexfo.fr(查看原文) 阅读量:11 收藏

Key Findings

  • A single misconfigured Python HTTP server exposed the complete operational stack of a live phishing operator, configs, logs, RMM installers, combolists, and Telegram session files.

  • Three distinct threat actors were identified from one entry point: codemado, mail-argenta, and saroula01, each running independent campaigns on custom Evilginx forks sourced from the same public GitHub repositories.

  • codemado is an Egyptian operator with roots in the hacking underground dating back to 2018, operating a full AiTM platform with a seven-tool RMM arsenal on a Budapest VPS.

  • saroula01's Device Code Flow campaign ran undetected for over a year, accumulating 218 confirmed victims across 12 countries, with tokens silently auto-refreshed in the background.

  • mail-argenta is a Nigerian operator who was identified through infostealer logs containing his own credentials, including the MySQL password hardcoded in his phishing panel, reused across personal accounts.

  • Both AiTM proxying and Device Code Flow abuse bypass MFA entirely.

  • codemado's MaDoO Blaster is promoted within RockyBelling's The Quarry ecosystem, reported by SOCRadar's investigation.

  • All three operators built functional MFA-bypass infrastructure from public GitHub repositories with minimal customization, using AI-assisted development.

Context

On a late April 2026 afternoon, a routine internet scan flagged an open directory on 185.163.204.7: a server located in Budapest, running python3 -m http.server 8080 on a public interface with directory listing enabled. What was exposed was not a misconfigured web root, it was a complete operational snapshot of a live attack platform. Phishing configurations, credential harvesting logs, backup archives, RMM installers, combolists and the operator's own Telegram session files were all publicly accessible. The command that left it open was still sitting in the .bash_history file, readable through the same listing.

Behind the open directory was an active threat actor running an Evilginx-based Adversary-in-the-Middle (AiTM) phishing platform and a SimpleHelp remote management console, all on the same host.

The exposed directory at http://185.163.204[.]7:8080. Visible at a glance: .bash_history, .evilginx/, .red-queen/, .black-queen/, ScreenConnect_Patch[@hackers_assemble].zip, tele/, and the full kit source in gi.zip

With our curiosity piqued, we carried out an investigation into the malicious infrastructure and the associated malicious actor in order to gather intelligence on their operations.

What started as a single open directory unraveled into the identification of three distinct active phishing campaigns, runned by three different threat actors, all leveraging custom variants of the Evilginx AiTM framework, with potential ties to the "The Quarry" ecosystem.

This article documents what we found, how we pivoted from the open directory, and what the full operations looked like once pieced together.

Identifying the Operator

Attributing the threat actor behind this infrastructure turned out to be surprisingly straightforward. Several artefacts left on the server provided a clear path to identification.

The .bash_history file contained multiple git clone commands pointing to repositories belonging to a GitHub user operating under the handle codemado. His public repositories hosted staging files tied to active operations, malware droppers, suspicious executables, and hardcoded credentials for various panels and malicious scripts. Pivoting through those repositories surfaced a recurring email address: codemadooo@gmail[.]com.

The Telegram session file present in the open directory proved equally revealing. Parsed as a SQLite database, it contained the full entity cache of the operator's Telegram account, including his username, @mad0o0o0o0o, and an Egyptian phone number (+20 10XX XXXXXX). That same number appeared hardcoded in multiple Python scripts found on the server. Arabic-language comments embedded throughout those scripts further corroborate the Egyptian origin.

Comments in Arabic from one of the script in the GitHub repository

Among the files accessible through the directory listing was a screenshot of a web panel titled MaDoO Blaster v4.7.3, a custom spam and credential management interface.

MaDoO Blaster v4.7.3, the operator's custom bulk mailer, screenshot from April 19, 2026

The handle "MaDoO" appeared in the title bar. Further confirmation came from the operator's Telegram profile: the bio of @MaD0o0o0o0o contained a direct link to a Telegraph article published April 21, 2026 under the same account, serving as the official usage guide for MaDoO Blaster. The article's metadata explicitly lists MaD0o0o0o0o as author, closing the loop between the tool, the handle, and the Telegram identity.

codemado's Telegram profile

Additional pivoting on codemadooo@gmail[.]com through breach datasets and password-based correlation surfaced two older addresses potentially associated with the same persona. While these addresses were also linked to Egyptian-registered profiles across multiple platforms, a confirmed attribution to a specific individual could not be established. The username also appeared on several dating platforms; however, it remains unclear whether these represent genuine personal accounts or profiles used for scam purposes, a common practice in the eCrime ecosystem.

Egyptian-registered dating profile

OSINT pivoting further revealed a persistent forum presence spanning several years. On Black Hat World, the account codemado dates back to 2018, where the actor posted under a logo reading "MADO - security and pentesting" and declared an interest in "VoIP, SIP, voice gateway, and exploits" alongside a greeting of "Hello from Egypt".

codemado's Black Hat World presence

This same brand identity resurfaced eight years later on Telegram under the name "MaDosc For Pentesting", the MADO acronym and "security and pentesting" positioning carried forward verbatim, confirming long-term continuity of persona. On CrackingX, the account codemadooo, directly matching his operational email address, was registered in August 2025, with a last recorded visit on April 16, 2026. The account carries zero posts, suggesting passive monitoring rather than active participation.

Egyptian-registered dating profile

Taken together, these artefacts paint a consistent picture: codemado is an Egyptian threat actor with roots in the hacking and VoIP underground dating back to at least 2018, operating under the aliases MaDoO, MaDosc, and MADO. By 2026, he had evolved from an eCrime hobbyist into a fully operational phishing actor, sourcing AiTM tooling from third-party developers, deploying it against Microsoft 365 targets, and monetising stolen credentials through a custom bulk-mailing platform of his own making.

Operator's Toolbox

The open directory at 185.163.204.7:8080 did not just expose an operator, it exposed his entire toolkit. Beyond the phishing infrastructure and credential dumps, the server revealed an assembled collection of offensive tools spanning adversary-in-the-middle phishing frameworks, remote management utilities, and custom malware droppers.

Four Evilginx variants were cloned and present on the server simultaneously:

DirectorySourceRole
master/github.com/saroula01/black-queenPrimary active fork
mast/github.com/saroula01/black-queenBackup / older clone
red-queen/github.com/mail-argenta/red-queenSecondary AiTM framework
black-queen/github.com/saroula01/black-queenThird variant

The server also hosted a full suite of Remote Monitoring and Management (RMM) tools, used for post-compromise persistence on victim machines:

ToolSourceDelivery method
ScreenConnect (ScreenConnect_Patch[@hackers_assemble].zip)Telegram channel @hackers_assembleTrojanized ZIP
SimpleHelp (simple.run / simple.tar.gz)UnknownDropped via shell script
SuperOps RMM (rmm.txt)UnknownSilent MSI (/qn LicenseAccepted=YES)
GetScreen.me (901.txt)UnknownVBScript stager
XEOX RMM (securefile.vbs)GitHub codemado/apiVBScript dropper (curl + hidden Start-Process)
GetScreen.me invitation ID 815497885, confirmed live and resolving at the time of investigation
SimpleHelp RMM page on the server

Alongside these, the operator maintained a collection of stagers and droppers: an obfuscated 4.5 MB PowerShell script (dddd.ps1), an obfuscated JScript dropper (Statement.js, using ActiveXObject to fetch a second-stage payload from codemado/api), a VBScript dropper (mad_133517.vbs) employing three obfuscation layers, VBScript wrapping Base64-encoded PowerShell wrapping an AES-encrypted final payload, as well as trojanized MSI installers (AdobeClientSetupV16.msi, NEWPANEL.msi) and credential stealers (pass.exe, getpass.exe). A Cloudflare tunnel token, present in the bash history, completed the picture, providing a persistent C2 channel capable of traversing corporate firewalls without exposing the operator's IP. One of the recovered scripts carries an inline credit to CyberNeurova, an uncensored AI API platform marketed explicitly for generating code without content restrictions and for malicious purposes, whose own documentation demonstrates the service with the prompt "Build me a keylogger in Python".

Screenshot of CyberNeurova

The toolset extends beyond phishing and RMM. Four months before our investigation, researchers @smica83 and @skocherhan had independently flagged a malicious HTA file (SSADocuments.pdf586577082.hta) attributed to Egypt on abuse.ch. The delivery chain, HTA to PowerShell dropper fetching dddd.jpg from 83.136.211[.]85/files/, ultimately installing an AsyncRAT instance with botnet name MaDOOOOOOOO_Work and C2 at 83.136.211[.]85:7077, maps directly onto the dddd.ps1 found on the server. The runtime configuration was pulled from a Pastebin URL, allowing C2 rotation without recompiling the payload. Paste titles on pastebin[.]com/u/codemadooo also reference HVNC_MADO and hvncv, indicating Hidden VNC capability alongside AsyncRAT for hands-on-keyboard access. This secondary infrastructure, 83.136.211[.]85, predates the AiTM campaign by several months, pointing to an older campaign.

Finally, and most distinctively, the operator's own custom tool was visible: MaDoO Blaster v4.7.3. The tool's complete usage guide, published on April 21, 2026, via a Telegram article authored under his own handle MaD0o0o0o0o.

MaDoO Blaster's usage guide

MaDoO Blaster operates in two sending modes. The first is traditional SMTP bulk sending, with support for multi-account rotation, per-SMTP sending limits, SOCKS/proxy chaining, and configurable delays for deliverability tuning. The second, labelled B2B mode, uses a Microsoft Entra Client ID and a target mailbox address to send directly through Microsoft's infrastructure, bypassing third-party relays entirely. The likely prerequisite is an Entra application registration performed inside the victim's tenant following initial access via AiTM, granting durable Graph API mail-sending rights. An optional saveToSentItems flag causes outbound emails to appear in the victim's own Sent folder, leaving no visible anomaly for end users.

Beyond the sending engine, the tool supports a broad lure-generation capability: HTML email templates with per-recipient personalisation (victim domain, company name, randomised strings), dynamically generated PDF, DOCX, PPTX, ZIP, and EML attachments, AI-generated voicemail .wav lures, QR code embedding, and calendar meeting invite abuse for inbox placement. A Letter-to-Image feature,described in the guide itself as useful for "spam filter evasion techniques", converts the HTML body into an image before delivery, defeating content-based filtering. Sender identity rotation, attachment encryption, and From address obfuscation complete the anti-detection layer.

The operator explicitly positions the tool as a commercial or shared product, the public documentation, placeholder-based architecture, and modular folder structure all suggest MaDoO Blaster is distributed to or used by others beyond codemado himself.

Tracing the 'red-queen' Evilginx Fork: mail-argenta

The presence of red-queen/ on the server led us to github.com/mail-argenta, a GitHub account hosting 23 public repositories covering an extensive range of phishing targets: Microsoft 365, Kraken, LinkedIn, eHarmony, GitHub, Gmail, and National Australia Bank, among others.

mail-argenta's GitHub profile

mail-argenta's primary contribution is red-queen, a fork of kgretzky's Evilginx customised for phishing operations. The repository's o365.yaml phishlet targets Microsoft 365, Okta, GoDaddy SSO, and GitHub. It introduces several technical refinements over the upstream project: a Subresource Integrity bypass achieved by renaming the crossorigin and integrity HTML attributes to rickorigin and tegridy respectively, circumventing browser-enforced script validation; a URL rewriting engine added directly to http_proxy.go, allowing phishlet YAML files to define trigger-based path and query rewrite rules applied to proxied requests before forwarding; a JavaScript injection that pre-fills the victim's email address on the phishing page, reducing abandonment; and a cookie capture TTL of 31,536,000 seconds, one full year, for the ESTSAUTH, ESTSAUTHPERSISTENT, x-ms-RefreshTokenCredential, and refresh_token session objects. The practical consequence is that a successfully intercepted M365 session survives password resets and, absent a CAE-capable conditional access policy, remains exploitable for twelve months. A pre-compiled evilginx2.exe binary is committed directly to the repository, removing the need to build from source and lowering the barrier to deployment for non-technical operators. An instructions.txt file in the repository root is a verbatim save of an AI development session, the document explicitly references "context from your previous prompts", recording how mail-argenta used a generative model to implement the URL rewriting feature.

Beyond red-queen, mail-argenta operates a parallel set of Puppeteer-based MitM panels targeting a range of platforms, LinkedIn, eHarmony, GitHub (2FA interception), and Kraken, each in its own repository. The most developed of these is kraken-live-panel, a Node.js panel with WebSocket-based real-time session streaming and MySQL credential storage, specifically targeting Kraken cryptocurrency exchange users. Telegram API keys hardcoded in the source and a MySQL password (Passionate1947.) left in the repository's .env file provide the most direct exposure of the operator's infrastructure. Stored session data and active bot callbacks confirm the panel was operational at the time of the investigation.

Codemado runs mail-argenta's tooling, and his Evilginx deployment on the open directory is built on red-queen's codebase. Whether the relationship between the two is purely one of tool consumer and developer, or involves direct coordination, cannot be confirmed from the available artefacts.

The discovery of an active credential-harvesting operation against Kraken users prompted us to investigate mail-argenta's identity directly. Git commit metadata in his projects exposed an email address associated with the developer. Pivoting on that address through infostealer log datasets returned a match: the address appeared in leaked logs alongside a set of credentials and personal details consistent with a Nigerian individual. The link between the infostealer victim and the mail-argenta developer was confirmed by the presence of the password Passionate1947. in the leaked data, the same string hardcoded as the MySQL password in kraken-live-panel's .env file, which the operator had evidently reused across accounts. The infostealer logs yielded additional profile information corroborating the Nigerian attribution. In a notable irony, mail-argenta, an operator who deploys credential-theft infrastructure against others, was himself compromised by the same class of tooling, and that compromise became the primary vector for his own identification.

Tracing the 'black-queen' Evilginx Fork: saroula01

Saroula01 is the third threat actor identified, responsible for black-queen, one of the Evilginx fork from which three of codemado's four directory entries (black-queen/, master/ and mast/) are directly cloned. Unlike mail-argenta's red-queen, which targets a broad range of platforms, black-queen is built for a single technique: O365 Device Code phishing.

saroula01's GitHub profile

The repository README is unambiguous: "Pre-configured O365 device code phishing framework with 6 lure themes ready for deployment." The six themes map directly onto the lure pages active on codemado's open directory:

Lure themeTarget scenarioActive path on 185.163.204.7
briefingO365 default/update-verification
shareOneDrive/admin-status-notice
accountAuthenticator/review-profile-alert
downloadAdobe/user-credentials-required
signDocuSign/portal-security
teamSharePoint/confirm-access

black-queen is another variant of Evilginx, by saroula01, with the original binary and source wrapped inside an evilginx/ subfolder. What distinguishes it from kgretzky's upstream are the additions built on top: six pre-configured O365 Device Code Flow lure themes ready to deploy out of the box, a web-based operator dashboard with username/password authentication replacing Evilginx's interactive CLI, a "Generate Cookies" function that automates the conversion of captured Primary Refresh Tokens into OWA session cookies, and an "Inbox" feature allowing the operator to browse a victim's mailbox via the Microsoft Graph API directly from the dashboard, none of which exist in the upstream project. A Python component backs the dashboard layer, making black-queen the only one of the three variants in the ecosystem to go beyond pure Go. The README's Support section points back to github.com/kgretzky/evilginx2 as the base project.

Two commits carry Co-Authored-By metadata referencing Claude Haiku 4.5 and Claude Opus 4.6, placing saroula01 alongside codemado and mail-argenta in his use of AI tooling for development.

Claude's co-authred commits

The git history of the "master" repository of Saroula01 yielded the most operationally significant findings. A config.json committed and subsequently deleted from an earlier revision exposes the active deployment: phishing domain romnor[.]ca, VPS at 20.118.27.127, Telegram bot, and server alias victor751. Six subdomains of romnor[.]ca serve the Device Code phishing lures described above.

The discovery of another active campaign prompted us to investigate saroula01's identity directly. The git commit author field exposes the developer's email: [email protected], consistent across commits attributed to "Black Queen", "saroula01", and "root". Unlike mail-argenta, whose email address returned a confirmed match in infostealer logs, and codemado, whose investigation returned some results, pivoting on [email protected] yielded no identity linked to this address. saroula01 remains unattributed beyond the developer of "black-queen" and the operator running an active phishing campaign.

Campaigns & Capabilities

Codemado's AiTM Campaign

The core of codemado's operation revolves around a customized fork of Evilginx, specifically saroula01/master, with red-queen from mail-argenta also present on the server. His .bash_history show codemado cloning saroula01/black-queen and saroula01/master, running their installation scripts, and renaming his existing mail-argenta/master directory beforehand (mv master mast) to free up the path. He was actively comparing kits.

His deployment ran on picis[.]net, a domain registered March 13, 2026, the same day his first TLS certificates were issued, proxying Microsoft 365 authentication flows to unsuspecting victims.

Reconstructed timeline of codemado's AiTM campaign

Certificate Transparency logs show the full infrastructure was provisioned in a single batch on March 13: named phishlet hosts (owa, sso, secure, billing) alongside a set of random-string subdomains (hervw, hervw2, hrvetbr, hterw...) functioning as per-campaign lure rotation, over thirty subdomains created simultaneously. The campaign went active on April 20, confirmed by both a mass cert renewal and the first captured sessions logged by the operator's Telegram bot. It ran uninterrupted through at least April 26, targeting corporate Microsoft 365 accounts.

The lure paths configured in the Evilginx installation cover six distinct social engineering pretexts:

  • /update-verification - Microsoft Office (generic M365 pretext)
  • /admin-status-notice - OneDrive (file sharing pretext)
  • /review-profile-alert - Microsoft Authenticator (MFA alert pretext)
  • /user-credentials-required - Adobe (PDF/contract pretext)
  • /portal-security - DocuSign (signature pretext)
  • /confirm-access - SharePoint (intranet pretext)

All six target corporate Microsoft 365 users through high-urgency pretexts.

The .bash_history found in the open directory documented the deployment of a Cloudflare Tunnel (ID 1655dd1a-1c05-4818-8491-332f29713dca, extracted from the base64-encoded cloudflared service installation token) in front of a custom Node.js anti-bot filter at verify.picis[.]net/verify-human. Traffic reaching the phishing subdomains passed through this filter before hitting the Evilginx reverse proxy. Visitors arriving without a valid lure token were redirected to https://www.youtube.com/watch?v=dQw4w9WgXcQ, the canonical Evilginx decoy redirect.

The open directory was discovered on April 30, 2026, at which point the server had captured sessions from multiple confirmed victims across French corporate organisations. Despite the exposure, the infrastructure remained active: new subdomains account.picis[.]net and track.picis[.]net were provisioned on May 5–6, and a wildcard certificate was renewed on May 29, indicating the campaign continued well past the point of discovery.

The Telegram bot associated with this campaign appears to predate picis[.]net itself, earlier captured sessions reference a phishing operation on queeenspropertyservices[.]ca, with timestamps dating back to January 2026, suggesting the actor reused the same notification infrastructure across successive campaigns.

Operator's Technical Capabilities

Codemado's toolkit extends well beyond a single phishing framework. The open directory and his GitHub repository exposed a layered operation covering initial access, credential harvesting at scale, anti-analysis evasion, and a redundant post-compromise persistence layer, the full extent of which is detailed in the Tooling Layer section above.

The primary capability is AiTM phishing via customized Evilginx forks, which we talked about, proxying live Microsoft 365 authentication sessions to capture session cookies and OAuth tokens in realtime, bypassing MFA entirely. Before any victim reaches the phishing page, traffic passes through a custom Node.js fingerprinting gateway at verify.picis[.]net/verify-human. The filter applies FingerprintJS2 (screen resolution, timezone, hardware concurrency, canvas fingerprint, mouse movements) against a bots.txt blocklist of hundreds of known scanner signatures. Low-trust visitors are silently redirected to YouTube; only browsers passing the trust threshold are forwarded to the Evilginx reverse proxy. The entire stack sits behind a Cloudflare Tunnel, removing the server's real IP from the TLS handshake and making direct infrastructure attribution harder.

Parallel to the AiTM campaign, the server ran a fully automated Telegram-based combo harvesting pipeline. A Telethon script monitored over 100 Telegram channels sharing combolists and ULP logs, automatically downloading .txt combo files posted within the past week. A second script (587_checker.py, 100 threads) validated harvested credentials against live SMTP servers on port 587. Confirmed working accounts were logged to Valid.log and fed directly into the phishing delivery pipeline. Bulk dumps were also staged on the server, including a UK corporate combo file and a multi-country Hotmail/Outlook dump.

Outbound phishing emails were sent through these compromised legitimate SMTP accounts, avoiding detection by spam filters that would flag attacker-owned sending infrastructure. A QR code tracking and redirect system (redir/app.js) mapped six QR values to distinct owa.picis[.]net lure paths, reporting each victim's IP, country, device type, and user agent to the Telegram bot before the phishing page even loaded, giving the operator pre-qualification intelligence on each incoming target.

Taken together, these capabilities paint the full picture of who is the threat actor under the username codemado.

Other Independent Campaigns

As said earlier, the server and the GitHub repositories we found revealed other threat actors with their associated active campaigns. The two other threat actors, mail-argenta and saroula01, operated their own independent campaigns, each with distinct infrastructures. Their connection to codemado is technical, not operational: shared code and shared frameworks, it could be a coincidence since the repositories were public on GitHub.

mail-argenta : the Kraken operation

mail-argenta is the most prolific actor in the ecosystem, with 23 public repositories spanning Evilginx forks, Puppeteer-based MitM panels, and credential storage for a broad range of targets: red-queen, master, kraken-live-panel, prime-factor, linkedin, eharmony, gmail-evilginx, sharefile-bitb, bybit, libero, and others.

Three campaigns had bot infrastructure exposed through .env files left in public repositories:

CampaignReposMethodBotStatus
Kraken (crypto exchange)kraken-live-panel, prime-factorPuppeteer MitM panel7183501714 (@bybit1947_bot)Active
LinkedInlinkedinPuppeteer MitM panel8093847416Down
eHarmonyeharmonyPuppeteer MitM panel7571638613Down

At the time of investigation, only the Kraken bot was live and responding. The LinkedIn and eHarmony bots returned no data, indicating those campaigns had been shut down or the infrastructure rotated.

The LinkedIn campaign left the most tangible evidence of prior activity: mail-argenta/linkedin/cookies/ contained 20 files of li_at session tokens timestamped between June and August 2025, each representing an active LinkedIn session at the time of commit. The eHarmony repository similarly contained live session cookies in eharmony/cookies.json.

A captured Microsoft 365 cookie was also found directly in the red-queen repository: A json file contained ESTSAUTHPERSISTENT and ESTSAUTH cookies for login.microsoftonline.com with an expiration date of June 30, 2027, a persistent session token that remained valid well beyond the date of discovery.

saroula01 : the Device Code campaign

Where codemado proxied Microsoft 365 sessions directly, saroula01 takes a different approach. His black-queen framework, described in section 3.3, weaponizes the OAuth Device Code Flow, a legitimate Microsoft authentication mechanism designed for devices without a browser. The attack generates a real device code through the Microsoft identity platform, then presents it to the victim through a spoofed Microsoft Authenticator page, instructing them to enter it at microsoft.com/devicelogin. The victim authenticates on a genuine Microsoft page; saroula01's backend polls the token endpoint and claims the resulting access token the moment they do.

The lure page, as the one served from account.romnor[.]ca, is convincingly dressed: Microsoft branding, an urgency-framed MFA prompt, a real rotating device code with a 15-minute countdown timer, and a "Validate MFA" call-to-action. Nothing on the page is technically spoofed, the code is real, the destination is real, and that is precisely what makes the technique effective against users who verify URLs. Even though as you can see it is not the msot convincing designed lure page.

UrlScan screenshot of "account.romnor[.]ca"

The active deployment was reconstructed from a config.json committed and subsequently deleted from the black-queen git history: phishing domain romnor[.]ca, VPS at 20.118.27[.]127 (Azure), Telegram bot 8194688339, and server alias victor751. Six subdomains serve distinct Device Code lure themes, mirroring the same social engineering taxonomy used by codemado on picis[.]net:

SubdomainLure theme
briefing.romnor[.]ca/goMicrosoft Office (generic M365)
share.romnor[.]ca/goOneDrive
account.romnor[.]ca/goMicrosoft Authenticator
download.romnor[.]ca/goAdobe
sign.romnor[.]ca/goDocuSign
team.romnor[.]ca/goSharePoint

The git history also revealed a second deletion, two consecutive commits, that removed a json file file spanning 2,815 lines with 97 accumulated Microsoft OAuth tokens (access and refresh token pairs) for captured victims. The file was never force-pushed out of the repository, leaving it accessible via public git history at the time of analysis.

Internal session timestamps in the bot logs date back to June 18, 2025, suggesting the campaign has been running for over a year with no apparent interruption.

Victims Telemetry

The three campaigns exposed by this investigation made a couple of victims. The following telemetry is derived from the Telegram bots used by the threat actors for their campaigns.

codemado - AiTM Campaign (picis.net)

AttributeValue
Bot@Davidjacks_bot (8350633477)
PeriodMarch 13 → May 29 2026 (at minimum)
Primary targetMicrosoft 365 corporate accounts
Unique targets2 confirmed
Geographic focusFrance + North America

Bot logs confirm captures against two corporate M365 accounts across multiple IP addresses, one French SME in the professional services sector, one North American company in the consumer goods industry. The repeated captures of the same accounts across different IPs are consistent with the operator actively refreshing tokens as they expired.

mail-argenta - (bot_7183501714)

AttributeValue
Bot@bybit1947_bot (7183501714)
PeriodJune 2025 → July 2026 (at minimum)
Session typesO365 (12), Google (4), eHarmony (2), Kraken (2), Bybit (1), iCloud (1)
Unique targets15 confirmed
Geographic focusFrance + international

mail-argenta's captured sessions split across two distinct target profiles. French corporate organisations account for the majority of O365 captures, five distinct .fr domains spanning the social services, construction, and professional services sectors,alongside one non-profit. The remaining sessions target personal and consumer accounts: cryptocurrency exchanges (Kraken, Bybit), Google accounts, iCloud, and eHarmony, consistent with a broad, financially motivated operation running multiple phishing kits in parallel.

saroula01 - Device Code Campaign (romnor.ca)

AttributeValue
Bot@logsnow101_bot (8194688339)
PeriodJune 18, 2025 → July 2, 2026 (at minimum)
Unique targets218 confirmed
Corporate vs personal~94% corporate / ~6% personal
Geographic focusAustralia, United Kingdom, United States, Switzerland, Spain, Poland, Canada, and broader European markets

saroula01's campaign is by far the longest-running and highest-volume operation in the ecosystem, active for over a year with no apparent interruption.

The victim profile is overwhelmingly corporate: 94% of captured addresses belong to professional domains spanning SMEs, professional services firms, legal practices, and public sector entities. Personal accounts represent a marginal share, consistent with the Device Code Flow technique which requires deliberate victim interaction and is most effective when delivered through targeted, pretextual communication to corporate users.

TLD distribution reflects an opportunistic campaign:

TLDUnique victimsNotable sectors
.com105Mixed corporate (US-dominant)
.uk34SMEs, automotive, legal, recruitment
.au19SMEs, legal, construction, dental
.pl10Polish corporate
.es7Spanish corporate
.org6Non-profits, associations
.net6Mixed
.ch6Hospitality, engineering
.ca5SMEs, legal, construction
.eu4European mixed
.br3Brazilian corporate
Other7Slovenia, Norway, Maldives, Singapore...

The .ca presence is notable given the campaign infrastructure itself runs on romnor[.]ca, a Canadian-registered domain, suggesting either deliberate targeting of the Canadian market or opportunistic reuse of a local domain for credibility with Canadian targets.

The most impactful captures are the confirmed DC Token sessions: unlike standard credential theft, these yield Microsoft Authentication Broker tokens providing persistent, MFA-resistant access to the victim's full Microsoft 365 environment. A json file deleted from the black-queen git history, but recoverable via public git history, contained 97 active token entries across 3 victims, all sourced via Device Code Flow and all configured with autoRefresh: true, meaning black-queen was silently maintaining live access by refreshing tokens in the background. Individual tokens had been refreshed up to 25 times. The deletion coincided with token expiry on June 24, suggesting the operator cleaned up once the sessions were no longer usable.

"The Quarry" ecosystem connection

In June 2026, SOCRadar published a report on a large-scale MaaS/PhaaS operation from a cybercrime ecosystem they named The Quarry, a structured criminal service built and maintained by a threat actir operating under the aliases RockyBelling, Rockky, and Rock. The operation, active since at least April 2025, serves customized phishing kits, self-hosted ScreenConnect panels, VBS droppers, and mass mailing tools against targets across 14 countries. The threat actor RockyBelling sits at the centre of the ecosystem as the developer and infrastructure provider; the operators are clients who run their own campaigns using his tooling.

The connection to codemado is documented in both the SOCRadar report and primary source Telegram evidence. MaDoO Blaster, a customizable bulk-mailing application described as a "feature-rich sender built for dynamic and intelligent mailing," is explicitly referenced within The Quarry ecosystem: RockyBelling promoted the tool in the Rocky War Room channel with the message "My crazy Bro did this…", linking to a complete usage guide published.

Telegram post on RockyBelling's Telegram channel promoting MadOo Blaster

SOCRadar independently corroborates this, noting "support has also been observed for other projects developed by separate TAs" assisting during pre-phishing stages, with the MaDoO Blaster interface featured as Figure 12 of the report. The report stops short of naming the developer, but the tool's name is an unambiguous reference to the codemado alias documented throughout this investigation.

Screenshot of MaDoO Blaster running

Beyond the Blaster connection, codemado's own infrastructure shows significant overlap with The Quarry's documented tooling. ScreenConnect appears in both ecosystems as a primary post-compromise persistence mechanism. The credential harvesting component in The Quarry's catalog is described by SOCRadar as "possibly derived from Evilginx", consistent with the Evilginx forks deployed by codemado, mail-argenta, and saroula01. Whether mail-argenta or saroula01 have a direct relationship with The Quarry cannot be determined from available artifacts; their tooling is publicly accessible on GitHub and could have been adopted independently by any operator.

Codemado therefore operates not as an affiliate of RockyBelling, but as a third-party tool vendor supplying a pre-phishing distribution layer, a supplier/associate relationship, not a hierarchical one.

Assessment

This investigation began with a single open directory and expanded into a three-actor ecosystem sharing tooling, code lineage, and relationships across at least eighteen months of sustained activity.

Codemado (MaDoO, Mado, Madosc), the threat actor behind the open directory, runs a custom Evilginx AiTM deployment, operates his own anti-bot gateway, maintains an RMM arsenal for post-compromise persistence, and distributes MaDoO Blaster as a commercial product to third-party operators, including RockyBelling's The Quarry cybercrime ecosystem. The picis[.]net campaign ran from April 20 to at least May 29, 2026, with infrastructure provisioned as early as March 13, 2026, and earlier campaigns on queeenspropertyservices[.]ca suggesting continuous activity since at least January 2026.

Mail-argenta operates a multi-platform credential harvesting operation spanning Microsoft 365, cryptocurrency exchanges (Kraken, Bybit), and consumer platforms (eHarmony, iCloud). With valid session cookies documented through June 2027, several of his captured sessions remain actionable at the time of publication.

saroula01 deployed the Device Code Flow OAuth abuse technique, a vector that bypasses MFA entirely and leaves no password exposed on the phishing page. Active since at least June 2025, his campaign accumulated 218 identified victims across 12 countries, with 94% corporate targets.

Taken together, the three actors form a loosely family of cybercriminals rather than a single coordinated group: distinct infrastructure, distinct targets, but shared tooling provenance (Evilginx forks).

The accessibility of this ecosystem also carries a broader defensive implication. The tooling documented here, Evilginx forks, Device Code Flow abuse, pre-built phishing kits, is either publicly available on GitHub or commercially distributed through platforms like Telegram for a few hundred dollars. The technical barrier to running a functional AiTM campaign has dropped to near zero: saroula01's black-queen deployment and mail-argenta's multi-platform harvesting infrastructure were both assembled from open-source components with minimal customization. Defenders must operate under the assumption that any threat actor, regardless of sophistication, is capable of bypassing MFA through session hijacking or Device Code Flow abuse, and adjust detection and response posture accordingly.


Indicators of Compromise

TLP:CLEAR - All indicators below are suitable for unrestricted sharing and automated ingestion.

Network

codemado

TypeValueNotes
Phishing domainpicis[.]netRegistered 2026-03-13
Prior phishing domainqueeenspropertyservices[.]caJan 2026, same bot infrastructure
C2 / hosting IP185.163.204.7AS56322 ServerAstra Kft., HU
Anonymization proxy216.180.245.166:50101AS212238 Datacamp Limited, US
Botnet C2 (pre-campaign)188.227.196.240:7077Distributed via pastebin[.]com/u/codemadooo; flagged by @abuse_ch Dec 2025
ScreenConnect servervinicious.picis[.]net195.20.115.103AS56322, Windows/IIS, ScreenConnect 6.6, RDP 3389 open
Anti-bot gatewayverify.picis[.]net/verify-humanNode.js, redirects bots to YouTube
Cloudflare Tunnel ID1655dd1a-1c05-4818-8491-332f29713dcaTunnels Evilginx behind CDN
XEOX RMMagent01.xeox.com, ws01.xeox.com, 80.80.250.0/24RMM C2 infrastructure

saroula01

TypeValueNotes
Phishing domainromnor[.]caDevice Code Flow lure host
VPS IP20.118.27.127Azure (AS8075), confirmed via JWT ipaddr claim in captured tokens
Lure subdomainsbriefing.romnor[.]ca, share.romnor[.]ca, account.romnor[.]ca, download.romnor[.]ca, sign.romnor[.]ca, team.romnor[.]caAll route to /go

picis[.]net Subdomains (source: crt.sh)

SubdomainPurposeFirst certRenewed
outi.picis[.]netO365 phishlet13 Mar 2026
owa.picis[.]netO365 / OWA13 Mar 202620 Apr 2026
events.api.picis[.]netO36513 Mar 2026
accounts.picis[.]netO36514 Mar 2026
account.picis[.]netO365 (new)5 May 2026
track.picis[.]netTracking (new)6 May 2026
cdn.picis[.]netCDN / assets13 Mar 202620 Apr 2026
sso.picis[.]netNAB13 Mar 202621 Apr 2026
secure.picis[.]netNAB13 Mar 202621 Apr 2026
billing.picis[.]netGoogle13 Mar 202621 Apr 2026
verify.picis[.]netAnti-bot gateway
vinicious.picis[.]netScreenConnect 6.615 Apr 2026
gui.picis[.]netUnknown13 Mar 202622 Apr 2026
img1.picis[.]netAssets13 Mar 202621 Apr 2026
img6.picis[.]netAssets13 Mar 202622 Apr 2026
hervw.picis[.]netO365 lure rotation13 Mar 202620 Apr 2026
hervw2.picis[.]netO365 lure rotation13 Mar 202620 Apr 2026
hnrvrve.picis[.]netO365 lure rotation13 Mar 202620 Apr 2026
hrvetbr.picis[.]netO365 lure rotation13 Mar 202620 Apr 2026
hterw.picis[.]netO365 lure rotation13 Mar 202620 Apr 2026
roweri.picis[.]netO365 lure rotation13 Mar 202620 Apr 2026
htejre.picis[.]netO365 lure rotation13 Mar 202622 Apr 2026
hvr34gr.picis[.]netO365 lure rotation13 Mar 202621 Apr 2026
jrhte.picis[.]netO365 lure rotation13 Mar 202621 Apr 2026
ewfweo.picis[.]netO365 lure rotation13 Mar 202621 Apr 2026
hcwdg.picis[.]netO365 lure rotation13 Mar 202621 Apr 2026
mejeff.picis[.]netO365 lure rotation13 Mar 202621 Apr 2026
b8c4u.picis[.]netO365 lure rotation13 Mar 2026
c9x3h.picis[.]netO365 lure rotation13 Mar 2026
q4b7j.picis[.]netO365 lure rotation13 Mar 2026
l5p0n.picis[.]netO365 lure rotation13 Mar 2026
e2a6m.picis[.]netO365 lure rotation13 Mar 2026
g7k1w.picis[.]netO365 lure rotation13 Mar 2026
f3d9v.picis[.]netO365 lure rotation13 Mar 2026
h6y2s.picis[.]netO365 lure rotation13 Mar 2026
t5z1r.picis[.]netO365 lure rotation13 Mar 2026
w4j1q.picis[.]netO365 lure rotation13 Mar 2026
v3n8p.picis[.]netO365 lure rotation13 Mar 2026
k9m2x.picis[.]netO365 lure rotation13 Mar 2026

Files

SHA1FilenameNotes
6a4cb1c75e1c59bbd4fbc4667f4c3bb5a74fe965AdobeClientSetupV16.msi / sam.msiMSI dropper
2ea61cdead470f570586f513e22d43d787befec6NEWPANEL.msiMSI dropper
35f23dfb4135d4cd38a6a29e64d79191d166344ddddd.jpgPowerShell disguised as JPEG
eb8ede7598220dbef28953dc7df2e5418d52fa36dddd.ps1Obfuscated PowerShell dropper
f496736e2d2344de7963d4f722381f03227ec452getpass.exeCredential stealer
cf3cbf93adf43d50618c88705857d3adb123ed24pass.exeCredential stealer
ea5d2096a2ef3dfe4fb870bd1f0270efaea993a6install.msiITarian Endpoint Manager v10.3.51334.25120
e9a44b3fe951cca57313533d6bc1d11e789c2018securefile.zipXEOX dropper archive

Accounts & Identifiers

codemado / MaDoO

TypeValue
Telegram (operator)@mad0o0o0o0o (ID 7935925875)
Telegram (personal bot)@madosc_bot (ID 7914034496)
Telegram (campaign bot)ID 8350633477
GitHubcodemado
Email[email protected]
Pastebinpastebin[.]com/u/codemadooo
ForumsBlackHatWorld codemadooo; CrackingX profile 53519
WorkstationParrot OS, user oxemde (oxemde@parrot)
SuperOps RMM agentID AW7YQEJ4MH34_19SI0B7FBSUF4, UID 387628
GetScreen.meInvitation IDs 815497885, 431183676
Cloudflare Tunnel1655dd1a-1c05-4818-8491-332f29713dca

saroula01

TypeValue
GitHubsaroula01
Telegram (campaign bot)ID 8194688339, username @logsnow101_bot
Server namevictor751
Email[email protected]
Device Code client ID abusedd3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)

mail-argenta

TypeValue
GitHubmail-argenta (23 public repos)
Email[email protected]
Email[email protected]
Telegram bot (Kraken)ID 7183501714
Telegram bot (eHarmony)ID 7571638613
Telegram bot (LinkedIn)ID 8093847416

MITRE ATT&CK Mapping

codemado

TacticTechniqueIDDescription
Initial AccessPhishing: Spearphishing LinkT1566.002Lure URLs delivered via email and QR code redirector
Credential AccessAdversary-in-the-MiddleT1557.002AiTM via Evilginx reverse proxy on picis[.]net
Credential AccessSteal Web Session CookieT1539M365 session cookie hijacking post-AiTM
Credential AccessCredential StuffingT1110.004587_checker.py SMTP credential validation
Defense EvasionImpair DefensesT1562Anti-bot fingerprinting gateway at verify.picis[.]net
Defense EvasionObfuscated Files or InformationT1027AES-encrypted VBS, Unicode glyph WSF, PowerShell disguised as JPEG
Command & ControlProxy: External ProxyT1090.002SOCKS5 proxy + Cloudflare Tunnel in front of Evilginx
Command & ControlRemote Access SoftwareT12197-tool RMM arsenal (XEOX, SuperOps, GetScreen, ITarian, ScreenConnect)
Command & ControlWeb ServiceT1102Telegram bot for real-time victim session notification
CollectionAutomated CollectionT1119Telethon combo scraper across 100+ Telegram channels

mail-argenta

TacticTechniqueIDDescription
Initial AccessPhishing: Spearphishing LinkT1566.002Lure URLs across M365, Kraken, Bybit, eHarmony, iCloud, LinkedIn
Credential AccessAdversary-in-the-MiddleT1557.002AiTM via red-queen Evilginx fork (multi-platform phishlets)
Credential AccessSteal Web Session CookieT1539Session cookie harvesting across O365, crypto, and consumer platforms
CollectionEmail CollectionT1114M365 cookie ESTSAUTHPERSISTENT valid through June 2027 captured
Command & ControlWeb ServiceT1102Three Telegram bots for per-campaign victim notification

saroula01

TacticTechniqueIDDescription
Initial AccessPhishing: Spearphishing LinkT1566.002Lure URLs on six romnor[.]ca subdomains, path /go
Credential AccessSteal Application Access TokenT1528OAuth Device Code Flow abuse, victim authenticates at real Microsoft, token captured
Credential AccessSteal Web Session CookieT1539black-queen Evilginx fork, phishlet o365
CollectionEmail CollectionT1114Mail.ReadWrite + Mail.Send scope on all captured device code tokens
Command & ControlWeb ServiceT1102@logsnow101_bot for real-time victim logging (8,800+ messages)

Detection

Microsoft / Azure AD:

  • Disable Device Code Flow via Conditional Access if not operationally required (grant_type=device_code)
  • Enable Continuous Access Evaluation (CAE), device code tokens changing source IP trigger re-authentication
  • Alert on grant_type=refresh_token originating from the following client ID if Microsoft Office desktop is not in use: d3590ed6-52b3-4102-aeff-aad2292ab01c
  • Alert on Mail.ReadWrite + Mail.Send OAuth grants issued via device code flow to unknown IPs

Endpoint:

  • Hunt for XEOX agent: C:\Program Files (x86)\XEOX\xeox-agent_x64.exe
  • Hunt for scheduled tasks matching *XEOX*Agent*Watchdog*
  • Block *.xeox.com and 80.80.250.0/24 if XEOX is not an authorized RMM in the environment
  • Flag MSI/EXE filenames matching tax-lure patterns: *TaxOrganizer*, *StatementID*, *AdobeClient*

Network:

  • Block / alert on picis[.]net and all listed subdomains
  • Block / alert on romnor[.]ca and all six lure subdomains
  • Block 185.163.204.7, 195.20.115.103, 20.118.27.127
  • Alert on outbound connections to *.xeox.com, portal.xeox.com
  • Alert on TLS SNI matching *.picis.net or *.romnor.ca

文章来源: https://blog.lexfo.fr/opendir-to-phishing-operator.html
如有侵权请联系:admin#unsafe.sh