Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

One Misconfigured Server, Three Active Campaigns: Full exposure of three AiTM Phishing Operators

0
Medium
Published: 07/13/2026 (07/13/2026, 10:36:53 UTC)
Source: AlienVault OTX General

Description

A misconfigured Python HTTP server on a Budapest VPS exposed the full operational infrastructure of three distinct AiTM phishing operators: codemado (Egyptian), saroula01, and mail-argenta (Nigerian). The exposed data included phishing configurations, credential logs, remote management tool installers, combolists, and Telegram session files. These operators used customized Evilginx forks and AI-assisted development to build MFA-bypass phishing infrastructure targeting primarily Microsoft 365 accounts. The campaigns were active from at least January 2025 through May 2026 and involved OAuth Device Code Flow attacks and other sophisticated phishing techniques.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 11:19:26 UTC

Technical Analysis

This threat involves a misconfigured Python HTTP server that publicly exposed the complete infrastructure of three active AiTM phishing operators. The operators—codemado, saroula01, and mail-argenta—leveraged customized Evilginx forks and AI-assisted tools to conduct MFA bypass attacks, primarily targeting Microsoft 365 accounts. The exposed server contained extensive operational data including phishing configurations, credential logs, RMM installers, combolists, and Telegram session files. Codemado is linked to the RockyBelling cybercrime ecosystem, while saroula01 conducted OAuth Device Code Flow attacks affecting 218 victims across 12 countries over a year. The exposure reveals sustained phishing operations from January 2025 through May 2026.

Potential Impact

The exposure of the phishing operators' full infrastructure allows defenders and law enforcement to analyze and potentially disrupt ongoing AiTM phishing campaigns. The compromised data includes sensitive operational tools and victim credentials, indicating active and sustained phishing attacks with MFA bypass capabilities targeting Microsoft 365 users. This could lead to unauthorized access to corporate and personal accounts, data theft, and further cybercrime activities if not mitigated.

Mitigation Recommendations

Patch status is not applicable as this is a case of a misconfigured server exposing threat actor infrastructure. Organizations should ensure proper configuration and security of their servers to prevent accidental exposure of sensitive data. Monitoring for phishing campaigns using customized Evilginx forks and OAuth Device Code Flow attacks is recommended. No official fix or patch is available for the threat actors' tools themselves; mitigation focuses on detection and prevention of phishing attacks leveraging these infrastructures.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://blog.lexfo.fr/opendir-to-phishing-operator.html"]
Adversary
codemado
Pulse Id
6a54bfc57c70fae743cb883e
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainpicis.net
domainhrvetbr.picis.net
domainhervw.picis.net
domaincdn.picis.net
domainhervw2.picis.net
domainewfweo.picis.net
domainhtejre.picis.net
domainsso.picis.net
domainjrhte.picis.net
domainevents.api.picis.net
domainmejeff.picis.net
domainhvr34gr.picis.net
domainimg1.picis.net
domainqueeenspropertyservices.ca
domainromnor.ca
domainsimple.run
domainaccount.picis.net
domainaccount.romnor.ca
domainaccounts.picis.net
domainagent01.xeox.com
domainb8c4u.picis.net
domainbilling.picis.net
domainbriefing.romnor.ca
domainc9x3h.picis.net
domaindownload.romnor.ca
domaine2a6m.picis.net
domainf3d9v.picis.net
domaing7k1w.picis.net
domaingui.picis.net
domainh6y2s.picis.net
domainhcwdg.picis.net
domainhnrvrve.picis.net
domainhterw.picis.net
domainimg6.picis.net
domaink9m2x.picis.net
domainl5p0n.picis.net
domainouti.picis.net
domainowa.picis.net
domainportal.xeox.com
domainq4b7j.picis.net
domainroweri.picis.net
domainsecure.picis.net
domainshare.romnor.ca
domainsign.romnor.ca
domaint5z1r.picis.net
domainteam.romnor.ca
domaintrack.picis.net
domainv3n8p.picis.net
domainverify.picis.net
domainvinicious.picis.net
domainw4j1q.picis.net
domainws01.xeox.com

Ip

ValueDescriptionCopy
ip83.136.211.85
ip188.227.196.240
ip216.180.245.166

Hash

ValueDescriptionCopy
hash1a37b674ed29c877890834e9aba616d9
hashea5d2096a2ef3dfe4fb870bd1f0270efaea993a6
hash7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0
hash2ea61cdead470f570586f513e22d43d787befec6
hash35f23dfb4135d4cd38a6a29e64d79191d166344d
hash6a4cb1c75e1c59bbd4fbc4667f4c3bb5a74fe965
hashcf3cbf93adf43d50618c88705857d3adb123ed24
hashe9a44b3fe951cca57313533d6bc1d11e789c2018
hasheb8ede7598220dbef28953dc7df2e5418d52fa36
hashf496736e2d2344de7963d4f722381f03227ec452

Cidr

ValueDescriptionCopy
cidr80.80.250.0/24

Url

ValueDescriptionCopy
urlhttp://account.romnor.ca/go
urlhttp://briefing.romnor.ca/go
urlhttp://download.romnor.ca/go
urlhttp://share.romnor.ca/go
urlhttp://sign.romnor.ca/go
urlhttp://team.romnor.ca/go
urlhttp://verify.picis.net/verify-human

Threat ID: 6a54c5e868715ace43c4fa76

Added to database: 07/13/2026, 11:03:04 UTC

Last enriched: 07/13/2026, 11:19:26 UTC

Last updated: 07/14/2026, 03:29:49 UTC

Views: 158

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses