One Misconfigured Server, Three Active Campaigns: Full exposure of three AiTM Phishing Operators
A misconfigured Python HTTP server on a Budapest VPS exposed the full operational infrastructure of three distinct AiTM phishing operators: codemado (Egyptian), saroula01, and mail-argenta (Nigerian). The exposed data included phishing configurations, credential logs, remote management tool installers, combolists, and Telegram session files. These operators used customized Evilginx forks and AI-assisted development to build MFA-bypass phishing infrastructure targeting primarily Microsoft 365 accounts. The campaigns were active from at least January 2025 through May 2026 and involved OAuth Device Code Flow attacks and other sophisticated phishing techniques.
AI Analysis
Technical Summary
This threat involves a misconfigured Python HTTP server that publicly exposed the complete infrastructure of three active AiTM phishing operators. The operators—codemado, saroula01, and mail-argenta—leveraged customized Evilginx forks and AI-assisted tools to conduct MFA bypass attacks, primarily targeting Microsoft 365 accounts. The exposed server contained extensive operational data including phishing configurations, credential logs, RMM installers, combolists, and Telegram session files. Codemado is linked to the RockyBelling cybercrime ecosystem, while saroula01 conducted OAuth Device Code Flow attacks affecting 218 victims across 12 countries over a year. The exposure reveals sustained phishing operations from January 2025 through May 2026.
Potential Impact
The exposure of the phishing operators' full infrastructure allows defenders and law enforcement to analyze and potentially disrupt ongoing AiTM phishing campaigns. The compromised data includes sensitive operational tools and victim credentials, indicating active and sustained phishing attacks with MFA bypass capabilities targeting Microsoft 365 users. This could lead to unauthorized access to corporate and personal accounts, data theft, and further cybercrime activities if not mitigated.
Mitigation Recommendations
Patch status is not applicable as this is a case of a misconfigured server exposing threat actor infrastructure. Organizations should ensure proper configuration and security of their servers to prevent accidental exposure of sensitive data. Monitoring for phishing campaigns using customized Evilginx forks and OAuth Device Code Flow attacks is recommended. No official fix or patch is available for the threat actors' tools themselves; mitigation focuses on detection and prevention of phishing attacks leveraging these infrastructures.
Indicators of Compromise
- domain: picis.net
- ip: 83.136.211.85
- ip: 188.227.196.240
- hash: 1a37b674ed29c877890834e9aba616d9
- hash: ea5d2096a2ef3dfe4fb870bd1f0270efaea993a6
- hash: 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0
- domain: hrvetbr.picis.net
- domain: hervw.picis.net
- domain: cdn.picis.net
- domain: hervw2.picis.net
- domain: ewfweo.picis.net
- domain: htejre.picis.net
- domain: sso.picis.net
- domain: jrhte.picis.net
- domain: events.api.picis.net
- domain: mejeff.picis.net
- domain: hvr34gr.picis.net
- domain: img1.picis.net
- cidr: 80.80.250.0/24
- hash: 2ea61cdead470f570586f513e22d43d787befec6
- hash: 35f23dfb4135d4cd38a6a29e64d79191d166344d
- hash: 6a4cb1c75e1c59bbd4fbc4667f4c3bb5a74fe965
- hash: cf3cbf93adf43d50618c88705857d3adb123ed24
- hash: e9a44b3fe951cca57313533d6bc1d11e789c2018
- hash: eb8ede7598220dbef28953dc7df2e5418d52fa36
- hash: f496736e2d2344de7963d4f722381f03227ec452
- ip: 216.180.245.166
- url: http://account.romnor.ca/go
- url: http://briefing.romnor.ca/go
- url: http://download.romnor.ca/go
- url: http://share.romnor.ca/go
- url: http://sign.romnor.ca/go
- url: http://team.romnor.ca/go
- url: http://verify.picis.net/verify-human
- domain: queeenspropertyservices.ca
- domain: romnor.ca
- domain: simple.run
- domain: account.picis.net
- domain: account.romnor.ca
- domain: accounts.picis.net
- domain: agent01.xeox.com
- domain: b8c4u.picis.net
- domain: billing.picis.net
- domain: briefing.romnor.ca
- domain: c9x3h.picis.net
- domain: download.romnor.ca
- domain: e2a6m.picis.net
- domain: f3d9v.picis.net
- domain: g7k1w.picis.net
- domain: gui.picis.net
- domain: h6y2s.picis.net
- domain: hcwdg.picis.net
- domain: hnrvrve.picis.net
- domain: hterw.picis.net
- domain: img6.picis.net
- domain: k9m2x.picis.net
- domain: l5p0n.picis.net
- domain: outi.picis.net
- domain: owa.picis.net
- domain: portal.xeox.com
- domain: q4b7j.picis.net
- domain: roweri.picis.net
- domain: secure.picis.net
- domain: share.romnor.ca
- domain: sign.romnor.ca
- domain: t5z1r.picis.net
- domain: team.romnor.ca
- domain: track.picis.net
- domain: v3n8p.picis.net
- domain: verify.picis.net
- domain: vinicious.picis.net
- domain: w4j1q.picis.net
- domain: ws01.xeox.com
One Misconfigured Server, Three Active Campaigns: Full exposure of three AiTM Phishing Operators
Description
A misconfigured Python HTTP server on a Budapest VPS exposed the full operational infrastructure of three distinct AiTM phishing operators: codemado (Egyptian), saroula01, and mail-argenta (Nigerian). The exposed data included phishing configurations, credential logs, remote management tool installers, combolists, and Telegram session files. These operators used customized Evilginx forks and AI-assisted development to build MFA-bypass phishing infrastructure targeting primarily Microsoft 365 accounts. The campaigns were active from at least January 2025 through May 2026 and involved OAuth Device Code Flow attacks and other sophisticated phishing techniques.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a misconfigured Python HTTP server that publicly exposed the complete infrastructure of three active AiTM phishing operators. The operators—codemado, saroula01, and mail-argenta—leveraged customized Evilginx forks and AI-assisted tools to conduct MFA bypass attacks, primarily targeting Microsoft 365 accounts. The exposed server contained extensive operational data including phishing configurations, credential logs, RMM installers, combolists, and Telegram session files. Codemado is linked to the RockyBelling cybercrime ecosystem, while saroula01 conducted OAuth Device Code Flow attacks affecting 218 victims across 12 countries over a year. The exposure reveals sustained phishing operations from January 2025 through May 2026.
Potential Impact
The exposure of the phishing operators' full infrastructure allows defenders and law enforcement to analyze and potentially disrupt ongoing AiTM phishing campaigns. The compromised data includes sensitive operational tools and victim credentials, indicating active and sustained phishing attacks with MFA bypass capabilities targeting Microsoft 365 users. This could lead to unauthorized access to corporate and personal accounts, data theft, and further cybercrime activities if not mitigated.
Mitigation Recommendations
Patch status is not applicable as this is a case of a misconfigured server exposing threat actor infrastructure. Organizations should ensure proper configuration and security of their servers to prevent accidental exposure of sensitive data. Monitoring for phishing campaigns using customized Evilginx forks and OAuth Device Code Flow attacks is recommended. No official fix or patch is available for the threat actors' tools themselves; mitigation focuses on detection and prevention of phishing attacks leveraging these infrastructures.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://blog.lexfo.fr/opendir-to-phishing-operator.html"]
- Adversary
- codemado
- Pulse Id
- 6a54bfc57c70fae743cb883e
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainpicis.net | — | |
domainhrvetbr.picis.net | — | |
domainhervw.picis.net | — | |
domaincdn.picis.net | — | |
domainhervw2.picis.net | — | |
domainewfweo.picis.net | — | |
domainhtejre.picis.net | — | |
domainsso.picis.net | — | |
domainjrhte.picis.net | — | |
domainevents.api.picis.net | — | |
domainmejeff.picis.net | — | |
domainhvr34gr.picis.net | — | |
domainimg1.picis.net | — | |
domainqueeenspropertyservices.ca | — | |
domainromnor.ca | — | |
domainsimple.run | — | |
domainaccount.picis.net | — | |
domainaccount.romnor.ca | — | |
domainaccounts.picis.net | — | |
domainagent01.xeox.com | — | |
domainb8c4u.picis.net | — | |
domainbilling.picis.net | — | |
domainbriefing.romnor.ca | — | |
domainc9x3h.picis.net | — | |
domaindownload.romnor.ca | — | |
domaine2a6m.picis.net | — | |
domainf3d9v.picis.net | — | |
domaing7k1w.picis.net | — | |
domaingui.picis.net | — | |
domainh6y2s.picis.net | — | |
domainhcwdg.picis.net | — | |
domainhnrvrve.picis.net | — | |
domainhterw.picis.net | — | |
domainimg6.picis.net | — | |
domaink9m2x.picis.net | — | |
domainl5p0n.picis.net | — | |
domainouti.picis.net | — | |
domainowa.picis.net | — | |
domainportal.xeox.com | — | |
domainq4b7j.picis.net | — | |
domainroweri.picis.net | — | |
domainsecure.picis.net | — | |
domainshare.romnor.ca | — | |
domainsign.romnor.ca | — | |
domaint5z1r.picis.net | — | |
domainteam.romnor.ca | — | |
domaintrack.picis.net | — | |
domainv3n8p.picis.net | — | |
domainverify.picis.net | — | |
domainvinicious.picis.net | — | |
domainw4j1q.picis.net | — | |
domainws01.xeox.com | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip83.136.211.85 | — | |
ip188.227.196.240 | — | |
ip216.180.245.166 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash1a37b674ed29c877890834e9aba616d9 | — | |
hashea5d2096a2ef3dfe4fb870bd1f0270efaea993a6 | — | |
hash7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0 | — | |
hash2ea61cdead470f570586f513e22d43d787befec6 | — | |
hash35f23dfb4135d4cd38a6a29e64d79191d166344d | — | |
hash6a4cb1c75e1c59bbd4fbc4667f4c3bb5a74fe965 | — | |
hashcf3cbf93adf43d50618c88705857d3adb123ed24 | — | |
hashe9a44b3fe951cca57313533d6bc1d11e789c2018 | — | |
hasheb8ede7598220dbef28953dc7df2e5418d52fa36 | — | |
hashf496736e2d2344de7963d4f722381f03227ec452 | — |
Cidr
| Value | Description | Copy |
|---|---|---|
cidr80.80.250.0/24 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://account.romnor.ca/go | — | |
urlhttp://briefing.romnor.ca/go | — | |
urlhttp://download.romnor.ca/go | — | |
urlhttp://share.romnor.ca/go | — | |
urlhttp://sign.romnor.ca/go | — | |
urlhttp://team.romnor.ca/go | — | |
urlhttp://verify.picis.net/verify-human | — |
Threat ID: 6a54c5e868715ace43c4fa76
Added to database: 07/13/2026, 11:03:04 UTC
Last enriched: 07/13/2026, 11:19:26 UTC
Last updated: 07/14/2026, 03:29:49 UTC
Views: 158
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.