One Open Server Exposed Three Live Phishing Operations
Want more insights like this?
A misconfigured Python HTTP server in Budapest with directory listing enabled handed researchers a full look inside three active phishing campaigns. The exposed server at 185.163.204.7 contained credential logs, phishing configs, RMM installers, combolists, and even the operator's own Telegram session files.
Three distinct threat actors were identified: codemado, an Egyptian operator running Microsoft 365 AiTM attacks since March 2026; mail-argenta, a Nigerian operator whose own credentials appeared in infostealer logs; and saroula01, whose Device Code Flow campaign quietly accumulated 218 victims across 12 countries over a year.
All three built MFA-bypassing infrastructure from public GitHub repositories. The barrier to running these attacks is effectively zero.
Source: Lexfo Security Blog