<img height="1" width="1" style="display: none" alt="" src="https://px.ads.linkedin.com/collect/?pid=1098858&amp;fmt=gif">

One Open Server Exposed Three Live Phishing Operations

Exposed server in Budapest reveals three phishing campaigns with MFA-bypassing tactics, targeting victims across 12 countries.
Content Team

A misconfigured Python HTTP server in Budapest with directory listing enabled handed researchers a full look inside three active phishing campaigns. The exposed server at 185.163.204.7 contained credential logs, phishing configs, RMM installers, combolists, and even the operator's own Telegram session files.

Three distinct threat actors were identified: codemado, an Egyptian operator running Microsoft 365 AiTM attacks since March 2026; mail-argenta, a Nigerian operator whose own credentials appeared in infostealer logs; and saroula01, whose Device Code Flow campaign quietly accumulated 218 victims across 12 countries over a year.

All three built MFA-bypassing infrastructure from public GitHub repositories. The barrier to running these attacks is effectively zero.

Source: Lexfo Security Blog

Share this article
Share on facebook Share on linkedin Share on twitter Share on email
blog_book_a_demo_cta_3x
Have questions about protecting your software?
Our escrow experts are standing by to help.
Book a free demo