Skip to content
feed: live
>_ 0dayNews
threat intel
Analysis

Three Evilginx Crews, One Forgotten Bash History

Lexfo pulled the full toolkit from an open Python server in Budapest and pivoted to two more Evilginx operations targeting Microsoft 365 tenants.

Three Evilginx Crews, One Forgotten Bash History
Image: 0dayNews / 0dayNews Editorial · All rights reserved
kilobaud Dave "Kilobaud" Ferris · Published · 2 min read

Lexfo, the French security firm, spent a routine scan in late April on the kind of thing that almost never pays off — an internet-facing Python HTTP server with directory listing enabled. This one, running at 185.163.204[.]7 in Budapest, did pay off. The command that stood the whole thing up, python3 -m http.server 8080, was still sitting in the operator’s readable .bash_history, and from that single lapse Lexfo pulled the full working toolkit of one Microsoft 365 phishing operation, then pivoted through the shared infrastructure to two more. All three, reported by The Hacker News on July 13, were running variants of the same open-source AiTM proxy: Evilginx.

None of the three operators is state-tier. Codemado — an Egyptian actor active on VoIP and hacking forums since 2018 — launched a fresh campaign on April 20, 2026, ran an adversary-in-the-middle platform out of picis[.]net, and monetized through a custom bulk mailer marketed as MaDoO Blaster. Mail-argenta, a Nigerian operator, maintained a private Evilginx fork called red-queen, patched to swap out HTML attributes that would otherwise trip Subresource Integrity checks, and stretched captured Microsoft session cookies to a full one-year TTL. Saroula01, the third and least-attributed, wrote a “black-queen” variant that leaned on Microsoft’s OAuth device code flow rather than a straight cookie proxy, and had logged 218 distinct captured accounts across twelve countries between June 2025 and July 2026 — 94% of them corporate mailboxes, and 97 of the sessions in the repo still refresh-token-live at the moment Lexfo pulled the data.

None of that is technically surprising. What is worth pausing on is that three unrelated actors, three regions, three separate customer bases, all converged on essentially the same tooling: Evilginx2 forked from a public GitHub, SimpleHelp for remote console, XEOX RMM for persistence, and throwaway domains. That convergence is the same story we’ve been telling about ransomware affiliates for years, playing out on the credential-harvesting side of the house: the toolchain is commodity, the barrier to entry is a weekend’s reading, and the individual operator is much less interesting than the ecosystem they buy from. Lexfo ties the picis[.]net campaign back to The Quarry, a phishing-as-a-service outfit SOCRadar documented in June and which reportedly serves roughly two hundred customers. Different names, same warehouse.

There is a second detail buried in the artifacts that will look ordinary in two years and does not now: AI-generated code turned up across all three operations, including commits attributed to Claude-family models and references to a “CyberNeurova” API. The commodification is not only in the tools; it is in the writing of the tools.

For defenders, the practical shape of the advice Lexfo gives has not changed in a year. If a tenant is still running Microsoft 365 with anything short of FIDO2 or passkeys with origin binding, an Evilginx proxy will unwrap the login every time — the same point that keeps surfacing in post-mortem after post-mortem. The OAuth device code flow, exploited by Saroula01’s black-queen variant, is worth blocking outright via Conditional Access unless a specific workflow actually requires it. And it is worth hunting Entra sign-in logs for the Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c paired with device-code-flow entries from IPs the tenant does not otherwise see. That is the mechanical part. The rest is boring in the way this whole story is boring, which is exactly why it will keep working: someone will keep forgetting to turn off directory listing on the attacker side, and someone will keep leaving MFA at “SMS is fine” on the defender side, and the middle of that graph is where the operators live.

Found this useful? Share it.