MaDoO Blaster
At a glance
| Actor / group | codemado, mail-argenta, saroula01 (online aliases) |
| Activity | AiTM phishing and OAuth Device Code Flow abuse |
| Targets / victims | Corporate Microsoft 365 accounts, plus crypto and consumer platforms |
| Scale (claimed) | 218+ victims across 12 countries in the largest campaign |
| Status | No arrests reported; public research disclosure |
| Source | LEXFO threat report; SOCRadar “The Quarry” report |
TL;DR
In late April 2026, one open directory exposed the full toolkit of a live phishing operation. Researchers at LEXFO traced the server to three separate operators. All of them abused forks of the Evilginx framework to bypass multi-factor authentication on Microsoft 365 accounts.
What happened
On a late April afternoon, an internet scan flagged an open directory on a Budapest server. The host ran a basic Python web server with directory listing switched on. As a result, phishing configs, logs, installers, combolists, and Telegram session files sat in plain view.
LEXFO described the exposure as “a complete operational snapshot of a live attack platform.” The command that opened the folder still sat in the shell history. From that single entry point, the team pivoted outward and mapped an entire ecosystem.
The server held several Evilginx forks side by side, including kits named black-queen and red-queen. Alongside them sat remote management tools for keeping access after a break-in. In short, one folder revealed a full attack chain.
Who is behind it
Three operators emerged, and LEXFO backs each attribution with clear artefacts.
codemado
codemado is allegedly an Egyptian actor with a hacking-forum trail dating back to 2018. He ran an Evilginx AiTM platform and a remote console on the same host. He also built a bulk-mailer that he appears to sell to other operators.
mail-argenta
mail-argenta is a suspected Nigerian operator. Ironically, infostealer logs exposed him after his own credentials leaked. Those logs reportedly matched a password he reused inside his phishing panel.
saroula01
saroula01 built a Device Code phishing kit. Its README reads: “Pre-configured O365 device code phishing framework with 6 lure themes ready for deployment.” Attribution here stays weaker, since LEXFO could not tie the developer to a named person.
All three sourced their code from public GitHub repositories. Notably, each customized that code with AI assistance.
Impact and scale
The three campaigns chase different victims, yet they share one aim: stealing live sessions. Because AiTM proxies and Device Code Flow both capture tokens, they slip past MFA entirely.
Why Device Code Flow works
Device Code Flow is a real Microsoft sign-in feature for devices without a browser. saroula01’s kit turns it against victims. The lure shows a genuine code and asks the user to enter it on Microsoft’s real page. The victim then signs in for real, and the attacker’s backend grabs the token. Nothing on the page is faked, which is what makes the trick land.
Victim numbers
saroula01’s operation looks the largest. LEXFO claims it ran for over a year and reached 218 victims across 12 countries. Roughly 94% of those targets were corporate, according to the report. mail-argenta’s panels, meanwhile, captured sessions from crypto exchanges, Google, iCloud, and Microsoft 365. codemado’s own campaign confirmed captures against French and North American firms.
These figures come from the researchers, not from any court. Therefore, treat the victim counts as claims pending independent confirmation.
The report also ties codemado to “The Quarry,” a phishing-as-a-service network documented by SOCRadar. That second report places codemado’s mailer inside the group’s channels. Even so, LEXFO frames the link as supplier and client, not a command structure.
How to stay protected
The campaigns stayed active after discovery. Fresh subdomains and new certificates appeared weeks later. So defenders should assume this tooling still circulates.
The wider lesson is cost. These kits sell cheaply, or arrive free on GitHub. In practice, the barrier to running an MFA-bypass campaign has fallen close to zero.
Defenders can still push back. First, move toward phishing-resistant MFA, such as FIDO2 security keys. Next, tighten conditional access and block Device Code Flow where nobody needs it. Then, watch for odd OAuth grants and unexpected token refreshes. Finally, review Microsoft 365 sign-in logs for foreign IPs on trusted accounts.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.