Codemado open-directory operator toolkit leak
Data Leak
Summary
Hide ▲
Show ▼
A misconfigured Budapest VPS exposed codemado's phishing toolkit, leaking session material and credential artifacts that could enable account hijacking. The readable directory included phishing configurations, credential logs, RMM installers, and Telegram session files. The exposed files tied the operator to an active Evilginx-based phishing ecosystem and created immediate operational risk for anyone using the compromised infrastructure.
Related Happenings
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Storm-1175 high-velocity exploit campaign
Campaign
H score59
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm-1175 high-velocity exploit campaign
CampaignAbout this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
H score31
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware ActivityAbout this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...
GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems
Malware Activity
H score28
First: 03.02.2026 00:04
Last: 03.02.2026 00:04
Sources 1
About this happening:
**GlassWorm** is a malware campaign that now also fuels **ForceMemo**, a **supply-chain attack** that steals **GitHub tokens** and force-pushes malicious code into **Python reposi...
GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems
Malware ActivityAbout this happening: **GlassWorm** is a malware campaign that now also fuels **ForceMemo**, a **supply-chain attack** that steals **GitHub tokens** and force-pushes malicious code into **Python reposi...
Amnesia RAT retrieved from Dropbox for data theft and remote control
Malware Activity
H score29
First: 24.01.2026 13:09
Last: 24.01.2026 13:09
Sources 1
About this happening:
The **Amnesia RAT** payload is being staged from **Dropbox**, giving the operators a **remote-access trojan** that can steal data and control infected endpoints. It is the final s...
Amnesia RAT retrieved from Dropbox for data theft and remote control
Malware ActivityAbout this happening: The **Amnesia RAT** payload is being staged from **Dropbox**, giving the operators a **remote-access trojan** that can steal data and control infected endpoints. It is the final s...
Timeline
-
13.07.2026 18:30 2 articles · 8h ago
Misconfigured Budapest VPS exposes codemado's phishing toolkit
Initial DisclosureLexfo disclosed that a Python HTTP server left running with directory listing switched on on a Budapest virtual private server exposed phishing configurations, credential logs, remote management installers, and Telegram session files tied to codemado's Evilginx-based adversary-in-the-middle platform against corporate Microsoft 365 accounts. The exposed host also contained a seven-tool remote monitoring and management arsenal, including ScreenConnect and SimpleHelp, plus the custom bulk-mailer MaDoO Blaster.
Show sources
- Open Directory Exposes Three Evilginx Phishing Operators — www.infosecurity-magazine.com — 13.07.2026 18:30
- Open Directory Exposes Three Evilginx Phishing Operators — www.infosecurity-magazine.com — 13.07.2026 18:30