mail-argenta is a Nigerian phishing operator and developer associated with customized Evilginx-based adversary-in-the-middle tooling used primarily against Microsoft 365 and other online services. The actor is linked to a public GitHub persona using the same handle and has been associated with repositories and phishing infrastructure targeting Microsoft 365, Kraken, LinkedIn, eHarmony, GitHub, Gmail, and banking-themed lures. Attribution to Nigeria is supported by exposed credential reuse and operational artifacts tying the developer persona to active phishing tooling. The actor is best known for developing the red-queen Evilginx fork, a modified phishing framework designed to intercept authenticated Microsoft 365 sessions and bypass conventional multi-factor authentication by stealing session cookies. Reported modifications include changes intended to defeat Subresource Integrity protections, URL-rewriting logic to evade path-based detections, and victim email prefilling to reduce abandonment during phishing flows. The framework was also configured to retain captured Microsoft session cookies for unusually long periods, enabling durable session hijacking where token revocation and Conditional Access controls were insufficient. A precompiled binary was distributed alongside the source, indicating an effort to lower the barrier for operators or customers using the tool. mail-argenta has also been linked to Kraken-focused man-in-the-middle tooling implemented as a live panel with real-time session handling and backend credential storage, suggesting capability beyond simple kit reuse. The actor appears to operate as both a developer and an end-user of phishing infrastructure rather than solely as a commodity seller. Observed activity indicates interest in credential theft, session theft, and persistent access to cloud accounts and financial-service accounts. Operationally, mail-argenta reflects a broader trend of low-cost but effective phishing tradecraft built on public offensive frameworks with incremental customization. The actor’s tooling shows emphasis on MFA bypass through reverse-proxy phishing, session persistence through stolen cookies, and usability improvements that increase victim conversion. There are also indications of AI-assisted development in supporting code and implementation details. Known associated tooling and aliases include red-queen and the handle mail-argenta.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operating and developing a customized Evilginx phishing kit for Microsoft 365 that modifies HTML attributes to evade Subresource Integrity checks, rewrites URLs to avoid path-based detection, pre-fills victim email addresses, and extends captured cookie lifetime.
Operates a multi-platform credential-harvesting operation using a customized Evilginx fork and Puppeteer-based MitM panels targeting Microsoft 365, Kraken, Bybit, LinkedIn, eHarmony, iCloud, and Google accounts.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.