codemado is an Egyptian cybercriminal operator active since at least 2018, with roots in VoIP and hacking forums and aliases including MaDoO, MaDosc, and MADO. The actor has been linked to Microsoft 365-focused phishing operations designed to bypass multifactor authentication, as well as to bulk email tooling used to monetize and scale access operations. The actor is associated with adversary-in-the-middle phishing infrastructure built on customized Evilginx tooling. These operations targeted primarily corporate Microsoft 365 mailboxes and used reverse-proxy credential interception to steal authenticated sessions and session cookies, enabling account compromise even when MFA was enabled. The phishing lures impersonated common enterprise services and document-sharing workflows, including Microsoft Office, OneDrive, Microsoft Authenticator, Adobe, DocuSign, and SharePoint. The infrastructure also employed anti-bot filtering and traffic screening to reduce exposure to researchers and automated scanners. codemado has also been linked to a bulk-mailing platform known as MaDoO Blaster, which supported large-scale phishing delivery through compromised SMTP infrastructure and other sending mechanisms. Reported features included personalized lure generation, QR-code-based lures, and evasion-oriented delivery options. The actor maintained an automated pipeline for collecting and validating credential material, including combolists and SMTP credentials, indicating an operational model that combined phishing, credential abuse, and spam enablement. Post-compromise tooling associated with codemado included a broad remote-management and persistence arsenal, with multiple legitimate remote monitoring and management products staged for follow-on access and control. Additional malware and stealer-related tooling has also been associated with the actor, and reporting has tied parts of the ecosystem to AsyncRAT delivery and Hidden VNC-related activity. Use of long-lived stolen sessions and evidence consistent with token refreshing suggest an emphasis on maintaining durable access to compromised Microsoft 365 accounts. The actor does not appear to have developed the core phishing framework independently, instead relying heavily on publicly available kits, cloned repositories, and incremental customization. Reporting also indicates signs of AI-assisted development in scripts and supporting components rather than deep changes to the underlying framework. Overall, codemado represents a financially motivated operator leveraging low-cost public tooling, MFA-bypass phishing, commodity post-exploitation utilities, and scalable email operations to target enterprise cloud accounts.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
14 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 malware families attributed to this actor across reporting.
60 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operating a Microsoft 365 adversary-in-the-middle phishing campaign using a custom Evilginx fork to capture credentials and session tokens from primarily corporate mailboxes, while monetizing access with a bulk mailer.
Runs an Evilginx-based adversary-in-the-middle phishing operation targeting Microsoft 365 corporate accounts, uses anti-bot filtering, Telegram-based combo harvesting, compromised SMTP accounts for delivery, and multiple RMM tools for post-compromise persistence. Also develops/promotes MaDoO Blaster as a bulk-mailing tool.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.