Hexix23/README.md


Red team operator and offensive tool developer. Most of my work lives under @Maldev-Academy and in private repositories for my current employer (IOActive). I write about what I can share at cgomezsec.com.

Author of Authentication Downgrade Attacks: Deep Dive Into MFA Bypass.


What I'm working on

AiTM phishing against hardened targets like Google using real browser instances via CDP instead of reverse proxies, sidestepping TLS fingerprinting, BotGuard, and anti-bot systems. Also doing FIDO2/WebAuthn research, looking at where passkey implementations break in practice.


Modules on phishing, auth attacks, and cloud identity exploitation. Protocol internals, working implementations, OPSEC. All MFA bypass modules include FIDO downgrade vectors.

| # | Module | Target | Technique |
|---|--------|--------|-----------|
| 01 | Microsoft Device Code Phishing | M365 | OAuth 2.0 device code flow abuse |
| 02 | GitHub Device Code Phishing | GitHub | Device code phishing against GitHub OAuth |
| 03 | Illicit Consent Grant Attack | M365 | OAuth consent phishing for persistent access |
| 04 | MFA Bypass: Invisible Proxy | M365 | AiTM proxy via Cloudflare Workers |
| 05 | Invisible Proxy: OPSEC | | Detection evasion and infrastructure hardening |
| 06 | Evilginx Phishlet Development | M365 | Custom phishlet with MFA downgrade capabilities |
| 07 | Evilginx URL Rewriting | Evilginx | Modifying Evilginx URLs to avoid signature detection |
| 08 | GitLab Device Code Phishing | GitLab | Cloud + self-managed instance support |
| 09 | Client Analysis Via Cloudflare Workers | | Anti-bot, anti-analysis, client fingerprinting |
| 10 | Dynamic Device Code Phishing | Microsoft | Flask app for runtime device code generation |
| 11 | MFA Bypass Via Azure AiTM | Azure AD | AiTM via Azure Functions + Azure Front Door |

In Development

| # | Module | Target | Technique |
|---|--------|--------|-----------|
| 12 | Google AiTM | Google | Real-time credential relay via nodriver + CDP |
| 13 | Phishing Passkeys | FIDO2/WebAuthn | Passkey theft, CDP virtual authenticators |

Tools

Open Source

GitHubDeviceCodePhishing

GitHub device code phishing. Minimal setup.

GitLabDeviceCodePhishing

Same approach for GitLab. Cloud and self-managed.

shodan-mcp

Shodan MCP server. Query Shodan from AI assistants.

Internal (Maldev Academy)

Real-time Phishing Framework

Multi-provider credential relay with live error feedback. Real Chrome per target via nodriver/CDP.

```
Victim <-> Flask <-> Chrome/CDP <-> Real Site
                         |
              Sync / Passkeys / Vault
```

Google, GitHub, Bitwarden built in.

Cloudflare Workers AiTM Proxy

Invisible reverse proxy on CF Workers. Rewrites requests/responses on the edge, captures credentials and session tokens. No servers.

Azure AiTM Proxy

AiTM proxy on Azure Functions + Front Door. Legitimate Microsoft infrastructure proxying auth flows.

Evilginx M365 Phishlet

Custom phishlet with MFA downgrade. Forces FIDO-capable accounts to weaker auth methods.

Client Fingerprinting Worker

CF Worker that profiles clients before serving content. Anti-bot, sandbox detection, browser fingerprinting, geo filtering.


Internal R&D

Things I work on that aren't public.



Implant dev in C/C++ and C#/.NET. DLL sideloading, signed binary abuse, BoF development, UDRL custom loader, payload staging. Tested against production EDR.


Attack paths, privesc, lateral movement. Azure AD token manipulation, conditional access bypass, cross-tenant abuse. Internal engagement tooling.


Training specialist models for offensive security. RL pipeline with feedback from live security products instead of static datasets.

Stack

Languages

Infra


0xh3l1x
