Hexix23/README.md



Red team operator and offensive tool developer. Most of my work lives under @Maldev-Academy and in private repositories for my current employer (IOActive). I write about what I can share at cgomezsec.com.

Author of Authentication Downgrade Attacks: Deep Dive Into MFA Bypass.


What I'm working on

AiTM phishing against hardened targets like Google using real browser instances via CDP instead of reverse proxies, sidestepping TLS fingerprinting, BotGuard, and anti-bot systems. Also doing FIDO2/WebAuthn research, looking at where passkey implementations break in practice.


Modules on phishing, auth attacks, and cloud identity exploitation. Protocol internals, working implementations, OPSEC. All MFA bypass modules include FIDO downgrade vectors.

| # | Module | Target | Technique |
|---|--------|--------|-----------|
| 01 | Microsoft Device Code Phishing | M365 | OAuth 2.0 device code flow abuse |
| 02 | GitHub Device Code Phishing | GitHub | Device code phishing against GitHub OAuth |
| 03 | Illicit Consent Grant Attack | M365 | OAuth consent phishing for persistent access |
| 04 | MFA Bypass: Invisible Proxy | M365 | AiTM proxy via Cloudflare Workers |
| 05 | Invisible Proxy: OPSEC | | Detection evasion and infrastructure hardening |
| 06 | Evilginx Phishlet Development | M365 | Custom phishlet with MFA downgrade capabilities |
| 07 | Evilginx URL Rewriting | Evilginx | Modifying Evilginx URLs to avoid signature detection |
| 08 | GitLab Device Code Phishing | GitLab | Cloud + self-managed instance support |
| 09 | Client Analysis Via Cloudflare Workers | | Anti-bot, anti-analysis, client fingerprinting |
| 10 | Dynamic Device Code Phishing | Microsoft | Flask app for runtime device code generation |
| 11 | MFA Bypass Via Azure AiTM | Azure AD | AiTM via Azure Functions + Azure Front Door |
| 12 | Google Phishing: BotGuard, Browser Automation, Chrome Sync | Google | BotGuard internals + custom bypass tool to defeat Google MFA |
| 13 | Phishing Passkeys | FIDO2/WebAuthn | Synced passkeys + hardware security keys, custom Passkey Phisher |
| 14 | ConsentFix Attack | M365 / OAuth | ConsentFix attack chain with custom tooling for engagements |

Tools

Open Source

GitHubDeviceCodePhishing

GitHub device code phishing. Minimal setup.

GitLabDeviceCodePhishing

Same approach for GitLab. Cloud and self-managed.

shodan-mcp

Shodan MCP server. Query Shodan from AI assistants.

Internal Tooling — Maldev Academy

Private frameworks shipped alongside the corresponding research modules.

Real-time Phishing Framework

Multi-provider credential relay with live error feedback. Real Chrome per target via nodriver/CDP. Google, GitHub, Bitwarden built in.

Cloudflare Workers AiTM Proxy

Invisible reverse proxy on CF Workers. Rewrites requests/responses on the edge, captures credentials and session tokens. No servers.

Azure AiTM Proxy

AiTM proxy on Azure Functions + Front Door. Legitimate Microsoft infrastructure proxying auth flows.

Evilginx M365 Phishlet

Custom phishlet with MFA downgrade. Forces FIDO-capable accounts to weaker auth methods.

Google MFA Bypass Framework

BotGuard internals reversing + custom bypass. Real Chrome via nodriver/CDP, Chrome Sync abuse for credential and session theft. Defeats Google MFA end-to-end.

Passkey Phisher

Targets synced passkeys and hardware security keys. CDP virtual authenticators, downgrade paths, session capture.

ConsentFix Tool

End-to-end ConsentFix attack chain packaged for engagements. OAuth consent abuse with the ConsentFix lure flow.

Client Fingerprinting Worker

CF Worker that profiles clients before serving content. Anti-bot, sandbox detection, browser fingerprinting, geo filtering.


Internal R&D

Things I work on that aren't public.



Implant dev in C/C++ and C#/.NET. DLL sideloading, signed binary abuse, BoF development, UDRL custom loader, payload staging. Tested against production EDR.


Attack paths, privesc, lateral movement. Azure AD token manipulation, conditional access bypass, cross-tenant abuse. Internal engagement tooling.


Training specialist models for offensive security. RL pipeline with feedback from live security products instead of static datasets.

Stack

Languages

Infra


0xh3l1x
