A Python HTTP server left running on a VPS exposed the complete toolkit of an active AiTM phishing operator. What followed was a three-actor investigation spanning custom Evilginx forks, OAuth Device Code Flow abuse, a seven-tool RMM arsenal, and a connection to The Quarry MaaS/PhaaS ecosystem.