This Python script is a credential-harvesting and phishing framework. It:
• Downloads and executes multiple obfuscated payloads via zlib/base64 decoding at import time.
• Pulls website templates and tunneler binaries from github[.]com/KasRoudra/MaxPhisher and github[.]com/KasRoudra/files, and from raw.githubusercontent[.]com.
• Installs and launches a local PHP server and exposes it publicly via ngrok, cloudflared, localxpose (api.localxpose[.]io) or SSH reverse tunnels.
• Prompts the operator for authtokens (dashboard.ngrok[.]com, localxpose[.]io), redirect URLs and Gmail app-password credentials.
• Serves phishing pages that capture victim usernames, passwords, IP addresses, geolocation and media, saving them under ~/.site and other hidden directories.
• Continuously monitors for new files (creds.txt, ip.txt, info.txt, location.txt, media logs), appends them to persistent storage files and JSON, and exfiltrates stolen data via SMTP (smtp.gmail[.]com) to a configured recipient.
This behavior (dynamic code execution, remote payload download, automated tunneling, credential capture and exfiltration) clearly indicates malicious intent.