
Lazarus Mach-O Man & TwizAdmin Operation: OTX Pulse Analysis — Multi-Platform Malware & C2 Infrastructure Surge

Security Arsenal Team
May 22, 2026

Threat Summary

Recent OTX pulses reveal a coordinated escalation in cyber-threat activity spanning APT-level operations and large-scale criminal infrastructure. Key intelligence highlights the Lazarus Group actively targeting the macOS ecosystem with a new "Mach-O Man" malware kit utilizing ClickFix social engineering. Simultaneously, the DataBreachPlus actor is pushing the multi-stage TwizAdmin campaign, combining crypto-clipping, infostealing, and ransomware capabilities. Furthermore, a significant infrastructure mapping exercise has identified over 1,350 C2 servers concentrated in the Middle East, primarily hosted by STC, supporting a diverse range of threat actors including APT28 and Energetic Bear.

The collective objective of these campaigns is financial exfiltration (cryptocurrency and credentials) and establishing persistent footholds via abused legitimate infrastructure.

Threat Actor / Malware Profile

Lazarus Group: Mach-O Man & PyLangGhostRAT

  • Distribution: Fake meeting invitations via Telegram redirecting to fraudulent collaboration platforms (Zoom/Teams impersonation). Uses "ClickFix" techniques to trick users into executing terminal commands.
  • Payload Behavior: A macOS-native malware kit (Mach-O Man) that facilitates browser credential theft and launches the PyLangGhostRAT for remote access.
  • C2 Communication: Utilizes Telegram for exfiltration, blending in with legitimate traffic.
  • Persistence: Likely via LaunchAgents or fake application bundles (typical for macOS persistence).
  • Anti-Analysis: Uses Python-based packing (PyLangGhostRAT) to obfuscate code.

DataBreachPlus: TwizAdmin & crpx0

  • Distribution: Malicious spam campaigns masquerading as logistics deliveries (e.g., FedEx). Targets both Windows and macOS.
  • Payload Behavior: A modular operation featuring a clipboard hijacker targeting 8 cryptocurrency chains, a BIP-39 seed-phrase stealer, and a browser credential stealer. It includes a ransomware module (crpx0) and a Java RAT builder.
  • C2 Communication: Managed via a FastAPI-based panel hosted on 103.241.66[.]238:1337, requiring license keys, indicating a Malware-as-a-Service (MaaS) model.
  • Persistence: Registry run keys or scheduled tasks on Windows; LaunchDaemons on macOS.

Middle East Infrastructure Cluster

  • Actors: Eagle Werewolf, ENERGETIC BEAR, APT28, GrayCharlie.
  • Malware: Phorpiex, LockBit Black, Sliver, Cobalt Strike, Mirai.
  • Profile: High concentration of C2 infrastructure (72.4%) hosted on Saudi Arabia's STC network. This infrastructure supports botnets, RATs, and offensive frameworks.

IOC Analysis

The provided indicators highlight a mix of delivery infrastructure and payload artifacts:

  1. Domains & URLs:
    • fanonlyatn.xyz (TwizAdmin payload delivery).
    • livemicrosft.com (Lazarus typo-squatting for ClickFix).
    • Action: Immediate blocklist addition. These domains are currently active delivery nodes.
  2. File Hashes (SHA256):
    • Multiple hashes corresponding to TwizAdmin components (Java RAT, ransomware modules) and Mach-O Man binaries.
    • Action: SOC teams should use EDR solutions to scan for these specific hashes. Retro-hunting is advised given the 2026-05-22 modification date.
  3. Network Infrastructure (IPv4):
    • IPs such as 37.32.15.8, 197.51.170.131, and others identified in the Middle East report.
    • Action: These IPs serve as C2 nodes. Block outbound connections to these addresses, particularly on the non-standard ports often used by RATs (e.g., 1337 for the FastAPI/TwizAdmin panel).
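The indicator matching described in this section, as an added standalone Python example (not code from the pulse or from Security Arsenal) for teams without a KQL-capable platform: it refangs the defanged indicators quoted above, matches the two domains and their subdomains without catching look-alike suffixes, and correlates destination port 1337 with the Java/Python/PowerShell client processes. The key=value log lines and hostnames are constructed.

```python
import re

# Indicators quoted in the write-up, kept in their defanged form on purpose.
IOC_DOMAINS = {"livemicrosft.com", "fanonlyatn.xyz"}
IOC_IPS = {"103.241.66[.]238", "37.32.15.8", "197.51.170.131"}
TWIZADMIN_PORT = 1337                              # FastAPI panel port from the pulse
PANEL_CLIENTS = {"java", "python", "powershell"}   # image names the Sigma rule keys on

# Constructed sample telemetry, one key=value event per line (not real customer data).
SAMPLE_LOGS = """\
ts=2026-05-22T09:14:01Z host=ws01 proc=java dst_ip=103.241.66.238 dst_port=1337
ts=2026-05-22T09:14:05Z host=ws02 proc=chrome query=cdn.fanonlyatn.xyz
ts=2026-05-22T09:15:11Z host=ws03 proc=node dst_ip=10.0.0.5 dst_port=1337
ts=2026-05-22T09:16:40Z host=ws04 proc=curl query=livemicrosft.com.example.test
"""

def refang(indicator: str) -> str:
    """Turn 103.241.66[.]238 or hxxp://... back into a string that can match telemetry."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."))

def domain_matches(query: str, bad=IOC_DOMAINS) -> bool:
    """True for an IOC domain or any subdomain of it; look-alike suffixes do not match."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in bad)

def classify(event: dict) -> list:
    """Every reason an event is suspicious; an empty list means clean."""
    bad_ips = {refang(ip) for ip in IOC_IPS}
    reasons = []
    if domain_matches(event.get("query", "")):
        reasons.append("ioc-domain")
    if event.get("dst_ip") in bad_ips:
        reasons.append("ioc-ip")
    if event.get("dst_port") == TWIZADMIN_PORT and event.get("proc", "").lower() in PANEL_CLIENTS:
        reasons.append("twizadmin-port-1337")
    return reasons

def hunt(log_text: str = SAMPLE_LOGS) -> list:
    """(host, reasons) for every matching line; a missing dst_port counts as 0."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        event = dict(kv.split("=", 1) for kv in line.split())
        event["dst_port"] = int(event.get("dst_port", 0))
        reasons = classify(event)
        if reasons:
            hits.append((event["host"], reasons))
    return hits
```

Only ws01 (panel IP and port from a Java process) and ws02 (subdomain of a delivery domain) fire; the internal 1337 connection and the look-alike suffix on ws04 stay quiet.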

Detection Engineering

Sigma (YAML)
title: Potential Mach-O Man ClickFix macOS Execution
description: Detects potential execution of Mach-O Man malware via the ClickFix technique, where a shell is spawned directly by a browser to run a downloaded command.
status: experimental
date: 2026/05/23
author: Security Arsenal
logsource:
  product: macos
  category: process_creation
detection:
  # Only catches shells whose parent is the browser itself; a command the victim
  # pastes into Terminal.app has Terminal as the parent and needs its own selection.
  selection:
    ParentImage|endswith:
      - '/Safari'
      - '/Google Chrome'
      - '/Firefox'
    Image|endswith:
      - '/zsh'
      - '/bash'
      - '/sh'
    CommandLine|contains:
      - 'curl'
      - 'chmod +x'
      - 'osascript'
  condition: selection
falsepositives:
  - Legitimate developer scripts
level: high
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1059.004
---
title: TwizAdmin FastAPI C2 Connection
status: experimental
description: Detects network connections to the known TwizAdmin C2 port 1337 from the process types used by the DataBreachPlus toolset.
references:
  - https://intel.breakglass.tech/post/twizadmin-103-241-66
date: 2026/05/23
author: Security Arsenal
logsource:
  product: windows
  category: network_connection
detection:
  selection_port:
    DestinationPort: 1337
  selection_process:
    Image|endswith:
      - '\java.exe'
      - '\python.exe'
      - '\powershell.exe'
  # Both the port and a matching process image are required, which keeps
  # developer traffic on 1337 from other tools out of the alert.
  condition: all of selection*
falsepositives:
  - Legitimate development traffic on port 1337
level: high
tags:
  - attack.command_and_control
  - attack.t1071
---
title: Mach-O Man and TwizAdmin Campaign Domain Query
date: 2026/05/23
author: Security Arsenal
status: experimental
description: Detects DNS queries for the typo-squatting and payload-delivery domains used in the Lazarus Mach-O Man and DataBreachPlus TwizAdmin campaigns.
logsource:
  # Sysmon DNS telemetry; macOS hosts need a second rule with the matching macOS logsource.
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|contains:
      - 'livemicrosft.com'
      - 'fanonlyatn.xyz'
  condition: selection
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001


KQL (Microsoft Defender Advanced Hunting)
// Hunt for connections to TwizAdmin C2 and Middle East Infrastructure IPs
let IOCs = dynamic([
    "37.32.15.8", "197.51.170.131", "5.109.182.231", "93.113.62.247",
    "94.252.245.193", "103.241.66.238"
]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has "livemicrosft.com" or RemoteUrl has "fanonlyatn.xyz"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc


PowerShell
# PowerShell hunt script for TwizAdmin and Mach-O Man hashes (Windows endpoints)
# Requires file system access and Get-FileHash capability

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
    "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b",
    "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c",
    "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3",
    "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938",
    "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614"
)

Write-Host "[+] Scanning C:\ drive for known malware hashes..." -ForegroundColor Cyan

# -File skips directories (Get-FileHash cannot hash them); -Force includes hidden/system files
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            # Get-FileHash returns upper-case hex; -contains compares case-insensitively
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($TargetHashes -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($file.FullName)" -ForegroundColor Red
                Write-Host "    Hash: $hash" -ForegroundColor DarkRed
            }
        }
        catch {
            # Ignore locked files or access errors
        }
    }

Write-Host "[+] Scan complete." -ForegroundColor Green
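The PowerShell hunt above covers Windows only. As an added example (not code from the post or from Security Arsenal), a Python equivalent for the macOS side of this campaign: it inspects launchd persistence in the LaunchAgent/LaunchDaemon locations named in the Lazarus profile, resolves the program each job runs, and hashes it against the indicator set. The staging-path heuristic is an assumption, and only one hash from the list above is pre-filled; add the rest before running.

```python
import hashlib
import plistlib
from pathlib import Path

# Seeded with one SHA-256 from the pulse's hash list; add the rest before running.
KNOWN_BAD_SHA256 = {"06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092"}
# Locations launchd loads jobs from; the glob picks up every user's agents.
LAUNCHD_DIRS = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
                *Path("/Users").glob("*/Library/LaunchAgents")]
# Assumed heuristic: a persistent job whose program lives here was dropped, not installed.
STAGING_HINTS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/", "/Downloads/")

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def program_of(plist_path: Path):
    """Executable a launchd job runs: Program if set, otherwise ProgramArguments[0]."""
    with plist_path.open("rb") as fh:
        job = plistlib.load(fh)
    return job.get("Program") or (job.get("ProgramArguments") or [None])[0]

def inspect_job(plist_path: Path, bad_hashes=KNOWN_BAD_SHA256) -> list:
    """Reasons a launchd job looks malicious; an empty list means nothing matched."""
    prog = program_of(plist_path) or ""
    reasons = []
    if any(hint in prog for hint in STAGING_HINTS):
        reasons.append(f"program in staging path: {prog}")
    target = Path(prog)
    if prog and target.is_file() and sha256_file(target) in bad_hashes:
        reasons.append(f"known-bad SHA-256: {prog}")
    return reasons

def hunt(dirs=LAUNCHD_DIRS, bad_hashes=KNOWN_BAD_SHA256) -> dict:
    """Map each flagged plist path to its reasons; unreadable plists are reported too."""
    findings = {}
    for plist in (p for d in dirs for p in Path(d).glob("*.plist")):
        try:
            reasons = inspect_job(plist, bad_hashes)
        except Exception as exc:  # corrupt plist or permission denied
            reasons = [f"could not parse: {exc}"]
        if reasons:
            findings[str(plist)] = reasons
    return findings
```

Run it as root to cover /Library/LaunchDaemons and every user's agents; a job that only trips the staging-path heuristic still deserves a look even when its hash is not yet on the list.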

Response Priorities

Immediate (0-24h)

  1. Block IOCs: Immediately block the domains livemicrosft.com and fanonlyatn.xyz at the proxy/DNS level. Block the listed IPv4 addresses at the firewall.
  2. Hunt for Artifacts: Run the provided PowerShell script across endpoints to detect dropped payloads for TwizAdmin or Mach-O Man.
  3. Network Isolation: Identify and isolate any devices communicating with the Middle East C2 infrastructure or port 1337.

Short Term (24-48h)

  1. Credential Audit: Given the infostealing capabilities (BIP-39 phrases, browser credentials), force a password reset for high-privileged accounts and investigate cryptocurrency wallet access logs.
  2. Session Review: Analyze VPN and remote access logs for anomalies corresponding to the timeline of the infrastructure activity (Feb-May 2026).

Long Term (1 Week)

  1. Architecture Hardening: Implement strict egress filtering to block non-standard ports (e.g., 1337) and restrict access to bulletproof hosting ranges identified in the Middle East report.
  2. Awareness Training: Update security awareness training to specifically cover "ClickFix" and fake collaboration meeting scams, especially for users in Finance and Tech sectors.
