
Supply Chain & Multi-Stage Infostealers: TwizAdmin, Mach-O Man, and TeamPCP Analysis — Detection Pack

Security Arsenal Team
April 24, 2026

The current threat landscape reflects a dangerous convergence of supply chain compromises and direct credential theft operations. OTX pulses from the last 72 hours reveal distinct campaigns: TeamPCP is actively exploiting CI/CD pipelines by poisoning legitimate tools (KICS, Trivy) to harvest infrastructure credentials, while DataBreachPlus (TwizAdmin) and Lazarus Group (Mach-O Man) are deploying aggressive multi-stage infostealers targeting Windows and macOS endpoints.

The collective objective of these campaigns is the exfiltration of high-value credentials—ranging from cryptocurrency seed phrases (TwizAdmin) to infrastructure-as-code secrets (TeamPCP) and corporate session tokens (Lazarus). The Trigona ransomware affiliates' adoption of custom Go-based exfiltration tools further signals a tactical shift toward evading traditional network monitoring.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Type: Multi-stage Malware-as-a-Service (MaaS)
  • Distribution: Phishing campaigns impersonating logistics providers (FedEx), delivering payloads via a dropper.
  • Behavior: Clipboard hijacking for 8 cryptocurrency chains, BIP-39 seed phrase theft, browser credential dumping.
  • C2: FastAPI-based panel at 103.241.66[.]238:1337.
  • Persistence: Uses Java RAT builder and scheduled tasks; includes a ransomware module (crpx0).

Mach-O Man (Lazarus Group)

  • Type: macOS Malware Kit / RAT
  • Distribution: "ClickFix" social engineering via Telegram; fake meeting invites leading to fraudulent collaboration pages (Zoom/Teams).
  • Behavior: PyLangGhostRAT payload execution; steals browser data and credentials.
  • C2: Exfiltration via Telegram channels.
  • Persistence: Uses launchd and disguised Mach-O binaries.

TeamPCP Supply Chain Operation

  • Type: Supply Chain Attack
  • Distribution: Poisoned Docker Hub images (KICS v2.1.20/21, Alpine) and VS Code extensions.
  • Behavior: Trojanized binaries (mcpAddon.js) encrypt and exfiltrate scan reports containing credentials to actor-controlled infrastructure.
  • C2: Uses domains mimicking legitimate vendors (e.g., aquasecurtiy.org).

Trigona Affiliates (Rhantus)

  • Type: Ransomware-as-a-Service
  • Tools: Custom uploader_client.exe (Go-based).
  • Behavior: Parallel data streaming, connection rotation to evade detection, granular file filtering. Replaces Rclone.

IOC Analysis

The provided indicators span multiple vectors, requiring a tiered defensive approach:

  • Network Infrastructure (IPv4/Domains): Includes C2 panels (103.241.66[.]238), typosquatted domains (aquasecurtiy.org), and payload delivery hosts (fanonlyatn.xyz). SOC teams should immediately block these at the perimeter and DNS layers.
  • File Artifacts (Hashes): A mix of SHA256, MD5, and SHA1 hashes corresponding to droppers, trojanized binaries, and custom tools (uploader_client.exe). EDR solutions should be configured to alert on execution matches.
  • Operationalization: Load hashes into EDR "blocklist" policies. Domains and IPs should be added to Firewall/NGFW blocklists and SIEM correlation searches for outbound connections.

Detection Engineering

```yaml
title: Suspicious Connection to TwizAdmin C2 Infrastructure
id: 8a3e1b01-2026-4000-8000-000000000001
description: Detects network connections to the known TwizAdmin C2 panel and its associated payload-delivery domain.
status: experimental
date: 2026/04/24
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection_ip:
        DestinationIp|startswith: '103.241.66.'
    selection_domain:
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
    # Sigma wildcard syntax: "1 of selection_*" ORs every selection whose name starts with "selection_"
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative access to this specific IP range (unlikely)
level: critical
---
title: Potential TeamPCP Supply Chain Compromise Activity
date: 2026/04/24
id: 8a3e1b01-2026-4000-8000-000000000002
description: Detects processes attempting to connect to typosquatted domains associated with the Trivy and KICS supply chain attacks.
status: experimental
author: Security Arsenal
references:
    - https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
tags:
    # T1195.002 (Compromise Software Supply Chain) belongs to the Initial Access tactic
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'aquasecurtiy.org'
            - 'checkmarx.zone'
    condition: selection
falsepositives:
    - Misconfigured internal hostnames (unlikely due to specific typosquatting)
level: high
---
title: Execution of Trigona Custom Exfiltration Tool
date: 2026/04/24
id: 8a3e1b01-2026-4000-8000-000000000003
description: Detects the execution of uploader_client.exe, a custom Go-based tool used by Trigona affiliates for data theft.
status: experimental
author: Security Arsenal
references:
    - https://www.security.com/blog-post/trigona-exfiltration-custom
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith: '\uploader_client.exe'
        # Fields inside one selection are ANDed. The PE "Company" field is normally empty on custom Go
        # tooling, so requiring it here would suppress the match; the file name alone is the indicator.
    condition: selection
falsepositives:
    - Legitimate internal tool with same name (rare)
level: critical
```


```kql
// Hunt for Trigona, TwizAdmin, and TeamPCP Network Activity
// Note: Add specific hashes to the list below for full coverage
let MaliciousDomains = dynamic([
    "fanonlyatn.xyz", "aquasecurtiy.org", "checkmarx.zone",
    "scan.aquasecurtiy.org", "plug-tab-protective-relay.trycloudflare.com"
]);
let MaliciousHashes = dynamic([
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
]);
// has_any matches the domain anywhere in RemoteUrl (scheme, port or path present), whereas in~ needs an exact match
DeviceNetworkEvents
| where RemoteUrl has_any (MaliciousDomains) or RemoteIP has_prefix "103.241.66."
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where SHA256 in~ (MaliciousHashes)
    | project Timestamp, DeviceName, AccountName, FolderPath, SHA256
)
```


```powershell
# IOC Hunt Script for TwizAdmin, Trigona, and Supply Chain Artifacts
# Requires Administrative Privileges (to read the image path of other users' processes)

$MaliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90", # Mach-O Man
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173"  # Trigona Uploader
)

# Get-Process reports names without the .exe extension, so the list is kept extension-less
$ProcessNames = @("uploader_client", "java") # Java is generic; check parent process and arguments
$SuspiciousIPs = @("103.241.66.238")

Write-Host "[+] Checking for Trigona and TwizAdmin Processes..." -ForegroundColor Cyan

# Check for specific processes and hash their on-disk image
Get-Process | Where-Object { $ProcessNames -contains $_.ProcessName } | ForEach-Object {
    $proc = $_   # keep a handle; inside catch {} $_ is the error record, not the process
    Write-Host "[!] Suspicious Process Found: $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor Red
    try {
        $path = $proc.MainModule.FileName   # throws for protected processes without admin rights
        if ($path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
            if ($MaliciousHashes -contains $hash) {
                Write-Host "[!!!] CRITICAL: Known Malicious Hash Detected: $hash ($path)" -ForegroundColor Red
            }
        }
    } catch {
        Write-Host "    [-] Could not read image path for PID $($proc.Id)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking Active Network Connections for C2 Traffic..." -ForegroundColor Cyan

# Get-NetTCPConnection returns structured objects, avoiding netstat column parsing
# (leading whitespace shifts the indices, IPv6 endpoints contain colons). $PID is a
# read-only automatic variable in PowerShell, so the owning process id goes in $owningPid.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $SuspiciousIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $owningPid = $_.OwningProcess
        Write-Host "[!] C2 Connection Detected: $($_.RemoteAddress):$($_.RemotePort) [$($_.State)] (PID: $owningPid)" -ForegroundColor Red
        Get-Process -Id $owningPid -ErrorAction SilentlyContinue | Select-Object Name, Id, Path
    }

Write-Host "[+] Scanning for KICS/Trivy related compromise indicators..." -ForegroundColor Cyan
# Locations where trojanized tooling or poisoned images may be present
$checkPaths = @(
    "$env:USERPROFILE\.vscode\extensions",
    "/usr/local/bin/trivy", # Linux/Mac check if run via WSL or similar
    "C:\ProgramData\Docker"
)

foreach ($checkPath in $checkPaths) {
    if (-not (Test-Path -LiteralPath $checkPath)) { continue }
    Write-Host "    [i] Present: $checkPath"
    # mcpAddon.js is the trojanized TeamPCP extension component; flag and hash any copy found
    Get-ChildItem -LiteralPath $checkPath -Recurse -Filter "mcpAddon.js" -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "[!] Suspicious file found: $($_.FullName)" -ForegroundColor Red
            Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 | Select-Object Hash, Path
        }
}

# This is a basic check; specific file hash validation of the binaries is recommended for Docker images
```


Response Priorities

*   **Immediate:** Block all IOCs (IPs, Domains) at the perimeter. Terminate processes matching `uploader_client.exe` or `java.exe` connecting to `fanonlyatn.xyz`. Scan for `mcpAddon.js` in VS Code extension directories.
*   **24 Hours:** Force password rotation for all developer and CI/CD service accounts due to potential exposure via the TeamPCP supply chain attack (KICS/Trivy). Investigate any recent Docker image pulls of `kics` tags v2.1.20, v2.1.21.
*   **1 Week:** Implement SBOM (Software Bill of Materials) verification for CI/CD pipelines. Harden macOS endpoints against ClickFix attacks (disable automatic terminal execution from browsers/Zoom). Review and restrict outbound connections to Telegram and non-standard ports used by crypto-clippers.
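As an added example for the TeamPCP items above (not part of the original pack), a POSIX shell helper that flags the poisoned `kics` image tags in a `docker image ls` listing and locates `mcpAddon.js` under an extensions directory. The function names, the sample image list and the `checkmarx/kics` repository name are constructed here, not taken from the page.

```shell
#!/bin/sh
# Added example: triage helpers for the TeamPCP response items (not the pack's own code).
# Assumption: poisoned KICS images live under a repository whose name contains "kics".
POISONED_KICS_TAGS="v2.1.20 v2.1.21"

# Constructed sample of `docker image ls --format '{{.Repository}}:{{.Tag}}'` output, for offline use.
SAMPLE_IMAGES="checkmarx/kics:v2.1.20
checkmarx/kics:v2.1.19
aquasec/trivy:0.60.0
alpine:3.19"

# find_poisoned_kics: reads "repo:tag" lines on stdin and prints those carrying a poisoned KICS tag.
# Live use:  docker image ls --format '{{.Repository}}:{{.Tag}}' | find_poisoned_kics
find_poisoned_kics() {
    while IFS= read -r image; do
        repo=${image%:*}      # strip the last ":tag" (registry ports like host:5000/kics stay intact)
        tag=${image##*:}
        case "$repo" in
            *kics*)
                for bad in $POISONED_KICS_TAGS; do
                    if [ "$tag" = "$bad" ]; then
                        printf '%s\n' "$image"
                    fi
                done
                ;;
        esac
    done
    return 0
}

# find_mcpaddon: prints every mcpAddon.js below the given directory (VS Code default: ~/.vscode/extensions).
find_mcpaddon() {
    find "$1" -type f -name 'mcpAddon.js' 2>/dev/null
    return 0
}

# Self-contained run on the constructed image list and a temporary extensions tree.
demo() {
    printf '%s\n' "$SAMPLE_IMAGES" | find_poisoned_kics
    tmp=$(mktemp -d)
    mkdir -p "$tmp/publisher.ext-1.0.0/dist"
    : > "$tmp/publisher.ext-1.0.0/dist/mcpAddon.js"
    find_mcpaddon "$tmp"
    rm -rf "$tmp"
}
```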
