
Supply Chain Poisoning & Multi-Stage Infostealers: TwizAdmin, TeamPCP & Trigona Analysis

Security Arsenal Team
April 25, 2026

The current threat landscape is defined by an aggressive convergence of supply chain compromises and sophisticated credential theft operations. Analysis of live OTX pulses reveals that the threat actor TeamPCP is actively poisoning trusted development infrastructure, specifically targeting Checkmarx KICS and Trivy distributions to harvest infrastructure-as-code credentials via trojanized binaries and compromised CI/CD pipelines.

Concurrently, the DataBreachPlus group (TwizAdmin) is operating a robust Malware-as-a-Service (MaaS) platform delivering a multi-stage payload capable of cryptocurrency clipping, BIP-39 seed phrase theft, and ransomware deployment (crpx0). Additionally, ClickFix campaigns are leveraging living-off-the-land techniques to distribute loaders for Vidar, Lumma, and Redline stealers. Trigona ransomware affiliates have also evolved, adopting custom Go-based exfiltration tools (uploader_client.exe) to streamline data theft prior to encryption.

Threat Actor / Malware Profile

TeamPCP (Supply Chain Actor)

  • Malware Families: mcpAddon.js, Canister Worm, Trivy trojan.
  • Methodology: Exploits mutable tags and commit identity spoofing in GitHub Actions and Docker Hub repositories.
  • Objective: Long-term credential harvesting from DevOps environments and infrastructure scans.
  • TTPs: Poisoning official Docker images (KICS v2.1.20/v2.1.21) and VS Code extensions; establishing C2 via typosquatted domains (e.g., aquasecurtiy.org).

DataBreachPlus (TwizAdmin)

  • Malware Families: TwizAdmin, crpx0 (Ransomware), Java RAT.
  • Methodology: Multi-platform malware (Windows/macOS) spread via phishing lures impersonating logistics (FedEx).
  • Objective: Financial theft via cryptocurrency hijacking and credential extortion.
  • TTPs: Clipboard hijacking for 8 crypto chains; exfiltration via FastAPI-based C2 panels (port 1337); usage of BIP-39 seed stealers.

Rhantus (Trigona Affiliates)

  • Malware Families: Trigona, uploader_client, HRSword.
  • Methodology: Ransomware-as-a-Service (RaaS) with a tactical shift to custom tooling.
  • Objective: Data exfiltration and encryption.
  • TTPs: Custom uploader_client.exe for parallel data streams and connection rotation to evade network monitoring.

IOC Analysis

  • Infrastructure (IP/Domains): The IOCs include specific C2 IPs such as 103.241.66[.]238 (TwizAdmin) and 94.154.172[.]43 (TeamPCP). Critical attention must be paid to the TeamPCP typosquatted domains aquasecurtiy.org and checkmarx.zone, which mimic legitimate infrastructure to intercept data.
  • File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes are provided for the trojanized binaries (KICS, Trivy) and malware payloads (TwizAdmin, Lumma, Vidar). SOC teams should prioritize hashing files in Docker layers and CI/CD artifact repositories against these indicators.
  • Operationalization: Immediate blocking of the listed domains is required to stop C2 beaconing. File hashes should be loaded into EDR threat feeds to scan developer workstations and build servers.

Detection Engineering

Sigma Rules

YAML
---
id: 9e1b3c2d-5a6f-4b7e-8c9d-0f1e2a3b4c5d
title: TeamPCP Supply Chain C2 Communication
status: experimental
description: Detects outbound network connections to known TeamPCP C2 domains associated with the Trivy and KICS supply chain compromises.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
author: Security Arsenal Research
date: 2026/04/25
modified: 2026/04/25
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    # 'aquasecurtiy.org' also covers the scan. subdomain; listed separately for readability
    DestinationHostname|contains:
      - 'aquasecurtiy.org'
      - 'checkmarx.zone'
      - 'scan.aquasecurtiy.org'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
title: Potential Infostealer Browser Database Access
status: experimental
description: Detects non-browser processes accessing browser credential and cookie stores, common in TwizAdmin, Lumma, and Vidar campaigns.
references:
  - https://intel.breakglass.tech/post/twizadmin-103-241-66
author: Security Arsenal Research
date: 2026/04/25
logsource:
  category: file_access
  product: windows
detection:
  # Chromium-based stores live under the fixed 'User Data\Default' path;
  # recent Chrome versions keep the cookie DB under 'Network\'
  selection_chromium:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Network\Cookies'
      - '\Microsoft\Edge\User Data\Default\Login Data'
  # Firefox keeps its stores under a per-profile directory in Roaming AppData,
  # so the directory name is unknown: match the prefix and the file name separately
  selection_firefox:
    TargetFilename|contains: '\AppData\Roaming\Mozilla\Firefox\Profiles\'
    TargetFilename|endswith:
      - '\key4.db'
      - '\logins.json'
  # Sigma has no 'notcontains' modifier; exclusions are expressed as a filter in the condition
  filter_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\brave.exe'
  condition: 1 of selection_* and not filter_browsers
falsepositives:
  - Legitimate backup software
  - Password managers
level: high
---
id: b2c3d4e5-f6a7-4b5c-8d9e-0f1a2b3c4d5e
title: Suspicious PowerShell Encoded Command (ClickFix Technique)
status: experimental
description: Detects PowerShell execution with a long base64 encoded argument, often used in ClickFix campaigns to bypass controls.
references:
  - https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos
author: Security Arsenal Research
date: 2026/04/25
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    # Sigma uses the 're' modifier for regular expressions. The pattern is not anchored to the
    # start of the command line (which begins with the executable path); it requires an -e/-enc/
    # -EncodedCommand style switch followed by at least 50 base64 characters.
    CommandLine|re: '(?i)\s-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/]{50,}={0,2}'
  condition: selection
falsepositives:
  - System administration scripts
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TeamPCP and TwizAdmin network indicators
let IOCs = dynamic(["aquasecurtiy.org", "checkmarx.zone", "scan.aquasecurtiy.org", "plug-tab-protective-relay.trycloudflare.com", "fanonlyatn.xyz", "103.241.66.238", "94.154.172.43"]);
DeviceNetworkEvents
// has_any matches the domain inside a full URL; 'in' would only match an exact value
| where RemoteUrl has_any (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunter for TeamPCP and TwizAdmin Campaigns
# Checks the hosts file for supply chain redirections and active connections to C2

$MaliciousDomains = @(
    "aquasecurtiy.org",
    "checkmarx.zone",
    "fanonlyatn.xyz",
    "scan.aquasecurtiy.org"
)

Write-Host "[+] Checking hosts file for malicious redirections..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        # Escape the domain so '.' is matched literally rather than as a regex wildcard
        $Hits = $HostsContent | Where-Object { $_ -match [regex]::Escape($Domain) }
        if ($Hits) {
            Write-Host "[!] ALERT: Domain $Domain found in hosts file!" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking active TCP connections for TwizAdmin and TeamPCP C2 IPs..." -ForegroundColor Cyan
$MaliciousIPs = @("103.241.66.238", "94.154.172.43")
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($IP in $MaliciousIPs) {
    # A host may hold several connections to the same IP; report each owning process
    $Found = @($Connections | Where-Object { $_.RemoteAddress -eq $IP })
    foreach ($Conn in $Found) {
        $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] ALERT: Active connection to C2 IP $IP (remote port $($Conn.RemotePort)). Process: $($Process.ProcessName) (PID: $($Conn.OwningProcess))" -ForegroundColor Red
    }
}

Write-Host "[+] Hunt Complete."

Response Priorities

  • Immediate: Block all listed TeamPCP typosquatted domains (aquasecurtiy.org, checkmarx.zone) at the perimeter and DNS forwarders. Kill connections to 103.241.66.238 (TwizAdmin C2) and 94.154.172.43 (TeamPCP C2).
  • 24 Hours: Verify the integrity of all Checkmarx KICS Docker images and Trivy binaries in the environment. Replace with confirmed clean versions from official sources. Initiate credential rotation for developers and CI/CD service accounts if compromise is suspected.
  • 1 Week: Implement code-signing verification for all internal binaries and Docker images. Review and harden CI/CD pipeline permissions to prevent mutable tag abuse. Conduct a review of browser extensions on developer endpoints.
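The mutable-tag hardening in the 1 week item can be checked mechanically. The following is an added example, not code from the original post or from any vendor's tooling: it flags GitHub Actions `uses:` references that are not pinned to a full commit SHA (tags and branches such as v2 or master can be re-pointed, which is the abuse described above) and Dockerfile `FROM` images without a digest. The workflow and Dockerfile contents, image names and the all-zero digest are constructed samples.

```python
import re

# Constructed sample workflow: one step pinned to a full commit SHA, two to mutable refs.
SAMPLE_WORKFLOW = """\
name: iac-scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: aquasecurity/trivy-action@master
      - uses: checkmarx/kics-github-action@v2
"""

# Constructed sample Dockerfile: the digest below is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 aquasec/trivy:latest@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS scanner
FROM checkmarx/kics:latest
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# Skip leading flags such as --platform=... and capture the image reference itself
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)", re.MULTILINE | re.IGNORECASE)


def unpinned_actions(workflow_text):
    """Return 'owner/repo@ref' entries whose ref is not a 40-hex commit SHA.

    A tag or branch can be re-pointed at new code after it was reviewed;
    a commit SHA cannot, which is what closes the mutable-tag hole.
    """
    findings = []
    for ref in USES_LINE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and docker:// images are not GitHub refs
        _action, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append(ref)
    return findings


def undigested_images(dockerfile_text):
    """Return FROM images without an @sha256:<digest>; a tag alone can be overwritten."""
    return [img for img in FROM_LINE.findall(dockerfile_text)
            if img.lower() != "scratch" and "@sha256:" not in img]


if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("undigested images:", undigested_images(SAMPLE_DOCKERFILE))
```

Run it over every workflow under .github/workflows and every Dockerfile in the build tree; an empty result for both functions is the state the 1 week item asks for.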
