Back to Intelligence

TwizAdmin & ClickFix Campaigns: Infostealer & Supply Chain Attacks — OTX Pulse Analysis

SA
Security Arsenal Team
April 24, 2026
5 min read

The latest OTX pulses indicate a convergence of high-risk credential theft activity and ransomware preparation. We are tracking operations by DataBreachPlus (TwizAdmin), TeamPCP (supply chain compromises), and affiliates of the Trigona ransomware-as-a-service (RaaS). These campaigns are utilizing diverse initial access vectors ranging from sophisticated social engineering (ClickFix) to critical supply chain poisoning (Checkmarx KICS, Trivy). The collective objective is clear: harvest credentials (browser, cryptocurrency, infrastructure-as-code) and exfiltrate data using custom tooling (uploader_client.exe) to pave the way for extortion or encryption.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin)

  • Distribution: Phishing campaigns impersonating logistics/shipping (e.g., FedEx).
  • Payload: Multi-stage malware featuring a crypto-clipper (crpx0), infostealer, and ransomware module. Includes a Java RAT builder.
  • C2: FastAPI-based panel accessed via license keys.
  • Behavior: Targets Windows and macOS; steals BIP-39 seed phrases and browser credentials; manipulates clipboards for cryptocurrency theft.

TeamPCP (Supply Chain)

  • Distribution: Poisoned Docker Hub images (Checkmarx KICS) and VS Code extensions.
  • Payload: mcpAddon.js, Canister Worm.
  • Behavior: Alters official binaries to exfiltrate sensitive scan reports containing credentials; utilizes mutable tags and commit spoofing.

ClickFix Actor (Social Engineering)

  • Distribution: Fake browser errors and "update" prompts (QuickBooks, Booking.com lures).
  • Payload: Vidar, Lumma Stealer, Redline, NetSupport RAT.
  • Behavior: Living-off-the-land (LotL) techniques; manipulates users into running malicious commands via cmd.exe or PowerShell.

Rhantus (Trigona Affiliate)

  • Malware: Trigona Ransomware, uploader_client.exe.
  • Behavior: Shift from generic tools to custom Go-based exfiltration utilities featuring parallel data streams and connection rotation.

IOC Analysis

The indicators provided span multiple infrastructure and payload types:

  • Network Infrastructure: C2 IPs (e.g., 103.241.66[.]238, 94.154.172.43) and spoofed domains mimicking legitimate security vendors (e.g., aquasecurtiy.org, checkmarx.zone). SOC teams should immediately block these domains and investigate any DNS requests to them.
  • File Hashes: A significant volume of SHA256 and MD5 hashes relate to the trojanized binaries (KICS, Trivy), TwizAdmin payloads, and the Trigona exfiltration tool.
  • Operationalization: These IOCs should be loaded into EDR telemetry for immediate scanning. The spoofed domains require specific DNS sinkholing or Firewall rules, as they may bypass standard reputation filters if they closely resemble legitimate domains.

Detection Engineering

YAML
---
title: Potential ClickFix Social Engineering Activity
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef
description: Detects suspicious command execution often associated with ClickFix campaigns where browsers spawn shells to download payloads.
status: experimental
date: 2026/04/25
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy '
            - 'Invoke-Expression'
            - 'iex'
            - 'curl '
            - 'wget '
    condition: selection
falsepositives:
    - Legitimate web-based tools
level: high
---
title: Suspicious Trivy or KICS Binary Execution
id: b2c3d4e5-6f78-9012-3456-7890abcdef12
description: Detects execution of Trivy or KICS binaries that may be compromised in recent supply chain attacks, focusing on connections to spoofed domains.
status: experimental
date: 2026/04/25
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|contains:
            - 'trivy'
            - 'kics'
        DestinationHostname|contains:
            - 'aquasecurtiy.org'
            - 'checkmarx.zone'
            - 'raw.icp0.io'
    condition: selection
falsepositives:
    - Legitimate usage of modified scanner targets (unlikely given the domains)
level: critical
---
title: TwizAdmin or Trigona Exfiltration Tool Execution
id: c3d4e5f6-7890-1234-5678-90abcdef1234
description: Detects execution of known custom exfiltration tools or payloads associated with TwizAdmin and Trigona campaigns.
status: experimental
date: 2026/04/25
author: Security Arsenal
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - 'uploader_client.exe'
            - 'crpx0'
            - 'TwizAdmin'
    condition: selection
falsepositives:
    - None expected
level: critical


kql
// Hunt for ClickFix-like browser spawned shells
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
;
// Hunt for Trigona/TwizAdmin C2 or Exfil domains
union DeviceNetworkEvents, IdentityLogonEvents
| where RemoteUrl in~ ("fanonlyatn.xyz", "checkmarx.zone", "aquasecurtiy.org", "103.241.66.238")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, Action
| order by Timestamp desc


powershell
# IOC Hunt for TwizAdmin and Trigona Artifacts
$iocHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173",
    "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019",
    "d47de3772f2d61a043e7047431ef4cf4"
)

Write-Host "Scanning for malicious file hashes..."

Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
Where-Object { $_.Length -gt 0 } | 
ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($iocHashes -contains $hash) {
        Write-Host "[ALERT] Malicious file found: $($_.FullName) (SHA256: $hash)" -ForegroundColor Red
    }
}

# Check for suspicious scheduled tasks (Persistence)
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } | 
Select-Object TaskName, TaskPath, Actions

Response Priorities

  • Immediate: Block all listed IOCs, specifically the spoofed security vendor domains (aquasecurtiy.org, checkmarx.zone) and C2 IPs. Hunt for uploader_client.exe and browser-spawned shell processes.
  • 24h: Initiate credential resets for accounts potentially exposed to the TwizAdmin infostealer or the compromised Checkmarx/Trivy tools. Verify the integrity of Docker images and VS Code extensions in dev environments.
  • 1 Week: Review and harden CI/CD pipelines against mutable tag abuse. Implement strict application allowlisting for development tools to prevent supply chain re-poisoning.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialstwizadminclickfixtrigonasupply-chaininfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action