Back to Intelligence

TwizAdmin, DinDoor & ClickFix: OTX Pulse Analysis — Multi-Vector Threat Brief

SA
Security Arsenal Team
April 25, 2026
6 min read

Recent OTX pulses indicate a surge in sophisticated multi-vector threats targeting enterprise environments. This brief synthesizes intelligence on three distinct but concerning activities: the TwizAdmin operation (DataBreachPlus) blending crypto-clipping with ransomware; widespread ClickFix campaigns delivering commodity stealers like Lumma and Vidar; and the DinDoor backdoor attributed to MuddyWater, exploiting the Deno runtime. Collectively, these campaigns highlight a trend toward abusing legitimate runtimes (Deno) and living-off-the-land (LotL) techniques (ClickFix) to evade detection while maximizing financial theft or espionage.

Threat Actor / Malware Profile

1. DataBreachPlus (TwizAdmin)

  • Type: Crime / MaaS (Malware-as-a-Service)
  • Malware: TwizAdmin, crpx0 (Ransomware)
  • Capabilities: Multi-platform (Windows/macOS) malware featuring a clipboard hijacker for 8+ cryptocurrency chains, BIP-39 seed phrase theft, and browser credential exfiltration. It utilizes a Java RAT builder and a FastAPI-based C2 panel with a license key system.
  • Delivery: FedEx-themed lures targeting corporate logistics and finance.

2. MuddyWater (DinDoor)

  • Type: APT / Nation-State
  • Malware: DinDoor, CastleLoader, CastleRAT
  • Capabilities: A backdoor leveraging the Deno JavaScript/TypeScript runtime. It executes obfuscated JavaScript for C2 communication and system fingerprinting. Variants include disk-based or in-memory execution using CastleLoader components.
  • Delivery: Malicious MSI installers, often utilizing Caddy proxy infrastructure.

3. ClickFix Campaign Operators

  • Type: Cybercrime / Initial Access Brokers
  • Malware: Vidar, Lumma Stealer, Redline, NetSupport RAT
  • Capabilities: A social engineering technique tricking users into executing "fix" commands in native tools (PowerShell/Terminal). This bypasses traditional security controls by abusing legitimate system binaries.
  • Delivery: SEO poisoning and impersonation of brands like QuickBooks and Booking.com.

IOC Analysis

  • Indicator Types:

    • Network Infrastructure: C2 IPs (e.g., 31.31.198.206) and domains utilizing generic TLDs (.xyz, .cyou, .site).
    • File Artifacts: SHA256 hashes for payloads, MD5/SHA1 for legacy compatibility.
    • URLs: Distribution paths for malicious files (e.g., https://fanonlyatn.xyz/files/).

  • Operational Guidance:

    • Blocking: Immediate ingestion of IPs and Domains into perimeter firewalls and secure web gateways (SWG).
    • Hunting: Use EDR solutions to hunt for the specific file hashes provided. Focus on processes spawned from browsers (chrome.exe, msedge.exe) or installers (msiexec.exe) that initiate network connections to the listed C2 infrastructure.
    • Decoding: The Deno-based payloads require JavaScript analysis environments; standard disassemblers may be insufficient.

Detection Engineering

Sigma Rules

YAML
title: Potential ClickFix Activity - Browser Spawning Shell
id: 4f3e1a2b-6c9d-4a1e-9b2c-3d4e5f6a7b8c
date: 2026/04/25
status: experimental
description: Detects potential ClickFix social engineering activity where a browser process spawns a shell (PowerShell, Bash, CMD) often triggered by fake error messages.
references:
    - https://otx.alienvault.com/pulse/6265c8d0e7e46166c8e3f1e2/
author: Security Arsenal
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wsl.exe'
    filter:
        CommandLine|contains:
            - 'youtube-dl' # Legitimate use case
            - 'vlc' 
    condition: selection and not filter
falsepositives:
    - Legitimate web-based utilities launching command lines
level: high
---
title: DinDoor Backdoor - Deno Runtime Execution via Installer
id: 5a4b2c1d-7d0e-5f2a-0c3d-4e5f6a7b8c9d
date: 2026/04/25
status: experimental
description: Detects the execution of the Deno runtime immediately following an MSI installer, characteristic of the DinDoor backdoor delivery used by MuddyWater.
references:
    - https://otx.alienvault.com/pulse/6265c8d0e7e46166c8e3f1e4/
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith: '\msiexec.exe'
    selection_child:
        Image|contains: '\deno.exe'
        CommandLine|contains: 'run'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate software development using Deno installed via MSI
level: critical
---
title: TwizAdmin C2 Connection - FastAPI Panel Traffic
id: 6b5c3d2e-8e1f-6a3b-1d4e-5f6a7b8c9d0e
date: 2026/04/25
status: experimental
description: Detects network connections to known TwizAdmin FastAPI C2 panels or suspicious traffic on port 1337 associated with the DataBreachPlus operation.
references:
    - https://otx.alienvault.com/pulse/6265c8d0e7e46166c8e3f1e0/
author: Security Arsenal
tags:
    - attack.c2
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_port:
        DestinationPort: 1337
    selection_ioc:
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
    condition: 1 of selection*
falsepositives:
    - Legitimate traffic on non-standard ports
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and DinDoor IOCs
let IOCs = dynamic(["fanonlyatn.xyz", "ustazazharidrus.com", "account-help.info", "ineracaspsl.site", "serialmenot.com", "justtalken.com", "31.31.198.206"]);
// Network Events
DeviceNetworkEvents
| where RemoteUrl in (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatType = iff(RemotePort == 1337, "TwizAdmin C2", "General C2")
| order by Timestamp desc
;
// Process Creation for Deno/Msiexec chain
DeviceProcessEvents
| where InitiatingProcessFileName =~ "msiexec.exe" and FileName =~ "deno.exe"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, CommandLine, FolderPath
| order by Timestamp desc
;

PowerShell Hunt Script

PowerShell
<#
    Security Arsenal Threat Hunt - TwizAdmin & DinDoor
    Checks for active network connections to known malicious IPs/Domains
    and suspicious Deno runtime processes.
#>

$TargetIOCs = @(
    "31.31.198.206",
    "103.241.66.238"
)

Write-Host "[+] Checking Active Network Connections to Known C2s..." -ForegroundColor Cyan

$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($IP in $TargetIOCs) {
    $Match = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Match) {
        $Process = Get-Process -Id $Match.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] ALERT: Connection to $IP found!" -ForegroundColor Red
        Write-Host "    Local Address: $($Match.LocalAddress):$($Match.LocalPort)" -ForegroundColor Yellow
        Write-Host "    Process: $($Process.ProcessName) (PID: $($Match.OwningProcess))" -ForegroundColor Yellow
        Write-Host "    Path: $($Process.Path)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking for Deno Runtime Processes (DinDoor)..." -ForegroundColor Cyan
$DenoProcesses = Get-Process -Name "deno" -ErrorAction SilentlyContinue
if ($DenoProcesses) {
    Write-Host "[!] ALERT: Deno runtime detected. Investigate parent chain." -ForegroundColor Red
    $DenoProcesses | ForEach-Object {
        $Parent = Get-Process -Id $_.Parent.ProcessId -ErrorAction SilentlyContinue
        Write-Host "    PID: $($_.Id), Parent: $($Parent.ProcessName), Path: $($_.Path)" -ForegroundColor Yellow
    }
} else {
    Write-Host "[-] No Deno processes found." -ForegroundColor Green
}


# Response Priorities

Immediate

  1. Block IOCs: Push all listed IPs, Domains, and URLs to firewall blocklists and secure web gateways.
  2. Hunt DinDoor: Scan endpoints for deno.exe execution or MSI installers from the last 48 hours.

24 Hours

  1. Credential Audit: If TwizAdmin or Lumma/Vidar infection is suspected, force a password reset for browser-saved credentials and cryptocurrency wallets.
  2. Isolate: Isolate hosts with confirmed C2 connections (31.31.198.206, fanonlyatn.xyz) for forensic imaging.

1 Week

  1. Runtime Restriction: Restrict the usage of the Deno runtime and FastAPI panels to developer-approved environments only.
  2. User Awareness: Conduct security awareness training regarding the "ClickFix" technique (fake browser errors asking to run commands).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-apttwizadmindindoorclickfixmuddywaterinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action