
TwizAdmin Infostealer & Lazarus Mach-O Man: OTX Pulse Analysis — Credential Theft & Supply Chain Defense

Security Arsenal Team
May 25, 2026

Recent intelligence from OTX pulses indicates a coordinated surge in credential theft operations spanning multiple platforms and vectors. The primary threats identified this week include the TwizAdmin malware operation, which combines clipboard hijacking, seed phrase theft, and ransomware capabilities; the Lazarus Group's "Mach-O Man" campaign targeting macOS users via ClickFix social engineering; and significant supply chain compromises affecting the Laravel Lang packages and Checkmarx KICS Docker images. Collectively, these campaigns aim to harvest cryptocurrency wallets, browser credentials, and developer infrastructure keys, emphasizing a shift towards multi-stage, MaaS (Malware-as-a-Service) frameworks and poisoned developer tooling.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Distribution: Phishing campaigns impersonating FedEx and shipping logistics.
  • Payload Behavior: A multi-stage malware suite featuring a crypto clipper supporting 8 blockchains, a BIP-39 seed phrase extractor, and a browser credential stealer. It also deploys a ransomware module (crpx0).
  • C2 Communication: Uses a FastAPI-based panel hosted on exposed infrastructure (e.g., 103.241.66[.]238). Stolen data is exfiltrated through encrypted HTTP POST requests.
  • Persistence: Utilizes scheduled tasks and registry run keys to maintain persistence on Windows and LaunchAgents on macOS.

Mach-O Man (Lazarus Group)

  • Distribution: Fake meeting invitations via Telegram redirecting to fraudulent collaboration platforms (Zoom, Teams).
  • Payload Behavior: PyLangGhostRAT and Mach-O Man binaries designed to steal browser cookies, passwords, and cryptocurrency data.
  • C2 Communication: Exfiltration via Telegram channels and custom HTTP endpoints.
  • Persistence: Uses macOS LaunchDaemons and manipulated shell profiles.

Supply Chain Actors (TeamPCP / Unknown)

  • Distribution: Compromised npm packages, Docker Hub tags (Checkmarx KICS), and GitHub repositories (Laravel Lang).
  • Payload Behavior: The Laravel compromise involves an RCE backdoor (helpers.php) facilitating webshell access. The KICS compromise introduces mcpAddon.js to encrypt and exfiltrate scan reports containing sensitive credentials.
  • C2 Communication: Data sent to attacker-controlled domains such as flipboxstudio.info.

IOC Analysis

The provided Indicators of Compromise (IOCs) span several categories:

  • Domains: High-risk domains including fanonlyatn.xyz (TwizAdmin), livemicrosft.com (Lazarus typo-squatting), and flipboxstudio.info (Laravel C2) should be blocked immediately at the DNS and proxy levels.
  • File Hashes: A significant volume of SHA256 and MD5 hashes is provided for the malicious binaries (TwizAdmin samples, Mach-O Man, and trojanized KICS). SOC teams should ingest these into EDR solutions for immediate scanning.
  • IPv4 Addresses: Specific IPs linked to Cloud Atlas activity (e.g., 46.17.44.125, 185.22.154.73) should be firewalled.
  • Operationalization: Use SIEM correlation rules to match process execution against the file hashes and network connection logs against the domain/IP lists. Decode the helpers.php backdoor scripts to identify additional webshell signatures.

Detection Engineering

Sigma Rules

YAML
title: Potential TwizAdmin C2 Traffic
id: 99d8f72a-1234-5678-9101-112131415161
description: Detects potential network traffic to known TwizAdmin C2 infrastructure and payload domains
status: experimental
author: Security Arsenal
date: 2026/05/25
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.exfiltration
logsource:
    category: network_connection
detection:
    selection_domain:
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
    selection_ip:
        DestinationIp: '103.241.66.238'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
---
title: Potential Mach-O Man macOS Infection
id: 88c7e61b-9876-5432-1098-765432109876
description: Detects execution of shell commands associated with Lazarus ClickFix attacks leading to Mach-O Man malware
status: experimental
author: Security Arsenal
date: 2026/05/25
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.initial_access
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
            - '/bin/zsh'
    selection_cli:
        CommandLine|contains:
            - 'curl'
            - 'wget'
    selection_domain:
        CommandLine|contains:
            - 'livemicrosft.com'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration scripts
level: high
---
title: Suspicious Laravel Backdoor Activity
id: 77b6d50c-8765-4321-0567-123456789012
description: Detects web server requests whose Host header or query string match indicators associated with the Laravel Lang compromise
status: experimental
author: Security Arsenal
date: 2026/05/25
references:
    - https://socket.dev/blog/laravel-lang-compromise
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_host:
        cs-host|contains:
            - 'flipboxstudio.info'
    selection_uri:
        cs-uri-query|contains:
            - 'payload'
            - 'exfil'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("fanonlyatn.xyz", "flipboxstudio.info", "livemicrosft.com", "allgoodsdirect.com.au") or RemoteIP has_any ("46.17.44.125", "185.22.154.73", "195.58.49.9", "93.125.114.193", "194.102.104.207")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort

Hunt Script

PowerShell
# PowerShell script to hunt for specific file hashes on disk
# The pulse mixes SHA256 (64 hex chars) and MD5 (32 hex chars) values, so each
# algorithm gets its own list and is compared only against a digest of that type
$targetSha256 = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
)
$targetMd5 = @(
    "d47de3772f2d61a043e7047431ef4cf4"
)

$paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")

Write-Host "Scanning for TwizAdmin, Mach-O Man, and KICS related file hashes..."

foreach ($path in $paths) {
    # -File skips directories; locked or inaccessible files are silently skipped
    Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -in is case-insensitive, so the uppercase Get-FileHash output matches the lowercase IOCs
        if ($sha256 -in $targetSha256) {
            Write-Host "[ALERT] SHA256 match: $($_.FullName) - $sha256" -ForegroundColor Red
        }
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -in $targetMd5) {
            Write-Host "[ALERT] MD5 match: $($_.FullName) - $md5" -ForegroundColor Red
        }
    }
}
Write-Host "Scan complete."

Response Priorities

  • Immediate: Block all identified domains and IP addresses at the perimeter firewall and proxy servers. Initiate a scan of all endpoints for the listed SHA256 and MD5 file hashes.
  • 24h: Conduct an audit of all developer workstations and CI/CD pipelines for the compromised Laravel Lang versions and KICS Docker images. Rotate API keys and credentials stored in infrastructure-as-code repositories if compromise is suspected.
  • 1 week: Review and harden macOS endpoint security policies to prevent curl/wget execution from unverified sources. Implement strict dependency pinning for all npm and PHP packages used in the organization.
