TwizAdmin Infostealer, DinDoor Backdoor, and ClickFix Attacks: Multi-Platform Threat Analysis

Recent OTX pulses indicate a surge in sophisticated, multi-platform threats targeting enterprise environments. Three distinct clusters have been identified:

TwizAdmin (DataBreachPlus): A "Malware-as-a-Service" (MaaS) operation combining crypto-clipping, BIP-39 seed phrase theft, and a ransomware module (crpx0). It utilizes a FastAPI-based C2 panel to manage operations, indicating a high degree of commercialization within the Russian-speaking cybercrime underground.
ClickFix Campaigns: A broad social engineering campaign targeting Windows and macOS users. These attacks utilize "living-off-the-land" binaries, tricking users into executing system commands (via fake browser errors or captchas) that ultimately deliver payloads like Vidar, Lumma Stealer, and Redline Stealer.
DinDoor (MuddyWater): A state-aligned APT actor has been observed deploying a new backdoor, "DinDoor," which abuses the Deno JavaScript/TypeScript runtime. Delivered via MSI files, this malware demonstrates a shift toward abusing lesser-known runtimes to evade traditional EDR heuristics.

Collectively, these threats demonstrate a trend toward leveraging legitimate development tools (Deno, FastAPI) and social engineering (ClickFix) to bypass static defenses and exfiltrate sensitive financial or credential data.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

Distribution: Phishing campaigns impersonating logistics entities (e.g., FedEx).
Behavior: Multi-stage payload. It begins as a clipboard hijacker for 8+ cryptocurrency chains, upgrades to an infostealer (browser credentials), and can deploy a ransomware module (crpx0).
C2: FastAPI panel accessible via port 1337, utilizing a license key system for operators.

ClickFix Technique

Distribution: Malvertising and SEO poisoning targeting specific industries (Accounting, Travel, Real Estate).
Behavior: Displays fake browser popups instructing users to run "repair" commands (PowerShell/Bash) which are actually malicious download cradles.
Payloads: Vidar, Lumma Stealer, Redline Stealer, NetSupport RAT.

DinDoor (MuddyWater)

Distribution: Malicious MSI installers, likely delivered via spear-phishing.
Behavior: Exploits the Deno runtime to execute obfuscated JavaScript. Capable of in-memory execution to avoid disk forensics and system fingerprinting.
C2: Communication via Caddy reverse proxy infrastructure; utilizes over 20 active C2 servers.

IOC Analysis

Indicator Types: The pulses provide a robust set of Network (IPs, Domains), Host (File Hashes), and Endpoint (URLs) artifacts.
Operationalization:
- Network: Block all listed domains and IPs (e.g., 103.241.66[.]238, fanonlyatn.xyz) at the perimeter firewall and proxy. Pay specific attention to non-standard ports (e.g., 1337 for TwizAdmin C2).
- Endpoint: Load SHA256 hashes (e.g., 06299676...) into EDR "blocklist" or "quarantine" policies.
- Decoding: The Deno-based payloads may be obfuscated JavaScript; use a sandbox environment to detonate the MSI samples and capture the in-memory JS code for analysis.

Detection Engineering

YAML

title: Potential DinDoor Backdoor Activity via Deno Runtime
id: 9e2a4b1c-8d3e-4a1f-9c5d-2b6a8c7d1e0f
description: Detects the execution of Deno runtime processes often associated with DinDoor backdoor activity following MSI installation.
status: experimental
date: 2026/04/25
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\deno.exe'
      - '\\deno'
    CommandLine|contains:
      - 'run'
      - 'eval'
  condition: selection
falsepositives:
  - Legitimate developer usage of Deno runtime
level: high
tags:
  - attack.execution
  - attack.t1059.006
  - apt.muddywater
  - malware.dindoor
---
title: TwizAdmin Crypto Clipper C2 Traffic
id: f1c2d3e4-5678-90ab-cdef-1234567890ab
description: Detects potential network connections to FastAPI-based panels associated with TwizAdmin on port 1337.
status: experimental
date: 2026/04/25
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 1337
    Initiated: 'true'
  filter:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
  condition: selection and not filter
falsepositives:
  - Legitimate local development on FastAPI
level: medium
tags:
  - attack.command_and_control
  - attack.t1071.001
  - malware.twizadmin
---
title: ClickFix Social Engineering Pattern
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects suspicious PowerShell execution spawned by browsers indicative of ClickFix campaigns.
status: experimental
date: 2026/04/25
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\\chrome.exe'
      - '\\msedge.exe'
      - '\\firefox.exe'
    Image|endswith:
      - '\\powershell.exe'
      - '\\cmd.exe'
    CommandLine|contains:
      - 'copy'
      - 'clipboard'
      - 'iex'
      - 'Invoke-Expression'
  condition: selection
falsepositives:
  - Administrative scripts launched by IT staff
level: high
tags:
  - attack.initial_access
  - attack.t1566.002
  - attack.t1204.002


kql
// Hunt for DinDoor processes and TwizAdmin network indicators
let MaliciousHashes = pack_array(
  "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
  "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
  "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5"
);
let SuspiciousDomains = pack_array(
  "fanonlyatn.xyz", "ineracaspsl.site", "serialmenot.com", "ustazazharidrus.com"
);
// Hunt for File Hash Matches
DeviceProcessEvents
| where FolderPath has_any (MaliciousHashes) or SHA256 has_any (MaliciousHashes)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256
| union (
  // Hunt for Deno Runtime Execution
  DeviceProcessEvents
  | where FileName has "deno"
  | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
  )
| union (
  // Hunt for Network Connections to C2
  DeviceNetworkEvents
  | where RemoteUrl has_any (SuspiciousDomains) or RemoteIP == "31.31.198.206"
  | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
  )


powershell
# IOC Hunt Script for TwizAdmin and DinDoor
# Requires Administrator privileges

Write-Host "Starting Hunt for TwizAdmin/DinDoor Indicators..." -ForegroundColor Cyan

$IOC_Hashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5"
)

$IOC_Domains = @(
    "fanonlyatn.xyz",
    "ineracaspsl.site",
    "serialmenot.com",
    "justtalken.com"
)

# 1. Scan running processes for Deno (DinDoor) or Suspicious Names
Write-Host "Checking for Suspicious Processes..." -ForegroundColor Yellow
$suspiciousProcs = Get-Process | Where-Object {$_.ProcessName -like "*deno*" -or $_.ProcessName -like "*twiz*"}
if ($suspiciousProcs) {
    Write-Host "ALERT: Found suspicious processes:" -ForegroundColor Red
    $suspiciousProcs | Format-Table Id, ProcessName, Path
} else {
    Write-Host "No suspicious processes found." -ForegroundColor Green
}

# 2. Scan specific directories (User Downloads, AppData) for IOCs
Write-Host "Scanning common directories for known malicious hashes..." -ForegroundColor Yellow
$pathsToScan = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:TEMP")

foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            try {
                $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
                if ($IOC_Hashes -contains $hash) {
                    Write-Host "MALICIOUS FILE FOUND: $($file.FullName)" -ForegroundColor Red
                }
            } catch {
                # Ignore access errors
            }
        }
    }
}

# 3. Check Hosts File for C2 Domains
Write-Host "Checking HOSTS file for C2 domains..." -ForegroundColor Yellow
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($domain in $IOC_Domains) {
        if ($hostsContent -match $domain) {
            Write-Host "WARNING: C2 Domain '$domain' found in HOSTS file." -ForegroundColor Red
        }
    }
}

Write-Host "Hunt Complete." -ForegroundColor Cyan

Response Priorities

Immediate:
- Block all listed IP addresses and domains at the network perimeter.
- Isolate endpoints with identified malware hashes (TwizAdmin/DinDoor) immediately.
- Kill any deno.exe processes not associated with approved developer workflows.
24 Hours:
- Conduct credential audits and forced password resets for users on devices infected with infostealers (TwizAdmin, Lumma, Vidar).
- Review browser history for ClickFix-related domains (account-help.info, ustazazharidrus.com) to identify potential victims who executed the fake fix commands.
1 Week:
- Implement application allowlisting policies to restrict the usage of the Deno runtime to approved developer devices only.
- Update security awareness training to include "ClickFix" scenarios (fake browser errors requesting terminal commands).
- Review outbound proxy rules to detect and block traffic to non-standard ports used by FastAPI panels.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub