Analysis of the latest OTX pulses reveals a convergence of sophisticated credential theft and supply chain attacks targeting developers, government entities, and cryptocurrency users.
The DataBreachPlus group is actively pushing TwizAdmin, a multi-platform malware combining crypto-clipping and ransomware capabilities. Simultaneously, the Lazarus Group has deployed "Mach-O Man" malware against macOS users via ClickFix social engineering. On the supply chain front, critical compromises have been identified in Laravel Lang packages (affecting 700+ versions) and Checkmarx KICS Docker images, injecting backdoors and stealers directly into developer environments. Additionally, the Cloud Atlas (Inception Framework) APT is targeting government sectors in Russia and Belarus with modular backdoors like PowerShower and VBCloud.
The collective objective of these campaigns is the mass exfiltration of credentials—ranging from browser data and crypto seed phrases to infrastructure-as-code secrets stored in CI/CD pipelines.
Threat Actor / Malware Profile
| Actor / Malware | Distribution Method | Payload Behavior | C2 & Persistence |
|---|---|---|---|
| TwizAdmin / DataBreachPlus | FedEx-themed lures, Malvertising | Crypto clipboard hijacking (8 chains), BIP-39 seed theft, Ransomware module (crpx0) | FastAPI panel on 103.241.66[.]238:1337; Java RAT for persistence. |
| Lazarus Group (Mach-O Man) | Fake meeting invites (Telegram/Zoom), ClickFix | PyLangGhostRAT, browser credential stealing, data exfil via Telegram | Telegram channels for C2; Mach-O binaries masquerading as legitimate apps. |
| Cloud Atlas (Inception) | Phishing emails with malicious ZIP/LNK | PowerCloud (exfil), VBCloud (file theft), PowerShower (recon) | Custom C2 infrastructure; Domain Generation Algorithms (DGA) observed. |
| TeamPCP (KICS/Laravel) | Supply Chain Poisoning (Docker Hub, npm, GitHub) | helpers.php stealer, DebugChromium.exe, mcpAddon.js | Exfiltration to attacker-controlled domains (e.g., flipboxstudio.info). |
IOC Analysis
The provided indicators span multiple vectors requiring immediate operationalization:
- Domains (Typosquatting/C2): livemicrosft.com (Lazarus), fanonlyatn.xyz (TwizAdmin), flipboxstudio.info (Laravel backdoor). These should be blocked at the DNS and firewall levels.
- File Hashes: A large volume of SHA256 hashes for the Mach-O binaries (Lazarus), Java RAT payloads (TwizAdmin), and trojanized Docker images (KICS). These must be loaded into EDR detection lists and used in retrospective scans.
- IP Addresses: Several IPs associated with Cloud Atlas (e.g., 46.17.44.125, 185.22.154.73) should be blocked.
- Tooling: SOC teams should use YARA rules to scan for the specific file headers of the Mach-O malware and the hash sets. SIEM correlation should look for outbound TLS connections to the non-standard ports used by the FastAPI panels.
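As an added example (not code from the Security Arsenal post), the following Python script applies the indicators listed above to firewall or proxy log lines: it refangs the defanged panel IP from the table, matches listed domains and their subdomains, matches listed IPs, and flags TLS on non-standard ports as the weaker correlation signal the tooling note describes. The log line format and the sample lines are constructed for illustration; the indicators themselves come from the post.

```python
"""
Added example (not from the Security Arsenal post): matches the IOCs listed above
against firewall/proxy log lines. Indicators are taken from the post; the log
format and the sample lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Turn defanged indicators such as 103.241.66[.]238 or hxxp:// back into matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the post. The TwizAdmin panel IP is defanged on the page and refanged here.
IOC_DOMAINS = {"livemicrosft.com", "fanonlyatn.xyz", "flipboxstudio.info"}
IOC_IPS = {refang(ip) for ip in ("103.241.66[.]238", "46.17.44.125", "185.22.154.73")}
# Non-standard port of the TwizAdmin FastAPI panel noted in the post
IOC_PORTS = {1337}
STANDARD_TLS_PORTS = {443, 8443}

# Constructed log format:
# "<ts> src=<ip> dst=<ip> dport=<port> proto=<proto> host=<sni or hostname>"  (host is optional)
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+)(?: host=(?P<host>\S+))?$"
)


@dataclass
class Hit:
    ts: str
    src: str
    reason: str


def classify(line: str) -> list:
    """Return a list of Hit records for one log line (empty if nothing matches or it does not parse)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    f = m.groupdict()
    hits = []
    host = (f["host"] or "").lower().rstrip(".")
    dport = int(f["dport"])
    # Domain match: exact or any subdomain of a listed domain
    for d in sorted(IOC_DOMAINS):
        if host == d or host.endswith("." + d):
            hits.append(Hit(f["ts"], f["src"], f"ioc-domain:{d}"))
    # IP match (normalised through ipaddress so odd formatting does not slip past)
    try:
        dst = str(ipaddress.ip_address(f["dst"]))
    except ValueError:
        dst = ""
    if dst in IOC_IPS:
        hits.append(Hit(f["ts"], f["src"], f"ioc-ip:{dst}"))
    # TLS on a non-standard port: weaker signal, kept for correlation rather than blocking
    if f["proto"].lower() == "tls" and dport not in STANDARD_TLS_PORTS:
        reason = "tls-nonstandard-port"
        if dport in IOC_PORTS:
            reason += ":known-panel-port"
        hits.append(Hit(f["ts"], f["src"], f"{reason}:{dport}"))
    return hits


def hunt(lines) -> list:
    """Run classify() over an iterable of log lines and collect every Hit."""
    out = []
    for line in lines:
        out.extend(classify(line))
    return out


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    "2026-05-25T10:00:01Z src=10.0.0.5 dst=142.250.74.36 dport=443 proto=tls host=www.google.com",
    "2026-05-25T10:00:07Z src=10.0.0.5 dst=103.241.66.238 dport=1337 proto=tls",
    "2026-05-25T10:01:15Z src=10.0.0.9 dst=203.0.113.7 dport=443 proto=tls host=update.livemicrosft.com",
    "2026-05-25T10:02:30Z src=10.0.0.12 dst=46.17.44.125 dport=80 proto=http",
    "2026-05-25T10:03:00Z src=10.0.0.5 dst=198.51.100.4 dport=8443 proto=tls host=vpn.example.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h)
```

The second sample line produces two hits (listed IP plus TLS on the panel port), which is the kind of stacked evidence a SIEM correlation rule should require before escalating the non-standard-port signal on its own.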
Detection Engineering
Sigma Rules
```yaml
title: Potential Laravel Supply Chain Compromise - DebugChromium Execution
id: 1e3d8f9a-2b4c-4e5f-8a9b-0c1d2e3f4a5b
description: Detects execution of DebugChromium.exe or PHP processes referencing the helpers.php stealer or its exfiltration domain, associated with the Laravel Lang compromise.
status: experimental
date: 2026/05/25
author: Security Arsenal
references:
  - https://socket.dev/blog/laravel-lang-compromise
tags:
  - attack.supply_chain
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection_dropper:
    # The dropped stealer binary is suspicious regardless of its arguments
    Image|endswith: '\DebugChromium.exe'
  selection_php:
    # PHP is only flagged when the command line references the backdoor or its domain
    Image|endswith: '\php.exe'
    CommandLine|contains:
      - 'helpers.php'
      - 'flipboxstudio.info'
  condition: selection_dropper or selection_php
falsepositives:
  - Legitimate developer debugging
level: high
---
title: TwizAdmin & Lazarus C2 Network Traffic
id: 2b4c9e0a-3d5f-4e6f-9b0c-1d2e3f4a5b6c
description: Identifies network connections to known C2 domains used by TwizAdmin and Lazarus Group campaigns.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
  - https://intel.breakglass.tech/post/twizadmin-103-241-66
  - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
  - attack.c2
  - attack.command_and_control
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'fanonlyatn.xyz'
      - 'livemicrosft.com'
      - 'flipboxstudio.info'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: Cloud Atlas APT LNK Phishing Pattern
id: 3c5d0f1b-4e6f-5a7b-0c1d-2e3f4a5b6c7d
description: Detects execution of LNK files initiating PowerShell with specific obfuscation patterns used by Cloud Atlas.
status: experimental
date: 2026/05/25
author: Security Arsenal
references:
  - https://securelist.com/cloud-atlas-2026/119895/
tags:
  - attack.initial_access
  - attack.execution
  - apt.cloud_atlas
logsource:
  category: process_creation
  product: windows
detection:
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  selection_parent:
    # An LNK opened from Explorer spawns cmd.exe, which in turn spawns powershell.exe
    ParentImage|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
  selection_indicator:
    CommandLine|contains:
      - 'Invoke-Expression'
      - 'FromBase64String'
  condition: all of selection_*
falsepositives:
  - Administrative scripts
level: high
```
Microsoft Sentinel (KQL)
```kql
// Hunt for TwizAdmin, Laravel Backdoor, and Lazarus Indicators
let IOCs = dynamic(["fanonlyatn.xyz", "livemicrosft.com", "flipboxstudio.info", "DebugChromium.exe", "mcpAddon.js"]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or InitiatingProcessFileName has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ActionType
| union (
    DeviceProcessEvents
    | where FileName in ("DebugChromium.exe", "powershell.exe", "cmd.exe")
    | where ProcessCommandLine has_any ("helpers.php", "flipboxstudio.info", "livemicrosft.com", "Invoke-Expression")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
```
PowerShell Hunt Script
```powershell
# IOC Hunter for TwizAdmin, Laravel, and Lazarus Campaigns
Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Check the hosts file for typosquatting / C2 domains
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @("livemicrosft.com", "fanonlyatn.xyz", "flipboxstudio.info")
$hostsContent = Get-Content $hostsPath -ErrorAction SilentlyContinue
foreach ($domain in $maliciousDomains) {
    # Escape the domain so '.' is matched literally rather than as a regex wildcard
    if ($hostsContent -match [regex]::Escape($domain)) {
        Write-Host "[ALERT] Malicious domain found in hosts file: $domain" -ForegroundColor Red
    }
}

# 2. Check for suspicious processes
# Get-Process reports ProcessName without the .exe extension, so compare base names
$suspiciousProcesses = @("DebugChromium", "java")
$found = Get-Process | Where-Object { $suspiciousProcesses -contains $_.ProcessName }
if ($found) {
    Write-Host "[ALERT] Suspicious process running:" -ForegroundColor Red
    $found | Select-Object ProcessName, Id, Path
}

# 3. Scan the user profile for mcpAddon.js (KICS compromise)
$userProfile = $env:USERPROFILE
$jsPath = "$userProfile\.vscode\extensions\*\mcpAddon.js"
if (Test-Path $jsPath) {
    Write-Host "[ALERT] Potential KICS compromise artifact found:" -ForegroundColor Red
    Get-ChildItem $jsPath | Select-Object FullName, LastWriteTime
}

Write-Host "Hunt Complete." -ForegroundColor Green
```
Response Priorities
* **Immediate:** Block all domains listed in the IOC Analysis at the perimeter firewall and proxy servers. Initiate a hunt for `DebugChromium.exe` and `mcpAddon.js` across all endpoints.
* **24 Hours:** Force a password reset for developer accounts with access to Laravel repositories and Docker Hub credentials. Validate the integrity of current Docker images (specifically KICS tags v2.1.20, v2.1.21).
* **1 Week:** Implement strict package pinning for npm and Composer dependencies. Enforce application control (AppLocker) to block unsigned binaries like the Mach-O payloads and unverified Java RATs.
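As an added example for the package-pinning step (not code from the Security Arsenal post), the following Python script scans a package.json and a composer.json for dependency constraints that are not pinned to an exact version, which is the first thing to check before enforcing pinning in CI. The manifest contents, package names and versions are constructed samples; the exact-pin regex and the platform-package exclusion are assumptions made for this example.

```python
"""
Added example (not from the Security Arsenal post): reports dependency constraints
in package.json and composer.json that are not pinned to an exact version.
The manifests below are constructed samples.
"""
import json
import re

# Assumption for this example: an exact pin is a bare semver (optionally with a
# leading '=' or 'v'), with no range operator, wildcard, or hyphen/space range.
EXACT_RE = re.compile(r"^=?v?\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")

NPM_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
COMPOSER_SECTIONS = ("require", "require-dev")


def is_pinned(constraint: str) -> bool:
    """True only for an exact version such as 4.19.2 or v1.2.3, never for ^, ~, *, >= or ranges."""
    return bool(EXACT_RE.match(constraint.strip()))


def find_unpinned(manifest: dict, sections, skip=()) -> dict:
    """Return {section: {name: constraint}} for every constraint that is not an exact pin."""
    findings = {}
    for section in sections:
        for name, constraint in (manifest.get(section) or {}).items():
            if name in skip:
                continue
            if not isinstance(constraint, str) or not is_pinned(constraint):
                findings.setdefault(section, {})[name] = constraint
    return findings


def check_npm(text: str) -> dict:
    return find_unpinned(json.loads(text), NPM_SECTIONS)


def check_composer(text: str) -> dict:
    data = json.loads(text)
    # Composer platform requirements (php, ext-*) describe the runtime, not an
    # installable package, so a range there is not a supply-chain pinning issue.
    platform = {n for n in (data.get("require") or {}) if n == "php" or n.startswith("ext-")}
    return find_unpinned(data, COMPOSER_SECTIONS, skip=platform)


# Constructed sample manifests (package names are real, versions are illustrative)
PACKAGE_JSON = """{
  "name": "sample-app",
  "dependencies": {
    "express": "4.19.2",
    "lodash": "^4.17.21",
    "left-pad": "*"
  },
  "devDependencies": {
    "jest": "~29.7.0",
    "typescript": "5.4.5"
  }
}"""

COMPOSER_JSON = """{
  "name": "sample/app",
  "require": {
    "php": "^8.2",
    "laravel/framework": "^11.0",
    "laravel-lang/lang": "15.0.0"
  },
  "require-dev": {
    "phpunit/phpunit": ">=10.0"
  }
}"""

if __name__ == "__main__":
    print("npm:", json.dumps(check_npm(PACKAGE_JSON), indent=2))
    print("composer:", json.dumps(check_composer(COMPOSER_JSON), indent=2))
```

Pinning the manifest is only half of the control: the lockfile (package-lock.json with its integrity hashes, composer.lock) is what actually reproduces the build, so CI should install from the lockfile (`npm ci`, `composer install`) and fail when the lockfile and manifest disagree.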