Recent OTX pulses indicate a surge in multi-vector credential theft campaigns targeting both end-users and developer infrastructure. The activity spans from sophisticated APT operations (Lazarus Group, Cloud Atlas) to cybercriminal commoditized malware (TwizAdmin) and supply chain attacks (Laravel Lang, KICS Docker).
Collectively, these campaigns aim to harvest cryptocurrency wallets (BIP-39 seeds), browser credentials, infrastructure-as-code secrets, and government data. Attackers are leveraging "ClickFix" social engineering, poisoned package repositories, and typosquatting domains (e.g., livemicrosft.com) to bypass traditional email defenses. The convergence of ransomware modules (TwizAdmin/crpx0) with infostealing capabilities suggests a monetization strategy involving both direct data theft and extortion.
Threat Actor / Malware Profile
DataBreachPlus (TwizAdmin & crpx0)
- Distribution: Phishing impersonating FedEx, leading to multi-stage payload delivery.
- Payload Behavior: A complex "Malware-as-a-Service" featuring a crypto-clipper (supporting 8 chains), BIP-39 seed phrase theft, and browser credential dumping. Includes a ransomware module (crpx0) and a Java RAT builder.
- C2 Communication: Managed via a FastAPI-based panel (observed at 103.241.66[.]238:1337) utilizing a license key system.
- Persistence: Established via Java RAT and likely scheduled tasks or registry run keys.
Lazarus Group (Mach-O Man & PyLangGhostRAT)
- Distribution: "ClickFix" attacks via Telegram. Victims receive fake meeting invites redirecting to fraudulent collaboration sites (Fake Zoom/Teams), tricking them into running terminal commands.
- Payload Behavior: macOS-native malware kit (Mach-O Man) focusing on browser data theft and credential exfiltration via Telegram.
- C2 Communication: Uses Telegram for exfiltration, making network detection difficult.
- Anti-Analysis: Masquerades as legitimate meeting software components.
TeamPCP (Canister Worm & mcpAddon.js)
- Distribution: Supply chain compromise of official Checkmarx KICS Docker Hub images and VS Code extensions.
- Payload Behavior: Trojanized binaries collect and encrypt scan reports, specifically targeting credentials found in infrastructure-as-code.
- C2 Communication: Exfiltrates data to attacker-controlled endpoints embedded in the poisoned images.
Inception Framework (Cloud Atlas)
- Distribution: Phishing emails with malicious ZIP archives containing LNK shortcuts.
- Payload Behavior: Deploys a cocktail of backdoors (VBCloud, PowerShower, PowerCloud) for file theft and network reconnaissance.
- Targeting: Government and commercial entities in Russia and Belarus.
IOC Analysis
The provided indicators highlight a blend of infrastructure and file-based artifacts:
- Typosquatting & Delivery Domains: livemicrosft.com (Lazarus), fanonlyatn.xyz (TwizAdmin), flipboxstudio.info (Laravel backdoor). These should be blocked immediately at the DNS layer.
- C2 & Exfil Infrastructure: istochnik.org and allgoodsdirect.com.au (Cloud Atlas) alongside specific IPs (e.g., 46.17.44.125).
- File Hashes: A large set of SHA256 hashes is provided for the macOS binaries (Mach-O Man), Windows payloads (TwizAdmin), and compromised Docker images (mcpAddon.js).
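Blocking the listed domains catches only the indicators already known. Look-alike domains such as livemicrosft.com can also be caught generically by comparing the registrable label of each queried name against a short list of brands the organisation expects its users to reach. The following script is an added example, not part of the original report: the IOC domains are the ones listed above, while the protected-brand list, the two-label public-suffix list and the resolver log lines are constructed sample data.

```python
"""Flag DNS queries for the report's IOC domains and for look-alike (typosquat) domains.

Added example, not part of the original report. The IOC domains are the
ones listed in the report; the protected-brand list, the public-suffix
list and the DNS log lines are constructed sample data.
"""
from collections import namedtuple

# Domains named in the report's IOC section.
IOC_DOMAINS = {
    "livemicrosft.com", "fanonlyatn.xyz", "flipboxstudio.info",
    "istochnik.org", "allgoodsdirect.com.au",
}

# Brands users are expected to reach, mapped to their legitimate
# registrable domain (assumed list; tune to your environment).
PROTECTED_BRANDS = {"microsoft": "microsoft.com", "zoom": "zoom.us"}

# Minimal set of two-label public suffixes (assumed; a real deployment
# would use the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"com.au", "co.uk", "co.jp"}

# Constructed resolver log: "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2026-05-25T10:01:02Z 10.0.0.15 login.microsoft.com
2026-05-25T10:01:09Z 10.0.0.15 livemicrosft.com
2026-05-25T10:02:11Z 10.0.0.22 zoom.us
2026-05-25T10:02:40Z 10.0.0.22 zoomm-meeting.xyz
2026-05-25T10:03:05Z 10.0.0.31 cdn.flipboxstudio.info
2026-05-25T10:03:30Z 10.0.0.31 github.com
2026-05-25T10:04:12Z 10.0.0.44 micros0ft-login.com
"""

Finding = namedtuple("Finding", "timestamp client qname reason")


def registrable_domain(qname):
    """Return the registrable domain, e.g. 'allgoodsdirect.com.au' for 'www.allgoodsdirect.com.au'."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(qname):
    """Explain why qname resembles a protected brand, or None if it does not."""
    reg = registrable_domain(qname)
    if reg in PROTECTED_BRANDS.values():
        return None  # the brand's own domain
    label = reg.split(".")[0]
    for brand in PROTECTED_BRANDS:
        if brand in label:
            return f"embeds brand '{brand}'"
        if len(brand) < 6:
            continue  # too short for a near-miss check without heavy noise
        # Slide windows of roughly the brand's length over the label so that
        # prefixes/suffixes ("live" + "microsft") do not hide a one-edit miss.
        for width in (len(brand) - 1, len(brand), len(brand) + 1):
            windows = ([label[s:s + width] for s in range(len(label) - width + 1)]
                       if len(label) >= width else [label])
            if any(levenshtein(w, brand) <= 1 for w in windows):
                return f"near-miss of brand '{brand}'"
    return None


def scan_dns_log(text):
    """Return Findings for IOC hits and look-alike domains in a resolver log."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        if registrable_domain(qname) in IOC_DOMAINS:
            findings.append(Finding(ts, client, qname, "known IOC domain"))
            continue
        reason = lookalike_reason(qname)
        if reason:
            findings.append(Finding(ts, client, qname, reason))
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f.timestamp} {f.client} {f.qname}: {f.reason}")
```

Exact IOC matches are reported first because they are authoritative; the edit-distance check only runs on brands of six or more characters, since for short names like "zoom" a one-edit threshold would flag ordinary words, so those are covered by the substring check alone.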
SOC Operationalization:
- EDR: Load the SHA256 hashes into watchlists for immediate process creation and file write alerts.
- Network: Block all listed domains and IPs. Firewalls should flag connections to non-standard ports (e.g., 1337) associated with fanonlyatn.xyz.
- Logs: Correlate powershell.exe or terminal execution events with network connections to the listed domains.
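The correlation step above is a join: a connection to a listed domain (or to port 1337) is matched back to the process that opened it by host and PID, and the alert is raised in severity when that process is a shell or interpreter. The script below is an added example, not part of the original report. The domains and the 1337 port come from the report; the pipe-delimited event rows are constructed sample telemetry in an assumed export format (kind|timestamp|host|pid|a|b, where a/b are image and command line for proc rows and remote host and port for net rows).

```python
"""Correlate interpreter launches with connections to the report's IOC domains.

Added example, not part of the original report. The domains and the 1337
port come from the report; the pipe-delimited event rows are constructed
sample data in an assumed export format.
"""
from collections import namedtuple
from datetime import datetime, timedelta

IOC_DOMAINS = {
    "fanonlyatn.xyz", "flipboxstudio.info", "livemicrosft.com",
    "allgoodsdirect.com.au", "istochnik.org",
}
SUSPICIOUS_PORTS = {1337}  # non-standard port the report ties to the TwizAdmin panel
INTERPRETERS = {"powershell.exe", "cmd.exe", "java.exe", "bash", "zsh", "osascript"}
WINDOW = timedelta(minutes=5)  # how long after launch a connection is still attributed

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
proc|2026-05-25T09:58:00Z|WS-0142|4120|powershell.exe|powershell.exe -c Invoke-WebRequest fanonlyatn.xyz
net|2026-05-25T09:58:04Z|WS-0142|4120|fanonlyatn.xyz|1337
proc|2026-05-25T10:05:00Z|WS-0142|4301|outlook.exe|outlook.exe
net|2026-05-25T10:05:10Z|WS-0142|4301|outlook.office365.com|443
proc|2026-05-25T10:10:00Z|MAC-017|812|zsh|zsh -c curl -s https://livemicrosft.com/meeting
net|2026-05-25T10:10:02Z|MAC-017|812|livemicrosft.com|443
proc|2026-05-25T10:20:00Z|WS-0099|2200|powershell.exe|powershell.exe Get-Process
net|2026-05-25T10:20:30Z|WS-0099|2200|update.microsoft.com|443
net|2026-05-25T10:40:00Z|WS-0099|0|flipboxstudio.info|443
"""

Proc = namedtuple("Proc", "time host pid image cmdline")
Net = namedtuple("Net", "time host pid remote port")
Alert = namedtuple("Alert", "host pid image cmdline remote port severity reason")


def parse_events(text):
    """Split the export into process-creation and network rows."""
    procs, nets = [], []
    for line in text.splitlines():
        kind, ts, host, pid, a, b = line.split("|", 5)
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if kind == "proc":
            procs.append(Proc(t, host, int(pid), a.lower(), b))
        elif kind == "net":
            nets.append(Net(t, host, int(pid), a.lower(), int(b)))
    return procs, nets


def matches_ioc(remote):
    """True for a listed domain or any subdomain of one."""
    return remote in IOC_DOMAINS or any(remote.endswith("." + d) for d in IOC_DOMAINS)


def correlate(procs, nets, window=WINDOW):
    """Join suspicious connections to the process that opened them: same host
    and PID, launched within `window` before the connection."""
    alerts = []
    for n in nets:
        reasons = []
        if matches_ioc(n.remote):
            reasons.append("IOC domain")
        if n.port in SUSPICIOUS_PORTS:
            reasons.append(f"non-standard port {n.port}")
        if not reasons:
            continue
        owner = None
        for p in procs:
            if p.host == n.host and p.pid == n.pid and timedelta(0) <= n.time - p.time <= window:
                owner = p  # keep the latest launch inside the window
        if owner and owner.image in INTERPRETERS:
            reasons.append(f"launched by {owner.image}")
            severity = "high"
        else:
            severity = "medium"  # still an IOC hit, just without a shell parent
        alerts.append(Alert(n.host, n.pid, owner.image if owner else None,
                            owner.cmdline if owner else None, n.remote, n.port,
                            severity, "; ".join(reasons)))
    return alerts


def run_sample():
    return correlate(*parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.host} pid={a.pid} {a.image} -> {a.remote}:{a.port} ({a.reason})")
```

A connection with no matching process row (the last sample line, PID 0) is still reported at medium severity: the IOC hit stands on its own, and the missing parent is itself worth investigating.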
Detection Engineering
```yaml
title: Potential TwizAdmin Clipper Process Creation
id: 6678d9a1-8b12-4c5d-9e0f-1a2b3c4d5e6f
description: Detects potential execution of TwizAdmin or related clippers based on command line arguments and file hash patterns observed in OTX Pulse.
status: experimental
date: 2026/05/25
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\java.exe'
      - '\cmd.exe'
      - '\powershell.exe'
    CommandLine|contains:
      - 'clipper'
      - 'fanonlyatn'
      - 'BIP-39'
  condition: selection
falsepositives:
  - Legitimate developer tools referencing clipboard
level: high
---
title: Laravel Lang Supply Chain Backdoor Execution
id: 7778d9a1-8b12-4c5d-9e0f-1a2b3c4d5e6f
description: Detects execution of malicious helpers.php or DebugChromium.exe associated with the Laravel Lang compromise.
status: experimental
date: 2026/05/25
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\php.exe'
      - '\DebugChromium.exe'
  selection_cli:
    CommandLine|contains:
      - 'helpers.php'
      - 'flipboxstudio.info'
  condition: 1 of selection_*
falsepositives:
  - Legitimate Laravel development
level: critical
---
title: Lazarus ClickFix macOS Terminal Execution
id: 8888d9a1-8b12-4c5d-9e0f-1a2b3c4d5e6f
description: Detects suspicious terminal commands often used in ClickFix attacks targeting macOS users.
status: experimental
date: 2026/05/25
author: Security Arsenal
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith:
      - '/bin/bash'
      - '/bin/zsh'
      - '/usr/bin/osascript'
    CommandLine|contains:
      - 'curl'
      - 'livemicrosft.com'
      - 'meeting'
  condition: selection
falsepositives:
  - Administrative scripting
level: high
```
```kql
// Hunt for TwizAdmin and Lazarus C2 Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("fanonlyatn.xyz", "flipboxstudio.info", "livemicrosft.com", "allgoodsdirect.com.au", "istochnik.org")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for Malicious File Hashes (Sample of TwizAdmin and Mach-O Man)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in ("06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256

// Check for PowerShell script execution related to supply chain
// (=~ is the case-insensitive comparison; == would miss "PowerShell.exe")
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "DebugChromium" or ProcessCommandLine contains "mcpAddon"
| project Timestamp, DeviceName, ProcessCommandLine
```
```powershell
# IOC Hunt Script for TwizAdmin and Supply Chain Malware
$MaliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
)

Write-Host "[+] Scanning for malicious file hashes..."

# Scan common download and temp directories
$PathsToScan = @("C:\Users\", "C:\Windows\Temp", "C:\ProgramData")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash;
        # -contains compares case-insensitively, so the hex case does not matter
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Where-Object { $MaliciousHashes -contains $_.Hash } |
            ForEach-Object {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.Path) | Hash: $($_.Hash)" -ForegroundColor Red
            }
    }
}

# Check Hosts File for Typosquatting
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$BadDomains = @("livemicrosft.com", "fanonlyatn.xyz", "flipboxstudio.info")
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $BadDomains) {
        # -match is a regex test; escape the domain so '.' matches literally
        if ($HostsContent -match [regex]::Escape($Domain)) {
            Write-Host "[!] Suspicious entry found in hosts file for: $Domain" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Scan complete."
```
Response Priorities
- Immediate: Block all listed domains and IPs at the firewall and proxy level. Scan endpoints for the specific SHA256 hashes provided for TwizAdmin and Mach-O Man. Identify and contain any devices communicating with flipboxstudio.info (Laravel backdoor C2).
- 24h: Initiate credential rotation for developer accounts if supply chain compromise (Laravel/KICS) is suspected. Audit all Docker images in use against the provided KICS hashes.
- 1 week: Review and harden macOS endpoint detection rules to catch ClickFix social engineering attempts. Implement strict package pinning for PHP/Composer and NPM/Docker dependencies to prevent future supply chain intrusions.
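The 24h and 1-week items for containers come down to two checks: whether any image already pulled onto a host carries a blocklisted digest, and whether Dockerfiles pull their base images by mutable tag rather than by digest (a tag like `:latest` is exactly what a poisoned registry image overwrites). The script below is an added example, not part of the original report. The blocklisted digest is a labelled placeholder (the report's KICS image hashes are not reproduced here), and the `docker images` output and Dockerfile are constructed sample data.

```python
"""Audit local container images against a digest blocklist and check that
Dockerfile base images are pinned by digest.

Added example, not part of the original report. The blocklisted digest is a
PLACEHOLDER (the report's KICS image hashes are not reproduced here); the
`docker images` output and the Dockerfile are constructed sample data.
"""
import re

# PLACEHOLDER digest standing in for the report's KICS image hashes.
BLOCKLISTED_DIGESTS = {"sha256:" + "11" * 32}

# Constructed output of:
#   docker images --digests --format '{{.Repository}}\t{{.Tag}}\t{{.Digest}}'
SAMPLE_DOCKER_IMAGES = (
    "checkmarx/kics\tlatest\tsha256:" + "11" * 32 + "\n"
    "checkmarx/kics\texample-tag\tsha256:" + "22" * 32 + "\n"
    "python\t3.12-slim\tsha256:" + "33" * 32 + "\n"
)

# Constructed Dockerfile: one tag-only FROM, one digest-pinned FROM, one scratch.
SAMPLE_DOCKERFILE = (
    "FROM checkmarx/kics:latest AS scanner\n"
    "FROM --platform=linux/amd64 python:3.12-slim@sha256:" + "33" * 32 + "\n"
    "RUN pip install --require-hashes -r requirements.txt\n"
    "FROM scratch\n"
)

# FROM [--flag ...] <image-ref> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def blocklisted_images(docker_images_output):
    """Return (repository, tag, digest) for every local image whose digest is blocklisted."""
    hits = []
    for line in docker_images_output.splitlines():
        repo, tag, digest = line.split("\t")
        if digest in BLOCKLISTED_DIGESTS:
            hits.append((repo, tag, digest))
    return hits


def unpinned_base_images(dockerfile_text):
    """Return image references in FROM lines that lack an @sha256:<digest> pin."""
    unpinned = []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.lower() == "scratch":
            continue  # the empty image has no digest to pin
        if not DIGEST_RE.search(ref):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    for repo, tag, digest in blocklisted_images(SAMPLE_DOCKER_IMAGES):
        print(f"[!] blocklisted image present: {repo}:{tag} ({digest})")
    for ref in unpinned_base_images(SAMPLE_DOCKERFILE):
        print(f"[!] base image not pinned by digest: {ref}")
```

Matching on the digest rather than on repository and tag is the point: a tag is a mutable pointer, so the same `checkmarx/kics:latest` name can resolve to a clean image on one host and a poisoned one on another, while the digest identifies the exact bytes that were pulled.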