
TwizAdmin, Lazarus & KICS Supply Chain: Multi-Vector Infostealer Analysis — Enterprise Detection Pack

Security Arsenal Team
May 24, 2026
6 min read

Recent OTX pulses indicate a convergence of sophisticated credential theft campaigns and supply chain compromises targeting enterprise infrastructure. The landscape is dominated by the "TwizAdmin" malware-as-a-service (MaaS) operation, which blends crypto-clipping with ransomware capabilities, and renewed activity from the Lazarus Group utilizing the "Mach-O Man" malware kit against macOS users via ClickFix social engineering.

Simultaneously, a concerning supply chain attack targeting the Checkmarx KICS (Keeping Infrastructure as Code Secure) tool highlights the risks inherent in modern DevOps pipelines. Attackers poisoned official Docker images and VS Code extensions to harvest credentials from infrastructure-as-code scan reports. Rounding out the threat landscape is the "PureLogs" infostealer, which employs steganography (PawsRunner) to hide payloads within images, and persistent cyber-espionage from the "FrostyNeighbor" group utilizing Cobalt Strike.

Collective Objective: The primary goal across these disparate campaigns is the theft of credentials—ranging from cryptocurrency wallet seeds and browser cookies to infrastructure secrets and corporate authentication tokens—facilitating financial theft, lateral movement, and data exfiltration.

Threat Actor / Malware Profile

1. TwizAdmin (Actor: DataBreachPlus)

  • Type: MaaS (Malware-as-a-Service)
  • Distribution: Phishing campaigns impersonating logistics (FedEx) and other services.
  • Payload Behavior: Multi-stage operation. Initial stage involves a Java-based RAT builder. Subsequent modules include a clipboard hijacker (crypto clipper) supporting 8 chains, a BIP-39 seed phrase thief, and a browser credential stealer.
  • C2 Communication: Managed via a FastAPI-based panel located at 103.241.66[.]238:1337. Uses a license key system for operator access.
  • Unique Feature: Includes a ransomware module (crpx0) that can be deployed post-exfiltration.

2. Mach-O Man (Actor: Lazarus Group)

  • Type: macOS Malware Kit
  • Distribution: "ClickFix" attacks. Victims receive fake meeting invites via Telegram that lead to fraudulent collaboration pages (Zoom/Teams impersonation), where they are tricked into pasting a command into Terminal that fetches the payload.
  • Payload Behavior: Uses Python-based payloads (PyLangGhostRAT) to steal browser data and credentials.
  • Exfiltration: Uses Telegram as the C2 channel for stolen data.
  • Targeting: Focuses on Finance and Technology sectors.

3. PureLogs / PawsRunner

  • Type: Infostealer & Steganography Loader
  • Distribution: Phishing emails with TXZ archive attachments (invoice lures).
  • Payload Behavior: PawsLoader extracts encrypted .NET payloads from PNG files (steganography). PureLogs targets cryptocurrency wallets and browser credentials.
  • Evasion: Uses PowerShell environment variables to obfuscate commands.

4. KICS Supply Chain Compromise (Actor: TeamPCP)

  • Type: Supply Chain Attack
  • Distribution: Poisoned Docker Hub images (checkmarx/kics tags v2.1.20, v2.1.21, alpine) and VS Code extensions (v1.17.0, v1.19.0).
  • Payload Behavior: The trojanized binary collects and encrypts scan reports, extracting credentials from IaC files before exfiltration.

5. FrostyNeighbor (Actor: Belarus-linked)

  • Type: Cyberespionage
  • Distribution: Spearphishing with weaponized attachments exploiting CVE-2023-38831 and CVE-2024-42009.
  • Payload Behavior: Deploys PicassoLoader and Cobalt Strike Beacons.
  • Targeting: Government, Defense, and Healthcare in Lithuania, Poland, and Ukraine.

IOC Analysis

The pulses' indicators support detection at three layers:

  • Network Infrastructure: Domains such as fanonlyatn.xyz (TwizAdmin) and livemicrosft.com (Lazarus typo-squat of Microsoft) should be blocked and alerted on at the DNS layer. The IP 5.101.84[.]202 is associated with PureLogs C2, and 103.241.66[.]238:1337 is the TwizAdmin panel.
  • File Artifacts: A significant number of SHA256 hashes are provided for the malware payloads (TwizAdmin, Mach-O Man) and the compromised KICS binaries. Push them to EDR block lists immediately; hash blocking stops only the exact samples already seen, so pair it with the behavioural rules in the Detection Engineering section.
  • Operationalization:
    • SOC Tooling: Query the hashes against SIEM logs (Sysmon file creation, EDR process events) to surface execution attempts as well as file drops.
    • Network: Add the domains and IPs to firewall blocklists and alert on DNS queries for the domains.
    • Hash formats: The KICS artifacts are also published as MD5 and SHA1; hash-matching logic must select the algorithm per indicator (by digest length) rather than assuming every value is SHA256.
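The per-algorithm matching the last item calls for, as an added example in Python (not code from the post or from any vendor it cites): the script buckets a mixed MD5/SHA1/SHA256 indicator list by digest length, rejects malformed values instead of silently dropping them, and reads each file once while updating only the digests the list actually needs. The planted files and two of the three indicators are constructed here; the third is one of the SHA256 values from the post's own hunt queries.

```python
"""Hunt a directory tree against a mixed-algorithm IOC hash list.

Indicators are bucketed by algorithm (detected from hex length), and each file is
read once while only the needed digests are updated. Sample data is constructed
for illustration; see demo().
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def load_iocs(raw_hashes):
    """Normalise indicators to lower-case hex and bucket them by algorithm.

    Anything that is not a well-formed MD5/SHA1/SHA256 digest is rejected rather than
    silently dropped, so a truncated copy-paste cannot become a blind spot.
    """
    iocs = {}
    for raw in raw_hashes:
        value = raw.strip().lower()
        algo = HASH_ALGOS.get(len(value))
        if algo is None or not set(value) <= HEX_DIGITS:
            raise ValueError(f"not a recognised hash: {raw!r}")
        iocs.setdefault(algo, set()).add(value)
    return iocs


def digest_file(path, algos, chunk_size=1 << 20):
    """Return {algo: hexdigest} for the given algorithms, reading the file once."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def hunt(root, iocs):
    """Walk root and return [(path, algo, digest)] for every file matching an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path, iocs)  # iterating the dict yields its algorithms
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the hunt
            for algo, value in digests.items():
                if value in iocs[algo]:
                    hits.append((path, algo, value))
    return hits


def demo():
    """Plant two 'malicious' files and one clean file in a temp dir and hunt them."""
    mal_a = b"constructed sample A"
    mal_b = b"constructed sample B"
    indicators = [
        hashlib.sha256(mal_a).hexdigest(),       # SHA256 indicator (constructed)
        hashlib.md5(mal_b).hexdigest().upper(),  # MD5 indicator, upper case as often pasted from reports
        "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e",  # SHA256 from the post's hunt list
    ]
    iocs = load_iocs(indicators)
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a.bin").write_bytes(mal_a)
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "b.exe").write_bytes(mal_b)
        Path(tmp, "clean.txt").write_bytes(b"nothing to see here")
        hits = hunt(tmp, iocs)
    return sorted((os.path.basename(p), algo) for p, algo, _ in hits)


if __name__ == "__main__":
    for name, algo in demo():
        print(f"[!!!] {name} matched a {algo} indicator")
```

Because the algorithm set is derived from the indicator list, a SHA256-only list costs one digest per file, and a list that mixes all three still costs one read per file rather than three.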

Detection Engineering

Three Sigma rules follow. They use the generic process_creation and network_connection logsources so the usual backends map them to Sysmon or the Security log; all three need command-line or network telemetry enabled to fire.

```yaml
title: Potential Steganography Loader via PowerShell
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: >
    Detects PowerShell command lines that load an image through System.Drawing, the technique
    PawsRunner uses to carve the encrypted PureLogs payload out of a PNG. Command-line auditing
    must be enabled (Sysmon, or 4688 with "Include command line in process creation events"),
    otherwise CommandLine is empty and the rule never fires.
references:
    - https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
author: Security Arsenal
date: 2026-05-25
tags:
    - attack.defense-evasion
    - attack.t1027.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cli:
        CommandLine|contains:
            - 'System.Drawing'
            - 'FromStream'
            - 'Bitmap'
    condition: all of selection_*
falsepositives:
    - Legitimate image processing scripts
level: high
---
title: Java Process Network Connection on Non-Web Port
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: >
    Detects outbound connections from a Java runtime to ports other than 80/443, which is how the
    Java-based TwizAdmin RAT reaches its panel on 103.241.66.238:1337. Noisy on developer hosts;
    for a high-fidelity variant restrict DestinationPort to 1337 or DestinationIp to the C2 address.
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
author: Security Arsenal
date: 2026-05-25
tags:
    - attack.command-and-control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\java.exe'
            - '\javaw.exe'
        Initiated: 'true'
    # "notin" is not a Sigma modifier; exclude the web ports with a filter instead.
    filter_web_ports:
        DestinationPort:
            - 80
            - 443
    condition: selection and not filter_web_ports
falsepositives:
    - Legitimate Java applications using custom ports
level: medium
---
title: ClickFix / Fake Meeting Invite Pattern
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: >
    Detects mshta or PowerShell launched with meeting-lure keywords on the command line, the Windows
    analogue of the ClickFix flow Lazarus uses to deliver Mach-O Man on macOS (where the victim pastes
    the command into Terminal, so macOS telemetry rather than Sysmon is the data source).
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
author: Security Arsenal
date: 2026-05-25
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    category: process_creation
    product: windows
detection:
    # Two selections: a YAML mapping cannot carry the CommandLine|contains key twice.
    selection_lolbin:
        Image|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_lure:
        CommandLine|contains:
            - 'meeting'
            - 'teams'
            - 'zoom'
            - 'invite'
    condition: all of selection_*
falsepositives:
    - Legitimate meeting software installation or access (Teams/Zoom installers invoked via PowerShell)
level: high
```


```kql
// Hunt for known malicious domains and IPs from the pulses.
// RemoteUrl is only populated when the sensor saw the name (DNS/proxy/Network Protection), so match the IPs as well.
let BadDomains = dynamic(["fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com"]);
let BadIPs = dynamic(["5.101.84.202", "103.241.66.238"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (BadDomains) or RemoteIP in (BadIPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort

// Hunt for known malicious hashes: file writes and executions in one result set.
// SHA256 is not populated for every DeviceFileEvents row; the SHA1 and MD5 columns exist
// for indicators published in those forms. in~ is case-insensitive, so hash case does not matter.
let BadSha256 = dynamic([
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"
]);
union
    (DeviceFileEvents
     | where Timestamp > ago(7d)
     | where SHA256 in~ (BadSha256)
     | project Timestamp, DeviceName, Source = "file", Path = FolderPath, SHA256, Account = InitiatingProcessAccountName),
    (DeviceProcessEvents
     | where Timestamp > ago(7d)
     | where SHA256 in~ (BadSha256)
     | project Timestamp, DeviceName, Source = "process", Path = FolderPath, SHA256, Account = AccountName)
| order by Timestamp desc

// Hunt for PowerShell steganography behavior (PureLogs / PawsRunner).
// Match on the image name rather than ProcessVersionInfoProductName, which is empty for some hosts.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("System.Drawing", "FromStream", "Bitmap")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, AccountName
```


```powershell
# IOC Hunt Script for TwizAdmin and PureLogs
# Checks local files against known-bad SHA256 hashes and inspects Run keys for
# suspicious persistence. Run elevated. Hashing whole drives is slow; on large
# hosts scope it with -Paths, or prefer an EDR hash search (see the KQL above).
[CmdletBinding()]
param(
    # Directories to hash; defaults to the root of every filesystem drive.
    [string[]]$Paths = (Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root)
)

$MaliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e",
    "1b730de72f921458b6b162b105a9521a931f07e19d3cac53207c7a8efbc412f9",
    "24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9"
)

Write-Host "[+] Scanning for known malicious file hashes..."

foreach ($Root in $Paths) {
    Write-Host "[!] Scanning $Root"
    # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -in compares case-insensitively, so Get-FileHash's upper-case output matches the lower-case list.
        if ($Hash -and ($Hash -in $MaliciousHashes)) {
            Write-Host "[!!!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking Run keys for TwizAdmin-style persistence..."
$RegPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
# Pulse indicators (C2 IP, domain) are regex-escaped so "." matches a literal dot.
# The panel port and a bare "java" are loose patterns and only yield a lower-confidence hit.
$HighConfidence = @("103.241.66.238", "fanonlyatn.xyz") | ForEach-Object { [regex]::Escape($_) }
$LowConfidence  = @(":1337", "java")

foreach ($Path in $RegPaths) {
    if (-not (Test-Path $Path)) { continue }
    $Key = Get-ItemProperty -Path $Path
    # Skip the PS* metadata properties Get-ItemProperty adds to every key object.
    $Key.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $Name  = $_.Name
        $Value = [string]$_.Value
        if ($HighConfidence | Where-Object { $Value -match $_ }) {
            Write-Host "[!!!] PERSISTENCE MATCHES PULSE IOC in $Path : $Name = $Value" -ForegroundColor Red
        }
        elseif ($LowConfidence | Where-Object { $Value -match $_ }) {
            Write-Host "[?] Review Run entry in $Path : $Name = $Value" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Hunt complete."
```

Response Priorities

  • Immediate: Block the identified domains and IPs (fanonlyatn.xyz, livemicrosft.com, everycarebd.com, 103.241.66[.]238, 5.101.84[.]202) at the perimeter and alert on DNS resolution of the domains. Sweep endpoints for the provided file hashes (MD5, SHA1, SHA256), through EDR hash search where available rather than host-by-host scripts.
  • 24h: If PureLogs or TwizAdmin activity is suspected, force a password reset for high-privilege accounts and revoke active sessions and browser-stored credentials, since a stolen cookie or token outlives a password change. Inventory Docker hosts and CI runners for the compromised KICS tags (v2.1.20, v2.1.21, alpine); because a tag can be re-pushed, identify what was actually pulled by digest (docker image inspect --format '{{.RepoDigests}}' on the local image) and replace it with a vendor-verified build.
  • 1 Week: Review VS Code extensions in use, removing the affected KICS extension versions (v1.17.0, v1.19.0) and reinstalling from a verified source; enforce digest pinning (image@sha256:...) for Docker images in CI and compose files so a re-pushed tag cannot drift in unnoticed; and brief users on "ClickFix" social engineering and fake meeting invitations.
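The Docker and VS Code checks in the 24h and 1-week items, as an added example in Python (not code from the post or from Checkmarx): it flags the poisoned checkmarx/kics tags, flags any checkmarx/kics reference that is pinned by tag rather than digest, and checks VS Code extension folder names for the affected versions. The compose and workflow snippets are constructed, the digest in them is a placeholder of zeros, and, because the post does not name the extension's publisher or ID, the extension check matches on "kics" in the folder name (VS Code's publisher.name-version layout under ~/.vscode/extensions).

```python
"""Flag KICS supply-chain exposure in build files and VS Code extension folders.

Tags and versions come from the advisory text; everything else (sample files,
the all-zero digest, the 'kics'-in-folder-name heuristic) is constructed or assumed.
"""
import re

BAD_KICS_TAGS = {"v2.1.20", "v2.1.21", "alpine"}   # poisoned Docker Hub tags named in the advisory
BAD_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}      # affected VS Code extension versions

# An image reference: optional registry[:port]/, the repo, optional :tag, optional @sha256:digest.
# The lookbehind/lookahead stop "foo-checkmarx/kics" and "checkmarx/kics-github-action" matching.
IMAGE_REF = re.compile(
    r"(?<![\w.\-])"
    r"(?P<repo>(?:[\w.\-]+(?::\d+)?/)?checkmarx/kics)(?![\w\-])"
    r"(?::(?P<tag>[\w][\w.\-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

# VS Code installs extensions as ~/.vscode/extensions/<publisher>.<name>-<version>[...]
EXT_DIR = re.compile(r"^(?P<publisher>[\w\-]+)\.(?P<name>[\w\-]+)-(?P<version>\d+\.\d+\.\d+)")


def check_build_file(text):
    """Return [(line_no, finding, reference)] for every checkmarx/kics reference in text.

    POISONED_TAG  : tag-only reference to a tag the advisory lists as compromised
    UNPINNED      : tag-only (or tag-less, i.e. implicit latest) reference; a re-pushed tag is pulled silently
    REVIEW_DIGEST : digest-pinned, but the tag beside it is a poisoned one, so the pin may have been
                    taken from a poisoned pull and must be compared with the vendor's published digest
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_REF.finditer(line):
            tag, digest = m.group("tag"), m.group("digest")
            if digest is None:
                kind = "POISONED_TAG" if tag in BAD_KICS_TAGS else "UNPINNED"
            elif tag in BAD_KICS_TAGS:
                kind = "REVIEW_DIGEST"
            else:
                continue  # pinned by digest, tag not in the advisory: nothing to flag here
            findings.append((line_no, kind, m.group(0)))
    return findings


def check_extension_dirs(dir_names):
    """Return [(dir_name, version)] for extension folders that look like KICS at an affected version."""
    hits = []
    for name in dir_names:
        m = EXT_DIR.match(name)
        if m and "kics" in m.group("name").lower() and m.group("version") in BAD_EXTENSION_VERSIONS:
            hits.append((name, m.group("version")))
    return hits


# Constructed samples (not real project files); the digest below is a placeholder of zeros.
SAMPLE_COMPOSE = """\
services:
  kics:
    image: checkmarx/kics:v2.1.21
  kics-pinned:
    image: checkmarx/kics:v2.1.22@sha256:0000000000000000000000000000000000000000000000000000000000000000
  scanner:
    image: registry.example.com/checkmarx/kics:latest
"""
SAMPLE_WORKFLOW = """\
    steps:
      - uses: checkmarx/kics-github-action@v2.1.3
      - run: docker run --rm checkmarx/kics:alpine scan -p .
"""
SAMPLE_EXT_DIRS = ["checkmarx.kics-1.19.0", "checkmarx.kics-1.18.0", "ms-python.python-2024.0.1"]

if __name__ == "__main__":
    for label, text in (("compose", SAMPLE_COMPOSE), ("workflow", SAMPLE_WORKFLOW)):
        for line_no, kind, ref in check_build_file(text):
            print(f"{label}:{line_no}: {kind} {ref}")
    for name, version in check_extension_dirs(SAMPLE_EXT_DIRS):
        print(f"extension {name}: affected version {version}")
```

Point check_build_file at Dockerfiles, compose files, CI workflows and shell scripts in the repository; the UNPINNED finding is what the 1-week digest-pinning item is meant to drive to zero.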
