Back to Intelligence

TwizAdmin, Lazarus Mach-O Man, and Supply Chain Attacks: OTX Pulse Analysis — Enterprise Credential Theft Surge

SA
Security Arsenal Team
May 23, 2026
6 min read

The latest OTX pulses from May 24, 2026, indicate a surge in credential-centric campaigns driven by distinct adversaries employing diverse TTPs. Operations range from the "TwizAdmin" Malware-as-a-Service (MaaS) targeting cryptocurrency assets with a sophisticated multi-stage payload to the Lazarus Group's "Mach-O Man" campaign, which leverages ClickFix social engineering to deliver macOS infostealers via fake meeting invites.

Simultaneously, a critical supply chain compromise affecting Checkmarx KICS (Docker Hub and VS Code extensions) by the threat actor TeamPCP highlights the evolving risk of developer tool poisoning, where infrastructure-as-code scans are weaponized to exfiltrate secrets. On the cyberespionage front, FrostyNeighbor continues targeting Eastern European governments utilizing evolved Cobalt Strike and PicassoLoader chains. Common across these campaigns is the objective to harvest credentials—whether from browsers, cryptocurrency wallets, or CI/CD pipelines—to facilitate ransomware deployment, lateral movement, or financial theft.

Threat Actor / Malware Profile

  • TwizAdmin (DataBreachPlus): A multi-platform MaaS operation targeting Windows and macOS. It features a crypto-clipboard hijacker supporting 8 chains, BIP-39 seed phrase theft, and a ransomware module (crpx0). Managed via a FastAPI C2 panel (observed on port 1337), it uses FedEx-themed lures for distribution.
  • Mach-O Man (Lazarus Group): A macOS-specific malware kit distributed via ClickFix attacks. Victims receive fake Telegram meeting invitations redirecting to fraudulent collaboration platforms. Execution involves terminal commands to download payloads, which function as infostealers and RATs (PyLangGhostRAT), exfiltrating data via Telegram.
  • TeamPCP (KICS Compromise): A supply chain actor targeting developer environments. By poisoning Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions, they introduce unauthorized exfiltration capabilities into the KICS binary to steal credentials from infrastructure-as-code scan reports.
  • PureLogs / PawsRunner: An infostealer campaign using steganography. Malicious .NET payloads are hidden inside PNG images distributed via TXZ archives with invoice lures. PawsRunner serves as the loader to decrypt and execute the payload using PowerShell.
  • FrostyNeighbor: A Belarus-aligned APT group active since 2016. They utilize spear-phishing with exploits like CVE-2023-38831 to deliver PicassoLoader and Cobalt Strike beacons, specifically targeting government, defense, and telecommunications sectors in Lithuania, Poland, and Ukraine.

IOC Analysis

The provided indicators span multiple vectors of compromise:

  • Network Infrastructure: Domains such as fanonlyatn.xyz (TwizAdmin), livemicrosft.com (Lazarus), and everycarebd.com (PureLogs) are critical for blocking at the proxy/DNS level. The IP 103.241.66[.]238 is a confirmed C2 node for TwizAdmin.
  • File Artifacts: A significant volume of SHA256, MD5, and SHA1 hashes are provided for the malicious binaries (TwizAdmin, Mach-O Man, PawsRunner, trojanized KICS).

SOC Operationalization:

  • Immediate Blocking: Inject all domains and the IP 103.241.66[.]238 into firewall blocklists and secure web gateways.
  • EDR Detection: Load the provided file hashes into EDR solutions to flag execution attempts.
  • Network Hunting: Use the KICS compromise indicators to audit outbound connections from build agents or developer workstations.

Detection Engineering

Sigma Rules

YAML
---
title: Potential TwizAdmin C2 Connection
id: 8e4b1d2a-3c4f-4b5a-8e6d-1f2c3b4a5e6f
description: Detects potential outbound connection to TwizAdmin C2 infrastructure on port 1337.
status: experimental
date: 2026/05/24
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.c2
    - attack.command_and_control
logsource:
    category: network_connection
detection:
    selection:
        DestinationIp|startswith: '103.241.66.'
        DestinationPort: 1337
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: macOS Suspicious Terminal Execution - ClickFix Pattern
id: 9f5c2e3b-4d5e-5f6a-9f7e-2g3h4i5j6k7l
description: Detects execution of suspicious commands via macOS Terminal often seen in Lazarus ClickFix attacks.
status: experimental
date: 2026/05/24
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.user_execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/Terminal.app/Contents/MacOS/Terminal'
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'bash -c'
            - 'python3 -c'
    condition: selection
falsepositives:
    - Legitimate admin scripting
level: high
---
title: Steganography Loader Execution - PawsRunner Pattern
id: a0g1h2i3-5e6f-6g7h-0i1j-3k4l5m6n7o8p
description: Detects PowerShell scripts attempting to read image files and decode them, indicative of PawsRunner steganography loader.
status: experimental
date: 2026/05/24
author: Security Arsenal
references:
    - https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    product: windows
    category: ps_script
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.Drawing.Bitmap'
            - '.png'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Legitimate image processing scripts
level: medium

KQL Query

KQL — Microsoft Sentinel / Defender
// Hunt for connections to known C2 domains and IPs from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com") 
   or RemoteIP == "103.241.66.238"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| extend IOCSource = case(
    RemoteUrl has "fanonlyatn", "TwizAdmin",
    RemoteUrl has "livemicrosft", "Lazarus Mach-O Man",
    RemoteUrl has "everycarebd", "PureLogs",
    RemoteIP == "103.241.66.238", "TwizAdmin C2",
    "Unknown"
)

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for TwizAdmin and Checkmarx KICS Compromise
$ErrorActionPreference = "SilentlyContinue"

Write-Host "[+] Starting Hunt for TwizAdmin C2 and Compromised KICS Binaries..." -ForegroundColor Cyan

# 1. Check Network Connections for TwizAdmin C2 IP
$C2IP = "103.241.66.238"
$C2Port = "1337"
$connections = Get-NetTCPConnection -RemoteAddress $C2IP -ErrorAction SilentlyContinue
if ($connections) {
    Write-Host "[!!!] ALERT: Found active connection to TwizAdmin C2 $C2IP" -ForegroundColor Red
    $connections | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
} else {
    Write-Host "[-] No active connections to $C2IP detected." -ForegroundColor Green
}

# 2. Scan for compromised KICS file hashes (MD5 and SHA256 from Pulse)
$MaliciousHashes = @(
    "d47de3772f2d61a043e7047431ef4cf4", # MD5
    "e1023db24a29ab0229d99764e2c8deba", # MD5
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b", # SHA256
    "24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9"  # SHA256
)

$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $drives) {
    Write-Host "[+] Scanning $drive for KICS binaries..." -ForegroundColor Yellow
    # Searching for common KICS binary names/extensions
    $files = Get-ChildItem -Path $drive -Recurse -Include "kics","kics.exe" -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
        $hashMD5 = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash.ToLower()
        
        if ($MaliciousHashes -contains $hash -or $MaliciousHashes -contains $hashMD5) {
            Write-Host "[!!!] ALERT: Compromised KICS binary found at $($file.FullName)" -ForegroundColor Red
        }
    }
}
Write-Host "[+] Hunt Complete."


# Response Priorities

*   **Immediate:**
    *   Block all domains and IP addresses listed in the IOC Analysis at the perimeter firewall and proxy.
    *   Isolate any endpoints showing signs of connection to `103.241.66[.]238` or `fanonlyatn.xyz`.
    *   Quarantine the trojanized Docker images (`checkmarx/kics:v2.1.20`, `v2.1.21`, `alpine`) and uninstall VS Code extension versions 1.17.0 and 1.19.0.

*   **24h:**
    *   Initiate credential resets for users with potential browser exposure due to PureLogs or TwizAdmin infection.
    *   Scan developer workstations and build servers for the malicious KICS hashes.
    *   Investigate macOS devices for signs of "Mach-O Man" (Terminal spawning Python or Curl processes).

*   **1 Week:**
    *   Review and harden supply chain security; implement image signature verification for Docker images.
    *   Conduct security awareness training specifically focusing on "ClickFix" social engineering and fake meeting invites.
    *   Update EDR policies to detect steganography techniques (reading image files via scripts).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialstwizadminlazarus-groupsupply-chain-attackinfostealercobalt-strike

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action