
TwizAdmin, Lumma, and SectopRAT: Multi-Vector Infostealer Campaigns Leveraging Crypto Clipping, Smart Contracts, and Supply Chain Attacks — Enterprise Detection Pack

Security Arsenal Team
May 28, 2026
10 min read

Threat Summary

Recent OTX pulse data reveals a complex ecosystem of credential theft campaigns operating through multiple vectors. Five distinct threat actors are actively targeting organizations with sophisticated infostealers, crypto clippers, and supply chain compromises:

  1. DataBreachPlus operating the TwizAdmin campaign combines cryptocurrency clipboard hijacking across eight blockchain networks, BIP-39 seed phrase theft, browser credential exfiltration, and a ransomware module (crpx0). The operation targets both Windows and macOS platforms using FedEx-themed phishing lures and is managed through a FastAPI-based C2 panel with licensing controls.

  2. GHOST STADIUM, a Chinese-speaking threat actor, has deployed a massive FIFA World Cup 2026 phishing operation using Vidar and Lumma stealers across more than 4,300 fraudulent domains. The campaign primarily targets hospitality, media, and finance sectors in the Americas, using pixel-perfect clones of FIFA's authentication system.

  3. An unknown threat actor is exploiting EtherHiding techniques to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating immutable C&C infrastructure. The campaign delivers SectopRAT and ACRStealer payloads through compromised Swiss websites.

  4. A sophisticated supply chain attack compromised community-maintained Laravel Lang packages, introducing RCE backdoors across more than 700 versions. The attack appears to involve coordinated credential theft affecting multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions.

  5. Cloud Atlas (Inception Framework) continues targeting government entities in Russia and Belarus with multiple backdoors including PowerCloud, VBCloud, PowerShower, ReverseSocks, PhantomHeart, ValleyRAT, ABCDoor, and NetSupport RAT, delivered via phishing emails containing malicious ZIP archives with LNK shortcuts.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

Distribution Method:

  • FedEx-themed phishing emails with malicious attachments
  • Cross-platform targeting of Windows and macOS systems

Payload Behavior:

  • Multi-stage malware with modular architecture
  • Cryptocurrency clipboard hijacking across eight blockchain networks
  • BIP-39 seed phrase theft from cryptocurrency wallets
  • Browser credential exfiltration supporting multiple browsers
  • Ransomware module (crpx0) for encryption-based extortion
  • Java RAT builder capabilities
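The clipboard-hijacking behaviour listed above leaves a distinctive trace on the endpoint: a copied wallet address is replaced, within a fraction of a second and without any user action, by a different address of the same chain. The following detector is an added example written for this page; it is not TwizAdmin code and not part of the Security Arsenal detection pack. It runs over a constructed list of clipboard snapshots such as a polling agent would collect, and the address patterns are simplified format checks (no checksum verification) for the four chains shown.

```python
"""Clipboard-hijack (crypto clipper) detector over clipboard snapshots.

Added example, not TwizAdmin code or any vendor's product: it models the
behaviour the profile describes (a copied wallet address silently replaced by
another address of the same chain) and flags the swap. Input is a constructed
list of (timestamp_seconds, clipboard_text) snapshots as a clipboard-polling
agent would collect; the address patterns are simplified format checks.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified public address formats (syntax only, no checksum verification).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "tron": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


@dataclass
class ClipperAlert:
    chain: str
    original: str
    replacement: str
    delay_s: float


def classify(text: str) -> Optional[str]:
    """Return the chain whose address format the clipboard text matches, else None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], max_delay_s: float = 2.0) -> List[ClipperAlert]:
    """Flag an address replaced by a *different* address of the same chain within
    max_delay_s. A person rarely copies two distinct addresses of one chain within a
    couple of seconds; a clipper does exactly that right after the user's copy."""
    alerts: List[ClipperAlert] = []
    prev_ts: Optional[float] = None
    prev_text = ""
    prev_chain: Optional[str] = None
    for ts, text in snapshots:
        chain = classify(text)
        if (chain is not None and chain == prev_chain and text.strip() != prev_text
                and prev_ts is not None and ts - prev_ts <= max_delay_s):
            alerts.append(ClipperAlert(chain, prev_text, text.strip(), ts - prev_ts))
        prev_ts, prev_text, prev_chain = ts, text.strip(), chain
    return alerts


# Constructed snapshots: the second Ethereum address appears 400 ms after the first
# with no other clipboard activity in between, which is the clipper signature.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Tuesday"),
    (5.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (5.4, "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
    (30.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (95.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert.chain}] {alert.original} -> {alert.replacement} after {alert.delay_s:.1f}s")
```

The two Bitcoin addresses 65 seconds apart are not reported: the check keys on the delay between two same-chain addresses, not on the mere presence of addresses, which keeps ordinary wallet use out of the alert stream. An agent feeding this logic should also record which process last wrote the clipboard, since that is the fastest path to the clipper binary during triage.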

C2 Communication:

  • FastAPI-based management panel with license key system
  • C2 server at 103.241.66[.]238:1337 with exposed panel interface
  • Domain infrastructure including fanonlyatn.xyz

Persistence Mechanism:

  • Likely through scheduled tasks or registry modifications (Windows)
  • Launch agents or login items (macOS)

Anti-Analysis Techniques:

  • License key verification system for malware builder
  • Modular architecture allowing component isolation

GHOST STADIUM

Distribution Method:

  • Facebook advertising exploitation to direct traffic to phishing sites
  • Over 4,300 fraudulent domains impersonating FIFA's official website
  • 300+ domains hosting pixel-perfect clones of FIFA's authentication system

Payload Behavior:

  • Vidar stealer for credential and data theft
  • Lumma stealer for browser credential harvesting
  • Targeting of hospitality, media, and finance sectors

C2 Communication:

  • Distributed across 300+ phishing domains
  • Key domains include fifa.gold, fifa.black, fifa.tax, fifaweb.com, fifa.red, fifa.fund
  • C2 IP infrastructure includes 148.178.22.16

Persistence Mechanism:

  • Browser-based credential theft without local malware persistence
  • Cookie hijacking for session takeover

Anti-Analysis Techniques:

  • Pixel-perfect cloning of legitimate authentication systems
  • Rapid domain registration to stay ahead of blocklists
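Because the actor registers domains faster than blocklists update, an exact-match list of the domains above catches only what has already been reported. The following hunt is an added example, not part of the Security Arsenal pack or any vendor's tooling: it reads constructed DNS query log lines, reports any query whose registrable domain is in the profile's list, and also flags unlisted registrable domains that carry the brand token in their registered label. The log format, the allowlist (fifa.com) and the small two-level suffix set are assumptions made for the example; a production version would use a public-suffix library.

```python
"""DNS-log hunt for GHOST STADIUM infrastructure and FIFA-brand lookalike domains.

Added example, not code from the Security Arsenal team or from any vendor. It
generalises the exact-match domain list from the profile: any query whose
registrable domain is in the list is reported, and so is any unlisted
registrable domain that carries the brand token in its registered label.
Log format, allowlist and suffix list are constructed for the example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Domains named in the profile
IOC_DOMAINS = {"fifa.gold", "fifa.black", "fifa.tax", "fifaweb.com", "fifa.red", "fifa.fund"}
BRAND_TOKENS = ("fifa",)
# Assumption: the brand's legitimate registrable domains (extend from your own allowlist)
ALLOWLIST = {"fifa.com"}
# Tiny stand-in for the public suffix list; use a real PSL library in production
TWO_LEVEL_SUFFIXES = {"com.au", "co.uk", "com.br", "co.jp"}

# Constructed log format: "<timestamp> <host> dns query=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dns query=(?P<qname>\S+)")


class Finding(NamedTuple):
    ts: str
    host: str
    query_name: str
    registrable: str
    reason: str


def registrable_domain(qname: str) -> str:
    """Collapse a query name to its registrable domain (example.com, example.com.au)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_query(qname: str) -> Tuple[str, Optional[str]]:
    """Return (registrable_domain, reason) where reason is None for unremarkable queries."""
    reg = registrable_domain(qname)
    if reg in IOC_DOMAINS:
        return reg, "known GHOST STADIUM domain"
    if reg in ALLOWLIST:
        return reg, None
    registered_label = reg.split(".")[0]
    for token in BRAND_TOKENS:
        if token in registered_label:
            return reg, f"brand lookalike: '{token}' in unlisted domain"
    return reg, None


def hunt(log_lines: List[str]) -> List[Finding]:
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a DNS query record
        reg, reason = classify_query(match["qname"])
        if reason:
            findings.append(Finding(match["ts"], match["host"], match["qname"], reg, reason))
    return findings


# Constructed DNS log lines
SAMPLE_LOG = [
    "2026-05-27T09:12:01Z ws-0412 dns query=www.fifa.com",
    "2026-05-27T09:12:05Z ws-0412 dns query=login.fifa.red",
    "2026-05-27T09:13:40Z ws-0098 dns query=fifa-tickets2026.example",
    "2026-05-27T09:14:02Z ws-0098 dns query=cdn.example.net",
    "2026-05-27T09:15:11Z ws-0201 dns query=fifaweb.com",
    "2026-05-27T09:15:12Z ws-0201 http GET /",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.query_name} ({f.registrable}): {f.reason}")
```

The lookalike branch is a triage lead rather than a block decision: it will also surface legitimate fan or news sites that carry the brand in their name, so new hits should be checked against registration age and hosting before they are added to the blocklist.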

SectopRAT/ACRStealer (EtherHiding Campaign)

Distribution Method:

  • Compromised Swiss websites with injected JavaScript
  • Smart contract-based payload delivery routing

Payload Behavior:

  • SectopRAT for remote access and control
  • ACRStealer for credential and data theft
  • Bypass of anti-analysis checks before payload delivery

C2 Communication:

  • Immutable C&C infrastructure using BNB Smart Chain testnet smart contracts
  • EtherHiding technique for storing payload routing instructions
  • Key domains: afraid.veloitall.cfd, root-cul.xamir3on.lat, ohn.stainedunstitch.work, getcfgs.qen9varol.lat, ootid.srv-auth-dlt-msh.in.net

Persistence Mechanism:

  • Browser compromise through injected JavaScript
  • Potential registry modifications for RAT persistence

Anti-Analysis Techniques:

  • Blockchain-based C&C infrastructure resistant to takedown
  • Anti-checking routines to avoid analysis environments
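Since the routing instructions live in a contract on the BNB Smart Chain testnet, the script injected into a compromised site has to read that contract through a public JSON-RPC endpoint before it can fetch a payload, which is something an ordinary workstation browser almost never does. The detection below is an added example, not code from the Security Arsenal pack or any vendor: it inspects constructed proxy events for read-only JSON-RPC calls (eth_call and similar) from browsers to chain RPC nodes and extracts the contract address and function selector for the analyst. The event shape, the RPC host list, and the contract address and selector in the sample are assumptions constructed for the example (the two prebsc hosts are public BSC testnet seed nodes).

```python
"""Proxy-log detection for browser-originated smart-contract reads (EtherHiding).

Added example, not code from the Security Arsenal team or any vendor. The profile
states that payload routing instructions are stored in a BNB Smart Chain testnet
contract; the injected script on a compromised site therefore has to read that
contract through a public JSON-RPC endpoint (a read-only call such as eth_call).
Event shape, RPC host list, contract address and selector below are constructed.
"""
import json
from typing import Any, Dict, List

# Assumption: public RPC hosts maintained by the defender. The two prebsc hosts are
# public BNB Smart Chain testnet seed nodes; extend with mainnet seeds and RPC providers.
RPC_HOSTS = {
    "data-seed-prebsc-1-s1.binance.org",
    "data-seed-prebsc-2-s1.binance.org",
    "bsc-dataseed.binance.org",
}
# Read-only methods a loader uses to fetch instructions stored in a contract
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}


def parse_rpc_request(body: str) -> List[Dict[str, Any]]:
    """Return the JSON-RPC 2.0 request objects in a POST body (single or batch), else []."""
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return []
    items = payload if isinstance(payload, list) else [payload]
    return [r for r in items if isinstance(r, dict) and r.get("jsonrpc") == "2.0" and "method" in r]


def inspect_event(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """event keys: src_host, dst_host, user_agent, body. Returns zero or more findings."""
    if event.get("dst_host", "").lower() not in RPC_HOSTS:
        return []
    findings = []
    for req in parse_rpc_request(event.get("body", "")):
        if req["method"] not in READ_METHODS:
            continue
        params = req.get("params") or []
        call = params[0] if params and isinstance(params[0], dict) else {}
        data = call.get("data", "") or ""
        from_browser = event.get("user_agent", "").startswith("Mozilla/")
        findings.append({
            "src_host": event.get("src_host"),
            "rpc_host": event["dst_host"],
            "method": req["method"],
            "contract": call.get("to"),
            "selector": data[:10],  # 4-byte function selector: which getter was read
            "severity": "high" if from_browser else "medium",
        })
    return findings


def hunt(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [f for e in events for f in inspect_event(e)]


# Constructed proxy events. The contract address and selector are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"src_host": "ws-0311", "dst_host": "data-seed-prebsc-1-s1.binance.org",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x1111111111111111111111111111111111111111",
                                     "data": "0xdeadbeef"}, "latest"]})},
    {"src_host": "build-07", "dst_host": "bsc-dataseed.binance.org",
     "user_agent": "curl/8.5.0",
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})},
    {"src_host": "ws-0311", "dst_host": "api.example.com", "user_agent": "Mozilla/5.0",
     "body": json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_call", "params": []})},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']}: {f['src_host']} -> {f['rpc_host']} {f['method']} "
              f"to={f['contract']} selector={f['selector']}")
```

The contract address recovered from the `to` field is the durable indicator in this campaign: the attacker can rotate the payload domains listed above by writing new values into the contract, but the contract itself and the selector the loader queries stay constant. The host allowlist is the weak point of the check, since a loader could be pointed at a self-hosted RPC proxy; pairing it with a generic rule for browser POST bodies containing `"jsonrpc":"2.0"` closes that gap.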

Laravel Lang Supply Chain Attack

Distribution Method:

  • Compromised community-maintained Laravel packages
  • Coordinated rapid tag publishing on May 22-23, 2026
  • Affected repositories: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions

Payload Behavior:

  • Remote code execution backdoor through compromised helpers.php files
  • Information stealer functionality (helpers.php stealer)
  • Additional payload: DebugChromium.exe

C2 Communication:

  • flipboxstudio.info (the domain used as the Laravel Lang network indicator in the detection content below)
Persistence Mechanism:

  • Embedded in development dependencies
  • Automatic inclusion in application builds using compromised packages

Anti-Analysis Techniques:

  • Supply chain attack making detection difficult
  • Organization-level credential compromise allowing repository access
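Auditing a project for this compromise comes down to two checks: which laravel-lang packages composer.lock pins, and when those tags were published relative to the May 22-23 window; then whether the vendored helpers.php files carry the indicators used in the detection content (flipboxstudio.info, eval and base64_decode). The script below is an added example, not code from the Security Arsenal pack, from Socket or from the laravel-lang project. The composer.lock excerpt, package versions, timestamps and file contents are constructed, and the publishing window is taken as UTC (an assumption the page does not state).

```python
"""Audit a Laravel project's composer.lock and vendor helpers.php files for the
Laravel Lang compromise.

Added example, not code from the Security Arsenal team, Socket or the laravel-lang
project. It applies the facts from the profile: the four named packages, the
coordinated tag publishing on May 22-23, 2026, and the indicators used in the
detection content. Versions, timestamps and file contents below are constructed;
the time window is taken as UTC (assumption).
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List

AFFECTED_VENDOR_PREFIX = "laravel-lang/"
NAMED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)  # exclusive: covers May 22 and 23
SUSPICIOUS_CODE = re.compile(
    r"flipboxstudio\.info|\beval\s*\(|\bbase64_decode\s*\(|\bshell_exec\s*\(|\bsystem\s*\(",
    re.IGNORECASE,
)


def audit_lock(lock_text: str) -> List[Dict[str, object]]:
    """List every laravel-lang/* package in composer.lock with the reasons it needs review."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.startswith(AFFECTED_VENDOR_PREFIX):
                continue
            reasons = []
            if name in NAMED_PACKAGES:
                reasons.append("package named in the compromise")
            published = pkg.get("time")
            if published:
                ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
                if WINDOW_START <= ts < WINDOW_END:
                    reasons.append("tag published inside the May 22-23 window")
            findings.append({"section": section, "name": name,
                             "version": pkg.get("version"), "time": published, "reasons": reasons})
    return findings


def scan_helpers(files: Dict[str, str]) -> Dict[str, str]:
    """files: vendor-relative path -> contents (read from disk in practice).
    Returns path -> first suspicious token found in a laravel-lang helpers.php."""
    hits = {}
    for path, text in files.items():
        normalised = path.replace("\\", "/")
        if normalised.endswith("/helpers.php") and "/laravel-lang/" in normalised:
            match = SUSPICIOUS_CODE.search(text)
            if match:
                hits[path] = match.group(0)
    return hits


# Constructed composer.lock excerpt (versions and timestamps are invented)
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v12.1.0", "time": "2026-03-02T10:00:00+00:00"},
    ],
    "packages-dev": [
        {"name": "laravel-lang/lang", "version": "15.9.1", "time": "2026-05-22T21:14:07+00:00"},
        {"name": "laravel-lang/attributes", "version": "2.12.3", "time": "2026-03-02T08:30:00+00:00"},
    ],
})

# Constructed vendor files: one clean helper, one carrying the obfuscated-execution pattern
SAMPLE_FILES = {
    "vendor/laravel-lang/attributes/helpers.php": "<?php\nfunction lang_attr(string $k): string { return __($k); }\n",
    "vendor\\laravel-lang\\lang\\helpers.php": "<?php\n@eval(base64_decode($payload));\n",
}

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f['section']}: {f['name']} {f['version']} ({f['time']}) -> {f['reasons'] or 'review'}")
    for path, token in scan_helpers(SAMPLE_FILES).items():
        print(f"suspicious content in {path}: {token}")
```

Every laravel-lang package is reported even when neither reason applies, because the profile describes organization-level credential compromise across the vendor's repositories rather than a single bad release; a package outside the named four with a tag in the window deserves the same review. The helpers.php scan is a first pass only; a confirmed compromise is settled by comparing the vendored file against the upstream tag, not by the absence of these tokens.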

Cloud Atlas (Inception Framework)

Distribution Method:

  • Phishing campaigns with malicious ZIP archives containing LNK shortcuts
  • Targeting government organizations and commercial companies in Russia and Belarus

Payload Behavior:

  • Multiple backdoors including PowerCloud, VBCloud, PowerShower
  • Network reconnaissance via PowerShower
  • File theft through VBCloud
  • Additional tools: ReverseSocks, PhantomHeart, ValleyRAT, ABCDoor, NetSupport RAT

C2 Communication:

  • Multiple C2 servers: 46.17.44.125, 185.22.154.73, 195.58.49.9, 93.125.114.193, 194.102.104.207
  • Domain infrastructure: allgoodsdirect.com.au, istochnik.org
  • CVE exploitation: CVE-2018-0802 (Microsoft Office Equation Editor) for initial access

Persistence Mechanism:

  • Scheduled tasks for backdoor execution
  • Registry modifications for persistence

Anti-Analysis Techniques:

  • Multiple backdoors providing redundancy
  • Sophisticated anti-VM and sandbox detection
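The delivery chain above starts with a ZIP archive that carries an LNK shortcut, which a mail gateway can catch before the user ever sees it. The inspection routine below is an added example, not code from the Security Arsenal pack or any gateway product: it walks an archive's entries and flags shortcut or executable extensions, document-style double extensions (report.pdf.lnk), and any entry whose content begins with the Shell Link file header regardless of its name. The blocked-extension policy is an assumption, and the archive is built in memory from constructed data (a header-only fake LNK, not a working shortcut).

```python
"""Mail-gateway style inspection of ZIP attachments for LNK shortcuts.

Added example, not code from the Security Arsenal team or any vendor. The Cloud
Atlas profile describes phishing ZIP archives that carry LNK shortcuts; this walks
an archive's entries and flags shortcut/executable extensions, document-style
double extensions, and entries whose content starts with the Shell Link header
whatever the file is called. The archive below is constructed in memory.
"""
import io
import zipfile
from typing import Dict, List

# Assumed gateway policy: extensions that should never arrive inside a mail attachment
BLOCKED_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
# Shell Link (.LNK) file header: HeaderSize 0x4C followed by the start of the Link CLSID
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def inspect_zip(archive: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious entry; an unreadable archive is itself a finding."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return [{"name": None, "reasons": ["not a valid ZIP archive"]}]
    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("document double extension")
        if info.flag_bits & 0x1:
            # Password-protected entry: the name is all we can judge, so say so
            reasons.append("encrypted entry (content cannot be inspected)")
        elif info.file_size >= len(LNK_HEADER):
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            if head == LNK_HEADER:
                reasons.append("Shell Link header" + ("" if ext == ".lnk" else " under a non-.lnk name"))
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: a benign text file plus a header-only fake LNK with a
    document double extension (no shortcut data, so it does nothing if opened)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Please see the attached document.\n")
        zf.writestr("Invoice_2026-05.pdf.lnk", LNK_HEADER + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

The header check is what makes the rule robust against a sender who renames the shortcut: Windows Explorer decides how to open a file by extension, so a LNK under a .txt name is harmless, but the same bytes under a .pdf.lnk name with the extension hidden are exactly the lure described. Encrypted entries cannot be inspected, which is why the example reports them rather than passing them silently.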

IOC Analysis

The indicators of compromise across these pulse collections represent a diverse set of malicious infrastructure:

Domain-Based IOCs

  • Over 100 malicious domains including key infrastructure for GHOST STADIUM (fifa.gold, fifa.black, fifaweb.com, etc.), TwizAdmin (fanonlyatn.xyz), and SectopRAT/ACRStealer (afraid.veloitall.cfd, root-cul.xamir3on.lat, etc.)
  • These domains should be added to DNS sinkholes and blocklists immediately

IP Address IOCs

  • Multiple C2 infrastructure IPs including 103.241.66[.]238 (TwizAdmin), 148.178.22.16 (GHOST STADIUM), and several Cloud Atlas C2 servers
  • These IPs should be blocked at network firewalls

File Hash IOCs

  • SHA256 hashes for TwizAdmin samples including:
    • 06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092
    • 3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4
    • 584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527
    • 74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150
    • 9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec

CVE References

  • CVE-2018-0802 exploited by Cloud Atlas for initial access

Operational Recommendations for SOC Teams:

  1. Implement domain and IP blocking at perimeter firewalls and DNS resolvers
  2. Create EDR threat hunting queries for known file hashes
  3. Set up SIEM alerts for connections to identified C2 infrastructure
  4. Add the listed phishing domains to web proxy and secure web gateway block lists (with certificate pinning where an application supports it)
  5. Configure network monitoring for suspicious connections to port 1337 (TwizAdmin)
  6. Monitor for unusual outbound connections to blockchain-related endpoints
  7. Hunt for evidence of compromised Laravel packages in development environments

Recommended Tooling:

  • CrowdStrike Falcon for endpoint detection and hunting
  • Splunk or Microsoft Sentinel for log analysis and correlation
  • ThreatConnect or MISP for IOC management and sharing
  • AlienVault OTX API for continuous threat intelligence updates
  • YARA and Sigma rules for custom detection content

Detection Engineering

yaml
---
title: Potential TwizAdmin C2 Communication
id: 12cd3e45-6f78-90ab-c1d2-3e4f5a6b7c8d
description: Detects connections to the TwizAdmin C2 panel (103.241.66.238:1337) or its domain infrastructure
status: experimental
date: 2026-05-28
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection_domain:
        DestinationHostname|endswith: 'fanonlyatn.xyz'
    selection_ip:
        DestinationIp|startswith: '103.241.66.'
        DestinationPort: 1337
    condition: selection_domain or selection_ip
falsepositives:
    - Unlikely; the destination is attacker-controlled infrastructure
level: high
---
title: Laravel Lang Compromise Backdoor Execution
id: 23de4f56-7a89-01bc-d2e3-4f5a6b7c8d9e
description: Detects php.exe spawning a child process whose command line references the trojanised helpers.php or the flipboxstudio.info domain
status: experimental
date: 2026-05-28
author: Security Arsenal
references:
    - https://socket.dev/blog/laravel-lang-compromise
tags:
    - attack.initial_access
    - attack.t1195.001
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\php.exe'
        CommandLine|contains:
            - 'helpers.php'
            - 'flipboxstudio.info'
    condition: selection
falsepositives:
    - Developer tooling that legitimately invokes a helpers.php from PHP
level: critical
---
title: GHOST STADIUM Phishing Infrastructure
id: 34ef5a67-8b90-12cd-e3f4-5a6b7c8d9e0f
description: Detects DNS queries for GHOST STADIUM phishing domains and their subdomains
status: experimental
date: 2026-05-28
author: Security Arsenal
references:
    - https://www.group-ib.com/blog/ghost-stadium-football-fraud/
tags:
    - attack.initial_access
    - attack.t1566.002
    - attack.credential_access
logsource:
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - 'fifa.gold'
            - 'fifa.black'
            - 'fifa.tax'
            - 'fifaweb.com'
            - 'fifa.red'
            - 'fifa.fund'
            - 'fifa-com.shop'
    condition: selection
falsepositives:
    - Unlikely; the legitimate FIFA domain is fifa.com
level: high


kql
// Hunt for TwizAdmin-related network activity (Microsoft Defender advanced hunting)
let TwizAdminDomains = dynamic(["fanonlyatn.xyz"]);
let TwizAdminIPs = dynamic(["103.241.66.238"]);
let SuspiciousPorts = dynamic([1337]);
DeviceNetworkEvents
| where RemoteUrl has_any (TwizAdminDomains)
    or RemoteIP in (TwizAdminIPs)
    // port 1337 alone is weak evidence, so require a public destination for that branch
    or (RemotePort in (SuspiciousPorts) and RemoteIPType == "Public")
| extend threat = "TwizAdmin C2 Communication"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteUrl, RemoteIP, RemotePort, threat
| order by Timestamp desc


powershell
# IOC Hunt for TwizAdmin, GHOST STADIUM, Laravel Lang Compromise, and Cloud Atlas
# Author: Security Arsenal
# Date: 2026-05-28
# Run from an elevated prompt. All checks are read-only; nothing is modified or removed.

# TwizAdmin related file paths (wildcards in any segment are expanded by Get-ChildItem)
$twizAdminPaths = @(
    "C:\Windows\Temp\twizadmin*",
    "C:\Users\*\AppData\Local\Temp\crpx0*",
    "C:\Users\*\AppData\Roaming\FedEx*"
)

# GHOST STADIUM related domains to look for in the hosts file
$ghostStadiumDomains = @(
    "fifa.gold",
    "fifa.black",
    "fifa.tax",
    "fifaweb.com",
    "fifa.red",
    "fifa.fund",
    "fifa-com.shop"
)

# Laravel Lang compromise related file paths, relative to each Laravel project root.
# Add every directory under which Laravel projects are checked out on this host.
$laravelProjectRoots = @((Get-Location).Path)
$laravelRelativePaths = @(
    "vendor\laravel-lang\lang\helpers.php",
    "vendor\laravel-lang\http-statuses\helpers.php",
    "vendor\laravel-lang\attributes\helpers.php",
    "vendor\laravel-lang\actions\helpers.php"
)

# Cloud Atlas related autostart entries: value names under the current user's Run key
$cloudAtlasRunKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$cloudAtlasValueNames = @("PowerCloud", "VBCloud", "ValleyRAT")

# Function to check for TwizAdmin files
function Check-TwizAdminFiles {
    Write-Host "Checking for TwizAdmin files..." -ForegroundColor Yellow
    foreach ($path in $twizAdminPaths) {
        $files = Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue
        if ($files) {
            Write-Host "Found TwizAdmin-related files:" -ForegroundColor Red
            $files | ForEach-Object { Write-Host "  $($_.FullName)  (modified $($_.LastWriteTime))" }
        }
    }
}

# Function to check for GHOST STADIUM domains in the hosts file
function Check-GhostStadiumHosts {
    Write-Host "Checking for GHOST STADIUM domains in hosts file..." -ForegroundColor Yellow
    $hostsContent = Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
    if (-not $hostsContent) { return }
    foreach ($domain in $ghostStadiumDomains) {
        # Escape the domain so '.' matches literally, and ignore commented-out lines
        $pattern = [regex]::Escape($domain)
        $hits = $hostsContent | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
        if ($hits) {
            Write-Host "Found GHOST STADIUM domain in hosts file: $domain" -ForegroundColor Red
            $hits | ForEach-Object { Write-Host "  $_" }
        }
    }
}

# Function to check for Laravel Lang compromise files
function Check-LaravelCompromise {
    Write-Host "Checking for Laravel Lang compromise files..." -ForegroundColor Yellow
    foreach ($root in $laravelProjectRoots) {
        foreach ($relative in $laravelRelativePaths) {
            $path = Join-Path -Path $root -ChildPath $relative
            if (-not (Test-Path -Path $path -PathType Leaf)) { continue }
            Write-Host "Found Laravel Lang package file: $path" -ForegroundColor Red
            # Inspect the file for the C2 domain and obfuscated-execution primitives
            $content = Get-Content -Path $path -Raw -ErrorAction SilentlyContinue
            if ($content -match 'flipboxstudio\.info|\beval\s*\(|base64_decode\s*\(') {
                Write-Host "  File contains suspicious content!" -ForegroundColor Red
            }
        }
    }
}

# Function to check for Cloud Atlas autostart entries in the Run key
function Check-CloudAtlasRegistry {
    Write-Host "Checking for Cloud Atlas autostart entries..." -ForegroundColor Yellow
    if (-not (Test-Path -Path $cloudAtlasRunKey)) { return }
    foreach ($name in $cloudAtlasValueNames) {
        # Get-ItemProperty returns nothing when the value is absent
        $entry = Get-ItemProperty -Path $cloudAtlasRunKey -Name $name -ErrorAction SilentlyContinue
        if ($entry) {
            Write-Host "Found Cloud Atlas Run value: $name" -ForegroundColor Red
            Write-Host "  Command: $($entry.$name)"
        }
    }
}

# Function to check for network connections to C2 infrastructure
function Check-C2Connections {
    Write-Host "Checking for connections to C2 infrastructure..." -ForegroundColor Yellow
    $c2Ips = @(
        "103.241.66.238",
        "148.178.22.16",
        "46.17.44.125",
        "185.22.154.73",
        "195.58.49.9",
        "93.125.114.193",
        "194.102.104.207"
    )
    $c2Domains = @("flipboxstudio.info", "fanonlyatn.xyz")

    # Resolve C2 domains through the local DNS cache only (no live lookups that would
    # touch attacker infrastructure); a cached answer is itself evidence of contact.
    $cachedC2Ips = @()
    foreach ($domain in $c2Domains) {
        $entries = Get-DnsClientCache -ErrorAction SilentlyContinue |
                   Where-Object { $_.Entry -like "*$domain" -and $_.Type -eq 1 }   # 1 = A record
        if ($entries) {
            Write-Host "DNS cache holds an answer for C2 domain: $domain" -ForegroundColor Red
            $cachedC2Ips += $entries.Data
        }
    }
    $watchIps = $c2Ips + $cachedC2Ips

    # All TCP states, so half-open attempts (SYN_SENT) to the C2 are reported as well
    $connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
                   Where-Object { $_.RemoteAddress -in $watchIps -or $_.RemotePort -eq 1337 }
    if ($connections) {
        Write-Host "Found connections to C2 infrastructure:" -ForegroundColor Red
        foreach ($conn in $connections) {
            $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "  $($conn.RemoteAddress):$($conn.RemotePort) [$($conn.State)] - PID $($conn.OwningProcess) $($process.ProcessName)"
        }
    }
}

# Execute all checks
Check-TwizAdminFiles
Check-GhostStadiumHosts
Check-LaravelCompromise
Check-CloudAtlasRegistry
Check-C2Connections

Write-Host "IOC Hunt completed." -ForegroundColor Green

Response Priorities

Immediate Actions

  • Block all identified IOCs (domains, IPs, file hashes) at network perimeter and endpoints
  • Hunt for execution artifacts related to TwizAdmin, Laravel Lang compromise, and Cloud Atlas tools
  • Isolate potentially compromised systems showing indicators of malware execution
  • Implement DNS sinkholing for all identified malicious domains
  • Block network connections to port 1337 across the enterprise

24-Hour Actions

  • Conduct identity verification for accounts potentially compromised by credential stealers
  • Rotate credentials for users who may have accessed GHOST STADIUM phishing sites
  • Audit all Laravel projects for compromised lang packages and update to clean versions
  • Review and block any additional FedEx-themed emails with suspicious attachments
  • Scan development environments for indicators of Laravel Lang compromise
  • Implement enhanced monitoring for cryptocurrency wallet credential theft

One-Week Actions

  • Implement application whitelisting for development environments to prevent supply chain attacks
  • Enhance email filtering to detect FedEx-themed phishing campaigns
  • Deploy browser security extensions to detect and block credential harvesting sites
  • Conduct developer training on supply chain security and dependency verification
  • Implement package integrity verification for all open-source dependencies
  • Review and update incident response playbooks for multi-vector infostealer campaigns
  • Establish continuous monitoring of blockchain networks for C2 communication patterns
  • Implement zero-trust network access controls for all development environments
