TwizAdmin MaaS & JINX-0164 Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 28, 2026

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated, financially motivated threat operations targeting high-value financial and development sectors. The DataBreachPlus group is actively deploying the TwizAdmin Malware-as-a-Service (MaaS) platform, featuring a multi-stage attack chain capable of cryptocurrency clipboard hijacking, BIP-39 seed phrase theft, and ransomware delivery via a FastAPI-based C2. Simultaneously, the JINX-0164 actor is conducting precise supply chain attacks against cryptocurrency infrastructure, utilizing typosquatting and social engineering on LinkedIn to deliver custom macOS malware (AUDIOFIX, MINIRAT). These campaigns are supported by a massive expansion in malicious infrastructure, with over 1,350 C2 servers identified in the Middle East (hosted largely by STC) supporting APT groups like Energetic Bear and APT28.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin)

  • Malware Families: TwizAdmin (Java RAT Builder), crpx0 (Ransomware).
  • Objective: Cryptocurrency theft via clipboard hijacking (8 chains) and credential exfiltration, followed by ransomware extortion.
  • Distribution: Phishing campaigns utilizing FedEx-themed lures targeting Windows and macOS.
  • C2 & Persistence: Utilizes a FastAPI-based panel at 103.241.66[.]238:1337. Features a license key system for malware management.

JINX-0164

  • Malware Families: AUDIOFIX (Python-based Infostealer/RAT), MINIRAT (Go backdoor).
  • Objective: Long-term persistence within crypto organizations to steal source code and credentials.
  • Distribution: LinkedIn social engineering (recruiter personas), npm trojans, and CI/CD hijacking.
  • Infrastructure: Uses typosquatted domains like login.teamicrosoft.com and driver-updater.net to facilitate initial access.

IOC Analysis

The provided indicators span multiple layers of the attack chain:

  • Domains/URLs: High-risk typosquatted domains (login.teamicrosoft.com, live.us.org) used for credential harvesting and payload delivery. Legitimate-looking URLs (fanonlyatn.xyz) host malicious payloads.
  • File Hashes: Numerous SHA256 hashes correspond to the TwizAdmin payloads and Python/Go binaries for JINX-0164. These should be blocked immediately on endpoints.
  • Network Infrastructure: A concentration of C2 IPs (e.g., 37.32.15.8, 197.51.170.131) linked to Middle Eastern hosting providers, correlating with a surge in APT activity.
  • CVE Reference: CVE-2025-11953 is associated with the Middle East infrastructure campaign, suggesting an active exploitation vector for initial access.

SOC teams should ingest the domains and IPs into firewall blocklists and SIEM correlation engines. File hashes must be added to EDR block-lists for prevention, not to exclusion allow-lists.
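The ingest step above is where feeds most often go wrong: indicators arrive defanged (`103.241.66[.]238`), hashes arrive in mixed case, and a domain list that is matched by exact string misses subdomains. The following Python is an added example, not code from the Security Arsenal post; it normalises the post's own IOCs into a matcher and runs a few constructed telemetry records through it. The event field names (`dst_host`, `dst_ip`, `sha256`) are assumptions for the sample, not a real product schema.

```python
# Added example (not from the Security Arsenal post): normalise the post's IOCs
# into a matcher and run constructed sample telemetry through it.
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators copied from the post; the defanged IP form is how feeds usually ship them.
RAW_DOMAINS = ["login.teamicrosoft.com", "live.us.org", "driver-updater.net", "fanonlyatn.xyz"]
RAW_IPS = ["103.241.66[.]238", "37.32.15.8", "197.51.170.131"]
RAW_HASHES = [
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo common defanging ([.], (.), [dot], hxxp) so indicators match raw telemetry."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    v = re.sub(r"^hxxps?://", "", v)
    return v


@dataclass
class IocSet:
    domains: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    sha256: set[str] = field(default_factory=set)
    rejected: list[str] = field(default_factory=list)  # malformed entries, kept for review


def build_ioc_set(domains, ips, hashes) -> IocSet:
    """Refang, validate and bucket indicators; anything malformed is rejected, not silently dropped."""
    s = IocSet()
    for d in domains:
        s.domains.add(refang(d))
    for ip in ips:
        r = refang(ip)
        try:
            ipaddress.ip_address(r)
            s.ips.add(r)
        except ValueError:
            s.rejected.append(ip)
    for h in hashes:
        h = h.strip().lower()
        if SHA256_RE.match(h):
            s.sha256.add(h)
        else:
            s.rejected.append(h)
    return s


def domain_matches(host: str, iocs: IocSet) -> bool:
    """Exact match or a subdomain of a listed domain (www.live.us.org hits live.us.org,
    but alive.us.org does not)."""
    host = refang(host).rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs.domains)


def match_event(event: dict, iocs: IocSet) -> list[str]:
    """Return the indicator types an event hits; an empty list means no match."""
    hits = []
    if event.get("dst_host") and domain_matches(event["dst_host"], iocs):
        hits.append("domain")
    if event.get("dst_ip") in iocs.ips:
        hits.append("ip")
    if (event.get("sha256") or "").lower() in iocs.sha256:
        hits.append("sha256")
    return hits


# Constructed sample telemetry (not real logs); field names are an assumption.
SAMPLE_EVENTS = [
    {"src": "ws-042", "dst_host": "www.live.us.org", "dst_ip": "198.51.100.7"},
    {"src": "ws-042", "dst_host": "example.com", "dst_ip": "103.241.66.238", "dst_port": 1337},
    {"src": "ws-017", "sha256": "06299676B43749B8477C4BC977C09512957FC9B66FD5030C1874069632CE6092"},
    {"src": "ws-017", "dst_host": "docs.python.org", "dst_ip": "203.0.113.9"},
]


def hunt(events=SAMPLE_EVENTS, iocs=None) -> list[tuple[str, list[str]]]:
    """Return (source host, hit types) for every event that matches at least one indicator."""
    iocs = iocs or build_ioc_set(RAW_DOMAINS, RAW_IPS, RAW_HASHES)
    return [(e["src"], hits) for e in events if (hits := match_event(e, iocs))]


if __name__ == "__main__":
    for src, hits in hunt():
        print(f"{src}: {', '.join(hits)}")
```

Two design points carry over to a real pipeline: reject malformed indicators loudly rather than letting a typo quietly shrink the blocklist, and match domains by label boundary so subdomains are caught without a substring match on `us.org` sweeping in unrelated hosts.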

Detection Engineering

Sigma Rules

---
title: Potential TwizAdmin Java RAT Execution
id: 3a9f1c2b-8d4e-4f5a-9b1c-2d3e4f5a6b7c
description: Detects suspicious Java execution patterns often associated with TwizAdmin RAT builder activity, specifically spawned from user directories or document viewers.
status: experimental
date: 2026/05/29
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\java.exe'
      - '\javaw.exe'
    ParentImage|contains:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\Reader.exe'
  condition: selection
falsepositives:
  - Legitimate business applications running Java macros
level: high
tags:
  - attack.execution
  - attack.t1059.005
---
title: JINX-0164 Typosquatting Domain Access
id: 4b0g2d3c-9e5f-5g6b-0c2d-3e4f5g6a7c8d
description: Identifies network connections to known JINX-0164 typosquatted domains used for credential harvesting and payload delivery.
status: experimental
date: 2026/05/29
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'teamicrosoft.com'
      - 'live.us.org'
      - 'driver-updater.net'
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001
---
title: Suspicious Python Script Execution from Temp
id: 5c1h3e4d-0f6g-6h7c-1d3e-4f5g6h7a8d9e
description: Detects execution of Python scripts (potentially AUDIOFIX) from temporary or download directories, a common behavior in JINX-0164 attacks.
status: experimental
date: 2026/05/29
author: Security Arsenal
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|contains: '/python'
    CommandLine|contains:
      - '/tmp/'
      - '/Downloads/'
    ParentImage|contains:
      - 'Teams'
      - 'Safari'
      - 'Chrome'
  condition: selection
falsepositives:
  - Developer testing scripts
level: medium
tags:
  - attack.execution
  - attack.t1059.006
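The process-creation rules above lean entirely on Sigma's `|endswith` and `|contains` string modifiers, on list values being OR-ed, and on the fields of a selection being AND-ed (with string comparison case-insensitive by default). Before shipping such rules it is worth exercising those semantics on a handful of events. The following Python is an added example, not code from the post or from the Sigma project: a minimal evaluator with the two process-creation detections transcribed as dictionaries, run over constructed events. The domain rule is left out because it is plain indicator matching, and the event records are invented samples, not real EDR output.

```python
# Added example (not from the post or the Sigma project): a minimal evaluator for
# the string modifiers the post's process_creation rules rely on.
from typing import Any


def _values(v: Any) -> list[str]:
    """A Sigma value may be a scalar or a list; normalise to a list (list members are OR-ed)."""
    return v if isinstance(v, list) else [v]


def field_matches(event: dict, key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier: value(s)' entry. Sigma string matching is case-insensitive."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False  # a missing field never matches
    actual = str(actual).lower()
    for candidate in _values(expected):
        c = str(candidate).lower()
        if modifier == "contains" and c in actual:
            return True
        if modifier == "endswith" and actual.endswith(c):
            return True
        if modifier == "startswith" and actual.startswith(c):
            return True
        if modifier == "" and actual == c:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """Every field entry in a selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# The detection blocks transcribed from the post's two process_creation rules
# (both use 'condition: selection').
RULES = {
    "Potential TwizAdmin Java RAT Execution": {
        "logsource": {"category": "process_creation", "product": "windows"},
        "selection": {
            "Image|endswith": ["\\java.exe", "\\javaw.exe"],
            "ParentImage|contains": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\Reader.exe"],
        },
    },
    "Suspicious Python Script Execution from Temp": {
        "logsource": {"category": "process_creation", "product": "macos"},
        "selection": {
            "Image|contains": "/python",
            "CommandLine|contains": ["/tmp/", "/Downloads/"],
            "ParentImage|contains": ["Teams", "Safari", "Chrome"],
        },
    },
}


def evaluate(event: dict) -> list[str]:
    """Return the titles of rules whose logsource and selection both match the event."""
    hits = []
    for title, rule in RULES.items():
        ls = rule["logsource"]
        if event.get("category") != ls["category"] or event.get("product") != ls["product"]:
            continue
        if selection_matches(event, rule["selection"]):
            hits.append(title)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Program Files\\Java\\jre\\bin\\javaw.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Program Files\\Java\\jre\\bin\\java.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"category": "process_creation", "product": "macos",
     "Image": "/usr/bin/python3",
     "CommandLine": "/usr/bin/python3 /Users/dev/Downloads/audio_fix.py",
     "ParentImage": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"category": "process_creation", "product": "macos",
     "Image": "/usr/bin/python3",
     "CommandLine": "python3 /tmp/build.py",
     "ParentImage": "/bin/zsh"},
]


def run_all(events=SAMPLE_EVENTS) -> list[list[str]]:
    """Evaluate every sample event; each entry is the list of rule titles it triggered."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for e, hits in zip(SAMPLE_EVENTS, run_all()):
        print(e["Image"], "->", hits or "no match")
```

The fourth sample is the instructive one: a Python script run from `/tmp/` by a shell does not fire, because the rule ANDs the parent-process list with the path list. That is by design (it keeps developer noise down, as the rule's `falsepositives` entry anticipates), but it also means a loader that is launched from a terminal rather than a browser or Teams is outside this rule's coverage and needs a separate detection.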

KQL (Microsoft Sentinel)

// Hunt for TwizAdmin and JINX-0164 Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("fanonlyatn.xyz", "driver-updater.net", "live.us.org", "teamicrosoft.com") 
   or RemoteIP in ("37.32.15.8", "197.51.170.131", "89.36.224.5", "93.113.62.247", "94.252.245.193")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IOCMatch = "OTX_2026-05-29"

PowerShell IOC Hunt Script

# TwizAdmin & JINX-0164 IOC Hunter
# Checks for specific file hashes and suspicious network connections

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Enumerate mounted, non-empty file-system drives (network drives included)
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "\" -and $_.Used -gt 0 }

foreach ($Drive in $Drives) {
    Write-Host "Scanning drive: $($Drive.Root)"
    try {
        $Files = Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.bin, *.py, *.sh
        
        foreach ($File in $Files) {
            $Hash = Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($Hash -and $TargetHashes -contains $Hash.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName) | Hash: $($Hash.Hash)" -ForegroundColor Red
            }
        }
    }
    catch {
        # Ignore access errors
    }
}

Write-Host "[+] Checking for established C2 connections (Port 1337)..." -ForegroundColor Cyan
Get-NetTCPConnection -State Established -RemotePort 1337 -ErrorAction SilentlyContinue | 
Select-Object LocalAddress, RemoteAddress, OwningProcess | 
Format-Table -AutoSize

Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate:
    • Block all listed IOCs (Domains, IPs, Hashes) at the perimeter and endpoint level.
    • Isolate endpoints with observed connections to 103.241.66[.]238 or fanonlyatn.xyz.
  • 24 Hours:
    • Initiate credential resets for users identified as potential targets of the TwizAdmin infostealer (specifically browser credentials).
    • Verify identity of recent LinkedIn connection requests for development staff (JINX-0164 vector).
  • 1 Week:
    • Audit CI/CD pipelines for unauthorized npm packages or supply chain tampering.
    • Review network traffic logs for the Middle Eastern IP ranges indicated in the infrastructure report to identify potential dormant C2 beacons.
