Back to Intelligence

TwizAdmin MaaS & Lazarus Mach-O Man: Cross-Platform Infostealer Surge — OTX Pulse Analysis

SA
Security Arsenal Team
May 22, 2026
8 min read

Recent OTX pulses indicate a surge in sophisticated credential theft campaigns targeting enterprise environments. These operations are primarily driven by two distinct but equally dangerous threats:

  1. TwizAdmin Operation (DataBreachPlus): A comprehensive Malware-as-a-Service (MaaS) platform offering a multi-stage attack chain. It integrates crypto-clipping (impacting 8 blockchains), BIP-39 seed phrase theft, browser credential exfiltration, and a modular ransomware component (crpx0). The operation utilizes a FastAPI-based C2 panel (103.241.66[.]238:1337) and demonstrates cross-platform capabilities (Windows/macOS), distributing via FedEx-themed lures.

  2. Lazarus Group "Mach-O Man" Campaign: A state-sponsored actor actively targeting the finance and technology sectors. The group employs ClickFix social engineering tactics, utilizing fake meeting invitations spread via Telegram. Victims are redirected to fraudulent collaboration sites and manipulated into executing terminal commands that deploy Mach-O Man, a macOS-native infostealer and RAT, which exfiltrates data via Telegram.

Collective Objective: The primary objective across these pulses is the wholesale theft of credentials (browser-stored, crypto wallets, session tokens) and financial assets, coupled with establishing persistence for subsequent ransomware or espionage activities. The convergence of MaaS (TwizAdmin) and APT tactics (Lazarus) lowers the barrier to entry for high-impact credential theft.

Threat Actor / Malware Profile

Threat Actor 1: DataBreachPlus (TwizAdmin)

  • Malware Families: TwizAdmin (Loader/Stealer), crpx0 (Ransomware), Java RAT
  • Distribution Method: Phishing campaigns with masqueraded logistics themes (e.g., FedEx delivery notifications).
  • Payload Behavior:
    • Clipboard Hijacking: Actively monitors and replaces cryptocurrency wallet addresses across 8 different blockchain networks.
    • Infostealing: Targets browser credentials, cookies, and autocomplete data. Specifically hunts for BIP-39 seed phrases for wallet recovery.
    • Ransomware: The crpx0 module can be deployed for extortion.
  • C2 Communication: Communicates with a managed FastAPI panel on TCP port 1337 (e.g., 103.241.66[.]238), using a license key system for operational control.
  • Persistence: Unknown specifics, but likely via scheduled tasks or startup registry keys given its malware-as-a-service nature.
  • Anti-Analysis: Uses a license key system and likely obfuscation/encryption for payloads to evade static analysis.

Threat Actor 2: Lazarus Group (Mach-O Man)

  • Malware Families: Mach-O Man, PyLangGhostRAT
  • Distribution Method: "ClickFix" attacks via Telegram. Victims receive fake meeting invites that redirect to cloned collaboration platforms (Zoom, MS Teams, Google Meet).
  • Payload Behavior:
    • Social Engineering: Triggers a fake browser error or software issue, prompting the user to copy and paste a malicious bash command into Terminal.
    • Infostealing: The Mach-O Man malware steals browser data, system information, and potentially credentials.
    • C2 Communication: Utilizes the Telegram API for C2 communication and data exfiltration, blending in with normal traffic.
  • Persistence: Likely achieved via LaunchAgents or LaunchDaemons to maintain execution upon macOS reboot.
  • Anti-Analysis: The multi-stage process and reliance on user-executed commands helps evade automated email gateways. The use of legitimate APIs (Telegram) also bypasses traditional network blocking.

IOC Analysis

The provided indicators of compromise (IOCs) are diverse and require a multi-layered detection approach:

  • Domains & URLs (e.g., fanonlyatn.xyz, livemicrosft.com): These serve as C2 infrastructure, payload delivery points, or phishing landing pages. SOC teams should immediately block these at the perimeter (DNS firewall, web proxy) and hunt for successful DNS resolutions or HTTP/HTTPS connections to these hosts in proxy or firewall logs.
  • File Hashes (SHA256): The numerous file hashes correspond to various stages of the malware payload (droppers, loaders, final payload). These should be imported into EDR solutions for immediate quarantine. Engineering teams should use tools like VirusTotal, Hybrid Analysis, or internal sandbox environments to detonate these samples and understand their behavior.
  • IP Addresses (e.g., 103.241.66[.]238): Direct C2 IPs are high-confidence indicators. Firewalls and IPS systems should be configured to block all inbound/outbound traffic to these addresses.

Operational Guidance: The sheer volume of hashes (23+ across all pulses) suggests the campaigns are highly active and variants are being released rapidly. Automation is key. Use your threat intelligence platform (TIP) to auto-push these IOCs to your security stack (SIEM, EDR, Firewall).

Detection Engineering

Sigma Rules

YAML
---
title: Suspicious PowerShell Command with Decoding Obfuscation
id: 7c3f8b9e-5a1f-4b8c-9c2d-3e6f7g8h9i0j
description: Detects PowerShell commands that use common decoding techniques (e.g., Base64, FromBase64String) often used in droppers like PawsRunner/TwizAdmin.
author: Security Arsenal
date: 2026/05/22
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'IEX '
      - 'Invoke-Expression'
  condition: selection
falsepositives:
  - Legitimate system administration scripts
level: medium
tags:
  - attack.execution
  - attack.t1059.001
---
title: Potential Mach-O Malware Execution on macOS
description: Detects execution of unsigned or recently created Mach-O binaries, which could be indicative of Mach-O Man or similar macOS malware.
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
author: Security Arsenal
date: 2026/05/22
status: experimental
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith:
      - '.app/Contents/MacOS/'
    EventType: 'exec'
  filter:
    SignedStatus: 'valid'
  condition: selection and not filter
falsepositives:
  - User-compiled binaries or new legitimate software installations
level: low
tags:
  - attack.execution
  - attack.t1059.004
---
title: C2 Communication to Known TwizAdmin or Lazarus Infrastructure
description: Detects network connections to known C2 domains or IPs associated with TwizAdmin or Lazarus campaigns from this OTX pulse.
id: f9e8d7c6-b5a4-9372-8190-abcdef123456
author: Security Arsenal
date: 2026/05/22
status: experimental
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'fanonlyatn.xyz'
      - 'livemicrosft.com'
      - 'everycarebd.com'
      - 'clo4shara.xyz'
    DestinationIp:
      - '103.241.66.238'
      - '5.101.84.202'
  condition: selection
falsepositives:
  - None, these are malicious domains
level: critical
tags:
  - attack.command_and_control
  - attack.t1071.001

KQL (Microsoft Sentinel)

// Hunt for suspicious process execution patterns related to infostealers // Looks for PowerShell with encoded commands or unusual child processes DeviceProcessEvents | where Timestamp > ago(7d) | where (ProcessCommandLine has "FromBase64String" or ProcessCommandLine has "IEX " or ProcessCommandLine has "Invoke-Expression") or (InitiatingProcessFileName has "powershell.exe" and ProcessCommandLine has "-enc ") | extend ParsedCommandLine = parse_command_line(ProcessCommandLine, "windows") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256 | summarize count() by DeviceName, FileName, ProcessCommandLine

// Hunt for network connections to known malicious domains/IPs DeviceNetworkEvents | where Timestamp > ago(7d) | where RemoteUrl has_any ("fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com", "clo4shara.xyz") or RemoteIP in ("103.241.66.238", "5.101.84.202") | project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine | summarize count() by DeviceName, RemoteUrl, RemoteIP

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for TwizAdmin and Lazarus Mach-O Man Activity
# This script checks for file artifacts and suspicious network connections.

Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# Define malicious hashes from OTX pulses
$maliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"
)

$cleanScan = $true

# Check for malicious file hashes on common user directories
$userDirs = @("C:\Users\*", "C:\ProgramData\")
foreach ($dir in $userDirs) {
    Write-Host "Scanning $dir for known malicious files..." -ForegroundColor Yellow
    Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($fileHash -in $maliciousHashes) {
            Write-Host "ALERT: Malicious file found at $($_.FullName) with hash $fileHash" -ForegroundColor Red
            $cleanScan = $false
        }
    }
}

# Check for suspicious network connections
Write-Host "Checking for active network connections to known C2 infrastructure..." -ForegroundColor Yellow
$c2Hosts = @("103.241.66.238", "5.101.84.202")
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($conn in $connections) {
    if ($conn.RemoteAddress -in $c2Hosts) {
        $owningProcess = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "ALERT: Active connection to C2 IP $($conn.RemoteAddress) from process $($owningProcess.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
        $cleanScan = $false
    }
}

# Check for suspicious persistence mechanisms (common locations)
Write-Host "Checking common persistence locations..." -ForegroundColor Yellow
$runKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue | 
        Get-Member -MemberType NoteProperty | 
        Where-Object {$_.Name -ne "PSPath" -and $_.Name -ne "PSParentPath" -and $_.Name -ne "PSChildName" -and $_.Name -ne "PSDrive" -and $_.Name -ne "PSProvider"} | 
        ForEach-Object {
            $value = (Get-ItemProperty -Path $key).$($_.Name)
            # Simple heuristic: look for base64-like strings or suspicious paths
            if ($value -match "[A-Za-z0-9+/]{50,}={0,2}" -or $value -match "\\AppData\\Roaming\\.*\.exe" -and $value -notmatch "Program Files") {
                Write-Host "WARNING: Suspicious Run key found at $key\$($_.Name): $value" -ForegroundColor Yellow
                $cleanScan = $false
            }
        }
    }
}

if ($cleanScan) {
    Write-Host "No known IOCs or suspicious artifacts found." -ForegroundColor Green
} else {
    Write-Host "Hunt complete. Potential threats were detected." -ForegroundColor Red
}


# Response Priorities

**Immediate Actions:**
*   **Block IOCs:** Immediately ingest and block all listed domains, URLs, and IP addresses at the network perimeter (firewall, secure web gateway, DNS filter).
*   **Quarantine Malicious Files:** Use EDR capabilities to isolate any endpoints with identified file hashes.
*   **Hunt for Persistence:** Initiate the provided PowerShell script or KQL queries across the enterprise fleet to identify active infections.

**24-Hour Actions:**
*   **Credential Audit:** Since both campaigns are credential theft-focused, assume potential compromise for accounts used on impacted endpoints. Initiate forced password resets and multi-factor authentication (MFA) challenges for high-privilege and finance-related accounts.
*   **Investigate Lateral Movement:** Analyze network logs for any lateral movement from potentially compromised devices.
*   **User Awareness:** Issue a security advisory to users, specifically warning against unexpected FedEx notifications and fake meeting links, especially those requesting terminal commands.

**1-Week Actions:**
*   **Application Control:** Implement or refine application control policies (e.g., AppLocker) to restrict the execution of unsigned binaries and scripts from user directories.
*   **Web Filtering:** Update web filtering categories to block newly identified malicious TLDs and domains.
*   **Phishing Simulation:** Conduct phishing simulations to train users on identifying social engineering tactics like ClickFix and credential harvesting lures.
*   **Patch Management:** Verify all systems are patched against relevant CVEs (like the one mentioned in the Ghost CMS pulse, if applicable to your environment).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialstwizadminmach-o-maninfostealerlazarus-groupcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action