
TwizAdmin MaaS & Lazarus Mach-O Man: Crypto Clipping, macOS ClickFix, and Middle East C2 Surge — Detection Pack

Security Arsenal Team
May 24, 2026

Threat Summary

Recent OTX pulses reveal a converging threat landscape involving financially motivated cybercrime and state-sponsored espionage. The TwizAdmin operation (actor: DataBreachPlus) is actively marketing a sophisticated Malware-as-a-Service (MaaS) platform, blending cryptocurrency clipboard hijacking (clipping) across eight chains with the crpx0 ransomware module and Java RAT capabilities. Simultaneously, the Lazarus Group is aggressively targeting the Finance and Technology sectors with a new macOS malware toolkit, Mach-O Man, delivered via ClickFix social engineering attacks. These campaigns are underpinned by a massive expansion of hostile infrastructure, with over 1,350 C2 servers identified in the Middle East alone, facilitating operations for actors ranging from APT28 to commodity malware distributors.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Type: Cybercrime / MaaS
  • Malware Families: TwizAdmin (Clipper/Infostealer), crpx0 (Ransomware), Java RAT.
  • Distribution: Phishing campaigns impersonating logistics brands (e.g., FedEx) to deliver multi-stage payloads targeting Windows and macOS.
  • Capabilities:
    • Crypto Clipping: Monitors clipboard to replace wallet addresses on 8 different blockchains.
    • Infostealing: Exfiltrates browser credentials and BIP-39 seed phrases.
    • C2: FastAPI-based panel with license key management, accessible via exposed ports (e.g., 1337).

Lazarus Group (Mach-O Man)

  • Type: Nation-State APT
  • Malware Families: Mach-O Man, PyLangGhostRAT.
  • Targeting: Finance, Technology, Fintech.
  • Distribution (ClickFix): Initial contact via Telegram fake meeting invitations, redirecting to fraudulent collaboration sites (impersonating Zoom/Teams). Victims are tricked into running terminal commands to "join" the meeting.
  • Capabilities:
    • Payload: Mach-O binaries bundled in Python-based environments.
    • Exfiltration: Uses Telegram for C2 communication and data theft.
    • Persistence: Utilizes macOS LaunchAgents to maintain access.

Infrastructure Landscape

  • Middle East C2 Surge: A report mapping 1,350+ C2 servers reveals high concentrations of malicious infrastructure on Saudi Telecom (STC). This infrastructure supports a wide array of malware including Phorpiex, AsyncRAT, Cobalt Strike, and Mirai, indicating a regional hub for offensive operations.

IOC Analysis

The provided IOCs span multiple tactics, requiring a multi-layered detection approach:

  • Domains & URLs:
    • fanonlyatn.xyz (TwizAdmin payload distribution).
    • livemicrosft.com (Lazarus typosquatting for ClickFix).
    • Action: Immediate blocklisting on DNS proxies and Secure Web Gateways (SWG). These domains host initial droppers and C2 check-in logic.
  • File Hashes (SHA256):
    • Multiple hashes provided for TwizAdmin (Windows/macOS) and Mach-O Man payloads.
    • Action: Import into EDR solutions for immediate quarantine. These indicators are critical for confirming active infections.
  • IPv4 Addresses:
    • Specific IPs (e.g., 37.32.15.8, 197.51.170.131) associated with Middle East C2 infrastructure.
    • Action: Block inbound/outbound connections to these IPs at the perimeter firewall, and correlate with NetFlow data to identify potential beaconing activity.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ClickFix Activity - PowerShell via Browser
id: 5f8f4b3e-3c2a-4b1e-9f0d-1a2b3c4d5e6f
description: Detects suspicious PowerShell execution initiated by common browsers or office applications, a pattern consistent with ClickFix attacks used by Lazarus Group.
status: experimental
date: 2026/05/25
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1059.001
    - attack.initial_access
    - attack.t1566.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\OUTLOOK.EXE'
            - '\WINWORD.EXE'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate automation scripts
level: high
---
title: TwizAdmin C2 Network Connection
# NOTE: this id is not a valid UUID (it contains non-hex characters) and must be regenerated before the rule passes Sigma validation
id: 6a9g5c4f-4d3b-5c2f-0g1e-2b3c4d5e6f7a
description: Detects network connections to known TwizAdmin C2 infrastructure or domains associated with the DataBreachPlus campaign.
status: experimental
date: 2026/05/25
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Suspicious macOS LaunchAgent Persistence
# NOTE: this id is not a valid UUID (it contains non-hex characters) and must be regenerated before the rule passes Sigma validation
id: 7b0h6d5e-5e4c-6d3g-1h2f-3c4d5e6f7a8b
description: Detects creation of LaunchAgents in user library, a common persistence mechanism for macOS malware like Mach-O Man and PyLangGhostRAT.
status: experimental
date: 2026/05/25
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.persistence
    - attack.t1543.001
logsource:
    category: file_event
    product: macos
detection:
    selection:
        TargetFilename|contains: '/Library/LaunchAgents/'
        TargetFilename|endswith: '.plist'
    filter:
        # Prefix exclusion: any plist whose name merely contains one of these strings is dropped,
        # so prefer an exact allowlist of known vendor plist names where the environment permits
        TargetFilename|contains:
            - 'com.apple.'
            - 'com.microsoft.'
    condition: selection and not filter
falsepositives:
    - Legitimate software installation
level: medium
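As an added example (not part of the detection pack), the following Python evaluator applies the LaunchAgent rule's `selection and not filter` logic to constructed macOS file events, and sets it beside a stricter variant whose filter is an exact allowlist (the allowlisted plist name is a constructed example); it shows which events the rule as written suppresses because of its prefix-based filter.

```python
# Added example: minimal evaluator for the LaunchAgent Sigma rule over constructed file events
LAUNCHAGENT_RULE = {
    "selection": {
        "TargetFilename|contains": "/Library/LaunchAgents/",
        "TargetFilename|endswith": ".plist",
    },
    # Prefix exclusion exactly as written in the rule above
    "filter": {"TargetFilename|contains": ["com.apple.", "com.microsoft."]},
}

# Hardened variant: exclude only an exact, constructed allowlist of vendor plist names
STRICT_RULE = {
    "selection": LAUNCHAGENT_RULE["selection"],
    "filter": {"TargetFilename|endswith": ["/com.microsoft.update.agent.plist"]},
}

def field_matches(event, key, expected):
    """Apply one 'Field|modifier' condition; list values are OR-ed as in Sigma."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "")
    options = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(opt in value for opt in options)
    if modifier == "endswith":
        return any(value.endswith(opt) for opt in options)
    return value in options  # no modifier: exact match

def block_matches(event, block):
    """All keys inside one Sigma map are AND-ed."""
    return all(field_matches(event, k, v) for k, v in block.items())

def evaluate(events, rule):
    """Return the TargetFilenames that satisfy 'selection and not filter'."""
    return [
        e["TargetFilename"] for e in events
        if block_matches(e, rule["selection"]) and not block_matches(e, rule["filter"])
    ]

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"TargetFilename": "/Users/alice/Library/LaunchAgents/com.example.updater.plist"},
    {"TargetFilename": "/Users/alice/Library/LaunchAgents/com.microsoft.update.agent.plist"},
    {"TargetFilename": "/Users/alice/Library/LaunchAgents/com.apple.helper.plist"},
    {"TargetFilename": "/Users/alice/Library/Preferences/com.example.app.plist"},
]

if __name__ == "__main__":
    print("rule as written :", evaluate(SAMPLE_EVENTS, LAUNCHAGENT_RULE))
    print("strict allowlist:", evaluate(SAMPLE_EVENTS, STRICT_RULE))
```

The rule as written reports only the first event; the strict variant additionally reports the `com.apple.helper.plist` write, which the prefix filter silently drops.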

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TwizAdmin and Lazarus Indicators
let IoC_Domains = dynamic(["fanonlyatn.xyz", "livemicrosft.com"]);
let IoC_IPs = dynamic(["37.32.15.8", "197.51.170.131", "5.109.182.231", "93.113.62.247", "94.252.245.193"]);
let IoC_Hashes = dynamic(["06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90"]);
// Network connections: RemoteUrl may carry a full URL rather than a bare hostname, so match with has_any instead of an exact 'in'
DeviceNetworkEvents
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| extend IoCType = iff(RemoteUrl has_any (IoC_Domains), "Domain", "IP")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName = InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, IoCType
// Process execution of binaries matching the known hashes
| union (
    DeviceProcessEvents
    | where SHA256 in (IoC_Hashes)
    | extend IoCType = "Hash"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256, IoCType
)
// File creation of known payloads (a dropper written to disk before it is executed)
| union (
    DeviceFileEvents
    | where SHA256 in (IoC_Hashes)
    | extend IoCType = "Hash"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath, SHA256, IoCType
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for TwizAdmin artifacts and potential ClickFix execution traces.
.DESCRIPTION
    Checks for file artifacts associated with TwizAdmin C2 and recent suspicious PowerShell executions.
    Run from an elevated session; the process check requires "Audit Process Creation" (Event ID 4688) to be enabled.
#>

$TwizAdminDomains = @("fanonlyatn.xyz")
$RiskPaths = @("$env:TEMP", "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")

# Check for recent PowerShell processes spawned by browsers
Write-Host "[*] Checking for ClickFix-like parent-child process relationships..."
$parentProcs = @("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
ForEach-Object {
    # Read the structured EventData fields: the rendered Message text uses labels such as
    # "New Process Name:" and "Creator Process Name:", not the field names, so regexes on it fail
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Parent      = $data['ParentProcessName']
        NewProcess  = $data['NewProcessName']
        CommandLine = $data['CommandLine']
    }
} |
Where-Object {
    # Only the original pipeline object is available here; compare the parent's file name
    # against the browser list instead of reusing $_ inside a nested Where-Object
    $_.NewProcess -match '\\(powershell|pwsh)\.exe$' -and
    ($parentProcs -contains ([IO.Path]::GetFileName($_.Parent)))
} | Format-List

# Check the local DNS client cache for resolutions of known TwizAdmin domains
Write-Host "[*] Checking DNS client cache for TwizAdmin domains..."
Get-DnsClientCache -ErrorAction SilentlyContinue |
Where-Object { $entry = $_.Entry; $TwizAdminDomains | Where-Object { $entry -like "*$_" } } |
Select-Object Entry, Data, TimeToLive

# Scan for known malicious file hashes in user directories
Write-Host "[*] Scanning for known IOCs in user directories..."
$knownHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4"
)

foreach ($path in $RiskPaths) {
    if (Test-Path $path) {
        # -File keeps directories out of Get-FileHash, which would otherwise error on each one
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Where-Object { $knownHashes -contains $_.Hash } |
        Select-Object Path, Hash
    }
}

Response Priorities

  • Immediate: Block all identified domains (fanonlyatn.xyz, livemicrosft.com) and IPs at the perimeter. Quarantine endpoints matching the provided SHA256 hashes.
  • 24h: Initiate credential resets for users in high-risk sectors (Finance/Tech) if credential-stealing malware (TwizAdmin/Mach-O Man) is suspected. Review browser history and Telegram logs for evidence of fake meeting invites.
  • 1 Week: Conduct architecture hardening to prevent ClickFix attacks. Enforce application control policies (AppLocker/WDAC) that place PowerShell in Constrained Language Mode, and enforce macOS Gatekeeper to block unsigned Mach-O binaries.
