Back to Intelligence

TwizAdmin MaaS & Lazarus Mach-O Man: OTX Pulse Analysis — Multi-Platform C2 & ClickFix Detection Pack

SA
Security Arsenal Team
May 22, 2026
6 min read

Threat Summary

Current OTX pulses indicate a convergence of financially motivated malware-as-a-service (MaaS) operations and state-sponsored activity targeting multi-platform environments. The TwizAdmin campaign (attributed to DataBreachPlus) represents a sophisticated evolution in crypto-clipping, integrating ransomware modules (crpx0) and Java RAT capabilities managed via a FastAPI C2 panel. Simultaneously, the Lazarus Group has expanded its "ClickFix" social engineering toolkit to macOS with the Mach-O Man malware, specifically targeting the fintech and technology sectors. These campaigns are supported by a massive malicious infrastructure shift, with intelligence revealing over 1,350 C2 servers concentrated in the Middle East (72.4% hosted by Saudi Arabia's STC), facilitating operations for APT28, Energetic Bear, and various commodity RAT families.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Type: Multi-Stage MaaS (Crypto Clipper, Infostealer, Ransomware)
  • Distribution: Phishing lures impersonating logistics/FedEx; Drive-by downloads.
  • Capabilities: Clipboard hijacking for 8 distinct cryptocurrency chains, BIP-39 seed phrase theft, browser credential exfiltration.
  • C2 Infrastructure: FastAPI-based panel at 103.241.66[.]238:1337 requiring license keys.
  • Persistence: Uses scheduled tasks and run-key registry modifications.
  • Target: Windows and macOS users involved in cryptocurrency trading.

Mach-O Man (Lazarus Group)

  • Type: macOS Malware / Remote Access Trojan (PyLangGhostRAT)
  • Distribution: Telegram-originated fake meeting invitations (Zoom, Microsoft Teams, Google Meet).
  • Attack Vector: "ClickFix" technique—tricking users into copying and pasting malicious PowerShell/Bash commands into the terminal.
  • Capabilities: Browser data stealing, Telegram exfiltration, credential theft.
  • Infrastructure: Typosquatting domains (e.g., livemicrosft.com).
  • Target: Finance and Technology sectors.

IOC Analysis

The provided intelligence delivers a mix of network and file-based indicators critical for defensive operations:

  • Domains & URLs: SOC teams should immediately block fanonlyatn.xyz (TwizAdmin payload host) and livemicrosft.com (Lazarus lure). These domains resolve to infrastructure facilitating payload delivery.
  • IPv4 Addresses: A specific cluster of Middle Eastern IPs (e.g., 37.32.15.8, 197.51.170.131) are identified as active C2 nodes for diverse threat actors including APT28 and GrayCharlie. These should be added to firewall blocklists and monitored for outbound connection attempts.
  • File Hashes (SHA256): Multiple binaries associated with TwizAdmin and Mach-O Man are provided. EDR solutions should be configured to alert on execution matches for these hashes.
  • CVEs: CVE-2025-11953 is explicitly referenced in the infrastructure report, suggesting potential exploitation for initial access or persistence.

Operational Note: Decoding the TwizAdmin C2 traffic requires inspecting FastAPI requests, typically observed on non-standard ports (e.g., 1337).

Detection Engineering

Sigma Rules

YAML
title: Potential TwizAdmin C2 Connection
id: 5c8a2d1a-1e4f-4c2e-9b3a-8d6f7a5b4c3d
description: Detects outbound connections to known TwizAdmin C2 infrastructure domains or IPs.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
        DestinationIp|startswith:
            - '103.241.66.'
    condition: selection
falsepositives:
    - Legitimate traffic to specific IP ranges (unlikely)
level: high
---
title: Lazarus Mach-O Man ClickFix Pattern macOS
date: 2026/05/22
id: 9e1b4f2a-3d5e-4f6a-8b7c-9d0e1f2a3b4c
description: Detects suspicious terminal execution spawned by communication applications consistent with ClickFix attacks targeting macOS.
status: experimental
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_parent:
        ParentImage|endswith:
            - '/Telegram'
            - '/Microsoft Teams'
            - '/Zoom'
            - '/Google Chrome'
            - '/Safari'
    selection_child:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/zsh'
            - '/osascript'
        CommandLine|contains:
            - 'curl'
            - 'launchctl'
    condition: all of selection_*
falsepositives:
    - Legitimate developer activity using terminal from browsers/apps
level: high
---
title: Middle East C2 Infrastructure Beaconing
date: 2026/05/22
id: b2c3d4e5-f6a7-8b9c-0d1e-2f3a4b5c6d7e
description: Detects outbound connections to identified C2 servers hosting threat actor infrastructure in the Middle East.
status: experimental
author: Security Arsenal
references:
    - https://hunt.io/blog/middle-east-malicious-infrastructure-report
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
detection:
    selection:
        DestinationIp:
            - '37.32.15.8'
            - '197.51.170.131'
            - '5.109.182.231'
            - '93.113.62.247'
            - '94.252.245.193'
    condition: selection
falsepositives:
    - Unknown
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TwizAdmin and Lazarus Mach-O Man Network Indicators
let IoC_Domains = dynamic(["fanonlyatn.xyz", "livemicrosft.com"]);
let IoC_IPs = dynamic(["37.32.15.8", "197.51.170.131", "5.109.182.231", "93.113.62.247", "94.252.245.193", "103.241.66.238"]);
DeviceNetworkEvents
| where (RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs))
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine
| extend IoC_Type = iff(RemoteIP in (IoC_IPs), "IP Address", "Domain")


kql
// Hunt for Mach-O Man related process creation on macOS (via Microsoft Sentinel/Defender for Endpoint)
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where OSType == "macOS"
| where InitiatingProcessFileName in~ ("Telegram", "Microsoft Teams", "zoom.us", "Google Chrome", "Safari")
| where FileName in~ ("bash", "sh", "zsh", "osascript", "python")
| where ProcessCommandLine has_any ("curl", "wget", "pip", "launchctl")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine

PowerShell Hunt Script

PowerShell
# IOC Hunter for TwizAdmin and Middle East Infrastructure
# Requires Administrator privileges

$IoC_IPs = @(
    "37.32.15.8",
    "197.51.170.131",
    "5.109.182.231",
    "93.113.62.247",
    "94.252.245.193"
)

$IoC_Domains = @(
    "fanonlyatn.xyz",
    "livemicrosft.com"
)

Write-Host "[+] Checking for established network connections to known C2 IPs..." -ForegroundColor Yellow

$activeConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($ip in $IoC_IPs) {
    $matches = $activeConnections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($matches) {
        Write-Host "[!!!] ALERT: Connection found to C2 IP $ip" -ForegroundColor Red
        $matches | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
    }
}

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Yellow

$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $IoC_Domains) {
    $matches = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
    if ($matches) {
        Write-Host "[!!!] ALERT: DNS cache entry found for $domain" -ForegroundColor Red
        $matches | Select-Object Entry, Data, TimeToLive
    }
}

Write-Host "[+] Scan Complete. If alerts are found, isolate the host immediately." -ForegroundColor Cyan

Response Priorities

  • Immediate: Block all listed IOCs (IPs and Domains) at the perimeter firewall and proxy. Isolate any endpoints alerting on connections to 103.241.66[.]238 or the Middle Eastern IP range.
  • 24h: Initiate credential rotation for users identified as potentially impacted by the infostealer components (TwizAdmin/Mach-O Man). Specifically, prioritize users in Finance/Tech sectors who utilize cryptocurrency wallets.
  • 1 Week: Conduct a review of macOS security configurations (Gatekeeper settings) and implement application whitelisting to prevent the execution of unsigned binaries. Update security awareness training to cover "ClickFix" social engineering tactics involving terminal commands.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-apttwizadminmach-o-manlazarus-groupclickfixmiddle-east-c2

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action