TwizAdmin MaaS & TeamPCP Supply Chain: Multi-Vector Credential Theft Campaign

Security Arsenal Team
April 24, 2026

OTX Pulse data from April 2026 indicates a convergence of sophisticated credential theft tactics. The threat landscape is defined by two primary vectors: the expansion of Malware-as-a-Service (MaaS) operations like TwizAdmin targeting crypto-wallets and browser data, and a surge in TeamPCP-led supply chain compromises against developer tools (KICS, Trivy).

Simultaneously, ClickFix campaigns are facilitating the delivery of commodity stealers (Lumma, Vidar, Redline) via social engineering, while Trigona ransomware affiliates (actor Rhantus) have adopted custom exfiltration tools to streamline data theft. The collective objective of these campaigns is the mass harvesting of credentials—ranging from cryptocurrency seed phrases and browser cookies to CI/CD infrastructure tokens—for monetization on dark web markets or double-extortion ransomware operations.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin)

  • Profile: Russian-speaking MaaS operator.
  • Malware: TwizAdmin (Multi-platform Infostealer), crpx0 (Ransomware).
  • Distribution: Phishing campaigns impersonating logistics (FedEx) and software updates.
  • Behavior:
    • Clipboard hijacking for 8+ cryptocurrency chains.
    • Theft of BIP-39 seed phrases and browser credentials.
    • Modular architecture includes a Java RAT and a FastAPI-based C2 panel requiring license keys.
    • C2: 103.241.66[.]238:1337.

TeamPCP

  • Profile: Supply chain threat actors targeting the developer ecosystem.
  • Malware: Canister Worm, mcpAddon.js, compromised Trivy/KICS binaries.
  • Distribution: Poisoned Docker Hub images and VS Code extensions.
  • Behavior:
    • Injection of credential harvesters into trusted CI/CD tools.
    • Exfiltration of scan reports and secrets (API keys, tokens).
    • Use of NPM propagation mechanisms to spread the Canister Worm.

ClickFix Clusters

  • Profile: Social engineering operators utilizing "Living Off The Land" techniques.
  • Malware: Vidar, Lumma Stealer, Odyssey Stealer, Redline Stealer.
  • Distribution: Fake browser error prompts instructing users to run malicious "fix" commands via CMD or PowerShell.
  • Behavior: Bypasses traditional email gateway controls by abusing native system tools trusted by the user.

Rhantus (Trigona Affiliates)

  • Profile: Ransomware affiliates evolving tactics.
  • Malware: Trigona, uploader_client (Custom Go tool).
  • Behavior: Replacing off-the-shelf tools (Rclone) with custom uploader_client.exe featuring parallel streams and connection rotation to evade network monitoring during data exfiltration.

IOC Analysis

The provided indicators reveal a hybrid infrastructure utilizing C2 servers, typosquatting domains, and poisoned software repositories.

  • Network Infrastructure (C2 & Exfil):
    • IPs like 31.31.198.206 (TwizAdmin) and 94.154.172.43 (TeamPCP) serve as direct C2 nodes.
    • Typosquatting is heavily used by TeamPCP (e.g., aquasecurtiy.org mimicking aquasecurity.org, checkmarx.zone) to blend in with legitimate traffic.
  • Domains:
    • TwizAdmin utilizes dynamic DNS or less reputable TLDs (fanonlyatn.xyz).
    • ClickFix campaigns use a mix of compromised legitimate domains and recently registered domains (ustazazharidrus.com, elive123go.com).
  • File Hashes:
    • Numerous SHA256 and MD5 hashes correspond to the trojanized binaries (KICS, Trivy), stealer payloads (TwizAdmin), and the custom Trigona exfiltration utility.
  • Operationalization: SOC teams should immediately block the identified typosquatting domains and IP addresses at the perimeter. File hashes should be loaded into EDR solutions for detection and quarantine. The typosquatting domains are critical high-fidelity IOCs because legitimate traffic is very unlikely to reach them, so they carry a low false-positive rate.
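Operationalizing the typosquatting point above, here is an added example (not code from the post) that flags destinations in proxy logs sitting one or two edits, or a TLD swap, away from a trusted vendor domain, which is exactly how aquasecurtiy.org and checkmarx.zone relate to their legitimate counterparts. The trusted list, the log format and the sample records are constructed assumptions for illustration.

```python
# Lookalike-domain triage over constructed proxy log lines (added example, not code
# from the Security Arsenal post). The trusted vendor list and log format are assumed.
TRUSTED = ("aquasecurity.org", "checkmarx.com", "github.com")  # assumed allowlist

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def split_domain(host: str):
    """Return (registrable label, tld): naive last-two-labels split that ignores subdomains."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def classify(host: str, trusted=TRUSTED, max_dist: int = 2):
    """Return (verdict, trusted domain it resembles) for one observed hostname."""
    label, tld = split_domain(host)
    pairs = [(t, *split_domain(t)) for t in trusted]
    if any(label == tl and tld == tt for _, tl, tt in pairs):
        return "trusted", f"{label}.{tld}"
    for t, tl, tt in pairs:
        if label == tl:  # same brand label under another TLD (checkmarx.zone)
            return "tld-swap", t
        if osa_distance(label, tl) <= max_dist:  # a few edits away (aquasecurtiy.org)
            return "lookalike", t
    return "unknown", None

SAMPLE_LOG = [  # constructed records: timestamp source_host destination_host
    "2026-04-24T10:01:02Z build-01 api.aquasecurity.org",
    "2026-04-24T10:01:09Z build-01 aquasecurtiy.org",
    "2026-04-24T10:02:31Z build-02 checkmarx.zone",
    "2026-04-24T10:03:00Z dev-07 example.com",
]

def triage(log_lines):
    """Keep only destinations that resemble a trusted vendor but are not one."""
    hits = []
    for line in log_lines:
        _ts, src, dst = line.split()
        verdict, ref = classify(dst)
        if verdict in ("lookalike", "tld-swap"):
            hits.append((src, dst, verdict, ref))
    return hits
```

A real deployment would replace the naive two-label split with a public-suffix list and feed the hits into the same block list the KQL hunt below uses.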

Detection Engineering

```yaml
---
title: Potential ClickFix Social Engineering Activity
id: 6d8c4a12-8b2c-4f3d-9e1a-1c5b6d7e8f9a
description: Detects suspicious PowerShell or CMD execution often triggered by ClickFix campaigns where users are tricked into running "fix" commands via browser prompts.
status: experimental
author: Security Arsenal
date: 2026/04/24
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'copy'
            - 'paste'
            - 'regsvr32'
    filter_legit:
        # Broad exclusion: any command line containing these words is dropped, so tune per environment
        CommandLine|contains:
            - 'Microsoft'
            - 'Windows'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative scripts launched from browser downloads
level: high
---
title: TeamPCP Supply Chain Compromise - Suspicious KICS/Trivy Network Connection
id: 7e9f1a2b-3c4d-5e6f-7g8h-9i0j1k2l3m4n # placeholder, not a valid UUID: regenerate before publishing
description: Detects network connections from compromised developer tools (KICS, Trivy) to known TeamPCP typosquatting domains or non-standard ports associated with data exfiltration.
status: experimental
author: Security Arsenal
date: 2026/04/24
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: network_connection
    product: windows
detection:
    selection_process:
        Image|contains:
            - 'kics'
            - 'trivy'
    selection_dest_domain:
        DestinationHostname|contains:
            - 'aquasecurtiy.org' # Typosquat
            - 'checkmarx.zone'
    selection_dest_port:
        DestinationPort:
            - 1337
            - 4444
            - 8080
    # Alternation between selections is expressed in the condition, not inside a selection
    condition: selection_process and (selection_dest_domain or selection_dest_port)
falsepositives:
    - Connections to legitimate internal repositories on non-standard ports
level: critical
---
title: TwizAdmin Java RAT and FastAPI C2 Activity
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p # placeholder, not a valid UUID: regenerate before publishing
description: Detects execution patterns associated with TwizAdmin malware, specifically Java processes connecting to FastAPI C2 panels or the presence of specific clipper mechanisms.
status: experimental
author: Security Arsenal
date: 2026/04/24
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection_java:
        Image|endswith: '\java.exe'
        DestinationPort: 1337
    selection_cli:
        # CommandLine is not carried in raw Sysmon event ID 3; this selection only matches on backends
        # (for example MDE DeviceNetworkEvents) that expose the initiating process command line
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'clip'
        DestinationHostname|contains: '.xyz'
    condition: 1 of selection_*
falsepositives:
    - Legitimate Java applications communicating with internal APIs on port 1337
level: high
```


```kql
// Hunt for ClickFix related process execution and TeamPCP supply chain IOCs
// Combines network and process creation events into one timeline with a shared column set
let SuspiciousDomains = dynamic(['ustazazharidrus.com', 'account-help.info', 'quiptly.com', 'elive123go.com', 'aquasecurtiy.org', 'checkmarx.zone', 'fanonlyatn.xyz']);
let SuspiciousIPs = dynamic(['31.31.198.206', '94.154.172.43', '103.241.66.238']);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// has_any is a term match, suitable for domains; IPs are compared exactly with in()
| where RemoteUrl has_any (SuspiciousDomains) or RemoteIP in (SuspiciousIPs)
| extend FullURL = strcat(RemoteUrl, ':', tostring(RemotePort))
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, CommandLine = InitiatingProcessCommandLine, RemoteIP, FullURL, ActionType
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has_any ("copy", "paste", "regsvr32") and InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
    // Process events have no remote endpoint; emit empty columns so both branches align
    | project Timestamp, DeviceName, AccountName, CommandLine = ProcessCommandLine, RemoteIP = "", FullURL = "", ActionType
)
| order by Timestamp desc
```


```powershell
# IOC Hunt Script for TwizAdmin, Trigona Exfiltration Tool, and TeamPCP Artifacts
# Requires administrative privileges

# SHA256 and MD5 indicators are kept apart so each is compared against a hash of
# the matching algorithm (a 32-character MD5 can never equal a SHA256 digest)
$TargetSha256 = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
)
$TargetMd5 = @(
    "d47de3772f2d61a043e7047431ef4cf4"
)

$SuspiciousFiles = @(
    "uploader_client.exe",
    "mcpAddon.js",
    "kics.exe", # Check for version if possible, otherwise verify hash
    "trivy"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Walk C:\ once and hash each file once per algorithm instead of re-hashing the
# whole drive for every indicator; -File skips directories, which Get-FileHash cannot hash
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $sha = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($sha -and $TargetSha256 -contains $sha.Hash) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($sha.Path) (SHA256: $($sha.Hash))" -ForegroundColor Red
    }
    $md5 = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
    if ($md5 -and $TargetMd5 -contains $md5.Hash) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($md5.Path) (MD5: $($md5.Hash))" -ForegroundColor Red
    }
}

Write-Host "[+] Scanning for suspicious filenames..." -ForegroundColor Cyan

foreach ($file in $SuspiciousFiles) {
    $paths = Get-ChildItem -Path C:\ -Filter $file -Recurse -ErrorAction SilentlyContinue -Force
    foreach ($path in $paths) {
        Write-Host "[!] SUSPICIOUS FILENAME FOUND: $($path.FullName)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking for TwizAdmin/TeamPCP related scheduled tasks..." -ForegroundColor Cyan
# Parentheses make the precedence explicit (-and binds tighter than -or): any task that
# launches Java, or a PowerShell task whose name suggests a fake "Update"
Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -like "*java*") -or
    (($_.Actions.Execute -like "*powershell*") -and ($_.TaskName -like "*Update*"))
} | Format-Table TaskName, TaskPath, State -AutoSize

Write-Host "[+] Hunt complete." -ForegroundColor Green
```


Response Priorities

Immediate (0-24h)

  1. Block IOCs: Implement immediate blocks on the provided TeamPCP typosquatting domains (aquasecurtiy.org, checkmarx.zone) and C2 IPs (103.241.66.238, 31.31.198.206) at firewalls and proxies.
  2. Hunt for Malware: Execute the provided PowerShell script across endpoints to locate uploader_client.exe (Trigona) and mcpAddon.js (TeamPCP).
  3. Supply Chain Remediation: If using Checkmarx KICS (v2.1.20, v2.1.21, alpine) or Trivy (versions released ~March 19, 2026), immediately revert to clean, verified backups and scan infrastructure for exposed credentials.

Short Term (24-48h)

  1. Credential Rotation: Assume compromise for any credentials stored in environments where the compromised KICS or Trivy tools were executed. Rotate API keys, CI/CD tokens, and repository secrets.
  2. Browser Hygiene: If impacted by ClickFix or TwizAdmin, force password resets for users on high-value targets (Finance, Admin) and revoke active browser sessions.

Medium Term (1 Week+)

  1. Developer Hardening: Implement software bill of materials (SBOM) validation and integrity checks for all internal tooling pulled from Docker Hub or GitHub Releases.
  2. Application Control: Deploy application whitelisting (AppLocker) to prevent the execution of unsigned binaries in user directories, a common TTP for ClickFix-delivered payloads.
