Recent OTX Pulse data reveals a convergence of high-risk credential theft campaigns targeting both Windows and macOS ecosystems. A sophisticated Malware-as-a-Service (MaaS) operation, TwizAdmin, is actively distributing a multi-stage payload combining crypto-clipping and ransomware capabilities. Simultaneously, the Lazarus Group has escalated macOS-focused attacks using the "Mach-O Man" malware kit via "ClickFix" social engineering.
Parallel to these actor-specific campaigns, a mass compromise event involving Ghost CMS (CVE-2026-26980) is fueling a secondary wave of infections, delivering malicious DLLs (installer.dll, NotepadPlusPlus.dll) through more than 700 compromised domains. Additionally, the PureLogs infostealer campaign is leveraging steganography within PNG files to evade detection. Collectively, these pulses indicate a shift toward complex delivery chains—steganography, supply chain poisoning, and fake collaboration platforms—to harvest cryptocurrency seeds, browser credentials, and session tokens.
Threat Actor / Malware Profile
1. TwizAdmin (DataBreachPlus)
- Type: Multi-stage MaaS (Crypto Clipper, Infostealer, Ransomware).
- Distribution: Phishing lures impersonating logistics (FedEx).
- Payload Behavior: Hijacks the clipboard for 8 cryptocurrency chains, steals BIP-39 seed phrases, and exfiltrates browser credentials. Includes a ransomware module (crpx0) and a Java RAT.
- C2: FastAPI-based panel located at 103.241.66[.]238:1337.
2. Lazarus Group (Mach-O Man)
- Type: APT / Cyber Espionage.
- Distribution: "ClickFix" attacks via Telegram; fake meeting invites leading to fraudulent collaboration sites (Zoom/Teams clones).
- Payload Behavior: The "Mach-O Man" kit targets macOS and uses PyLangGhostRAT. Victims are tricked into running terminal commands, leading to credential theft and data exfiltration via Telegram.
3. PureLogs (PawsRunner)
- Type: Infostealer / Steganography Loader.
- Distribution: Phishing emails with .TXZ archives containing invoice-themed lures.
- Payload Behavior: Uses obfuscated JavaScript to launch PowerShell. PawsRunner decrypts malicious payloads hidden inside PNG image files (steganography) to evade AV.
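The pulse says only that PawsRunner decrypts a payload hidden inside a PNG; it does not say how the payload is embedded. The triage check below is an added example (not code from the pulse or from Security Arsenal). It walks the PNG chunk table and flags the two cheapest tricks to spot at scale: a non-standard chunk type (often with a wrong CRC, since droppers rarely bother to compute one) and data appended after IEND, together with the entropy of whatever trails the image. It builds its own 1x1 PNG so it runs offline; the paYl chunk name and the MZ-prefixed trailer are constructed for the demo and are not indicators from the campaign. Pixel-level (LSB) embedding would pass this check and needs an image diff or the loader's own decoder.

```python
import math
import struct
import zlib
from collections import Counter
from typing import Any, Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec and common extensions; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
    b"eXIf", b"acTL", b"fcTL", b"fdAT",
}

Chunk = Tuple[bytes, bytes, bool, int]  # (type, body, crc_ok, offset)


def _chunk(ctype: bytes, body: bytes, bad_crc: bool = False) -> bytes:
    """Encode one chunk; bad_crc=True corrupts the CRC the way sloppy droppers do."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    if bad_crc:
        crc ^= 1
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG: (type, body, bad_crc) extra chunks go before IEND, trailer after."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body, bad in extra_chunks:
        png += _chunk(ctype, body, bad)
    return png + _chunk(b"IEND", b"") + trailer


def parse_png(data: bytes) -> Tuple[List[Chunk], int]:
    """Walk the chunk table; return the chunks and the offset where parsing stopped."""
    chunks: List[Chunk] = []
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            break  # truncated chunk: stop here, the rest is reported as trailing bytes
        body = data[pos + 8:body_end]
        (stored_crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        crc_ok = stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype, body, crc_ok, pos))
        pos = body_end + 4
        if ctype == b"IEND":
            break
    return chunks, pos


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_png(data: bytes) -> Dict[str, Any]:
    """Flag non-standard chunks, CRC mismatches and data appended after IEND."""
    if not data.startswith(PNG_SIG):
        return {"is_png": False}
    chunks, end = parse_png(data)
    trailer = data[end:]
    report: Dict[str, Any] = {
        "is_png": True,
        "unknown_chunks": [(t.decode("latin-1"), len(b), off)
                           for t, b, _, off in chunks if t not in STANDARD_CHUNKS],
        "crc_errors": [t.decode("latin-1") for t, _, ok, _ in chunks if not ok],
        "trailing_bytes": len(trailer),
        "trailer_entropy": round(entropy(trailer), 2),
    }
    report["suspicious"] = bool(report["unknown_chunks"] or report["crc_errors"] or trailer)
    return report


if __name__ == "__main__":
    # Constructed stand-in for an encrypted stage: every byte value, so entropy is close to 8.
    payload = bytes(range(256)) * 4
    print(scan_png(build_png()))
    print(scan_png(build_png(extra_chunks=[(b"paYl", payload, True)], trailer=b"MZ" + payload)))
```

Run it over the images extracted from the .TXZ lures (and from the PowerShell stage's download cache) rather than over every PNG on disk; a single private chunk or a high-entropy tail on an "invoice" image is enough to escalate the sample to a sandbox.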
4. Ghost CMS Compromise Actors
- Type: Mass Website Compromise / Supply Chain.
- Distribution: Exploitation of CVE-2026-26980 (SQL Injection) in Ghost CMS.
- Payload Behavior: Injects malicious JavaScript into compromised sites (SEO poisoning). Delivers fake installers (UtilifySetup.exe) and malicious DLLs (installer.dll, NotepadPlusPlus.dll) that function as information stealers.
IOC Analysis
The provided indicators highlight a diverse set of infrastructure:
- Domains/URLs: Numerous phishing and C2 domains, such as fanonlyatn.xyz (TwizAdmin), livemicrosft.com (Lazarus; note the look-alike misspelling of "microsoft"), everycarebd.com (PureLogs), and jalwat.com and cloud-verification.com (Ghost CMS). SOC teams should add these domains to a DNS sinkhole.
- File Hashes: A mix of SHA256 (for the macOS malware and the .NET stealer) and MD5 (for the Ghost CMS-related DLLs). Configure hash-based blocking rules in EDR.
- IPs: 5.101.84[.]202 (PureLogs C2), 103.241.66[.]238 (TwizAdmin panel).
- Operationalization: Tools like Cortex XSOAR, Splunk, or TheHive can ingest these IOCs. Analysts should prioritize the MD5 hashes for the Ghost CMS campaign, as they represent a mass-exploitation event that is currently active.
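Indicators arrive defanged and mixed by type, and the sinkhole wants them in zone syntax. The script below is an added example (not tooling from the pulse or from Security Arsenal): it refangs the domains and IPs listed above, classifies each one, and emits the RPZ records a BIND or Unbound response-policy zone needs to NXDOMAIN them (domain plus wildcard for hostnames, the rpz-ip trigger form for addresses). The "<indicator> <note>" input format is an assumption of this example; the IOC values are the ones from this section, and hashes are deliberately left out of the RPZ output because they have no DNS meaning.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed input: the defanged indicators from the IOC Analysis section,
# one per line as "<indicator> <note>". The line format is this example's
# own convention, not the pulse's export format.
SAMPLE_IOCS = """\
fanonlyatn[.]xyz               TwizAdmin phishing/C2
livemicrosft[.]com             Lazarus fake collaboration site
everycarebd[.]com              PureLogs
jalwat[.]com                   Ghost CMS
cloud-verification[.]com       Ghost CMS
hxxp://103.241.66[.]238:1337/  TwizAdmin FastAPI panel
5.101.84[.]202                 PureLogs C2
"""

# Common defanging conventions, replaced in order (scheme first).
_DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"),
           ("[.]", "."), ("(.)", "."), ("{.}", "."), ("\\.", "."), ("[:]", ":")]

_RE_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_RE_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_RE_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(ioc: str) -> str:
    """Undo defanging so the value can be matched or blocked."""
    out = ioc.strip()
    for bad, good in _DEFANG:
        out = out.replace(bad, good)
    return out


def classify(ioc: str) -> Optional[str]:
    """Return 'sha256', 'md5', 'url', 'ipv4' or 'domain'; None if unrecognised."""
    v = refang(ioc)
    if _RE_SHA256.match(v):
        return "sha256"
    if _RE_MD5.match(v):
        return "md5"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.IPv4Address(v)
        return "ipv4"
    except ValueError:
        pass
    if _RE_DOMAIN.match(v):
        return "domain"
    return None


def parse_iocs(text: str) -> List[Dict[str, str]]:
    """Parse '<indicator> <note>' lines into typed records, skipping unknown values."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        raw, _, note = line.strip().partition(" ")
        kind = classify(raw)
        if kind is None:
            continue
        records.append({"type": kind, "value": refang(raw), "note": note.strip()})
    return records


def rpz_records(iocs: List[Dict[str, str]]) -> List[str]:
    """Emit RPZ records that NXDOMAIN the domains and IPs (CNAME .).

    URLs are reduced to their host. IPv4 addresses use the rpz-ip trigger form
    '<prefixlen>.<reversed octets>.rpz-ip'. Hashes are skipped.
    """
    seen, out = set(), []

    def add(rec: str) -> None:
        if rec not in seen:
            seen.add(rec)
            out.append(rec)

    for ioc in iocs:
        kind, value = ioc["type"], ioc["value"]
        if kind == "url":
            value = urlsplit(value).hostname or ""
            kind = classify(value)
        if kind == "domain":
            add(f"{value} CNAME .")
            add(f"*.{value} CNAME .")
        elif kind == "ipv4":
            add("32." + ".".join(reversed(value.split("."))) + ".rpz-ip CNAME .")
    return out


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOCS)
    for rec in iocs:
        print(f"{rec['type']:7} {rec['value']:28} {rec['note']}")
    print("\n".join(rpz_records(iocs)))
```

Prepend your zone's SOA and NS records before loading the output, and keep the hash records for the EDR block list rather than DNS.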
Detection Engineering
Sigma rules targeting the specific behaviors of PureLogs steganography, Ghost CMS malicious DLLs, and TwizAdmin C2 communication.
title: Potential PureLogs Steganography Loader via PowerShell
id: 6c8a1e2b-3d4f-4b5e-8f6a-7b8c9d0e1f2a
description: Detects PowerShell scripts loading .NET assemblies associated with image processing (System.Drawing) often used in steganography loaders like PawsRunner.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6601e3a8e12b8
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'System.Drawing'
            - 'Bitmap'
            - 'FromImage'
    condition: selection
falsepositives:
    - Legitimate image processing scripts
level: high
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
---
title: Ghost CMS Malicious DLL Execution (installer.dll / NotepadPlusPlus.dll)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects the specific DLL filenames associated with the Ghost CMS mass compromise campaign being loaded from user-writable, non-standard paths.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665d3a3e7e8b8
logsource:
    product: windows
    category: image_load
detection:
    selection:
        # Both tests apply to the loaded DLL's own path, not the loading process.
        ImageLoaded|endswith:
            - '\installer.dll'
            - '\NotepadPlusPlus.dll'
        ImageLoaded|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Downloads\'
    condition: selection
falsepositives:
    - Rare, legitimate software installers (verify path and file hash)
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - attack.persistence
---
title: TwizAdmin C2 Communication Indicator
id: 9f8e7d6c-5b4a-3e2d-1c0b-9a8f7e6d5c4b
description: Detects network connections to the TwizAdmin C2 domain or to the FastAPI panel (103.241.66.238:1337) identified in the OTX Pulse.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6649e2e7e5b8
logsource:
    product: windows
    category: network_connection
detection:
    selection_domain:
        # Any port: a connection to the domain is a hit on its own.
        DestinationHostname|endswith: 'fanonlyatn.xyz'
    selection_panel:
        # DestinationHostname is empty when the address was not resolved by name,
        # so the panel IP and port are matched directly as well.
        DestinationIp: '103.241.66.238'
        DestinationPort: 1337
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.t1071
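Before these rules ship, it is worth confirming that the selections fire on the events they are meant for and stay quiet on lookalikes. The script below is an added example (not from the pulse or from the Security Arsenal rules): it re-implements the Sigma map semantics used above (fields within a selection are ANDed, a list of values is ORed, string matching is case-insensitive) and runs the three selections over constructed Sysmon-style events. The rule maps mirror the three rules; the TwizAdmin rule is expressed as "domain, or panel IP on 1337" using the C2 address from the profile section. Event field names follow Sysmon's process_creation, image_load and network_connection schemas, and all events are made up.

```python
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]


def _match(value: Any, pattern: Any, modifier: str) -> bool:
    """One Sigma value test. Sigma string matching is case-insensitive."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Event, selection: Dict[str, Any]) -> bool:
    """Sigma map semantics: every field must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match(event.get(field), p, modifier) for p in values):
            return False
    return True


# The three selections from the Sigma rules above as Python maps. Each rule's
# condition is "1 of selection_*": any listed selection fires the rule.
RULES: List[Dict[str, Any]] = [
    {"title": "Potential PureLogs Steganography Loader via PowerShell",
     "category": "process_creation",
     "selections": [{
         "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
         "CommandLine|contains": ["System.Drawing", "Bitmap", "FromImage"],
     }]},
    {"title": "Ghost CMS Malicious DLL Execution",
     "category": "image_load",
     "selections": [{
         "ImageLoaded|endswith": ["\\installer.dll", "\\NotepadPlusPlus.dll"],
         "ImageLoaded|contains": ["\\AppData\\", "\\Temp\\", "\\Downloads\\"],
     }]},
    {"title": "TwizAdmin C2 Communication Indicator",
     "category": "network_connection",
     # Sysmon fills DestinationHostname only when it can resolve the address,
     # so the panel IP:port from the profile section is a second trigger.
     "selections": [
         {"DestinationHostname|endswith": ["fanonlyatn.xyz"]},
         {"DestinationIp": "103.241.66.238", "DestinationPort": 1337},
     ]},
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event_id, rule_title) for every rule that fires, in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            if ev["category"] != rule["category"]:
                continue
            if any(selection_matches(ev, sel) for sel in rule["selections"]):
                hits.append((ev["id"], rule["title"]))
    return hits


# Constructed Sysmon-style events: e1, e3, e5 and e6 should fire, the rest should not.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "category": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c Add-Type -AssemblyName System.Drawing; "
                    r"$img=[System.Drawing.Image]::FromFile('C:\Users\alice\AppData\Local\Temp\invoice.png')"},
    {"id": "e2", "category": "process_creation",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh -File C:\scripts\rotate-logs.ps1"},
    {"id": "e3", "category": "image_load",
     "Image": r"C:\Users\alice\Downloads\UtilifySetup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\installer.dll"},
    {"id": "e4", "category": "image_load",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\installer.dll"},
    {"id": "e5", "category": "network_connection",
     "DestinationHostname": "fanonlyatn.xyz", "DestinationIp": "198.51.100.7",
     "DestinationPort": 443},
    {"id": "e6", "category": "network_connection",
     "DestinationIp": "103.241.66.238", "DestinationPort": 1337},
    {"id": "e7", "category": "network_connection",
     "DestinationHostname": "login.microsoftonline.com", "DestinationIp": "203.0.113.5",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for event_id, title in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

The PureLogs rule keys on the image API strings alone; in the campaign the PowerShell stage is spawned by the JavaScript dropper, so e1's ParentImage of wscript.exe is the field to add if the System.Drawing match proves noisy in your estate.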
KQL (Microsoft Sentinel)
Hunt for network connections to the known C2 and phishing domains identified in the pulses.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
"fanonlyatn.xyz",
"livemicrosft.com",
"everycarebd.com",
"jalwat.com",
"cloud-verification.com",
"clo4shara.xyz",
"cdnupdatenews.top",
"script-dev.buzz"
)
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, InitiatingProcessFileName
| order by Count desc
PowerShell Hunt Script
Scans endpoints for the specific malicious artifacts associated with the Ghost CMS and TwizAdmin campaigns.
<#
Security Arsenal Threat Hunt - IOC Scanner
Scans for specific file names and SHA256 hashes from the TwizAdmin and Ghost CMS pulses.
#>
$TargetPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
$SuspiciousFiles = @("installer.dll", "NotepadPlusPlus.dll", "UtilifySetup.exe")
$TwizAdminHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527"
)
Write-Host "[+] Starting Hunt for Ghost CMS and TwizAdmin Artifacts..." -ForegroundColor Cyan
# Hunt by filename (-File skips directories; -contains compares names case-insensitively)
foreach ($Path in $TargetPaths) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path for suspicious filenames..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $SuspiciousFiles -contains $_.Name } |
            Select-Object FullName, Length, LastWriteTime
    }
}
# Hunt by hash (high CPU/IO usage - use with caution; only files under 10 MB are hashed)
Write-Host "[+] Scanning for known TwizAdmin Payloads..." -ForegroundColor Yellow
Get-ChildItem -Path "C:\" -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0kb -and $_.Length -lt 10mb } |
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TwizAdminHashes -contains $Hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }
Response Priorities
Immediate (0-24h)
- Blocking: Block all domains and IOCs listed in the IOC Analysis section at the perimeter firewall, proxy, and DNS resolver.
- Hunting: Execute the provided PowerShell script on critical assets to detect dropped installer.dll or NotepadPlusPlus.dll files.
- Isolation: Isolate any endpoints with confirmed connections to fanonlyatn.xyz or livemicrosft.com.
24h
- Credential Reset: Force a password reset and token revocation for users who may have interacted with the phishing lures (invoice-themed .txz files or fake meeting invites).
- Investigation: Review browser history and download folders on macOS endpoints for recent downloads of "meeting" installers or disk images (.dmg) related to Zoom/Teams.
1 Week
- Patch Management: Apply patches for CVE-2026-26980 (Ghost CMS) immediately across all public-facing web properties.
- Web Hardening: Implement WAF rules to block SQL injection attempts and malicious JavaScript injection patterns observed in the Ghost CMS campaign.
- User Awareness: Conduct targeted security awareness training on "ClickFix" attacks (fake error pages or meeting invites that instruct the user to paste commands into a terminal) and on the invoice-themed .txz archive attachments used to deliver the PureLogs loader.