OTX Pulse data for 2026-05-22 reveals a convergence of high-impact campaigns targeting financial assets and regional infrastructure. A new Malware-as-a-Service (MaaS) platform dubbed TwizAdmin is actively deploying crypto-clippers and ransomware, while the Lazarus Group has resumed macOS operations using "Mach-O Man" malware delivered via ClickFix social engineering. Simultaneously, a massive mapping of 1,350+ C2 servers in the Middle East—mostly hosted by STC in Saudi Arabia—exposes a hub of activity for threat actors including APT28, Energetic Bear, and Eagle Werewolf.
Threat Summary
The intelligence landscape is dominated by three distinct but concerning vectors:
-
DataBreachPlus Operation: A sophisticated MaaS platform (TwizAdmin) is targeting Windows and macOS users via shipping-themed lures (e.g., FedEx). The malware features a modular design including clipboard hijacking for 8 different cryptocurrency chains, BIP-39 seed phrase theft, and a ransomware module (crpx0) managed via a FastAPI C2 panel.
-
Lazarus macOS Campaign: The Lazarus Group is targeting the Finance and Technology sectors with a macOS toolkit called "Mach-O Man". The attack chain utilizes Telegram to distribute fake meeting invitations for Zoom or Teams, leading to a "ClickFix" attack where users are tricked into executing terminal commands that install PyLangGhostRAT.
-
Regional C2 Proliferation: Infrastructure analysis reveals that 981 C2 servers (72.4% of regional malicious infra) are hosted by Saudi Telecom (STC). These servers support diverse malware families ranging from commodity loaders (AsyncRAT, Phorpiex) to nation-state tools (Cobalt Strike, Sliver) linked to actors like APT28 and Energetic Bear.
Threat Actor / Malware Profile
DataBreachPlus (TwizAdmin / crpx0)
- Distribution: Phishing emails with shipping themes (FedEx). Delivers payloads for both Windows and macOS.
- Behavior: Multi-stage payload. Initial focus is cryptocurrency theft via clipboard replacement (hijacking 8 chains) and theft of BIP-39 seed phrases. It also exfiltrates browser credentials.
- C2: Utilizes a FastAPI-based panel accessible via specific ports (e.g., 1337), requiring a license key, indicating a MaaS model.
- Persistence: Not explicitly detailed in pulse, but likely via scheduled tasks or launch agents given the cross-platform nature.
Lazarus Group (Mach-O Man / PyLangGhostRAT)
- Distribution: "ClickFix" social engineering via Telegram. Victims receive fake collaboration platform links (Zoom, MS Teams).
- Behavior: The lure instructs the user to run a terminal command, often involving
curlorbash, to install a fake update. This deploys the Mach-O Man payload and PyLangGhostRAT. - C2/Exfil: Uses Telegram for exfiltration of stolen credentials and session data.
- Targeting: Specifically aimed at Fintech and Technology sectors utilizing macOS.
APT Infrastructure (APT28 / Energetic Bear / Eagle Werewolf)
- Infrastructure: Heavily reliant on hosting providers in the Middle East, specifically STC. Infrastructure overlaps between APT groups and commodity ransomware (LockBit Black).
- Tooling: Wide use of "Living off the Land" binaries combined with specific RATs (Sliver, AsyncRAT, NetSupport RAT).
IOC Analysis
The provided IOCs include infrastructure and payload artifacts critical for detection:
- Domains:
fanonlyatn.xyz- Associated with the TwizAdmin FastAPI panel and payload delivery.livemicrosft.com- A typo-squatted domain used in the Lazarus Mach-O Man campaign to impersonate Microsoft.
- IPs (Middle East C2): A range of IPs (e.g.,
37.32.15.8,197.51.170.131,94.252.245.193) identified as hosting C2 infrastructure for multiple APT groups. - File Hashes (SHA256): Numerous hashes for the Mach-O binaries targeting macOS and the TwizAdmin payloads.
Operational Guidance:
SOC teams should immediately block the domains and IPs at the perimeter. The file hashes should be uploaded to EDR solutions for scanning. The typo-squatting nature of livemicrosft.com suggests a need for DNS filtering that catches character substitutions.
Detection Engineering
---
title: Potential Lazarus Mach-O Man ClickFix Activity
description: Detects suspicious terminal execution spawned by browsers on macOS, typical of ClickFix attacks used by Lazarus Group.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
- https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
- attack.initial_access
- attack.t1189
- attack.execution
- attack.t1059.004
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|endswith:
- '/Safari'
- '/Google Chrome'
- '/Firefox'
Image|endswith:
- '/bin/bash'
- '/bin/sh'
- '/usr/bin/osascript'
- '/usr/bin/curl'
CommandLine|contains:
- 'curl'
- 'bash -c'
- 'powershell' # rare on mac but possible in emu
condition: selection
falsepositives:
- Legitimate developer tools or user scripts
level: high
---
title: TwizAdmin C2 Infrastructure Connection
description: Detects network connections to known TwizAdmin C2 domains or specific FastAPI panel ports.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
- https://intel.breakglass.tech/post/twizadmin-103-241-66
tags:
- attack.command_and_control
- attack.c2
- attack.t1071.001
logsource:
category: network_connection
detection:
selection_domain:
DestinationHostname|contains:
- 'fanonlyatn.xyz'
selection_port:
DestinationPort: 1337
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
---
title: Middle East APT C2 Traffic Detection
description: Detects outbound connections to IP addresses identified as hosting C2 infrastructure for multiple APT groups in the Middle East.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
- https://hunt.io/blog/middle-east-malicious-infrastructure-report
tags:
- attack.command_and_control
- attack.g0049
- attack.g0085
logsource:
category: network_connection
detection:
selection:
DestinationIp|in:
- '37.32.15.8'
- '197.51.170.131'
- '5.109.182.231'
- '93.113.62.247'
- '94.252.245.193'
condition: selection
falsepositives:
- Legitimate traffic to the region (unlikely for these specific IPs)
level: high
kql
// Hunt for ClickFix indicators and suspicious process chains on macOS
DeviceProcessEvents
| where Timestamp > ago(1d)
| where OSPlatform == "macOS"
| where InitiatingProcessFileName in ("Safari", "Google Chrome", "firefox")
| where FileName in ("bash", "sh", "curl", "osascript")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend ClickFixRisk = iif(ProcessCommandLine contains "livemicrosft.com" or ProcessCommandLine contains "meeting" or ProcessCommandLine contains "zoom", "High", "Medium")
// Hunt for network connections to Middle East C2 Infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("37.32.15.8", "197.51.170.131", "5.109.182.231", "93.113.62.247", "94.252.245.193")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
// Hunt for TwizAdmin Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "fanonlyatn.xyz"
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessAccountName, InitiatingProcessFileName
powershell
# PowerShell IOC Hunt Script for TwizAdmin & ME C2 Infrastructure
# Requires Admin Privileges
Write-Host "Starting Threat Hunt for TwizAdmin and Middle East C2 IOCs..." -ForegroundColor Cyan
# 1. Check for established network connections to malicious IPs
$maliciousIPs = @(
"37.32.15.8",
"197.51.170.131",
"5.109.182.231",
"93.113.62.247",
"94.252.245.193"
)
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($ip in $maliciousIPs) {
$found = $connections | Where-Object { $_.RemoteAddress -eq $ip }
if ($found) {
Write-Host "[ALERT] Active connection to C2 IP detected: $ip" -ForegroundColor Red
Write-Host $found | Format-Table
}
}
# 2. Check DNS Cache for TwizAdmin / Lazarus domains
$domains = @("fanonlyatn.xyz", "livemicrosft.com")
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $domains) {
$found = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
if ($found) {
Write-Host "[WARNING] DNS cache entry found for suspicious domain: $domain" -ForegroundColor Yellow
Write-Host $found | Format-Table
}
}
# 3. Scan specific User Downloads folders for suspicious file extensions (MacOS specific logic adapted for Win check)
# This serves as a placeholder for cross-environment awareness
Write-Host "Hunt complete. Review alerts above." -ForegroundColor Green
# Response Priorities
**Immediate (0-24h):**
* Block all listed IP addresses and domains (`fanonlyatn.xyz`, `livemicrosft.com`) at the firewall and proxy level.
* Initiate a hunt for file hashes associated with "Mach-O Man" and "TwizAdmin" across all endpoints.
* Isolate any devices showing network connections to the Middle Eastern C2 IPs.
**Within 24h:**
* Identify and reset credentials for users who may have interacted with the "ClickFix" lures or crypto-clipping malware.
* Review browser history and session tokens for Finance/Technology team members, given the Lazarus targeting.
* Investigate any FedEx-related phishing reports in the last 30 days.
**1 Week:**
* Enhance email filtering to block shipping-themed lures and typo-squatted domains.
* Conduct security awareness training specifically focusing on "ClickFix" and fake software update prompts.
* Review egress filtering policies to limit communication to known high-risk hosting regions.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.