TwizAdmin, Mach-O Man & KICS Supply Chain Compromise: OTX Pulse Analysis — Enterprise Detection Pack | Security Arsenal

Recent OTX pulses indicate a convergence of financially motivated credential theft campaigns and state-sponsored espionage operations targeting critical infrastructure and technology sectors.

The DataBreachPlus group is actively pushing the multi-stage TwizAdmin malware, which combines crypto-clipping (targeting 8 chains), BIP-39 seed phrase theft, and a crpx0 ransomware module managed via a FastAPI C2 panel. Concurrently, the Lazarus Group has resurfaced with the Mach-O Man malware kit, employing "ClickFix" social engineering via Telegram to distribute PyLangGhostRAT on macOS, specifically targeting financial institutions and tech firms.

A significant supply chain compromise has been identified in the official Checkmarx KICS Docker Hub repository and VS Code extensions by the TeamPCP actor. The Canister Worm and mcpAddon.js artifacts are trojanizing build pipelines to exfiltrate credentials from infrastructure-as-code scans. On the espionage front, FrostyNeighbor is leveraging CVE-2023-38831 and CVE-2024-42009 to deliver PicassoLoader and Cobalt Strike to government entities in Ukraine, Poland, and Lithuania. Finally, the PureLogs infostealer campaign is utilizing PawsRunner steganography to hide payloads within benign PNG images delivered via invoice-themed phishing.

Threat Actor / Malware Profile

Actor / Malware	Distribution Method	Payload Behavior	C2 Communication	Persistence
TwizAdmin (DataBreachPlus)	FedEx-themed phishing lures; multi-platform (Win/macOS).	Clipboard hijacking, BIP-39 seed theft, browser credential exfil, Java RAT, crpx0 ransomware.	FastAPI panel (Port 1337); exfiltrates stolen crypto keys and browser data.	Scheduled tasks / LaunchAgents (macOS).
Mach-O Man (Lazarus)	Telegram "ClickFix" attacks; fake meeting invites (Zoom/Teams).	PowerShell/Bash script execution; PyLangGhostRAT deployment; credential theft.	Exfiltration via Telegram channels.	Cron jobs / Launch Daemons.
TeamPCP (Canister Worm)	Supply Chain: Poisoned Docker Hub images (v2.1.20+), VS Code Extensions.	Infects KICS binary; encrypts and exfiltrates scan reports containing secrets/creds.	Unauthorized external endpoints (encrypted).	Containerized persistence; VS Code extension auto-load.
PureLogs (PawsRunner)	Phishing with TXZ archives; Invoice lures.	Steganography loader decrypts .NET infostealer from PNG files; env variable obfuscation.	HTTP/HTTPS to C2 domains (e.g., everycarebd.com).	Registry Run keys / Startup folder.
FrostyNeighbor	Spearphishing with weaponized archives (CVE-2023-38831).	PicassoLoader execution; Cobalt Strike Beacon deployment.	Standard Cobalt Strike HTTP/S Beacons.	Service creation; WMI event subscription.

IOC Analysis

The provided indicators span multiple categories requiring immediate operationalization:

Domains & URLs: Key indicators include fanonlyatn.xyz (TwizAdmin C2/Loader), livemicrosft.com (Lazarus typosquatting), and everycarebd.com (PureLogs C2). SOC teams should immediately add these to DNS blocklists (RPZ) and web proxy deny lists.
File Hashes: A significant volume of SHA256 hashes are provided for the TwizAdmin and Mach-O Man binaries. These must be uploaded to EDR solutions for "Block File" policies. Notably, MD5 and SHA1 hashes are provided for the compromised KICS Docker images; CI/CD pipelines must scan artifacts against these hashes before build.
Network IPs: 5.101.84.202 (PureLogs) and 103.241.66[.]238 (TwizAdmin) should be blocked at the perimeter firewall.
Hostnames: FrostyNeighbor uses various dynamic DNS subdomains (e.g., *.alexavegas.icu, *.needbinding.icu). Regex-based blocking for these parent domains is recommended.

Detection Engineering

Sigma Rules

YAML

title: Suspicious PowerShell Command Line Base64 Decode
description: Detects PowerShell commands with base64 decoding often used by PureLogs PawsRunner and other loaders.
references:
  - https://otx.alienvault.com/pulse/664d7e63e8c7b31ac7418608
tags:
  - attack.defense_evasion
  - attack.t1027
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'FromBase64CharArray'
      - ' -enc '
      - ' -encodedcommand '
  condition: selection
falsepositives:
  - Administrative scripts
level: high

date: 2026/05/23
---
title: TwizAdmin C2 Network Connection
description: Detects network connections to known TwizAdmin C2 infrastructure fanonlyatn.xyz.
references:
  - https://otx.alienvault.com/pulse/664d7e63e8c7b31ac7418608
tags:
  - attack.command_and_control
  - attack.c2
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'fanonlyatn.xyz'
  condition: selection
falsepositives:
  - Unknown
level: critical

date: 2026/05/23
---
title: Potential CVE-2023-38831 Exploitation WinRAR
description: Detects suspicious process creation patterns indicative of WinRAR exploit chain used by FrostyNeighbor.
references:
  - https://otx.alienvault.com/pulse/664d7e63e8c7b31ac7418608
tags:
  - attack.initial_access
  - attack.t1203
  - cve.2023.38831
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    Image|endswith:
      - '\WinRAR.exe'
      - '\rar.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate archive extraction scripts
level: high

date: 2026/05/23

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for TwizAdmin and Lazarus C2 Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com") 
   or RemoteUrl contains "alexavegas.icu" 
   or RemoteUrl contains "needbinding.icu"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend ThreatActor = case(
    RemoteUrl contains "fanonlyatn", "TwizAdmin",
    RemoteUrl contains "livemicrosft", "Lazarus/Mach-O Man",
    RemoteUrl contains "everycarebd", "PureLogs",
    RemoteUrl contains "icu", "FrostyNeighbor",
    "Unknown"
)

// Hunt for Steganography/PowerShell Loader behavior (PureLogs)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "FromBase64String" or ProcessCommandLine has "-enc"
| where ProcessCommandLine has "System.Drawing" or ProcessCommandLine has "Bitmap" 
   // Common in steganography loaders like PawsRunner
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell

# IOC Hunt for TwizAdmin, Mach-O Man, and Supply Chain Artifacts
$ErrorActionPreference = "SilentlyContinue"

Write-Host "[*] Starting IOC Hunt for OTX Pulse Activity..." -ForegroundColor Cyan

# 1. Check for specific file hashes mentioned in pulses
Write-Host "\n[+] Scanning for Malicious File Hashes..." -ForegroundColor Yellow
$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", # TwizAdmin
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90", # Mach-O Man (Conceptual check)
    "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b"  # KICS Malicious
)

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Hash in $TargetHashes) {
    foreach ($Drive in $Drives) {
        Write-Host "   Checking for hash $Hash on $Drive..."
        Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object { $_.Hash -eq $Hash } | Select-Object Path, Hash | Format-Table -AutoSize
    }
}

# 2. Check for Persistence Mechanisms (Scheduled Tasks)
Write-Host "\n[+] Checking Scheduled Tasks for suspicious triggers..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -and $_.Actions.Arguments -like "*enc*" } | Select-Object TaskName, TaskPath, Actions | Format-List

# 3. Check Host File Entries for Typosquatting
Write-Host "\n[+] Checking Hosts file for Lazarus Typosquatting..." -ForegroundColor Yellow
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    Select-String -Path $HostsPath -Pattern "livemicrosft|fanonlyatn|everycarebd" -SimpleMatch
}

Write-Host "\n[*] Hunt Complete." -ForegroundColor Green

Response Priorities

Immediate:
- Block all listed IOCs (Domains: fanonlyatn.xyz, livemicrosft.com, everycarebd.com, *.icu FQDNs) at the firewall, proxy, and DNS layers.
- Isolate any endpoints with confirmed hits on the provided SHA256 hashes or Sigma rules.
- Identify and quarantine instances of the compromised Checkmarx KICS Docker images (v2.1.20, v2.1.21, alpine) and update to clean versions immediately.
24 Hours:
- Initiate credential reset for privileged accounts and users identified in the infostealer logs (TwizAdmin/PureLogs).
- Review browser extension logs for the compromised VS Code extensions (versions 1.17.0, 1.19.0) within the organization.
- Conduct memory forensics on endpoints showing signs of PicassoLoader or Cobalt Strike (FrostyNeighbor) to identify lateral movement.
1 Week:
- Harden CI/CD pipelines: implement image scanning for Docker Hub pulls and verify signatures for VS Code extensions.
- Enforce application control (AppLocker) to prevent unsigned/unknown PowerShell execution and terminal commands triggered by social engineering (ClickFix).
- Review and patch systems against CVE-2023-38831 and CVE-2024-42009 used by FrostyNeighbor.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

TwizAdmin, Mach-O Man & KICS Supply Chain Compromise: OTX Pulse Analysis — Enterprise Detection Pack