Back to Intelligence

TwizAdmin, Mach-O Man & KICS Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 24, 2026
6 min read

Threat Summary

Recent intelligence from AlienVault OTX reveals a convergence of sophisticated credential theft and financial fraud operations. The landscape is dominated by the Lazarus Group deploying the new "Mach-O Man" macOS malware via ClickFix social engineering, and the emergence of TwizAdmin, a complex multi-stage operation combining crypto-clipping, infostealing, and ransomware capabilities. Simultaneously, a critical supply chain compromise of the Checkmarx KICS tool (TeamPCP) and a steganography-based campaign (PureLogs) highlight the evolution of delivery mechanisms aimed at bypassing traditional detection. These campaigns collectively target financial assets, cryptocurrency wallets, and intellectual property across Windows, macOS, and containerized environments.

Threat Actor / Malware Profile

1. TwizAdmin (DataBreachPlus)

  • Type: Multi-stage Malware-as-a-Service (MaaS).
  • Distribution: Phishing lures impersonating FedEx and logistics entities.
  • Payload: Modular loader featuring a crypto-clipper (supporting 8 blockchains), BIP-39 seed phrase thief, and the crpx0 ransomware module.
  • C2: FastAPI-based panel on port 1337, utilizing a license key system for operator management.

2. Mach-O Man / PyLangGhostRAT (Lazarus Group)

  • Type: macOS Targeted Attack.
  • Distribution: "ClickFix" attacks via Telegram; fake meeting invites leading to fraudulent collaboration pages (Zoom/Teams).
  • Payload: Mach-O binaries and Python-based RAT.
  • Behavior: Triggers users to execute terminal commands; performs browser credential theft and exfiltration via Telegram.

3. TeamPCP (KICS Compromise)

  • Type: Supply Chain Attack.
  • Vector: Poisoned Docker Hub images (alpine, v2.1.20, v2.1.21) and VS Code extensions (v1.17.0, v1.19.0) for Checkmarx KICS.
  • Payload: mcpAddon.js, Canister Worm.
  • Objective: Exfiltrates encrypted scan reports containing credentials and secrets from Infrastructure-as-Code (IaC) scans.

4. PureLogs (PawsRunner)

  • Type: Steganography Loader.
  • Distribution: Phishing emails with TXZ archives (invoice themes).
  • Payload: .NET Infostealer.
  • Behavior: Uses PowerShell to decode and extract malicious payloads hidden within PNG image files, leveraging environment variables to obfuscate commands.

5. FrostyNeighbor

  • Type: Cyberespionage (Belarus-linked).
  • Target: Government, Defense, Telecommunications in Ukraine, Poland, Lithuania.
  • Tools: PicassoLoader, Cobalt Strike.
  • Technique: Spearphishing with exploits for CVE-2023-38831 and CVE-2024-42009.

IOC Analysis

The provided IOCs span multiple layers of the infrastructure:

  • Domains/URLs: Key delivery domains include fanonlyatn.xyz (TwizAdmin), livemicrosft.com (Lazarus typo-squatting), and everycarebd.com (PureLogs). These should be immediately blocked at the perimeter and DNS layer.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes are provided for the trojanized KICS binaries and malware loaders.
  • Operationalization: SOC teams should ingest the SHA256 hashes (e.g., 06299676b437...) into EDR solutions for immediate scanning. The Docker image tags for KICS should be pulled from any internal registries and images re-built using verified versions.

Detection Engineering

Sigma Rules

YAML
title: PureLogs Steganography PowerShell Activity
description: Detects PowerShell commands indicative of the PawsRunner loader decoding image files, associated with PureLogs infostealer.
status: experimental
date: 2026/05/24
tags:
  - attack.defense_evasion
  - attack.t1027
logsource:
  product: windows
  category: process_creation
detection:
  selection_pwsh:
    Image|endswith: '\powershell.exe'
  selection_keywords:
    CommandLine|contains:
      - 'System.Drawing.Bitmap'
      - 'FromBase64String'
      - 'PNG'
  condition: all of selection_*
falsepositives:
  - Legitimate image processing scripts
level: high
---
title: KICS Supply Chain Compromise Execution
id: 4a6b8f2c-1d9e-4b2a-8f7c-9d1e2f3a4b5c
description: Detects execution of the compromised Checkmarx KICS binary or related processes (kics) with known malicious MD5 hashes or from suspicious contexts.
status: experimental
date: 2026/05/24
references:
  - https://socket.dev/blog/checkmarx-supply-chain-compromise
logsource:
  product: linux
  category: process_creation
detection:
  selection_img:
    Image|endswith: '/kics'
  selection_hashes:
    Hashes|contains:
      - 'd47de3772f2d61a043e7047431efcf4' # MD5
      - 'e1023db24a29ab0229d99764e2c8deba' # MD5
  condition: all of selection_*
level: critical
---
title: Lazarus Mach-O Man ClickFix Terminal Execution
description: Detects suspicious terminal execution patterns often seen in macOS ClickFix attacks where a curl command pipes directly to bash or python, typical of Mach-O Man distribution.
status: experimental
date: 2026/05/24
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: macos
category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '/Telegram'
      - '/Google Chrome'
      - '/Safari'
  selection_cli:
    CommandLine|contains:
      - 'curl | bash'
      - 'curl | python'
      - 'curl | sh'
  condition: all of selection_*
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for domains and IPs associated with TwizAdmin, PureLogs, and Lazarus
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("fanonlyatn.xyz", "livemicrosft.com", "everycarebd.com", "alexavegas.icu", "needbinding.icu") 
   or RemoteIP in ("5.101.84.202", "103.241.66.238")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend URL_Host = tostring(parse_url(RemoteUrl).Host))

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for TwizAdmin, PureLogs, and KICS Malware.
.DESCRIPTION
    Scans the file system for specific file hashes found in the OTX Pulse.
#>

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
    "d47de3772f2d61a043e7047431efcf4", # MD5 KICS
    "e1023db24a29ab0229d99764e2c8deba"  # MD5 KICS
)

Write-Host "[+] Scanning for known malicious IOCs (TwizAdmin, Lazarus, KICS)..." -ForegroundColor Cyan

# Get fixed drives
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }

foreach ($Drive in $Drives) {
    $Path = $Drive.Root
    Write-Host "[Scanning] $Path" -ForegroundColor Yellow
    
    try {
        # Using Get-ChildItem with -Recurse can be slow; limit to common temp/appdata paths for speed in production
        $Files = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -File
        
        foreach ($File in $Files) {
            $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] MATCH FOUND: $($File.FullName) (SHA256: $Hash)" -ForegroundColor Red
            }
            
            # Quick check for MD5 for KICS specific IoCs if file is named 'kics'
            if ($File.Name -eq 'kics') {
                $MD5 = (Get-FileHash -Path $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                if ($TargetHashes -contains $MD5) {
                    Write-Host "[!] MATCH FOUND: $($File.FullName) (MD5: $MD5)" -ForegroundColor Red
                }
            }
        }
    } catch {
        # Ignore access errors
    }
}

Write-Host "[+] Scan Complete." -ForegroundColor Green

Response Priorities

Immediate

  • Block Network IOCs: Block all domains and IPs listed in the analysis (fanonlyatn.xyz, livemicrosft.com, 5.101.84.202, etc.) at the firewall and proxy.
  • Container Quarantine: Identify and stop any containers running the compromised Checkmarx KICS Docker tags (v2.1.20, v2.1.21, alpine). Remove VS Code extension versions 1.17.0 and 1.19.0 immediately.
  • Hunt for Artifacts: Run the provided PowerShell script to scan endpoints for TwizAdmin and Lazarus binaries.

24 Hours

  • Credential Reset: If credential theft (PureLogs, TwizAdmin, Mach-O Man) is suspected in the environment, force a password reset for privileged accounts and revoke/re-issue cryptocurrency API keys.
  • Session Review: Audit logs for access to livemicrosft.com (typo-squatting) or suspicious PowerShell activity involving image decoding.

1 Week

  • Supply Chain Hardening: Implement SBOM (Software Bill of Materials) scanning for all internal Docker images and verify the integrity of third-party VS Code extensions before deployment.
  • macOS Hardening: Restrict the execution of unsigned Mach-O binaries and educate high-value targets (Finance/Tech) on "ClickFix" social engineering via Telegram.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialstwizadminlazarus-groupsupply-chain-attacksteganographyinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action