Back to Intelligence

TwizAdmin, Mach-O Man & Void Dokkaebi: Multi-Platform Infostealer & Supply Chain Attacks

SA
Security Arsenal Team
April 22, 2026
6 min read

Excerpt

Active campaigns by Lazarus & DataBreachPlus target devs & macOS via ClickFix & repo poisoning to steal credentials and crypto assets.

Threat Summary

Recent OTX pulses reveal a convergence of state-sponsored (Lazarus Group, Void Dokkaebi) and cybercriminal (DataBreachPlus) operations aggressively targeting credentials and digital assets. These campaigns collectively utilize "ClickFix" social engineering (fake CAPTCHAs/meeting invites), supply chain compromises (poisoned Git repositories), and multi-platform malware loaders (Windows/macOS) to deploy infostealers like TwizAdmin, Mach-O Man, and BeaverTail. The primary objectives are the theft of cryptocurrency seed phrases, browser session cookies, and corporate developer credentials, leveraging both FastAPI C2 panels and Telegram for exfiltration.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Type: Malware-as-a-Service (MaaS) / Multi-Stage Payload
  • Distribution: FedEx-themed lures delivering executables.
  • Capabilities: Combines a crypto clipper (8 chains), BIP-39 seed phrase thief, browser credential stealer, and a ransomware module (crpx0). Managed via a FastAPI C2 panel on port 1337.

Mach-O Man (Lazarus Group)

  • Type: macOS Targeted Malware
  • Distribution: ClickFix attacks via fake Telegram meeting invitations redirecting to fraudulent collaboration sites (Zoom/Teams). Victims are tricked into running terminal commands.
  • Capabilities: Deploys PyLangGhostRAT for data exfiltration via Telegram. Focuses on stealing browser data and system information.

Void Dokkaebi (WageMole)

  • Type: Supply Chain / Developer Targeting
  • Distribution: Fake job interviews on LinkedIn/Telegram leading to cloning of malicious Git repositories.
  • Capabilities: Uses malicious VS Code tasks (tasks.) to execute malware (DEV#POPPER RAT, InvisibleFerret) upon opening the project. Tampering with Git history for persistence.

macOS ClickFix (Unknown)

  • Type: Phishing / Infostealer
  • Distribution: Fake CAPTCHA pages triggering AppleScript execution.
  • Capabilities: Harverst keychain databases, credentials, and cookies from 12 browsers, 200+ extensions, and 16 crypto wallets.

StepDrainer

  • Type: Crypto Drainer MaaS
  • Capabilities: Smart contract abuse targeting ERC-20 tokens and NFTs across 20+ blockchains.

IOC Analysis

The provided indicators span multiple infrastructure types supporting these operations:

  • IPv4 Addresses: Includes C2 servers for TwizAdmin (103.241.66.238) and ClickFix panels (172.94.9.250). SOC teams should firewall these immediately.
  • Domains: A mix of typosquatting (e.g., livemicrosft.com for Lazarus) and dynamic DNS used for payload hosting (e.g., fanonlyatn.xyz, spot-wave.fun). These should be blocked at the DNS layer.
  • File Hashes: Mostly SHA256 for sophisticated payloads (Mach-O binaries, Python RATs) and MD5 for simpler AppleScript droppers. Use EDR to scan for these specific hashes.
  • URLs: Direct paths to malware payloads (/files/) and PHP gateways for drainer services.

Operational Guidance: Ingest all IOCs into SIEM for correlation. Focus on network logs (Firewall/Proxy) for the domains and IPs, and EDR alerts for the file hashes. The specific IP 103.241.66.238 on port 1337 is a strong indicator of TwizAdmin C2 activity.

Detection Engineering

YAML
---
title: Potential macOS ClickFix Terminal Command Execution
id: 8c7b3d1a-5e2f-4a1c-9b0e-1f2a3b4c5d6e
description: Detects suspicious execution patterns often associated with macOS ClickFix attacks where a curl command pipes into bash or osascript, commonly seen in Mach-O Man and Fake Capcha campaigns.
status: experimental
date: 2026/04/22
author: Security Arsenal
logsource:
  product: macos
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/osascript'
      - '/zsh'
    CommandLine|contains:
      - 'curl '
      - 'wget '
  condition: selection | count(CommandLine) > 3
falsepositives:
  - Legitimate software installation scripts
level: high
tags:
  - attack.execution
  - attack.t1059.004
  - osx.clickfix
---
title: VS Code Task Executing Suspicious Processes
id: 9d8c4e2b-6f3a-5b2d-0c1f-2a3b4c5d6e7f
description: Detects exploitation of VS Code tasks as used by Void Dokkaebi. Identifies code.exe or electron spawning shell processes like powershell or cmd in the context of a project directory.
status: experimental
date: 2026/04/22
author: Security Arsenal
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Code.exe'
      - '\Applications\Visual Studio Code.app\Contents\MacOS\Electron'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '/bin/bash'
      - '/bin/sh'
    CommandLine|contains:
      - 'npm'
      - 'node'
      - 'python'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate developer build tasks
level: medium
tags:
  - attack.execution
  - attack.t1204
  - supply.chain.attack
---
title: TwizAdmin C2 Network Connection
id: 0e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
description: Detects outbound connections to non-standard HTTP ports associated with TwizAdmin FastAPI C2 panels (Port 1337) or known specific IPs from the pulse.
status: experimental
date: 2026/04/22
author: Security Arsenal
logsource:
  category: network_connection
detection:
  selection_port:
    DestinationPort: 1337
  selection_ip:
    DestinationIp|contains:
      - '103.241.66'
      - '31.31.198'
  condition: 1 of selection*
falsepositives:
  - Legitimate use of port 1337 for local development (rare externally)
level: critical
tags:
  - attack.command_and_control
  - attack.c2
  - malware.twizadmin


kql
// Hunt for network connections to known C2 infrastructure and malicious domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 1337 
   or RemoteUrl has "fanonlyatn.xyz" 
   or RemoteUrl has "livemicrosft.com"
   or RemoteUrl has "bull-run.fun"
   or RemoteUrl has "spot-wave.fun"
   or RemoteUrl has "scanclaw.live"
   or RemoteUrl has "moonscan.live"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IOCMatch = "TwizAdmin / Lazarus / ClickFix"


powershell
# IOC Hunt Script for Windows Environments
# Checks for presence of malicious file hashes and specific network connections

$maliciousHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "e12285f507c847b986233991b86b22e3" # MD5 from macOS pulse, checking Windows just in case
)

$maliciousDomains = @(
    "fanonlyatn.xyz",
    "livemicrosft.com",
    "bull-run.fun",
    "spot-wave.fun"
)

Write-Host "[+] Scanning for TwizAdmin and Lazarus related IOCs..." -ForegroundColor Cyan

# Check Active Connections
$activeConnections = Get-NetTCPConnection -State Established | Select-Object LocalPort, RemoteAddress, OwningProcess
foreach ($conn in $activeConnections) {
    try {
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction Stop
        $remoteIP = $conn.RemoteAddress
        
        # Check against specific IP ranges mentioned in intel
        if ($remoteIP -like "103.241.66.*" -or $remoteIP -like "31.31.198.*" -or $remoteIP -like "172.94.9.*") {
            Write-Host "[!] Suspicious Connection Found: $remoteIP (Port $($conn.LocalPort)) owned by $($process.ProcessName) (PID: $($conn.OwningProcess))" -ForegroundColor Red
        }
    } catch {
        # Ignore access errors for system processes
    }
}

# Check DNS Cache (requires admin)
try {
    $dnsCache = Get-DnsClientCache | Where-Object { $maliciousDomains -contains $_.Entry }
    if ($dnsCache) {
        Write-Host "[!] Malicious Domain found in DNS Cache:" -ForegroundColor Red
        $dnsCache | Format-Table Entry, Data, TimeToLive
    } else {
        Write-Host "[-] No malicious domains found in local DNS cache." -ForegroundColor Green
    }
} catch {
    Write-Host "[-] Could not access DNS cache. Run as Administrator." -ForegroundColor Yellow
}

Write-Host "[+] Hunt Complete."

Response Priorities

Immediate

  • Block all listed IOCs at the firewall, proxy, and EDR levels.
  • Isolate any endpoints communicating with 103.241.66.238 or 172.94.9.250.
  • Scan for the presence of the provided SHA256 file hashes.

24 Hours

  • Initiate credential resets for developer accounts and users with suspected crypto wallet access.
  • Audit recent Git repository clones and package. or tasks. files for malicious injections (Void Dokkaebi).
  • Review macOS logs for terminal execution history triggered by non-technical users (ClickFix).

1 Week

  • Implement strict allowlisting for terminal applications on macOS endpoints.
  • Harden VS Code environments: disable automatic task execution and trust only signed repositories.
  • Conduct security awareness training focused on identifying "ClickFix" social engineering and fake job recruitment scams.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealerclickfixsupply-chainlazarus-groupcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action