Back to Intelligence

TwizAdmin, Mach-O Man & Void Dokkaebi: Multi-Platform MaaS & Supply Chain Threats

SA
Security Arsenal Team
April 22, 2026
6 min read

Active APT campaigns detected: DataBreachPlus TwizAdmin MaaS, Lazarus Mach-O Man macOS malware, and Void Dokkaebi repo poisoning targeting crypto & finance. Urgency: High.

Threat Summary

OTX pulse data for late April 2026 reveals a convergence of sophisticated, financially motivated threats utilizing Malware-as-a-Service (MaaS) frameworks and supply chain infiltration. Three distinct actors—DataBreachPlus, Lazarus Group, and WageMole (Void Dokkaebi)—are actively conducting campaigns characterized by complex delivery mechanisms. The primary objectives across these campaigns are cryptocurrency theft (via clippers and seed phrase stealers), credential harvesting for lateral movement, and ransomware deployment. Notably, there is a significant shift towards cross-platform capabilities (Windows and macOS) and the exploitation of developer workflows (Git repositories and VS Code) to propagate malware.

Threat Actor / Malware Profile

DataBreachPlus / TwizAdmin

  • Malware Families: TwizAdmin, crpx0
  • Distribution Method: Malicious payloads disguised as shipping/fedex deliveries leading to exposed C2 panels.
  • Payload Behavior: Multi-stage operation starting with a clipboard hijacker supporting eight cryptocurrency chains. Includes a BIP-39 seed phrase thief and browser credential exfiltrator.
  • C2 Communication: Managed via a FastAPI-based panel located at 103.241.66[.]238:1337 with a license key system, enabling the deployment of a Java RAT builder and the crpx0 ransomware module.
  • Persistence: Likely achieved via scheduled tasks or startup entries managed by the Java RAT component.

Lazarus Group / Mach-O Man

  • Malware Families: Mach-O Man, PyLangGhostRAT
  • Distribution Method: "ClickFix" social engineering. Attackers send fake meeting invitations via Telegram, redirecting victims to phishing sites impersonating Zoom, Microsoft Teams, or Google Meet.
  • Payload Behavior: Victims are tricked into running terminal commands to install a collaboration tool, resulting in the execution of a Python-based RAT and Mach-O binaries.
  • C2 Communication: Uses Telegram for exfiltration of stolen credentials and data.
  • Persistence: Uses LaunchAgents or hidden background processes common to macOS malware.

WageMole / Void Dokkaebi

  • Malware Families: DEV#POPPER RAT, InvisibleFerret, OtterCookie, OmniStealer, BeaverTail
  • Distribution Method: Fake job interview lures targeting software developers. Victims are asked to clone malicious Git repositories.
  • Payload Behavior: Self-propagating supply chain attack. Malicious VS Code task configurations and Git history tampering turn the victim's machine into an infection vector for other developers.
  • C2 Communication: Connections to hardcoded C2 IPs for data exfiltration and further payload delivery.
  • Persistence: Exploits VS Code workspace trust and task automation to maintain execution.

IOC Analysis

The provided indicators span the attack chain, offering high-fidelity detection opportunities:

  • Network Infrastructure (IPv4): C2 servers such as 31.31.198.206 (TwizAdmin) and a cluster of IPs associated with Void Dokkaebi (e.g., 166.88.4.2, 85.239.62.36). SOC teams should block these immediately at the perimeter.
  • Domains: Typosquatting and fraudulent domains like livemicrosft.com (Lazarus) and fanonlyatn.xyz (TwizAdmin). These should be added to DNS sinkholes.
  • File Hashes (SHA256): Multiple samples for Mach-O binaries and Windows payloads. These should be loaded into EDR threat feeds to quarantine files on disk.
  • URLs: Distribution paths for malware payloads, often hosted on seemingly benign subdirectories.

Operationalization involves ingesting these hashes into EDR solutions (CrowdStrike, SentinelOne) and blocking IPs/domains in firewalls (Palo Alto, Fortinet) and Secure Web Gateways.

Detection Engineering

Sigma Rules

YAML
---
title: Potential TwizAdmin C2 Panel Connection
id: 4a8b9c1d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects outbound connections to known TwizAdmin C2 infrastructure identified in OTX pulses.
status: experimental
author: Security Arsenal
date: 2026/04/22
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
product: windows
detection:
    selection:
        DestinationIp:
            - '31.31.198.206'
            - '103.241.66.238'
    condition: selection
falsepositives:
    - Legitimate traffic to these IPs (unlikely given their malicious nature)
level: critical
---
title: macOS ClickFix Terminal Execution via Browser
id: b1c2d3e4-f5a6-b7c8-d9e0-f1a2b3c4d5e6
description: Detects potential ClickFix activity where a browser process spawns a Terminal or Shell on macOS.
status: experimental
author: Security Arsenal
date: 2026/04/22
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
product: macos
detection:
    parent:
        Image|endswith:
            - '/Google Chrome'
            - '/Firefox'
            - '/Safari'
    child:
        Image|contains:
            - '/Terminal'
            - '/bin/bash'
            - '/bin/sh'
            - '/bin/zsh'
    condition: parent and child
falsepositives:
    - Legitimate developer workflows launching terminal from browser
level: high
---
title: VS Code Task Execution from Git Directory
id: c2d3e4f5-a6b7-c8d9-e0f1-a2b3c4d5e6f7
description: Detects execution of suspicious binaries or scripts triggered by VS Code tasks often associated with Void Dokkaebi repo poisoning.
status: experimental
author: Security Arsenal
date: 2026/04/22
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
product: windows
detection:
    selection:
        ParentImage|contains: 'Code.exe'
        CommandLine|contains:
            - 'node.exe'
            - 'python.exe'
        CurrentWorkingDirectory|contains: '.git'
    condition: selection
falsepositives:
    - Legitimate build processes using VS Code tasks
level: medium

KQL Hunt

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to Void Dokkaebi and TwizAdmin Infrastructure
DeviceNetworkEvents
| where RemoteIP in ("31.31.198.206", "166.88.4.2", "85.239.62.36", "23.27.20.143", "23.27.202.27", "154.91.0.196")
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName

// Hunt for Mach-O Man ClickFix behavior on macOS (if collecting syslog or equivalent)
DeviceProcessEvents 
| where Timestamp > ago(1d) 
| where OSType == "MacOS" 
| where InitiatingProcessFileName in~ ("Google Chrome", "firefox", "Safari") 
| where FileName in~ ("osascript", "Terminal", "bash", "sh", "zsh") 
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

// Hunt for file hash presence
DeviceFileEvents
| where SHA256 in ("06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092", "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90")
| project Timestamp, DeviceName, FolderPath, FileName, SHA256

PowerShell Hunt Script

PowerShell
# IOC Hunter for TwizAdmin and Void Dokkaebi C2 IPs
$MaliciousIPs = @(
    "31.31.198.206",
    "166.88.4.2",
    "85.239.62.36",
    "23.27.20.143",
    "23.27.202.27"
)

$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($IP in $MaliciousIPs) {
    $Hits = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Hits) {
        Write-Warning "[!] Suspicious connection found to $IP"
        $Hits | ForEach-Object {
            $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "PID: $($_.OwningProcess) Process: $($Process.ProcessName) LocalPort: $($_.LocalPort)"
        }
    }
}

# Scan for specific file hashes in common download directories
$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90"
)

$Paths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "C:\Temp")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Warning "[!] Malicious file found: $($_.FullName)"
            }
        }
    }
}

Response Priorities

  • Immediate: Block all listed IPs and domains at the firewall and proxy level. Quarantine endpoints matching the provided file hashes.
  • 24h: Initiate credential resets for finance and development teams due to the prevalence of infostealers (OmniStealer, TwizAdmin credential module). Investigate Git repositories for signs of tampering (supply chain audit).
  • 1 week: Implement strict application allowlisting for VS Code extensions and tasks. Harden macOS endpoints against "ClickFix" by restricting terminal execution spawned by browsers and educating users on fake meeting lures.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-apttwizadminmach-o-manvoid-dokkaebisupply-chaincredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action