TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation
A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337. It combines cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, a ransomware module (crpx0), and a Java RAT builder, all managed via a FastAPI-based panel with a license key system. The operation targets Windows and macOS using FedEx- and OnlyFans-themed social engineering lures, and its complete source code is exposed in open directories. The ransomware component communicates with three Russian .ru domains resolving to 31.31.198[.]206 at REG.RU hosting, operating under the identity DataBreachPlus with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from the configurations, indicating a Malware-as-a-Service operation with tiered licensing.
AI Analysis
Technical Summary
TwizAdmin is a multi-platform malware operation combining several malicious capabilities: cryptocurrency clipboard hijacking for eight different chains, theft of BIP-39 seed phrases, browser credential theft, ransomware deployment (crpx0), and a Java RAT builder. It is controlled through a FastAPI-based panel that includes a license key system, indicating a commercial MaaS model. The malware uses social engineering themed around FedEx and OnlyFans to lure victims. The ransomware communicates with three Russian domains resolving to an IP hosted by REG.RU, operated by an adversary known as DataBreachPlus. The operation includes exposed source code and multiple cryptocurrency wallet addresses, suggesting an organized and monetized campaign. No CVE or patch information is available, and no exploits in the wild are currently known.
Potential Impact
The malware can steal sensitive information including cryptocurrency wallet data (clipboard hijacking and seed phrase theft) and browser credentials, potentially leading to financial theft and account compromise. The ransomware module can encrypt victim files, causing data loss or operational disruption. The presence of a RAT builder further increases the risk of persistent remote access and additional malicious activities. The exposed source code and MaaS model suggest potential widespread distribution and ongoing development.
Mitigation Recommendations
There is no official patch or remediation available for this malware operation. Organizations should focus on detection and prevention by monitoring for the provided indicators of compromise (IPs, domains, URLs, and file hashes). User education to recognize social engineering lures themed around FedEx and OnlyFans is recommended. Since this is a MaaS operation with exposed source code, vigilance against new variants is necessary. Incident response should include isolating infected systems and restoring from backups if ransomware is deployed.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://intel.breakglass.tech/post/twizadmin-103-241-66
- Adversary: DataBreachPlus
- Pulse ID: 69e8c1fb96869b14e2c565a2
- Threat Score: null
Threat ID: 69e8e9b919fe3cd2cdc8829a
Added to database: 4/22/2026, 3:31:05 PM
Last enriched: 4/22/2026, 3:46:43 PM
Last updated: 4/23/2026, 12:33:42 AM