TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

Published 22/04/2026 12:41 · Modified 22/04/2026 15:32

Essential information

Tags: 2026-04-22, crpx0, crypto clipper, cryptocurrency theft, infostealer, maas, multi-platform, ransomware, russian-speaking, twizadmin
Related entities: 19 observables, 1 intrusion set (APT), 2 malware, 5 others

Description

A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337. It combines cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, module (), and a Java RAT builder, all managed via a FastAPI-based panel with a license key system. The operation targets Windows and macOS using FedEx- and OnlyFans-themed social engineering lures, and its complete source code was exposed in open directories. The component communicates with three Russian .ru domains resolving to 31.31.198[.]206 on REG.RU hosting, operated under the identity DataBreachPlus with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from the configurations, indicating a Malware-as-a-Service operation with tiered licensing.

External references