{
  "name": "TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation",
  "slug": "twizadmin-multi-stage-crypto-clipper-infostealer-ransomware-operation",
  "description": "A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337. It combines cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, a ransomware module (crpx0), and a Java RAT builder, all managed via a FastAPI-based panel with a license key system. The operation targets Windows and macOS using FedEx- and OnlyFans-themed social engineering lures, with the complete source code exposed in open directories. The ransomware component communicates with three Russian .ru domains resolving to 31.31.198[.]206 at REG.RU hosting, operating under the identity DataBreachPlus with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from configurations, indicating a Malware-as-a-Service operation with tiered licensing.",
  "published": "2026-04-22T10:41:31+00:00",
  "created_at": "2026-04-22T10:41:31+00:00",
  "modified_at": "2026-04-22T13:32:09+00:00",
  "created_at_opencti": "2026-04-22T10:41:31+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-22",
    "crpx0",
    "crypto clipper",
    "cryptocurrency theft",
    "infostealer",
    "maas",
    "multi-platform",
    "ransomware",
    "russian-speaking",
    "twizadmin"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "31.31.198.206"
      },
      {
        "id": "",
        "name": "http://fanonlyatn.xyz/files/"
      },
      {
        "id": "",
        "name": "https://beboss34.ru/crpx0/notify.php"
      },
      {
        "id": "",
        "name": "https://mekhovaya-shuba.ru/crpx0/notify.php"
      },
      {
        "id": "",
        "name": "https://fanonlyatn.xyz/api.php"
      },
      {
        "id": "",
        "name": "https://fanonlyatn.xyz/builds/"
      },
      {
        "id": "",
        "name": "https://fanonlyatn.xyz/files/"
      },
      {
        "id": "",
        "name": "https://fanonlyatn.xyz/api_address_match.php"
      },
      {
        "id": "",
        "name": "www.fanonlyatn.xyz"
      },
      {
        "id": "",
        "name": "https://fanonlyatn.xyz/api_dropper_log.php"
      },
      {
        "id": "",
        "name": "https://caribb.ru/crpx0/notify.php"
      },
      {
        "id": "",
        "name": "https://fanonlyatn.xyz"
      },
      {
        "id": "",
        "name": "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec"
      },
      {
        "id": "",
        "name": "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527"
      },
      {
        "id": "",
        "name": "f7ddba605e3d04e06d2f7b0fc4a38027ae58ca65a69d800dd2f43c8e94ca8396"
      },
      {
        "id": "",
        "name": "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4"
      },
      {
        "id": "",
        "name": "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150"
      },
      {
        "id": "",
        "name": "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092"
      },
      {
        "id": "",
        "name": "aa11f154b17a4f81f951dbeaab78b58ea012f5b6ea16e4f894bd90971e01bae4"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:24e7f7567597a43c",
        "name": "crpx0",
        "slug": "crpx0"
      },
      {
        "id": "legacy:malware:825043acdd24e421",
        "name": "TwizAdmin",
        "slug": "twizadmin"
      }
    ],
    "intrusion_sets": [
      {
        "id": "19180644-855d-421e-909f-e3556a0abead",
        "name": "DataBreachPlus",
        "slug": "databreachplus"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "mekhovaya-shuba.ru"
      },
      {
        "id": "",
        "name": "secure-shard-091.of-cdn.com"
      },
      {
        "id": "",
        "name": "caribb.ru"
      },
      {
        "id": "",
        "name": "beboss34.ru"
      },
      {
        "id": "",
        "name": "fanonlyatn.xyz"
      }
    ]
  },
  "external_refs": [
    "https://intel.breakglass.tech/post/twizadmin-103-241-66",
    "https://otx.alienvault.com/pulse/69e8c1fb96869b14e2c565a2"
  ]
}