
Needle: Inside a Previously Undocumented Crimeware Platform Hidden Behind a Phorpiex Worm — With Wallet Drainers for 8 Blockchains, a Private Monero Mining Pool, and 960 Million Credential Servings

We beat the operator by 8 minutes. All 7 payloads captured. The 913KB JS bundle reveals a full MaaS platform with browser and desktop wallet spoofers, stealer, clipper, form grabber, builder, and Telegram C2.

Published April 20, 2026

A single 11KB Phorpiex worm dropper hit MalwareBazaar at 02:10 UTC on April 20, 2026. Phorpiex has been around since 2010 — most analysts would triage this as routine and move on.

We didn't. We downloaded all 7 payloads from the C2 server before the operator noticed and pulled them, approximately 8 minutes later. Behind the distribution server we found Needle, a previously undocumented crimeware-as-a-service platform with browser and desktop wallet spoofers covering 8+ blockchains, a stealer, form grabber, clipper, builder system, launcher framework, and Telegram-integrated C2. Alongside it: a private Monero mining pool actively accepting workers, an exposed MySQL instance, and a spam coordination server that had served 120,000+ credential batches containing plaintext email:password pairs from victims in at least 10 countries before being wiped the same day.

The operator handle TWIZT is hardcoded in one of the payloads. The panel is bilingual — full English and Russian translations. The Needle panel is still live at the time of publication.



The Entry Point

The sample is unremarkable at first glance:

Field           Value
SHA256          d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085
Filename        8j5bsr.exe
File Type       PE32 executable (GUI) Intel 80386
Size            11,264 bytes
First Seen      2026-04-20 02:10:21 UTC
Reporter        Bitsight
VT Detections   47/76
Compiler        Visual Studio 2008 SP1

An 11KB Win32 executable compiled with VS2008. No packing, no obfuscation. The .rdata section contains 7 hardcoded download URLs in UTF-16LE, all pointing to 178.16.54[.]109:

http://178[.]16[.]54[.]109/xmrget.exe
http://178[.]16[.]54[.]109/xmr.exe
http://178[.]16[.]54[.]109/peinf.exe
http://178[.]16[.]54[.]109/1.exe
http://178[.]16[.]54[.]109/2.exe
http://178[.]16[.]54[.]109/3.exe
http://178[.]16[.]54[.]109/4.exe

The dropper calls URLDownloadToFileW for each URL, saves to %TEMP%, then executes via ShellExecuteW. It drops d3333333333333333333333.txt to %TEMP% as an infection marker and checks IsDebuggerPresent before proceeding.

Standard Phorpiex. What it downloads is not.


The C2 Server

178.16.54[.]109 is hosted on AS202412 (Omegatech LTD), a Seychelles-registered shell company with Netherlands IP allocation. The same ASN hosts the spam coordination server. Offshore registration, an NL allocation, and both actor servers on one small ASN is the profile of dedicated bulletproof infrastructure.

Port   Service                     Status
21     ProFTPD                     Open, anonymous login disabled
22     OpenSSH 8.9p1 Ubuntu        Standard admin access
80     nginx 1.18.0                Payload distribution (all files now 404)
3000   nginx 1.29.8                Needle panel (LIVE)
3306   MySQL 8.0.45                Exposed (caching_sha2_password)
6060   Stratum (XMRig-compatible)  Private Monero mining pool (LIVE)

Six services, four of them interesting. The payload server on port 80 was serving all 7 binaries when we first accessed it; within approximately 8 minutes every file returned 404. Either the actor was watching the access logs or something automated was.


7 Payloads, 8 Minutes

We downloaded all 7 payloads before they were pulled. Here is the complete infection chain:

Phorpiex Dropper (11KB)
    |
    +-- Downloads from 178[.]16[.]54[.]109:
    |
    +-- xmrget.exe (12KB) -- XMR Mining Deployer
    |       Downloads xmrig.exe, drops as sysmgnrsv.exe
    |       Mines to :6060 (private pool), 25% CPU, 2 threads
    |       Persists: HKCU\Run\Windows Config
    |
    +-- xmr.exe (7MB) -- XMRig Miner Binary (PE32+ x64)
    |
    +-- peinf.exe (22KB) -- File Harvester ("TWIZTPEINF")
    |       Scans all drives, enumerates files by pattern
    |       Reads registry, exfiltrates to C2
    |
    +-- 1.exe (18KB) -- Phorpiex Propagation Module
    |       Compiled: 2026-04-19 05:14 UTC
    |
    +-- 2.exe (18KB) -- Spam Module (Campaign 2)
    |       Fetches creds from 130[.]12[.]180[.]190/2/
    |       Sends sextortion spam via victim SMTP
    |       Compiled: 2026-04-19 05:08 UTC
    |
    +-- 3.exe (18KB) -- Spam Module (Campaign 3)
    |       Compiled: 2026-04-19 05:16 UTC
    |
    +-- 4.exe (18KB) -- Spam Module (Campaign 4)
            Compiled: 2026-04-20 02:03 UTC (7 minutes before the MalwareBazaar submission)

File Hashes

File         SHA256                                                             Size        Detections
Dropper      d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085   11,264      47/76
xmrget.exe   01f64c61767bc41f039cf2080e61da49c96b14e4d558da6c03128e40ca816799   12,288      53/75
xmr.exe      9639f7ebc6a6d69d7bf5b8bc869e7783a1406088f192868624ad8919e9bfd1d4   7,084,544   60/76
peinf.exe    bcd5bdcd24000fddd5c512609692bdb62208a1c9c6081cbcfd08d53ea171824c   22,528      57/76
1.exe        30c1114e05874981661292fcca63241571eb0186175fcddc61cbc99fd3e52d7b   18,432      55/76
2.exe        0693d1659ff12cecfcc8ac404bec27c0eb9e2251c15a2049dc5e91268bf72e41   18,432      -
3.exe        0bc6aad1faad13f94a2bba6a927a648fc49327ac224d0abe51530f91eb2d1a1c   18,432      -
4.exe        90ffd0ad811d9a85496a7985315343c412bff004d788ccf6d5fec30b2befaff4   18,432      53/76

The compilation timestamps tell a story. The propagation module and spam modules were compiled April 19. The fourth spam module (4.exe) was compiled at 02:03 UTC on April 20 — 7 minutes before the dropper appeared on MalwareBazaar. This is a freshly built campaign.

peinf.exe: The Actor's Signature

The file harvester contains the hardcoded string TWIZTPEINF — a compound of the actor handle TWIZT and the tool identifier PEINF (PE Info). This module enumerates all logical drives via GetLogicalDrives, recursively traverses the file system with FindFirstFileW/FindNextFileW, filters by pattern using PathMatchSpecW, and uses memory-mapped file access (MapViewOfFile) for efficient reading. It queries the registry for installed software paths and exfiltrates findings to the C2.

The mining deployer (xmrget.exe) is configured for stealth — 25% max CPU usage, 2 threads, priority 5. It renames the miner to system-sounding names (sysmgnrsv.exe, sysfrodolv.exe) and deletes the Zone.Identifier alternate data stream to bypass SmartScreen warnings.


Needle: A Complete Crimeware Platform

Port 3000 serves a React SPA titled simply "Needle." We downloaded the complete 913KB JavaScript bundle (index-ChPBnyA0.js, Vite-bundled) and extracted the full feature set from i18n strings, API route definitions, React component props, and service class methods.

Needle is not a botnet panel. It is a full-scale crimeware-as-a-service platform with capabilities that rival or exceed commercial stealers like Lumma, Vidar, or Raccoon — plus integrated wallet draining that those tools don't offer natively.

Browser Wallet Spoofer (v3)

The flagship module. Needle targets browser cryptocurrency wallet extensions and drains balances once the victim enters their wallet password. The build options in the bundle (baseExtension, pinReplacedExtensions, smartPinReplacedExtensions, interceptOriginalPassword, waitForBrowserClose) indicate that the mechanism is replacement rather than in-place hooking: the installed extension is swapped for a trojanized copy while the browser is closed, the replacement is pinned so the toolbar looks unchanged, and the password typed into the look-alike unlock screen is captured.

Targeted extensions (extracted from JS bundle): MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr, OKX Wallet, Brave Wallet.

Supported blockchains: Ethereum, BSC (BNB Chain), Polygon, Solana, Tron, Bitcoin, Litecoin, Dogecoin, Avalanche, Arbitrum, Optimism, Base.

Drain verification: The panel includes links to blockchain explorers for each chain — etherscan.io/tx/, bscscan.com/tx/, polygonscan.com/tx/, solscan.io/tx/, tronscan.org/#/transaction/, mempool.space/tx/, litecoinspace.org/tx/, dogechain.info/tx/, blockchair.com/api — so operators can verify drain transactions in real time.

API key requirements (from settings panel):

  • Ankr API key (ETH / BSC / Polygon / Solana)
  • Blockchair API key (BTC / LTC / DOGE)
  • TronGrid API key (Tron)

Auto-withdrawal: When enabled, Needle automatically transfers drained cryptocurrency to operator-configured withdrawal addresses. No manual intervention required — the victim opens their wallet, enters their password, and Needle drains it.

The panel description, in the developer's own words:

"Browser Wallet Spoofer is a powerful platform for monitoring and managing cryptocurrency wallets. The system automatically collects data on all operations, providing you with full control and transparency over all processes."

And the Russian string, which reads in English as "Browser Wallet Spoofer is a platform for monitoring and managing cryptocurrency wallets":

"Browser Wallet Spoofer — платформа для мониторинга и управления криптовалютными кошельками."

Desktop Wallet Spoofer (v2)

Targets native desktop wallet applications: Ledger, Trezor, Exodus, Atomic, Guarda, TonKeeper, Zelcore, Coinomi. Drains funds after the victim enters their seed phrase. Captures and stores mnemonics for later use. Has its own build system — "Desktop Wallet build finished" appears in the notification strings.

Needle Core

The base module set, described in the JS bundle as:

"Needle Core includes the basic functions of the entire system, such as Form Grabber, Clipper, and others."

Specifically:

Module          What It Steals
Passwords       Saved browser passwords from all profiles
Cookies         Browser cookies from all profiles
Credit Cards    Saved payment cards
Autofill        Browser autofill data
Tokens          Saved tokens from browser storage
History         Browsing history
Extensions      Browser extension data
Browser Keys    Chromium encryption keys (v10 DPAPI-wrapped and v20 app-bound)
FTP Clients     FTP credentials
Telegram        Telegram session data
TXT/wallet.dat  Wallet files from disk (configurable scope)
Screenshots     Desktop screenshots
System Info     System fingerprinting
Form Grabber    Real-time form submission interception
Clipper         Clipboard cryptocurrency address replacement

Builder System

Needle includes a build generation system for creating custom payloads:

createBuild({
    filename: s.trim(),
    apiKey: d,
    platform: i,
    selfDestruct: p,
    baseExtension: F,
    waitForBrowserClose: S,
    pinReplacedExtensions: b,
    smartPinReplacedExtensions: k,
    wallets: R,
    interceptOriginalPassword: true
})

Build parameters include: filename, platform selection, self-destruct toggle, browser close detection, extension pinning (to prevent victim from noticing replaced extensions), and wallet target selection. Each build gets a unique API key for C2 authentication.

Launcher System

A separate launcher builder with additional options: download URL, wallet file injection, auto-run resources, design/icon customization, and Needle Core module toggles per launcher. This allows operators to create branded, targeted payloads.

Inject System

Browser extension injection capabilities — the panel has dedicated "Injects" and "Projects" sections for managing injected content across victim browsers.

Panel Administration

  • Multi-user system with roles (Administrator, standard user) and full CRUD operations
  • Telegram notifications: Configurable bot token + chat ID with notification types for stealer logs (v3), wallet spoofer hits (v2), and panel events. Supports Telegram topic-based routing for organized alert management.
  • Streamer mode: Hides sensitive panel data — designed for operators who stream or record their screens
  • Local lock: Hotkey-activated lockscreen with password/salt-based authentication (using Web Crypto SubtleCrypto.digest). The check is client-side, so it guards a walked-away-from screen, not the session token itself
  • Session lifetime: Configurable session duration
  • API key management: Per-build API keys for C2 authentication
  • Password management: Current/new/confirm password flow with minimum length validation

Panel Authentication

The API uses Bearer token authentication:

Authorization: Bearer <token>

Confirmed endpoints that respond with 401 AUTH_UNAUTHORIZED (exist but require auth):

  • /api/v2/users
  • /api/v2/settings

Confirmed from JS bundle route definitions:

  • /api/v2/settings/session-lifetime
  • /api/v2/settings/telegram/validate-chat
  • /api/v2/settings/telegram/validate-token
  • /api/v2/launcher/builds
  • /api/v2/launcher/builds/wallet-file (POST — file upload)

The login flow uses username + password. The login screen enforces a minimum display duration of 1 second, a UX pattern that is sometimes mistaken for brute-force protection; being client-side, it does not rate-limit the API. A successful login returns a token and user object.


The Mining Pool

Port 6060 runs a private XMRig Stratum mining pool. When we connected and sent a login request with the actor's wallet address, the pool immediately responded:

{
  "result": {
    "id": "fd52aa227525a570",
    "job": {
      "algo": "rx/0",
      "height": 3656789,
      "seed_hash": "fad319ff77e891556552da9c4c70104fff244e1df19e6053c457e41e45136f86",
      "target": "f3220000"
    },
    "extensions": ["algo", "nicehash", "connect", "tls", "keepalive"],
    "status": "OK"
  }
}

Key observations:

  • Algorithm: rx/0 (RandomX), Monero's current proof-of-work algorithm
  • Block height: 3,656,789, consistent with Monero mainnet at the time of capture
  • Status: OK, so the pool is actively handing out work
  • No authentication: a Stratum login carries only the wallet address and a free-form pass/worker string, and the pool issued a job without checking either. Anyone who knows the address can connect and mine to it.
  • Private operation: not tracked by public pool APIs, so there is no pool fee and no public hashrate or worker count from which to estimate the botnet's size

Wallet: 83h9mBvy1LL2qW6c2HeWczYVJQsFDF7RfVqDnaiSfFBdDcxfyJfWhRnZqZkY5chb5b6tmKZ1PPhuQbNgXggCdwTrMYWN8hi

The mining configuration is tuned for stealth: 25% max CPU and 2 threads, although the configured thread priority of 5 is XMRig's highest setting rather than a normal one. The miner drops as sysmgnrsv.exe or sysfrodolv.exe, consonant-heavy, system-sounding names chosen to blend in with legitimate Windows processes.
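What the login exchange looks like from the client side, as an added example rather than the report's own probe: it builds the Stratum login line an XMRig-compatible client sends, parses the reply quoted above (embedded here as a constructed string), and converts the job target to a share difficulty, the number that tells you how the pool throttles shares from infected hosts. The request id and agent string are assumptions; the wallet address is the one from the sample. It never opens a socket, so it runs offline.

```python
import json

# Constructed: the pool's reply exactly as quoted in the report, wrapped in the
# JSON-RPC envelope a Stratum server sends. The wallet is the one from the
# sample; request id and agent string are assumptions of this example.
WALLET = "83h9mBvy1LL2qW6c2HeWczYVJQsFDF7RfVqDnaiSfFBdDcxfyJfWhRnZqZkY5chb5b6tmKZ1PPhuQbNgXggCdwTrMYWN8hi"

POOL_REPLY = json.dumps({
    "id": 1, "jsonrpc": "2.0", "error": None,
    "result": {
        "id": "fd52aa227525a570",
        "job": {
            "algo": "rx/0",
            "height": 3656789,
            "seed_hash": "fad319ff77e891556552da9c4c70104fff244e1df19e6053c457e41e45136f86",
            "target": "f3220000",
        },
        "extensions": ["algo", "nicehash", "connect", "tls", "keepalive"],
        "status": "OK",
    },
})

def build_login(wallet: str, worker: str = "x") -> bytes:
    """The newline-delimited JSON-RPC 'login' line an XMRig-style client sends.
    Note what is absent: no credential beyond the wallet and a free-form pass."""
    msg = {"id": 1, "jsonrpc": "2.0", "method": "login",
           "params": {"login": wallet, "pass": worker,
                      "agent": "probe/0.1", "algo": ["rx/0"]}}
    return (json.dumps(msg, separators=(",", ":")) + "\n").encode()

def target_to_difficulty(target_hex: str) -> int:
    """Job target -> share difficulty.

    Monero pools send a 4-byte (or, for high difficulty, 8-byte) little-endian
    target; difficulty is the all-ones value of that width divided by it.
    """
    raw = bytes.fromhex(target_hex)
    if len(raw) not in (4, 8):
        raise ValueError(f"unexpected target length {len(raw)}")
    value = int.from_bytes(raw, "little")
    if value == 0:
        raise ValueError("zero target")
    return ((1 << (8 * len(raw))) - 1) // value

def parse_job(reply_line) -> dict:
    """Pull the fields an analyst wants from the first pool reply."""
    reply = json.loads(reply_line)
    if reply.get("error"):
        raise RuntimeError(f"pool refused login: {reply['error']}")
    result = reply["result"]
    job = result["job"]
    return {
        "session_id": result["id"],
        "algo": job["algo"],
        "height": job["height"],
        "seed_hash": job["seed_hash"],
        "difficulty": target_to_difficulty(job["target"]),
        "accepted": result.get("status") == "OK",
    }

def looks_like_stratum_login(payload: bytes) -> bool:
    """Port-agnostic check for a Stratum login in a captured TCP payload line."""
    try:
        msg = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return False
    return (isinstance(msg, dict) and msg.get("method") == "login"
            and isinstance(msg.get("params"), dict) and "login" in msg["params"])

if __name__ == "__main__":
    print(build_login(WALLET).decode().rstrip())
    print(parse_job(POOL_REPLY))
```

The target f3220000 decodes to a share difficulty of 480,045, a modest value that fits a pool expecting many low-hashrate workers. The last function is the detection side of the same exchange: match the login shape on any port, since nothing ties this pool to 6060 if the actor moves it.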


The Spam Server: 960 Million Credential Servings

The second actor-controlled server at 130.12.180[.]190 (same AS202412) operated as a spam coordination hub. When ghost-remote first accessed it, nginx on port 80 was serving sequential credential batch files:

/1/n.txt    -- batch counter: 60,791
/2/n.txt    -- batch counter: 59,704
/1/[N].txt  -- ~8,000 email:password pairs per file
/2/[N].txt  -- ~8,000 email:password pairs per file

At least 4 campaign directories existed (/1/ through /4/). Each batch file contained approximately 8,000 plaintext email:password credential pairs.

Scale estimate: 120,000+ batches served across two campaigns alone. At ~8,000 credentials per batch, this represents approximately 960 million credential servings — though the actual unique credential count is lower due to reuse across batches.

Victim Provider Breakdown

From our sampled credential batches (~40,000 pairs):

Provider         Count    Country
web.de           13,231   Germany
videotron.ca     10,736   Canada
163.com          2,078    China
comcast.net      1,183    USA
yahoo.com        886      USA/Global
talktalk.net     681      UK
libero.it        597      Italy
windstream.net   560      USA
126.com          465      China
naver.com        273      South Korea
tiscali.co.uk    268      UK
shaw.ca          255      Canada
icloud.com       216      USA/Global
orange.fr        197      France
t-online.de      167      Germany
wp.pl            158      Poland
bigpond.com      155      Australia

German and Canadian email providers dominate — web.de alone accounts for a third of the sampled credentials. The geographic spread spans at least 10 countries.
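Turning a batch file into the provider breakdown above, as an added example and not Breakglass's tooling: a parser for the email:password layout that splits on the first colon only (passwords can contain colons), normalises domain case, skips junk lines, and emits the rows a CERT notification sheet needs. The sample lines are made-up addresses, not victim data, and the provider-to-country map is a short constructed lookup.

```python
import csv
import io
from collections import Counter

# Constructed sample in the batch-file layout (one email:password per line).
# Made-up addresses; the provider domains match the report's table. Malformed
# and awkward lines are included on purpose.
SAMPLE_BATCH = """\
hans.mueller@web.de:Sommer2024!
j.tremblay@videotron.ca:hockey:99
LI.WEI@163.com:pass:word:x
user@web.de:
not-a-credential
anna@Web.de:Winter#1
kim@naver.com:hello
bob@comcast.net:Abc123
"""

# Assumption: the analyst maintains this lookup; only a few entries are shown.
PROVIDER_COUNTRY = {
    "web.de": "Germany", "videotron.ca": "Canada", "163.com": "China",
    "comcast.net": "USA", "naver.com": "South Korea",
}

def parse_batch(text: str) -> list:
    """Return (email, password) pairs. Split on the first ':' only, since
    passwords may contain ':'; drop lines with no '@' or an empty password."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        pairs.append((email.strip().lower(), password))
    return pairs

def provider_breakdown(pairs) -> Counter:
    """Credential count per mail provider (domain part, already lower-cased)."""
    return Counter(email.rsplit("@", 1)[1] for email, _ in pairs)

def notification_table(counts: Counter) -> list:
    """Rows for a CERT notification sheet, largest provider first."""
    return [
        {"provider": p, "count": n, "country": PROVIDER_COUNTRY.get(p, "unknown")}
        for p, n in counts.most_common()
    ]

def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["provider", "count", "country"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(notification_table(provider_breakdown(parse_batch(SAMPLE_BATCH)))))
```

Counting by provider rather than by address is deliberate: the notification goes to the provider's CERT, and the raw pairs should never leave the analyst's host in the first place.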

The spam server was wiped clean by the time we re-probed. All paths return 404. The actor cleaned house after the payloads were pulled from the distribution server — same operational tempo.


The Sextortion Campaign

The spam modules (4.exe / 90ffd0ad...) contain the complete sextortion email template:

Subject: YOU PERVERT, I RECORDED YOU!

The email claims the sender infected the victim's device with a "private Trojan, R.A.T" and recorded them through their webcam. It demands $800 USD in Bitcoin to wallet 1LK753UYyYXPcUthYTrxgnaGC8qxXN8ZUK and references Binance, Bitrefill, Crypto.com, and KuCoin as purchase methods.

The Bitcoin wallet has zero transactions as of April 20, 2026 — either a fresh campaign or unsuccessful so far. The spam module forges Received headers to impersonate MailEnable ESMTP and uses a fake User-Agent with Chrome version 202 (not a real version).

The infection flow for spam: the module fetches the current batch counter from 130.12.180[.]190/[dir]/n.txt, downloads that batch of email:password pairs, then connects directly to victim email providers on port 25 (SMTP) to send sextortion emails from the victims' own compromised accounts.


Actor Profile

Attribute         Value               Evidence
Handle            TWIZT               Hardcoded string "TWIZTPEINF" in peinf.exe
Language          Russian             Full Cyrillic UI translations in Needle panel
Infrastructure    Bulletproof         Seychelles shell company (Omegatech LTD), NL VPS, AS202412
OPSEC             Active monitoring   Payloads pulled ~8 min after first access; spam server wiped same day
Revenue streams   3 concurrent        Crypto wallet draining (Needle), cryptomining (XMR), spam-as-a-service
Panel             Needle              Custom React SPA, bilingual EN/RU, Vite-bundled
Distribution      Phorpiex            Decade-old worm as payload delivery vehicle
Campaign age      Fresh               Payloads compiled Apr 19-20, 2026; BTC wallet has zero transactions

TWIZT operates a vertically integrated crimeware operation: Phorpiex worms spread via email and USB to deliver the initial dropper, which downloads a mining payload for passive XMR income, a file harvester for intelligence collection, spam modules for credential-stuffed sextortion campaigns, and — via the Needle platform — browser and desktop wallet spoofers for direct cryptocurrency theft.

The Needle panel's multi-user system with roles and API keys suggests TWIZT may operate this as a service, with customers (affiliates) generating custom builds through the panel's builder system. The presence of "Presets," "Templates," "Domains," "Lands" (landing pages), and "Redirects" sections in the navigation reinforces the MaaS model.


Infrastructure Relationship Map

Actor: TWIZT (Russian-speaking)
  |
  +-- AS202412 (Omegatech LTD, Seychelles / NL)
       |
       +-- 178[.]16[.]54[.]109 -- PRIMARY C2
       |    |-- :80   nginx 1.18.0 -- Payload distribution (7 files, now 404)
       |    |-- :3000 nginx 1.29.8 -- Needle panel (React SPA, LIVE)
       |    |-- :3306 MySQL 8.0.45 -- Database (exposed, auth required)
       |    |-- :6060 Stratum     -- Private XMR mining pool (LIVE)
       |    |-- :21   ProFTPD     -- File transfer
       |    +-- :22   OpenSSH     -- Admin access
       |
       +-- 130[.]12[.]180[.]190 -- SPAM COORDINATION (WIPED)
            |-- :80   nginx 1.18.0 -- Credential batch files (now 404)
            |    /1/ -- Campaign 1: 60,791 batches served
            |    /2/ -- Campaign 2: 59,704 batches served
            |    /3/ -- Campaign 3
            |    /4/ -- Campaign 4
            |-- :21   ProFTPD
            +-- :22   OpenSSH

What This Report Adds

  1. Needle is previously undocumented. No public threat intelligence references this panel by name. The complete feature set — browser wallet spoofer, desktop wallet spoofer, stealer, form grabber, clipper, builder, launcher, inject framework, Telegram C2 — extracted from the JS bundle represents a novel contribution to the public record.

  2. The Phorpiex-to-Needle pipeline is new. Phorpiex has been documented as a distribution vector for years, but its use as the delivery mechanism for a custom MaaS platform of this sophistication has not been publicly reported.

  3. All 7 payloads captured before removal. The operator's 8-minute cleanup window confirms active monitoring, but we beat it.

  4. The private mining pool is operational. We connected, sent a Stratum login, and received valid mining jobs, confirming active Monero mining on mainnet with no public pool visibility.

  5. The credential exposure scale is documented. 120,000+ batches across multiple campaigns, with provider breakdowns enabling targeted CERT notifications across 10+ countries.


IOC Table

Network

Type   Indicator                Context
IPv4   178[.]16[.]54[.]109      Primary C2, Needle panel, mining pool
IPv4   130[.]12[.]180[.]190     Spam coordination server (wiped)
Port   178[.]16[.]54[.]109:3000 Needle panel
Port   178[.]16[.]54[.]109:3306 Exposed MySQL
Port   178[.]16[.]54[.]109:6060 Private XMR Stratum pool
ASN    AS202412                 Omegatech LTD (bulletproof)

Files

File         SHA256                                                             Size
Dropper      d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085   11,264
xmrget.exe   01f64c61767bc41f039cf2080e61da49c96b14e4d558da6c03128e40ca816799   12,288
xmr.exe      9639f7ebc6a6d69d7bf5b8bc869e7783a1406088f192868624ad8919e9bfd1d4   7,084,544
peinf.exe    bcd5bdcd24000fddd5c512609692bdb62208a1c9c6081cbcfd08d53ea171824c   22,528
1.exe        30c1114e05874981661292fcca63241571eb0186175fcddc61cbc99fd3e52d7b   18,432
2.exe        0693d1659ff12cecfcc8ac404bec27c0eb9e2251c15a2049dc5e91268bf72e41   18,432
3.exe        0bc6aad1faad13f94a2bba6a927a648fc49327ac224d0abe51530f91eb2d1a1c   18,432
4.exe        90ffd0ad811d9a85496a7985315343c412bff004d788ccf6d5fec30b2befaff4   18,432

Host Indicators

Type       Indicator
Filename   sysmgnrsv.exe (XMRig miner)
Filename   sysfrodolv.exe (alternate miner name)
Filename   syswinprdrvc.exe (alternate miner name)
Filename   affaEFAfdfa.txt (mining marker)
Filename   d3333333333333333333333.txt (Phorpiex infection marker)
Registry   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Config
Mutex      e8e8f88e (sextortion module)
String     TWIZTPEINF (actor handle in peinf.exe)

Cryptocurrency

Type          Value
XMR Wallet    83h9mBvy1LL2qW6c2HeWczYVJQsFDF7RfVqDnaiSfFBdDcxfyJfWhRnZqZkY5chb5b6tmKZ1PPhuQbNgXggCdwTrMYWN8hi
BTC Wallet    1LK753UYyYXPcUthYTrxgnaGC8qxXN8ZUK (sextortion; zero transactions)
Mining Pool   178[.]16[.]54[.]109:6060 (private Stratum)

Needle Panel

Artifact    Value
Panel URL   http://178[.]16[.]54[.]109:3000
JS Bundle   /assets/index-ChPBnyA0.js (913KB)
CSS         /assets/index-2sO1rQxW.css (124KB)
Server      nginx 1.29.8
Framework   React (Vite)
Auth        Bearer token
Languages   English, Russian

MITRE ATT&CK Mapping

Tactic                Technique                                               ID          Implementation
Initial Access        Phishing: Spearphishing Attachment                      T1566.001   Phorpiex spam delivery of the dropper
Initial Access /      Replication Through Removable Media                     T1091       Phorpiex USB spreading
Lateral Movement
Execution             User Execution: Malicious File                          T1204.002   Dropper execution
Persistence           Boot or Logon Autostart Execution: Registry Run Keys    T1547.001   HKCU\Run\Windows Config
Defense Evasion       Masquerading                                            T1036       System-sounding miner filenames
Defense Evasion       Subvert Trust Controls: Mark-of-the-Web Bypass          T1553.005   Zone.Identifier deletion
Defense Evasion       Debugger Evasion                                        T1622       IsDebuggerPresent check in the dropper
Discovery             System Information Discovery                            T1082       Needle System Info module
Credential Access     Credentials from Password Stores: Web Browsers          T1555.003   Needle stealer module
Credential Access     Input Capture: Web Portal Capture                       T1056.003   Form Grabber
Collection            Data from Local System                                  T1005       peinf.exe file harvester
Collection            Screen Capture                                          T1113       Needle screenshot module
Collection            Clipboard Data                                          T1115       Clipper module
Command and Control   Application Layer Protocol: Web Protocols               T1071.001   HTTP C2 to ports 80/3000
Command and Control   Web Service                                             T1102       Telegram bot notifications to the operator (not a dead-drop resolver)
Exfiltration          Exfiltration Over C2 Channel                            T1041       Stealer data exfiltration
Impact                Resource Hijacking                                      T1496       XMRig cryptomining
Impact                Financial Theft                                         T1657       Wallet draining (browser and desktop)

Detection Signatures

Network

# Needle C2 panel
178[.]16[.]54[.]109:3000

# Private mining pool (Stratum)
178[.]16[.]54[.]109:6060

# Spam coordination (if reactivated)
130[.]12[.]180[.]190

# Mining pool login pattern
{"method":"login","params":{"login":"83h9mBvy1LL2qW6c2HeWczYVJQsFDF7RfVqDnaiSfFBdDcxfyJfWhRnZqZkY5chb5b6tmKZ1PPhuQbNgXggCdwTrMYWN8hi"}}

Host

# Phorpiex infection marker
%TEMP%\d3333333333333333333333.txt

# Mining persistence
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Config

# Miner filenames
sysmgnrsv.exe
sysfrodolv.exe
syswinprdrvc.exe

# Mining state marker
affaEFAfdfa.txt

YARA

Note on scope: $actor is the only string that comes from peinf.exe; the marker is the dropper's and the miner names are xmrget.exe's, so with "any of them" the rule matches all three modules. It is named and documented accordingly, with a size cap so the 7MB stock XMRig binary is never scanned against it.

rule TWIZT_Phorpiex_Needle_Toolset {
    meta:
        description = "TWIZT tooling delivered by the Phorpiex dropper: dropper marker, xmrget.exe miner names, peinf.exe actor tag"
        author = "Breakglass Intelligence"
        date = "2026-04-20"
        hash1 = "d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085"
        hash2 = "01f64c61767bc41f039cf2080e61da49c96b14e4d558da6c03128e40ca816799"
        hash3 = "bcd5bdcd24000fddd5c512609692bdb62208a1c9c6081cbcfd08d53ea171824c"
    strings:
        $actor  = "TWIZTPEINF" ascii wide
        $marker = "d3333333333333333333333" ascii wide
        $miner1 = "sysmgnrsv" ascii wide
        $miner2 = "sysfrodolv" ascii wide
        $miner3 = "syswinprdrvc" ascii wide
    condition:
        uint16(0) == 0x5A4D and filesize < 1MB and any of them
}

Recommendations

Immediate Blocking

Target                 Action
178[.]16[.]54[.]109    Block all ports: active C2, panel, mining pool
130[.]12[.]180[.]190   Block: spam coordination (may reactivate)
AS202412               Consider ASN-level blocking: bulletproof provider

Endpoint Hunting

  • Search for sysmgnrsv.exe, sysfrodolv.exe, syswinprdrvc.exe in running processes and file system
  • Check HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Config
  • Search for d3333333333333333333333.txt and affaEFAfdfa.txt in %TEMP%
  • Monitor for outbound connections to port 6060 (non-standard Stratum)
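The hunting checklist above as executable detection logic, added here as an example and not part of the report: it runs the host and network indicators over a handful of constructed telemetry records in a Sysmon-like shape and orders hosts for triage. Field names, hostnames and paths are assumptions of the example; only the indicator values are the report's.

```python
# Constructed telemetry in a Sysmon-like shape (made-up hosts, users and
# paths); only the indicator values are the report's. Field names are an
# assumption of this example, not a schema the report describes.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Users\a\AppData\Local\Temp\sysmgnrsv.exe"},
    {"type": "registry", "host": "ws01",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Config",
     "value": r"C:\Users\a\AppData\Local\Temp\sysmgnrsv.exe"},
    {"type": "file", "host": "ws02", "path": r"C:\Users\b\AppData\Local\Temp\d3333333333333333333333.txt"},
    {"type": "process", "host": "ws02", "image": r"C:\Users\b\AppData\Local\Temp\SYSFRODOLV.EXE"},
    {"type": "network", "host": "ws02", "dst_ip": "178.16.54.109", "dst_port": 6060},
    {"type": "network", "host": "ws03", "dst_ip": "10.0.0.5", "dst_port": 6060},
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\svchost.exe"},
]

MINER_NAMES = {"sysmgnrsv.exe", "sysfrodolv.exe", "syswinprdrvc.exe"}
MARKER_FILES = {"d3333333333333333333333.txt", "affaefafdfa.txt"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\windows config"
C2_IPS = {"178.16.54.109", "130.12.180.190"}
STRATUM_PORT = 6060

def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev: dict):
    """Return (severity, technique, reason) for an indicator hit, else None."""
    kind = ev.get("type")
    if kind == "process" and _basename(ev["image"]) in MINER_NAMES:
        return ("high", "T1036", f"miner filename {_basename(ev['image'])}")
    if kind == "registry" and ev["key"].lower() == RUN_KEY:
        return ("high", "T1547.001", "Run key 'Windows Config'")
    if kind == "file" and _basename(ev["path"]) in MARKER_FILES:
        return ("medium", "marker", f"infection marker {_basename(ev['path'])}")
    if kind == "network":
        if ev["dst_ip"] in C2_IPS:
            return ("high", "T1071.001", f"connection to known C2 {ev['dst_ip']}:{ev['dst_port']}")
        if ev["dst_port"] == STRATUM_PORT:
            # Port alone is weak evidence; confirm with the Stratum login pattern.
            return ("low", "T1496", f"outbound to non-standard Stratum port on {ev['dst_ip']}")
    return None

def hunt(events) -> dict:
    """Group indicator hits by host; hosts with nothing are left out."""
    hits = {}
    for ev in events:
        m = match_event(ev)
        if m:
            hits.setdefault(ev["host"], []).append(m)
    return hits

_RANK = {"high": 3, "medium": 2, "low": 1}

def triage_order(hits: dict) -> list:
    """Hosts ordered by strongest finding, then by number of findings."""
    return sorted(
        hits,
        key=lambda h: (max(_RANK[s] for s, _, _ in hits[h]), len(hits[h])),
        reverse=True,
    )

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host in triage_order(found):
        for sev, tech, why in found[host]:
            print(f"{host:6} {sev:6} {tech:10} {why}")
```

The port-6060 rule is deliberately rated low: the port is not reserved for Stratum, so a hit there is a prompt to inspect the payload for a login line, not a verdict on its own.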

CERT Notifications

The credential exposure affects email providers across 10+ countries. Recommended notifications:

CERT                 Country        Affected Providers
BSI / CERT-Bund      Germany        web.de (~13,000+), t-online.de
CCCS                 Canada         videotron.ca (~10,700+), shaw.ca
CISA / IC3           USA            comcast.net, windstream.net, yahoo.com, icloud.com
NCSC                 UK             talktalk.net, tiscali.co.uk
CNAIPIC              Italy          libero.it
ANSSI / CERT-FR      France         orange.fr, wanadoo.fr
CERT Polska          Poland         wp.pl
ACSC                 Australia      bigpond.com
JPCERT               Japan          yahoo.co.jp
KrCERT               South Korea    naver.com
CNCERT               China          163.com, 126.com

Investigation by Breakglass Intelligence. All indicators defanged with [.] notation. Payloads available to verified researchers upon request.
