Severity: High | Category: Phishing

TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation

Investigated: April 4, 2026 | Published: April 4, 2026
Tags: twizadmin, c2, rat, maas, ransomware, stealer, clipper, telegram, tor

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime -- Multi-Function Malware-as-a-Service (MaaS)
Source: @malwrhunterteam -- "TwizAdmin panel here" (2026-04-03)
Status: INFRASTRUCTURE LIVE AT TIME OF ANALYSIS


Executive Summary

A fully exposed TwizAdmin C2 panel at 103.241.66[.]238:1337 was identified hosting a sophisticated multi-stage malware operation combining cryptocurrency clipboard hijacking (clipper), BIP-39 seed phrase theft, browser cookie/credential exfiltration, a ransomware module ("crpx0"), and a Java RAT builder -- all managed through a FastAPI-based panel with a license key system. The operation targets both Windows and macOS using social engineering lures themed as FedEx shipping documents and OnlyFans account dumps. The threat actor operates through the domain fanonlyatn[.]xyz with complete open directory exposure of all source code, payloads, and builder scripts. The ransomware component communicates with three Russian .ru domains (all resolving to 31.31.198[.]206 at REG.RU hosting) and uses the ransomware-as-a-service identity "DataBreachPlus" with Telegram, qTox, and ProtonMail contact channels. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from the stealer configuration.

Key Findings

  • LIVE C2 panel at 103.241.66[.]238:1337 running FastAPI/Uvicorn with Swagger docs (/docs) publicly accessible -- full API schema exposed
  • Complete source code for stealer (v1.21, 115KB), scanner (v2.2, 37KB), ransomware crypter (3.7MB), and 7+ macOS builder scripts downloaded from open directory at fanonlyatn[.]xyz/files/ and /builds/
  • 10 crypto clipper wallet addresses extracted (BTC Legacy, BTC P2SH, BTC Bech32, ETH, TRX, DOGE, LTC, SOL, XRP, BCH)
  • Ransomware module "crpx0" using Fernet (AES-128-CBC) encryption, drops ransom notes in English, Russian, and Chinese
  • Three Russian C2 domains for ransomware (caribb[.]ru, mekhovaya-shuba[.]ru, beboss34[.]ru) -- all resolving to 31.31.198[.]206 (REG.RU shared hosting)
  • Social engineering lures: FedEx shipping details (bundle ID com.fedex.delivery.details) and OnlyFans account dumps (bundle ID com.onlyfans.secure.access)
  • macOS persistence via LaunchAgent (com.sys32.data.plist and com.cryptoprice.guard.plist)
  • Windows persistence via %APPDATA%\sys32data\ with portable Python 3.11.5 + embedded pip
  • API secret leaked: 26i$MyYe@r (used for dashboard authentication via Bearer token)
  • License key system with 3-day, weekly, monthly, and lifetime tiers -- indicates MaaS operation
  • Ransomware operator identity: "DataBreachPlus" -- @DataBreachPlus on Telegram, databreachplus@proton[.]me, qTox ID 17EB54B8455144E088C7E77F88A97221C319F0CFE4FE306853EEB113EE8DB5607BB6EE481C7C

What Was Found vs. What Was Known

| Aspect | Prior Reporting | Our Findings |
| --- | --- | --- |
| Infrastructure | One IP (panel) | Panel IP + delivery domain + 3 Russian ransomware C2s + shared hosting IP |
| Malware Family | "TwizAdmin panel" (name only) | Full source: clipper + seed scanner + infostealer + ransomware + RAT builder |
| Victims | Unknown | License key system indicates multiple buyers/operators |
| Attribution | Unknown | Russian-speaking actor using REG.RU, Navicosoft registrar, ProtonMail, qTox |
| Capabilities | Unknown | 8-chain crypto clipper, BIP-39 scanner, Fernet ransomware, macOS/Windows dual-platform |

Attack Chain

DELIVERY                    EXPLOITATION                     PERSISTENCE
[Social Eng Lure]  ------>  [Mac .app / Win .cmd]  ------>  [LaunchAgent / Registry]
  FedEx / OnlyFans             curl | bash                     com.sys32.data.plist
                               Portable Python                 %APPDATA%\sys32data
                                    |
                                    v
                            INSTALLATION
                        [call2.py orchestrator]
                          Downloads + patches:
                          - sys32.py (clipper)
                          - finder.py (scanner)
                                    |
                    +---------------+---------------+
                    |               |               |
               CLIPPER         SCANNER          TASKING
           [sys32.py v1.21]  [finder.py v2.2]  [C2 check_tasks]
           Clipboard monitor  BIP-39 seed       Download & exec
           Crypto addr swap   File scanning     crypter.py
           8 chains (BTC,     Upload seeds      (on demand)
            ETH, TRX, DOGE,   to C2                  |
            LTC, SOL, XRP,                            v
            BCH)                                 RANSOMWARE
                    |               |           [crpx0 module]
                    v               v           Fernet encrypt
               C2 EXFIL        C2 EXFIL        Drop ransom note
           fanonlyatn.xyz   fanonlyatn.xyz     (EN/RU/ZH)
           /api.php         /api.php           caribb.ru / etc

Infrastructure Analysis

Network Infrastructure

| IP | ASN | Provider | Ports | Services | Status | Role |
| --- | --- | --- | --- | --- | --- | --- |
| 103.241.66[.]238 | Unknown (APNIC->RIPE transfer) | Unknown | 1337/tcp | FastAPI/Uvicorn | LIVE | C2 Panel |
| 172.67.147[.]155 | AS13335 (Cloudflare) | Cloudflare | 80,443 | LiteSpeed + Cloudflare | LIVE | Payload delivery |
| 104.21.28[.]214 | AS13335 (Cloudflare) | Cloudflare | 80,443 | LiteSpeed + Cloudflare | LIVE | Payload delivery |
| 31.31.198[.]206 | REG.RU | REG.RU shared hosting | 80,443 | PHP backend | LIVE | Ransomware C2 |

Domain Infrastructure

| Domain | Registrar | Created | NS | Purpose |
| --- | --- | --- | --- | --- |
| fanonlyatn[.]xyz | Navicosoft Pty Ltd (IANA 4147) | 2026-03-12 | beth.ns.cloudflare.com / devin.ns.cloudflare.com | Primary C2 + payload delivery |
| caribb[.]ru | REGRU-RU | 2025-11-14 | ns1.hosting.reg.ru / ns2.hosting.reg.ru | Ransomware C2 |
| mekhovaya-shuba[.]ru | REGRU-RU | 2026-01-06 | ns1.hosting.reg.ru / ns2.hosting.reg.ru | Ransomware C2 |
| beboss34[.]ru | REGRU-RU | 2025-07-11 | ns1.hosting.reg.ru / ns2.hosting.reg.ru | Ransomware C2 |

Certificate Analysis

All certificates for fanonlyatn[.]xyz were issued on 2026-03-13 (one day after domain registration):

Multiple CAs issuing on the same day suggest a Cloudflare Universal SSL + origin server certificate setup.

Web Server Stack

The payload delivery server runs LiteSpeed Web Server behind Cloudflare with autoindex enabled (full directory listing). The C2 panel runs FastAPI 0.1.0 on Uvicorn (Python ASGI).

Malware Analysis

Component Overview

| Component | File | Size | Version | SHA256 | Purpose |
| --- | --- | --- | --- | --- | --- |
| Stealer/Clipper | v1.1.py | 115KB | v1.21 | f7ddba605e3d04e06d2f7b0fc4a38027ae58ca65a69d800dd2f43c8e94ca8396 | Crypto clipper + dashboard logging |
| Seed Scanner | finder.py | 37KB | v2.2_ULTRA_STRICT | 9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec | BIP-39 seed phrase scanner |
| Orchestrator | call2.py | 10KB | - | (from server) | Download, patch, persistence, launch |
| Ransomware | crypter.py | 3.7MB | - | (from server) | File encryption (.crpx0), ransom note |
| Win Launcher | launcher.cmd | 2.6KB | - | 584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527 | Windows portable Python setup |
| Mac Loader | mac_loader.sh | 1.2KB | - | 3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4 | macOS Python setup + exec |

Extracted Configuration

API Configuration:

  • C2 Domain: hxxps://fanonlyatn[.]xyz
  • Dashboard API: hxxps://fanonlyatn[.]xyz/api.php
  • Address Match API: hxxps://fanonlyatn[.]xyz/api_address_match.php
  • Dropper Log API: hxxps://fanonlyatn[.]xyz/api_dropper_log.php
  • API Secret: 26i$MyYe@r
  • Bearer Token: Base64 of API secret

Crypto Clipper Replacement Addresses:

| Code | Chain | Replacement Address |
| --- | --- | --- |
| A1 | BTC Legacy | 1KC2kXDeyBH9yocYSQy6DQ1ou5hRRRBtpZ |
| A2 | BTC P2SH | 3887CPBvo96AZAm5Gn339isJTXVjdaFogR |
| A3 | BTC Bech32 | bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4 |
| B | Ethereum | 0x835270cEd14bfdAaeF8F8Fa0e532A244cfDe8b52 |
| C | Tron | TDtxY9ZHNffj14Ci9qhBjkpR2AAhCaHuXs |
| D | Dogecoin | D91Sb1JyWoLb43F2XHFjUL9QJj7iLm6cUR |
| E | Litecoin | ltc1qadnhqpyj97wjhv2e502n3w207zy2r30pgejq8p |
| F | Solana | FQPxYxm4y7D6PFjFcGeKcPe42kUfbDnbRsaeLoPYmxYQ |
| G | Ripple | rBuqUShtAdijJxchFaEXcMij1VVRMY2JWY |
| H | Bitcoin Cash | qrl73me6ndr7a5sxuyxgn5aflrefyu4c6uzamhu9ar |

Additional BTC address from API response: bc1qs24qevh60nv3r5aqt8ssh7wettczjagz24vest
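The clipper's behaviour (swap a copied wallet address for one of the attacker's, on the same chain) is also what a defender can watch for. The script below is an added detection example written for this report; it is not TwizAdmin code. It classifies clipboard contents by address shape for the eight chains above, flags any snapshot that now holds one of the extracted replacement addresses, and, going beyond the page's specific list, raises a lower-severity alert whenever an address is replaced by a different address of the same chain. The clipboard events are constructed sample pairs (previous snapshot, current snapshot); the "victim" addresses in them are made-up strings that merely fit each chain's format.

```python
import re

# Replacement addresses from the extracted stealer configuration (values taken from this report).
CLIPPER_ADDRESSES = {
    "BTC": {
        "1KC2kXDeyBH9yocYSQy6DQ1ou5hRRRBtpZ",           # A1 legacy
        "3887CPBvo96AZAm5Gn339isJTXVjdaFogR",           # A2 P2SH
        "bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4",   # A3 Bech32
        "bc1qs24qevh60nv3r5aqt8ssh7wettczjagz24vest",   # seen in API response
    },
    "ETH": {"0x835270cEd14bfdAaeF8F8Fa0e532A244cfDe8b52"},
    "TRX": {"TDtxY9ZHNffj14Ci9qhBjkpR2AAhCaHuXs"},
    "DOGE": {"D91Sb1JyWoLb43F2XHFjUL9QJj7iLm6cUR"},
    "LTC": {"ltc1qadnhqpyj97wjhv2e502n3w207zy2r30pgejq8p"},
    "SOL": {"FQPxYxm4y7D6PFjFcGeKcPe42kUfbDnbRsaeLoPYmxYQ"},
    "XRP": {"rBuqUShtAdijJxchFaEXcMij1VVRMY2JWY"},
    "BCH": {"qrl73me6ndr7a5sxuyxgn5aflrefyu4c6uzamhu9ar"},
}
KNOWN_ADDRESSES = {addr: chain for chain, addrs in CLIPPER_ADDRESSES.items() for addr in addrs}

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
# Address-shape patterns per chain. Prefixed formats are tried first; the bare
# base58 shape used by Solana is the fallback so it cannot swallow BTC/XRP/TRX/DOGE.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(rf"^bc1{BECH32}{{25,62}}$")),
    ("LTC", re.compile(rf"^ltc1{BECH32}{{25,62}}$")),
    ("BCH", re.compile(rf"^(bitcoincash:)?[qp]{BECH32}{{41}}$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("TRX", re.compile(rf"^T{BASE58}{{33}}$")),
    ("DOGE", re.compile(rf"^D{BASE58}{{33}}$")),
    ("XRP", re.compile(rf"^r{BASE58}{{24,34}}$")),
    ("BTC", re.compile(rf"^[13]{BASE58}{{25,34}}$")),
    ("SOL", re.compile(rf"^{BASE58}{{32,44}}$")),
]


def classify_address(text: str):
    """Return the chain whose address format `text` matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None


def detect_swap(previous: str, current: str):
    """Compare two consecutive clipboard snapshots; return a finding or None."""
    if previous == current:
        return None
    current = current.strip()
    if current in KNOWN_ADDRESSES:          # exact hit on an extracted replacement address
        return {"severity": "high", "chain": KNOWN_ADDRESSES[current], "address": current,
                "reason": "clipboard now holds a known TwizAdmin replacement address"}
    before, after = classify_address(previous), classify_address(current)
    if before and after and before == after:  # same chain, different address: clipper-like
        return {"severity": "medium", "chain": after, "address": current,
                "reason": "address replaced by a different address of the same chain"}
    return None


def scan_clipboard_events(events):
    """Run detect_swap over (previous, current) pairs and keep the findings."""
    return [f for f in (detect_swap(p, c) for p, c in events) if f]


# Constructed sample events: made-up "victim" addresses that only fit each chain's shape.
SAMPLE_EVENTS = [
    ("0x" + "1" * 40, "0x835270cEd14bfdAaeF8F8Fa0e532A244cfDe8b52"),
    ("bc1q" + "z" * 38, "bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4"),
    ("r" + "p" * 33, "r" + "q" * 33),
    ("meeting notes for Tuesday", "meeting notes for Tuesday"),
    ("meeting notes for Tuesday", "1KC2kXDeyBH9yocYSQy6DQ1ou5hRRRBtpZ"),
]

if __name__ == "__main__":
    for f in scan_clipboard_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['chain']}: {f['reason']} ({f['address']})")
```

The same-chain heuristic will fire on legitimate behaviour (a user copying two wallet addresses in a row), which is why it is rated medium and the exact-match hits high; in an EDR rule the medium tier is best paired with the process that wrote the clipboard.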

Ransomware Configuration:

  • Encrypted extension: .crpx0
  • Encryption: Python cryptography.fernet.Fernet (AES-128-CBC with HMAC)
  • Recovery note: HOW TO RECOVER.txt (English, Russian, Chinese versions)
  • Ransom note C2 domains:
    • hxxps://caribb[.]ru/crpx0/notify.php
    • hxxps://mekhovaya-shuba[.]ru/crpx0/notify.php
    • hxxps://beboss34[.]ru/crpx0/notify.php
  • Contact channels:
    • Telegram: @DataBreachPlus / hxxps://t[.]me/DataBreachPlus
    • Email: databreachplus@proton[.]me
    • qTox: 17EB54B8455144E088C7E77F88A97221C319F0CFE4FE306853EEB113EE8DB5607BB6EE481C7C
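Because crpx0 uses Fernet, every encrypted file has a fixed, documented layout: a 0x80 version byte, a 64-bit big-endian timestamp, a 16-byte IV, AES-128-CBC ciphertext in whole 16-byte blocks, and a 32-byte HMAC-SHA256 over everything before it, all urlsafe-base64 encoded. That layout gives responders two things without the key: a structural test that confirms a .crpx0 file really is Fernet output, and the embedded timestamp, which records when that file was encrypted and can anchor the incident timeline. The triage helper below is an added example written for this report, not code from crypter.py. It avoids third-party libraries, so its sample token is constructed with random bytes standing in for the AES ciphertext; the field layout it parses is the public Fernet specification, and the signing key and timestamp in the sample are made up.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16   # version byte + 64-bit timestamp + 16-byte IV
HMAC_LEN = 32             # HMAC-SHA256 tag
BLOCK = 16                # AES block size; CBC ciphertext is a whole number of blocks


def parse_fernet_token(token: bytes):
    """Decode a urlsafe-base64 Fernet token and split it into fields.
    Returns None when the bytes do not have Fernet's layout."""
    try:
        raw = base64.urlsafe_b64decode(token.strip())
    except (binascii.Error, ValueError):
        return None
    if len(raw) < HEADER_LEN + BLOCK + HMAC_LEN or raw[0] != FERNET_VERSION:
        return None
    body, tag = raw[:-HMAC_LEN], raw[-HMAC_LEN:]
    ciphertext = body[HEADER_LEN:]
    if len(ciphertext) % BLOCK != 0:
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {
        "version": raw[0],
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),  # when the file was encrypted
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),
        "hmac": tag,
        "signed_body": body,
    }


def verify_fernet_hmac(parsed, signing_key: bytes) -> bool:
    """Check the tag against the first half of a recovered Fernet key (the signing key)."""
    expected = hmac.new(signing_key, parsed["signed_body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["hmac"])


def triage_file(token: bytes, signing_key: bytes = None) -> dict:
    """Verdict for a suspected .crpx0 file: is it Fernet, and when was it encrypted?"""
    parsed = parse_fernet_token(token)
    if parsed is None:
        return {"fernet": False}
    verdict = {"fernet": True,
               "encrypted_at": parsed["timestamp"].isoformat(),
               "ciphertext_len": parsed["ciphertext_len"]}
    if signing_key is not None:
        verdict["hmac_valid"] = verify_fernet_hmac(parsed, signing_key)
    return verdict


def build_constructed_token(ts: int, plaintext_len: int, signing_key: bytes) -> bytes:
    """Constructed test token: correct Fernet framing, but random bytes where
    AES-128-CBC ciphertext would be (no real encryption is performed here)."""
    padded_len = (plaintext_len // BLOCK + 1) * BLOCK   # PKCS7 always adds 1..16 bytes
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", ts) + os.urandom(16) + os.urandom(padded_len)
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed sample: a 1000-byte document "encrypted" at 2026-03-26T00:00:00Z with a made-up key.
SAMPLE_SIGNING_KEY = b"\x11" * 16
SAMPLE_TIMESTAMP = 1774483200
SAMPLE_TOKEN = build_constructed_token(SAMPLE_TIMESTAMP, 1000, SAMPLE_SIGNING_KEY)

if __name__ == "__main__":
    print(triage_file(SAMPLE_TOKEN, SAMPLE_SIGNING_KEY))
```

On a real case, feed `triage_file` the bytes of each `*.crpx0` file; the `encrypted_at` values across a share give the order in which the module worked through the file inventory in scan_report.json, and a token that fails the structural check was not produced by this module.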

Persistence Mechanisms:

  • macOS: ~/Library/LaunchAgents/com.sys32.data.plist (RunAtLoad + KeepAlive)
  • macOS: ~/Library/LaunchAgents/com.cryptoprice.guard.plist (alternate)
  • Windows: Registry Run key CryptoGuard -> pythonw.exe sys32.py
  • Windows: Scheduled Task CryptoUpdate -> pythonw.exe sys32.py
  • Working directory: ~/.sys32data (macOS), %APPDATA%\sys32data (Windows)
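The macOS persistence above is a plain LaunchAgent, so it can be audited with nothing more than the standard library plist parser. The script below is an added detection example for this report, not the actor's code: it parses each plist in ~/Library/LaunchAgents and reports the traits listed here (a known label, a program launched from the hidden .sys32data directory, a Python interpreter invoking a script, RunAtLoad combined with KeepAlive). The two sample plists are constructed; the first mirrors the reported com.sys32.data agent with made-up paths under /Users/victim, the second is a benign agent that should produce no findings.

```python
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Labels and the hidden working directory named in this report's persistence indicators.
SUSPICIOUS_LABELS = {"com.sys32.data", "com.cryptoprice.guard"}
HIDDEN_DIR = re.compile(r"/\.sys32data(/|$)")


def audit_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist resembles the TwizAdmin persistence
    described in this report; an empty list means nothing matched."""
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return ["plist root is not a dict"]
    reasons = []
    label = str(plist.get("Label", ""))
    if label in SUSPICIOUS_LABELS:
        reasons.append(f"known label {label}")
    args = plist.get("ProgramArguments") or []
    args = [str(a) for a in args] if isinstance(args, list) else []
    if any(HIDDEN_DIR.search(a) for a in args):
        reasons.append("program runs from hidden .sys32data directory")
    if any("python" in a.lower() for a in args) and any(a.endswith(".py") for a in args):
        reasons.append("python interpreter launching a script")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (auto-start and respawn)")
    return reasons


def audit_plists(plists: dict) -> dict:
    """Audit a mapping of path -> plist bytes; keep only entries with findings."""
    results = {}
    for path, data in plists.items():
        reasons = audit_launch_agent(data)
        if reasons:
            results[path] = reasons
    return results


def scan_launch_agents(directory=None) -> dict:
    """Audit every *.plist under ~/Library/LaunchAgents (or the given directory)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    return audit_plists({str(p): p.read_bytes() for p in directory.glob("*.plist")})


# Constructed sample plists (paths under /Users/victim and the backup agent are made up).
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/com.sys32.data.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.sys32.data</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/.sys32data/bin/python3</string>
    <string>/Users/victim/.sys32data/sys32.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "~/Library/LaunchAgents/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string><string>--nightly</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for path, reasons in audit_plists(SAMPLE_PLISTS).items():
        print(path, "->", "; ".join(reasons))
```

Run `scan_launch_agents()` under each user account on a suspect Mac; the label check is exact to this campaign, while the hidden-directory and interpreter-plus-script checks will also surface look-alike agents that have renamed the label.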

Social Engineering Lures

Two primary lure themes with native macOS app bundles:

  1. FedEx Shipping Details (Shipping_Details.app):
    • Bundle ID: com.fedex.delivery.details
    • Access key prompt: pass2021#
    • Decoy: Fake FedEx tracking document
    • Uses system ClippingText.icns as spoofed icon
  2. OnlyFans Account Dump (OnlyFansAccounts.app):
    • Bundle ID: com.onlyfans.secure.access
    • Access key prompt: pass2021#
    • Decoy: Fake list of 50 OnlyFans email/password combos
    • Connects to fake CDN: secure-shard-091.of-cdn.com

Both build as Universal Binaries (ARM64 + x86_64) via C stub + lipo.

Panel API Endpoints (from OpenAPI schema)

Payload/C2 Endpoints (no auth required for most):

  • POST /build-jar -- Build Java RAT payload
  • GET /download-jar/{userid} -- Download built JAR
  • GET /payload?userid= -- Get payload for user
  • GET /verify-key?userid= -- License key verification
  • GET /api/verify/{key} -- License verification (payload startup check)
  • POST /send-discord -- Exfiltrate Discord tokens
  • POST /send-token -- Exfiltrate tokens
  • POST /send-info -- Exfiltrate system info
  • POST /send-cookies -- Exfiltrate browser cookies
  • POST /send-operagx -- Exfiltrate Opera GX data
  • POST /send-opera -- Exfiltrate Opera data
  • POST /send-wallets-auth -- Exfiltrate wallet credentials
  • POST /send-telegram -- Exfiltrate Telegram data
  • POST /send-minecraft -- Exfiltrate Minecraft credentials
  • POST /send-steam -- Exfiltrate Steam credentials
  • POST /send-v20-cookies -- Exfiltrate Chrome v20 cookies
  • POST /send-backup-codes -- Exfiltrate 2FA backup codes
  • POST /send-screenshot -- Upload victim screenshot
  • POST /send-logs -- Upload log files
  • POST /send-progress -- Report task progress
  • POST /upload -- Generic file upload
  • GET /download-cookies -- Returns "output.exe not found" (binary builder)

Admin Endpoints (Bearer auth required):

  • GET /api/stats -- Victim count, active users, pending keys
  • GET /api/victims -- Full victim log
  • GET /api/keys -- License key list
  • POST /api/keys -- Generate new license key
  • DELETE /api/keys/{key} -- Delete license key
  • POST /login -- Admin authentication

Code Quality / OPSEC Analysis

The source code reveals an actor who:

  • Uses AI-assisted development (BACKGROUND_B64 in crypter.py has C2PA content provenance metadata from ChatGPT/GPT-4 + Truepic Lens CLI -- the wallpaper image was generated by AI)
  • Has moderate Python skills but makes amateur mistakes (syntax errors that call2.py has to patch, disabling pyautogui because it doesn't work headlessly)
  • Actively iterates and debugs the malware (old/ directory with previous versions, debug logging, env checks)
  • Targets multiple platforms (Windows + macOS) with growing sophistication (evolved from AppleScript to native C stub universal binaries)
  • Operates a license-based distribution model with buyer management

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM-HIGH
  • Country/Region: Russia / Russian-speaking
  • Evidence:
    • All three ransomware C2 domains are .ru TLD, registered via REGRU-RU
    • Domain name mekhovaya-shuba.ru translates to "fur coat" in Russian
    • Ransom notes include native Russian translations (not machine-translated -- uses proper legal terminology, idiomatic phrasing)
    • Chinese translation also provided (suggests targeting Chinese-speaking victims)
    • caribb.ru suggests "Caribbean" theme (common in Russian underground naming)
    • beboss34.ru -- "be boss" -- aspirational operator name
  • Motivation: Financial -- cryptocurrency theft via clipper + ransomware extortion
  • Sophistication: MODERATE -- custom-built tools, multi-platform, but amateur OPSEC (open directories, exposed API docs, leaked API secrets)
  • Ransomware Identity: "DataBreachPlus" -- possible emerging RaaS brand

Actor Timeline

| Date | Event |
| --- | --- |
| 2025-07-11 | beboss34.ru registered (earliest known infrastructure) |
| 2025-11-14 | caribb.ru registered |
| 2026-01-06 | mekhovaya-shuba.ru registered |
| 2026-02-08 | launcher.cmd created (Windows variant) |
| 2026-03-12 | fanonlyatn.xyz domain registered (Navicosoft/Cloudflare) |
| 2026-03-13 | SSL certificates issued for fanonlyatn.xyz |
| 2026-03-13 | call1.py (v1 orchestrator) |
| 2026-03-15 | py.txt uploaded (14.5MB -- portable Python?) |
| 2026-03-16 | launchertracking.vbs created, launcher.vbs updated |
| 2026-03-17 | v1.0.py -> v1.1.py stealer evolution (same day), call2.py updated |
| 2026-03-17 | finder.py scanner created, finderx.zip / last.zip packed |
| 2026-03-18 | All macOS builder scripts created (app, pkg, pro, ultimate, vault, accounts, stealth) |
| 2026-03-26 | crypter.py ransomware module uploaded |
| 2026-04-03 | Panel exposed by @malwrhunterteam, LIVE at time of our analysis |

OPSEC Failures

  1. FastAPI /docs endpoint exposed -- full API schema publicly accessible without authentication
  2. Open directory listing on LiteSpeed server -- all source code, payloads, and scripts downloadable
  3. API secret hardcoded in multiple source files: 26i$MyYe@r
  4. Development artifacts retained -- old/ directory with previous versions, debug logging enabled
  5. AI-generated content with provenance metadata -- BACKGROUND_B64 contains C2PA metadata identifying ChatGPT/GPT-4 as the generator and Truepic Lens CLI as the signing tool
  6. Consistent infrastructure patterns -- all Russian domains on same registrar, same hosting IP, same nameservers
  7. pass2021# hardcoded as the lure access key -- possibly a reused personal password or year reference

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Application |
| --- | --- | --- | --- |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | FedEx/OnlyFans lure distribution |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | bash one-liner -> curl -> bash |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | All payloads are Python scripts |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | VBS launchers for Windows |
| Persistence | Boot or Logon Autostart Execution: Launch Agent | T1547.011 | com.sys32.data.plist |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 | CryptoGuard run key |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | CryptoUpdate task |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | sys32data, com.fedex.delivery.details |
| Defense Evasion | Obfuscated Files: Software Packing | T1027.002 | Base64 encoded bash in loader scripts |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Cleanup of download artifacts |
| Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 | ~/.sys32data hidden directory |
| Credential Access | Credentials from Password Stores | T1555 | Browser cookies, saved passwords |
| Credential Access | Steal Application Access Token | T1528 | Discord tokens, Telegram sessions, Steam |
| Collection | Clipboard Data | T1115 | Crypto address clipboard monitoring |
| Collection | Data from Local System | T1005 | BIP-39 seed phrase file scanning |
| Collection | Screen Capture | T1113 | /send-screenshot endpoint |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | HTTP POST to fanonlyatn.xyz |
| Impact | Data Encrypted for Impact | T1486 | crpx0 Fernet encryption |
| Impact | Financial Theft | T1657 | Crypto clipper address substitution |

IOC Summary

Network Indicators

C2 Panel:

  • 103.241.66[.]238:1337 (FastAPI/Uvicorn TwizAdmin panel)

Payload Delivery:

  • fanonlyatn[.]xyz (Cloudflare: 172.67.147[.]155, 104.21.28[.]214)
  • hxxps://fanonlyatn[.]xyz/files/
  • hxxps://fanonlyatn[.]xyz/builds/
  • hxxps://fanonlyatn[.]xyz/api.php
  • hxxps://fanonlyatn[.]xyz/api_address_match.php
  • hxxps://fanonlyatn[.]xyz/api_dropper_log.php

Ransomware C2:

  • caribb[.]ru (31.31.198[.]206)
  • mekhovaya-shuba[.]ru (31.31.198[.]206)
  • beboss34[.]ru (31.31.198[.]206)
  • hxxps://caribb[.]ru/crpx0/notify.php
  • hxxps://mekhovaya-shuba[.]ru/crpx0/notify.php
  • hxxps://beboss34[.]ru/crpx0/notify.php

Contact Channels:

  • Telegram: @DataBreachPlus / hxxps://t[.]me/DataBreachPlus
  • Email: databreachplus@proton[.]me
  • qTox: 17EB54B8455144E088C7E77F88A97221C319F0CFE4FE306853EEB113EE8DB5607BB6EE481C7C
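The network indicators above are defanged, which is right for a report but wrong for a search: proxy, DNS and firewall logs carry the live forms. The scanner below is an added example for this report (not part of the original analysis): it refangs each indicator, builds boundary-aware patterns so `caribb.ru` does not match `notcaribb.ru` and `31.31.198.206` does not match `131.31.198.206` while subdomains of fanonlyatn.xyz still hit, and reports matches back in defanged form. The log lines it runs over are constructed; the internal hosts, users and timestamps in them are fictional.

```python
import re

# Defanged network indicators as listed in this report's IOC summary.
NETWORK_IOCS = {
    "c2_panel": ["103.241.66[.]238:1337"],
    "payload_delivery": [
        "fanonlyatn[.]xyz", "172.67.147[.]155", "104.21.28[.]214",
        "hxxps://fanonlyatn[.]xyz/api.php",
        "hxxps://fanonlyatn[.]xyz/api_address_match.php",
        "hxxps://fanonlyatn[.]xyz/api_dropper_log.php",
    ],
    "ransomware_c2": [
        "caribb[.]ru", "mekhovaya-shuba[.]ru", "beboss34[.]ru", "31.31.198[.]206",
        "hxxps://caribb[.]ru/crpx0/notify.php",
        "hxxps://mekhovaya-shuba[.]ru/crpx0/notify.php",
        "hxxps://beboss34[.]ru/crpx0/notify.php",
    ],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def indicator_regex(indicator: str):
    """Compile a boundary-aware pattern for a URL, IP(:port) or domain indicator."""
    live = re.escape(refang(indicator))
    if indicator.startswith("hxxp"):                       # full URL: match literally
        return re.compile(live, re.IGNORECASE)
    if re.match(r"^\d+\.\d+\.\d+\.\d+", refang(indicator)):  # IP: no digit/dot on either side
        return re.compile(rf"(?<![\d.]){live}(?!\d)")
    return re.compile(rf"(?<![\w-]){live}(?![\w-])", re.IGNORECASE)  # domain: allow subdomains


COMPILED = [(cat, ioc, indicator_regex(ioc)) for cat, iocs in NETWORK_IOCS.items() for ioc in iocs]


def scan_log(text: str) -> list:
    """Return one hit per (line, indicator); indicators stay defanged in the output."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cat, ioc, rx in COMPILED:
            if rx.search(line):
                hits.append({"line": lineno, "category": cat, "indicator": ioc, "text": line})
    return hits


def hit_summary(hits: list) -> dict:
    """Count hits per indicator category."""
    summary = {}
    for h in hits:
        summary[h["category"]] = summary.get(h["category"], 0) + 1
    return summary


# Constructed proxy/DNS/firewall lines; internal hosts and users are fictional.
SAMPLE_LOG = """\
2026-04-03T10:15:02Z proxy01 CONNECT fanonlyatn.xyz:443 src=10.20.30.41 user=jdoe
2026-04-03T10:15:03Z proxy01 GET https://fanonlyatn.xyz/api.php src=10.20.30.41 status=200
2026-04-03T10:16:44Z dns01 query A caribb.ru from 10.20.30.41 answer 31.31.198.206
2026-04-03T10:17:10Z proxy01 GET https://www.example.com/ src=10.20.30.55 status=200
2026-04-03T10:18:00Z fw01 ALLOW tcp 10.20.30.41:51822 -> 103.241.66.238:1337
2026-04-03T10:19:30Z proxy01 POST https://beboss34.ru/crpx0/notify.php src=10.20.30.41 status=200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']:>3} [{h['category']}] {h['indicator']}")
    print(hit_summary(scan_log(SAMPLE_LOG)))
```

A hit on the ransomware_c2 category deserves the fastest response: the notify.php URLs are contacted by the crypter after encryption, so a match there means a host has already been encrypted, whereas payload_delivery hits may still be at the download stage.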

File Indicators

| Hash (SHA256) | Filename | Type |
| --- | --- | --- |
| f7ddba605e3d04e06d2f7b0fc4a38027ae58ca65a69d800dd2f43c8e94ca8396 | v1.1.py (stealer) | Python |
| 9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec | finder.py (scanner) | Python |
| 3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4 | mac_loader.sh | Bash |
| 584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527 | launcher.cmd | Batch |
| 74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150 | mac_pro_builder.sh | Bash |
| aa11f154b17a4f81f951dbeaab78b58ea012f5b6ea16e4f894bd90971e01bae4 | mac_app_builder.sh | Bash |
| 06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092 | payload_last.zip | ZIP |

Behavioral Indicators

Persistence Artifacts:

  • ~/Library/LaunchAgents/com.sys32.data.plist
  • ~/Library/LaunchAgents/com.cryptoprice.guard.plist
  • ~/.sys32data/ (macOS hidden directory)
  • %APPDATA%\sys32data\ (Windows)
  • %APPDATA%\sys32data\bin\python.exe (portable Python)
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoGuard
  • Scheduled Task: CryptoUpdate

File Artifacts:

  • sys32.py -- main stealer payload
  • finder.py -- seed phrase scanner
  • call2.py -- orchestrator
  • call2_debug.txt -- execution log
  • payload_err.txt -- error log
  • .hwid -- hardware ID persistence file
  • dropper_state.json -- dropper state file
  • HOW TO RECOVER.txt -- English ransom note
  • HOW TO RECOVER_RU.txt -- Russian ransom note (inferred)
  • HOW TO RECOVER_ZH.txt -- Chinese ransom note (inferred)
  • scan_report.json -- ransomware file inventory
  • *.crpx0 -- encrypted file extension

Network Artifacts:

  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  • Bearer token: Base64 of 26i$MyYe@r
  • Python downloaded from: github.com/indygreg/python-build-standalone (legitimate project abused)

Cryptocurrency Indicators

| Chain | Address | Purpose |
| --- | --- | --- |
| BTC (Legacy) | 1KC2kXDeyBH9yocYSQy6DQ1ou5hRRRBtpZ | Clipper replacement |
| BTC (P2SH) | 3887CPBvo96AZAm5Gn339isJTXVjdaFogR | Clipper replacement |
| BTC (Bech32) | bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4 | Clipper replacement |
| Ethereum | 0x835270cEd14bfdAaeF8F8Fa0e532A244cfDe8b52 | Clipper replacement |
| Tron | TDtxY9ZHNffj14Ci9qhBjkpR2AAhCaHuXs | Clipper replacement |
| Dogecoin | D91Sb1JyWoLb43F2XHFjUL9QJj7iLm6cUR | Clipper replacement |
| Litecoin | ltc1qadnhqpyj97wjhv2e502n3w207zy2r30pgejq8p | Clipper replacement |
| Solana | FQPxYxm4y7D6PFjFcGeKcPe42kUfbDnbRsaeLoPYmxYQ | Clipper replacement |
| Ripple | rBuqUShtAdijJxchFaEXcMij1VVRMY2JWY | Clipper replacement |
| Bitcoin Cash | qrl73me6ndr7a5sxuyxgn5aflrefyu4c6uzamhu9ar | Clipper replacement |
| BTC (Bech32) | bc1qs24qevh60nv3r5aqt8ssh7wettczjagz24vest | API match response |

Immediate (24-48 hours)

  • Block all IOC domains and IPs at perimeter firewalls
  • Search for com.sys32.data.plist, com.cryptoprice.guard.plist, .sys32data/, sys32data\ across endpoints
  • Search for .crpx0 file extensions (ransomware indicator)
  • Monitor for clipboard monitoring processes
  • Check for portable Python installations in %APPDATA%\sys32data\
  • Report fanonlyatn[.]xyz to Cloudflare abuse and Navicosoft registrar
  • Report caribb.ru, mekhovaya-shuba.ru, beboss34.ru to REG.RU abuse

Short-term (1-2 weeks)

  • Submit samples to MalwareBazaar with "TwizAdmin" tag
  • Submit C2 indicators to ThreatFox
  • Monitor the 10 cryptocurrency addresses for transaction activity
  • Report @DataBreachPlus Telegram channel
  • Check bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4 and other wallets on blockchain explorers for victim funds

Medium-term (1-3 months)

  • Monitor for domain rotation (actor registration patterns: Navicosoft + Cloudflare NS)
  • Track the "DataBreachPlus" ransomware brand for leak site emergence
  • Correlate 31.31.198[.]206 REG.RU shared hosting for additional campaigns

References

  • @malwrhunterteam tweet (2026-04-03): "TwizAdmin panel here"
  • FastAPI documentation auto-generated at hxxp://103.241.66[.]238:1337/docs
  • All source code retrieved from open directory at fanonlyatn[.]xyz
  • Ransom note content extracted from crypter.py

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."
