Date: 06/01/2026
Severity: Critical
Summary
In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation found that the malware was delivered through illicit movie and TV streaming sites by way of a fake video player plugin update. When users tried to stream content, a prompt claimed their plugin was outdated and blocked playback until the malicious "update" was installed.
Indicators of Compromise (IOC) List

Domains/URLs: twizt.net
IP Address: 193.233.132.177
SHA-256 hashes:
  a861d931cbeb1541193c8707a7114e21daf4ad6d45099427b99a9d0982d976ae
  05ca9f97a27b675d24edf621b716159ddebff4f16f70b15b2ca68fc7203308b7
  01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239
  c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4
  r263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb
  5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8

Note: the entry beginning "r263a..." is reproduced exactly as it appears in the source. It is 65 characters long with a leading non-hex "r", so as printed it is not a valid SHA-256 and should be confirmed against the reference before it is loaded into a blocklist.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1 (domain / URL):
domainname like "twizt.net" or url like "twizt.net" or siteurl like "twizt.net"

Detection Query 2 (C2 address as source or destination):
dstipaddress IN ("193.233.132.177") or srcipaddress IN ("193.233.132.177")

Detection Query 3 (file hashes):
sha256hash IN ("5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8","01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239","a861d931cbeb1541193c8707a7114e21daf4ad6d45099427b99a9d0982d976ae","c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4","05ca9f97a27b675d24edf621b716159ddebff4f16f70b15b2ca68fc7203308b7","r263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb")
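The following Python script is an added example, not part of this advisory and not Gurucul code: it loads the IOC list above, normalises the hashes the way an analyst has to before pasting them into a query (the "C2dc..." value as printed contains a stray space and the "r263a..." value has a leading non-hex character, so the first is repaired and the second is reported for manual review), and then runs the logic of the three detection queries over a handful of constructed key=value log events. The event format, timestamps, hostnames (WS-041, WS-042), the benign 203.0.113.9 address and the file names are all assumptions made for the example; only the domain, IP and hashes come from the advisory.

```python
import re
from urllib.parse import urlparse

# IOCs copied from the advisory above. Two entries are kept exactly as printed there:
# the 'C2dc...' value contains a stray space and the 'r263...' value starts with a
# non-hex character, so both exercise the normalisation / validation below.
IOC_DOMAINS = {"twizt.net"}
IOC_IPS = {"193.233.132.177"}
IOC_SHA256_RAW = [
    "a861d931cbeb1541193c8707a7114e21daf4ad6d45099427b99a9d0982d976ae",
    "05ca9f97a27b675d24edf621b716159ddebff4f16f70b15b2ca68fc7203308b7",
    "01cd4320fa28bc47325ccbbce573ed5c5356008ab0dd1f450017e042cb631239",
    "C2dcdab49f620d41cdff93c58a50c760906ea2565001145564a149 1defec08f4",
    "r263a597dc2155f65423edcee57ac56eb7229bdf56109915f7cb52c8120d03efb",
    "5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value):
    """Remove whitespace (copy/paste artefacts) and lower-case; None if not a SHA-256."""
    cleaned = re.sub(r"\s+", "", value).lower()
    return cleaned if SHA256_RE.match(cleaned) else None


def validate_iocs(raw_hashes):
    """Split the printed hash list into a usable set and entries that need manual review."""
    usable, malformed = set(), []
    for raw in raw_hashes:
        normalized = normalize_sha256(raw)
        if normalized:
            usable.add(normalized)
        else:
            malformed.append(raw)
    return usable, malformed


IOC_SHA256, MALFORMED_HASHES = validate_iocs(IOC_SHA256_RAW)


def hostname_of(value):
    """Return the host part of a URL, or the value itself if it is already a bare hostname."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower()


def domain_matches(host, ioc_domain):
    """Exact or subdomain match (cdn.twizt.net). A raw substring 'like' would also fire
    on unrelated names such as twizt.net.example.com, which this check does not."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def parse_event(line):
    """Parse a 'key=value key=value' event into a dict (constructed format, no spaces in values)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_event(event):
    """List the IOC hits for one parsed event; the three branches mirror the three queries."""
    hits = []
    # Query 1: IOC domain in any of the three host/URL fields
    for field in ("domainname", "url", "siteurl"):
        host = hostname_of(event.get(field, ""))
        if host and any(domain_matches(host, d) for d in IOC_DOMAINS):
            hits.append(("domain", field, host))
            break
    # Query 2: C2 address as destination or source
    for field in ("dstipaddress", "srcipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append(("ip", field, event[field]))
            break
    # Query 3: hash match after normalisation, so upper-case hashes from other tools still match
    digest = normalize_sha256(event.get("sha256hash", ""))
    if digest in IOC_SHA256:
        hits.append(("sha256", "sha256hash", digest))
    return hits


def scan(lines):
    """Return (timestamp, hits) for every event that matches at least one IOC."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            results.append((event.get("ts"), hits))
    return results


# Constructed sample events; field names follow the TDIR queries above.
SAMPLE_EVENTS = [
    "ts=2026-04-28T10:12:03Z srcipaddress=10.0.0.15 dstipaddress=193.233.132.177 domainname=twizt.net url=http://twizt.net/update/player.exe",
    "ts=2026-04-28T10:12:09Z srcipaddress=10.0.0.15 dstipaddress=203.0.113.9 domainname=example.org url=https://example.org/",
    "ts=2026-04-28T10:13:40Z host=WS-041 sha256hash=A861D931CBEB1541193C8707A7114E21DAF4AD6D45099427B99A9D0982D976AE filename=player_update.exe",
    "ts=2026-04-28T10:14:02Z host=WS-041 sha256hash=c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4 filename=update.tmp",
    "ts=2026-04-28T10:15:00Z host=WS-042 sha256hash=0000000000000000000000000000000000000000000000000000000000000000 filename=notepad.exe",
]

if __name__ == "__main__":
    for raw in MALFORMED_HASHES:
        print("review by hand, not a SHA-256 as printed:", raw)
    for ts, hits in scan(SAMPLE_EVENTS):
        print(ts, hits)
```

Two design points carry over to the real queries. First, the hash comparison is done on a lower-cased, whitespace-stripped value, because EDR and sandbox exports differ in case and a hash that was line-wrapped in a report will silently never match. Second, the domain test is an exact-or-subdomain match on the parsed hostname rather than the substring `like` used in Query 1; the substring form is convenient for a quick hunt but will also match hostnames that merely contain "twizt.net", so tighten it before turning the query into a standing alert.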
Reference:
https://www.cybereason.com/blog/threat-analysis-phorpiex-downloader