TWIZT
TWIZT is an operator handle associated with a criminal ecosystem centered on the previously undocumented Needle platform. The handle is directly linked through the hardcoded string "TWIZTPEINF" found in the peinf.exe file harvester payload. Reported activity ties this actor to a Phorpiex-delivered operation that combined credential harvesting, sextortion spam, cryptomining, and cryptocurrency theft.

The observed campaign used a Phorpiex worm dropper to retrieve seven payloads from 178.16.54[.]109. These included an XMRig-based Monero mining deployer and miner, a file harvester, and spam modules. The harvester enumerated logical drives, recursively traversed files, queried the registry for installed software paths, and exfiltrated findings to command-and-control infrastructure. The mining component deployed XMRig with stealth-oriented settings and persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Config, and connected to a private Monero mining pool hosted on the same infrastructure.

The broader Needle platform was described as a crimeware-as-a-service offering with a live panel, exposed MySQL instance, builder and launcher systems, and Telegram-integrated administration in English and Russian. Needle supported browser wallet spoofing for MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr, OKX Wallet, and Brave Wallet; desktop wallet spoofing for Ledger, Trezor, Exodus, Atomic, Guarda, TonKeeper, Zelcore, and Coinomi; and theft capabilities including passwords, cookies, credit cards, autofill data, tokens, browser history, extension data, browser keys, FTP credentials, Telegram sessions, wallet files, screenshots, system information, form grabbing, and clipboard hijacking. It also supported cryptocurrency theft across Ethereum, BSC, Polygon, Solana, Tron, Bitcoin, Litecoin, Dogecoin, Avalanche, Arbitrum, Optimism, and Base.

A second actor-controlled server at 130.12.180[.]190 coordinated spam campaigns using large batches of plaintext email credentials. The spam modules sent sextortion emails through victims' own SMTP accounts using harvested credentials. Researchers observed signs of active operator monitoring: payloads were removed shortly after access, and the spam server was wiped the same day. No nation-state attribution is indicated in the provided content. No additional aliases or sub-groups beyond the operator handle TWIZT are directly supported by the content.
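The following host-triage script is an added example written for this profile; it is not code from the underlying report, from the actor's tooling, or from Mallory. It checks a Windows host for the three host-observable indicators the summary gives: the per-user Run value named "Windows Config", live TCP connections to the two actor-controlled addresses (defanged on the page, refanged here so they can be compared against connection tables), and a running process whose image name starts with "xmrig" (an assumption: the report says the miner is XMRig-based but does not state the on-disk file name). It assumes Windows PowerShell 5.1 or later with the NetTCPIP module available for Get-NetTCPConnection.

```powershell
# Added example (not from the report or from Mallory): triage a Windows host for
# the TWIZT/Phorpiex mining-component indicators described in the profile.
# Assumes PowerShell 5.1+; Get-NetTCPConnection requires the NetTCPIP module.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Config'                          # Run value name reported for the XMRig deployer
$knownC2   = @('178.16.54.109', '130.12.180.190')      # payload host and spam server from the report (refanged)

$findings = @()

# 1. Persistence: does the per-user Run key carry the reported value name?
if (Test-Path -Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    if ($props.PSObject.Properties.Name -contains $valueName) {
        $findings += [pscustomobject]@{
            Type   = 'Persistence'
            Detail = "$runKey\$valueName"
            Value  = $props.$valueName                   # the command line the value launches
        }
    }
}

# 2. Network: any current TCP connection to the two actor-controlled addresses?
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $knownC2 -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $proc  = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $owner = "PID $($c.OwningProcess)"
    if ($proc) { $owner = "$($proc.ProcessName) ($owner)" }
    $findings += [pscustomobject]@{
        Type   = 'Network'
        Detail = "$($c.RemoteAddress):$($c.RemotePort) state=$($c.State)"
        Value  = $owner
    }
}

# 3. Process: a running image named xmrig* (assumed name; the report only says the miner is XMRig-based).
Get-Process -Name 'xmrig*' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Detail = $_.Path
        Value  = "PID $($_.Id)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TWIZT/Needle host indicators from the report were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being examined, since the persistence key is under HKCU rather than HKLM; on a multi-user host, repeat per loaded user hive. A renamed miner binary would escape the third check, which is why the Run-value and network checks come first.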
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇩🇪 Germany
- 🇨🇦 Canada
- 🇨🇳 China
- 🇺🇸 United States
- 🇬🇧 United Kingdom
- 🇮🇹 Italy
- 🇰🇷 South Korea
- 🇫🇷 France
Where they're from
Attributed origin per open-source reporting.
- Russia (RU)
Tradecraft
21 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.