IIMQL Search deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

39chains
19actors
406entities
8relation types

IIMQL query

8 chains found

14 raw match rows before grouping. Results link back to the public feed view.

JSON API
confirmed 5 entities 4 relations

Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints

unknown

IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.

entrystagingpayloadc2c2
entry · file · Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 · no technique
confirmed 5 entities 4 relations

Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN

unknown

IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.

entryentrystagingpayloadc2
entry · file · government-project-themed Word document (VBA macro dropper) · no techniqueentry · file · PDF with fake Adobe Reader lure · no technique
confirmed 21 entities 21 relations

Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure

BlueNoroff

IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.

entrypayloadpayloadstagingpayloadpayloadstagingc2 +13
entry · file · Zoom SDK Update.scpt · no technique
confirmed 14 entities 20 relations

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

unknown

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entryentryentrystagingstagingstagingstagingstaging +6
entry · file · _計畫申請審查結果通知單.exe · no technique
confirmed 9 entities 11 relations

Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2

UAC-0226

Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\ProgramData\cv4. cv4 reads C:\ProgramData\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.

entrystagingstagingstagingpayloadpayloadc2c2 +1
entry · file · Ukraine-themed CVE-2025-8088 archive attachment / container not submitted · IIM-T024entry · file · Ukraine-themed CVE-2025-8088 archive attachment / container not submitted · IIM-T024
confirmed 16 entities 16 relations

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

JINX-0164

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

entryentrystagingpayloadpayloadpayloadpayloadstaging +8
entry · url · https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac · IIM-T010, IIM-T020entry · url · https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac · IIM-T010, IIM-T020
confirmed 11 entities 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

entryentryentryentrystagingpayloadredirectorredirector +3
entry · file · Trojanized VS Code / OpenVSX extension package · IIM-T006entry · file · Compromised npm package with postinstall hook · IIM-T006entry · file · Compromised Python package with setup script · IIM-T006entry · url · github://poisoned-default-branches/more-than-300-repositories · IIM-T006