IIMQL Search: deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

17 chains · 11 actors · 142 entities · 7 relation types


16 chains found

30 raw match rows before grouping. Results link back to the public feed view.

confirmed · 11 entities · 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

Roles: entry, entry, entry, entry, staging, payload, redirector, redirector (+3 more)
payload · file · GlasswormRAT Node.js remote access tool · no technique

confirmed · 13 entities · 13 relations

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

UAC-0010

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

Roles: entry, entry, staging, staging, payload, redirector, redirector, redirector (+5 more)
payload · file · Pteranodon Stage-2 loader · no technique

likely · 9 entities · 11 relations

UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care

UAT-10027

Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.

Roles: entry, staging, staging, staging, payload, c2, redirector, c2 (+1 more)
payload · file · Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll · no technique

likely · 12 entities · 13 relations

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

UAT-10362

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

Roles: entry, redirector, staging, staging, staging, staging, payload, c2 (+4 more)
payload · file · LucidRook DLL stager written as DismCore.dll · no technique

likely · 8 entities · 8 relations

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

unknown

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

Roles: entry, staging, staging, staging, payload, c2, c2, c2
payload · file · PowMix PowerShell botnet payload · no technique

likely · 11 entities · 11 relations

Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain

Silver Fox

Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.

Roles: entry, redirector, staging, staging, staging, payload, c2, payload (+3 more)
payload · file · ValleyRAT Login module / Winos 4.0 payload · no technique

confirmed · 5 entities · 4 relations

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

Webworm

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

Roles: payload, c2, c2, payload, staging
payload · file · GraphWorm payload · no technique

confirmed · 4 entities · 3 relations

Webworm GitHub staging to EchoCreep Discord C2

Webworm

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

Roles: staging, payload, c2, redirector
payload · file · EchoCreep DLL · no technique

confirmed · 5 entities · 4 relations

UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev

UAT-8302

UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.

Roles: entry, staging, payload, c2, c2
payload · file · VSHELL payload · no technique

confirmed · 6 entities · 7 relations

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

UAT-8302

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

Roles: payload, redirector, redirector, c2, c2, c2
payload · file · CloudSorcerer v3 side-loaded DLL triad · no technique

confirmed · 4 entities · 3 relations

UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2

UAT-8302

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

Roles: entry, payload, c2, c2
payload · file · NetDraft / FringePorch backdoor · no technique

likely · 7 entities · 7 relations

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

UAC-0057

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

Roles: entry, staging, staging, payload, payload, c2, payload
payload · file · OYSTERBLUES registry-staged payload · no technique

confirmed · 9 entities · 8 relations

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

UAC-0057

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

Roles: entry, staging, staging, staging, payload, c2, payload, payload (+1 more)
payload · file · Update.js / PicassoLoader · no technique
payload · file · ViberPC.dll / Cobalt Strike Beacon · no technique

confirmed · 14 entities · 13 relations

UAC-0247 - UKRVARTA FPV

UAC-0247

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

Roles: entry, entry, staging, staging, staging, payload, payload, staging (+6 more)
payload · hash · b1d765f50f5c53702658b7a59a9bd05cfb042ea6b2d150191a84c53d373b9e4a · no technique

confirmed · 15 entities · 20 relations

UAC-0184: Pseudo PNG Passmark

UAC-0184

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

Roles: entry, entry, staging, staging, staging, staging, staging, staging (+7 more)
payload · file · input.dll · no technique