IIMQL Search: deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

17 chains · 11 actors · 142 entities · 7 relation types

IIMQL query

6 chains found

6 raw match rows before grouping. Results link back to the public feed view.

JSON API
confirmed · 11 entities · 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

Roles: entry · entry · entry · entry · staging · payload · redirector · redirector (+3)
staging · file · Glassworm downloader / installer stage · no technique
likely · 12 entities · 13 relations

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

UAT-10362

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

Roles: entry · redirector · staging · staging · staging · staging · payload · c2 (+4)
staging · file · LucidPawn dropper DismCore.dll · no technique
likely · 7 entities · 7 relations

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

UAC-0057

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

Roles: entry · staging · staging · payload · payload · c2 · payload
staging · file · OYSTERFRESH JavaScript · no technique
confirmed · 9 entities · 8 relations

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

UAC-0057

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

Roles: entry · staging · staging · staging · payload · c2 · payload · payload (+1)
staging · url · hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg · IIM-T001, IIM-T010
confirmed · 15 entities · 20 relations

UAC-0184: Pseudo PNG Passmark

UAC-0184

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

Roles: entry · entry · staging · staging · staging · staging · staging · staging (+7)
staging · file · filter.bin · IIM-T025