IIMQL Search deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

39chains
19actors
406entities
8relation types

IIMQL query

15 chains found

20 raw match rows before grouping. Results link back to the public feed view.

JSON API
confirmed 11 entities 13 relations

Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2

APT43

ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.

entrystagingstagingredirectorstagingstagingpayloadpayload +3
staging · url · https://download.birdriver.org/download.php?id=393156 · no technique
confirmed 5 entities 4 relations

Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN

unknown

IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.

entryentrystagingpayloadc2
staging · url · hxxps://<subdomain>.b-cdn[.]net/<path> · IIM-T001
confirmed 5 entities 4 relations

ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer

ClearFake

IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.

entryredirectorstagingpayloadc2
staging · url · <remote payload-retrieval host> · no technique
confirmed 13 entities 15 relations

Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool

unknown

IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.

entrystagingstagingstagingpayloadpayloadstagingpayload +5
staging · file · winp.zip portable Python RAT bundle in %AppData% · IIM-T024staging · file · winp.zip portable Python RAT bundle in %AppData% · IIM-T024staging · file · winp.zip portable Python RAT bundle in %AppData% · IIM-T024
confirmed 19 entities 18 relations

Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2

SideCopy

IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.

entryentrystagingstagingstagingstagingstagingstaging +11
staging · file · ayui.vmxx encrypted/compressed next-stage blob · no technique
confirmed 26 entities 33 relations

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

unknown

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entryentrystagingstagingstagingpayloadpayloadpayload +18
staging · file · ZIP archive containing HLS Installer.874.exe and malicious DLL · IIM-T024
confirmed 16 entities 25 relations

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

BlackToad

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entrystagingstagingstagingstagingstagingstagingstaging +8
staging · file · diniuvw.ikp · no technique
confirmed 15 entities 17 relations

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

JINX-0164

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entryentrystagingstagingstagingstagingpayloadpayload +7
staging · hash · c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e · no techniquestaging · hash · c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e · no techniquestaging · hash · 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460 · no techniquestaging · hash · 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460 · no technique
confirmed 20 entities 23 relations

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

unknown

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.

entrystagingstagingstagingstagingstagingpayloadpayload +12
staging · file · malicious ZIP archive containing legitimate utility executable plus autorun.dll · IIM-T024
confirmed 11 entities 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

entryentryentryentrystagingpayloadredirectorredirector +3
staging · file · Glassworm downloader / installer stage · no technique
likely 12 entities 13 relations

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

UAT-10362

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

entryredirectorstagingstagingstagingstagingpayloadc2 +4
staging · file · LucidPawn dropper DismCore.dll · no technique
likely 7 entities 7 relations

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

UAC-0057

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

entrystagingstagingpayloadpayloadc2payload
staging · file · OYSTERFRESH JavaScript · no technique
confirmed 9 entities 8 relations

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

UAC-0057

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

entrystagingstagingstagingpayloadc2payloadpayload +1
staging · url · hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg · IIM-T001, IIM-T010
confirmed 15 entities 20 relations

UAC-0184: Pseudo PNG Passmark

UAC-0184

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

entryentrystagingstagingstagingstagingstagingstaging +7
staging · file · filter.bin · IIM-T025