IIMQL Search deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

17 chains
11 actors
142 entities
7 relation types


6 chains found

6 raw match rows before grouping. Results link back to the public feed view.

Confidence: confirmed. 13 entities, 13 relations.

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

UAC-0010

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088-style (WinRAR path traversal) archive delivery to plant an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves and launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/fast-flux C2 nodes for tasking and payload rotation.

Roles: entry, entry, staging, staging, payload, redirector, redirector, redirector (+5 more)
chain match
Confidence: likely. 7 entities, 7 relations.

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

UAC-0057

CERT-UA/SOC Prime-documented Ukraine campaign: a compromised-email lure with a PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, an OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

Roles: entry, staging, staging, payload, payload, c2, payload
chain match
Confidence: confirmed. 9 entities, 8 relations.

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

UAC-0057

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

Roles: entry, staging, staging, staging, payload, c2, payload, payload (+1 more)
chain match
Confidence: confirmed. 14 entities, 13 relations.

UAC-0247 - UKRVARTA FPV

UAC-0247

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid-themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

Roles: entry, entry, staging, staging, staging, payload, payload, staging (+6 more)
chain match
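The UAC-0247 chain above is the kind of structure that is more useful hunted in order than as a flat IOC list. The Python below is an added example (not Mantis code and not tooling from the underlying reporting): it groups constructed Sysmon-style JSON events by host and checks which chain stages each host hits and whether their first occurrences follow chain order. The domain ukrvarta.online, updater.txt, OneDriveUpdater, RuntimeBroker.exe and 109.237.97.4:8443 come from the chain summary; the event names and field names (`dns_query`, `file_create`, `registry_set`, `create_remote_thread`, `network_connect`, `host`, `ts`) are assumptions of this example and should be mapped onto your own telemetry schema.

```python
import json
from collections import defaultdict

# Stage predicates for the UAC-0247 chain. IOCs are from the chain summary on
# this page; event/field names follow a generic Sysmon-style JSON export and
# are an assumption of this example, not a schema from the original reporting.
CHAIN_STAGES = [
    ("entry: ukrvarta.online",
     lambda e: e["event"] == "dns_query"
     and e.get("query", "").lower().endswith("ukrvarta.online")),
    ("staging: updater.txt",
     lambda e: e["event"] == "file_create"
     and e.get("path", "").lower().endswith("updater.txt")),
    ("persistence: OneDriveUpdater",
     lambda e: e["event"] == "registry_set"
     and "onedriveupdater" in e.get("value_name", "").lower()),
    ("injection: RuntimeBroker.exe",
     lambda e: e["event"] == "create_remote_thread"
     and e.get("target_image", "").lower().endswith("runtimebroker.exe")),
    ("c2: 109.237.97.4:8443",
     lambda e: e["event"] == "network_connect"
     and e.get("dest_ip") == "109.237.97.4" and e.get("dest_port") == 8443),
]


def match_chain(events, stages=CHAIN_STAGES):
    """Return the stages one host's events hit (in chain order) and whether the
    full chain was seen with first occurrences in that order."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, pred in stages:
            if name not in first_seen and pred(e):
                first_seen[name] = e["ts"]
    hit = [name for name, _ in stages if name in first_seen]
    in_order = all(first_seen[a] <= first_seen[b] for a, b in zip(hit, hit[1:]))
    return {"stages": hit, "complete": len(hit) == len(stages) and in_order}


def triage(log_lines):
    """Group newline-delimited JSON events by host and score each host."""
    by_host = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if line:
            e = json.loads(line)
            by_host[e["host"]].append(e)
    return {host: match_chain(evs) for host, evs in by_host.items()}


# Constructed sample telemetry (not real logs): WS-01 shows the whole chain in
# order, WS-02 only the outbound connection, which alone is a weak signal.
SAMPLE_LOG = r"""
{"host":"WS-01","ts":100,"event":"dns_query","query":"ukrvarta.online"}
{"host":"WS-01","ts":101,"event":"process_create","image":"C:\\Windows\\System32\\mshta.exe"}
{"host":"WS-01","ts":105,"event":"file_create","path":"C:\\Users\\u\\AppData\\Local\\Temp\\updater.txt"}
{"host":"WS-01","ts":110,"event":"registry_set","value_name":"OneDriveUpdater"}
{"host":"WS-01","ts":120,"event":"create_remote_thread","target_image":"C:\\Windows\\System32\\RuntimeBroker.exe"}
{"host":"WS-01","ts":130,"event":"network_connect","dest_ip":"109.237.97.4","dest_port":8443}
{"host":"WS-02","ts":200,"event":"network_connect","dest_ip":"109.237.97.4","dest_port":8443}
""".splitlines()

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, "COMPLETE" if verdict["complete"] else "partial", verdict["stages"])
```

A host that only hits the C2 stage is reported as partial rather than dropped, so a scanner or a sinkhole hit still surfaces for review, while the ordered check keeps a host with the stages seen out of sequence from being scored as the full chain.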
Confidence: confirmed. 15 entities, 20 relations.

UAC-0184: Pseudo PNG Passmark

UAC-0184

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

Roles: entry, entry, staging, staging, staging, staging, staging, staging (+7 more)
chain match
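The pseudo-PNG IDAT staging and LZNT1 unpacking in the UAC-0184 chain are worth being able to reproduce on the bench. The Python below is an added example, not Mantis code and not code recovered from the analysed artifacts: it walks a PNG-shaped container chunk by chunk, concatenates the IDAT payloads, checks whether they form a genuine zlib image stream (in a real image they do; in a carrier they do not), and runs an LZNT1 decoder (MS-XCA chunk format: 2-byte chunk headers, flag-byte tokens, position-dependent offset/length split) over the result. It assumes the IDAT bytes are the raw LZNT1 stream with no further encoding layer in between, which the chain summary does not state (it mentions encoded blobs elsewhere in the chain), so treat that as an assumption; the sample container and LZNT1 stream are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (type, payload, crc_ok) per chunk. CRC failures are reported, not
    fatal: a loader that only wants the bytes may not bother with checksums."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated %r chunk" % ctype)
        yield ctype, payload, zlib.crc32(ctype + payload) == struct.unpack(">I", crc)[0]
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_idat(data):
    """Join all IDAT payloads; real encoders split image data across chunks."""
    return b"".join(p for t, p, _ in png_chunks(data) if t == b"IDAT")


def idat_is_zlib(blob):
    """True for a genuine PNG (one zlib stream); False means carrier file."""
    try:
        zlib.decompress(blob)
        return True
    except zlib.error:
        return False


def _lznt1_chunk(chunk):
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:          # literal byte
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # Offset/length split depends on how much of this chunk is already
            # decoded: 4 offset bits at the start, growing to 12 near 4 KiB.
            p, len_mask, off_shift = len(out) - 1, 0x0FFF, 12
            while p >= 0x10:
                p >>= 1
                len_mask >>= 1
                off_shift -= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference before chunk start")
            start = len(out) - offset
            for k in range(length):             # byte-wise copy allows overlap
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(buf):
    """LZNT1 stream: 2-byte LE chunk headers (bit 15 = compressed, low 12 bits
    = chunk data size - 1); each chunk is decoded independently."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:                         # zero header ends the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def recover_payload(png_bytes):
    return lznt1_decompress(extract_idat(png_bytes))


def _png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed sample (not bytes from the real sample): a compressed LZNT1 chunk
# holding "ABC" plus a 9-byte back-reference at offset 3 (-> "ABCABCABCABC"),
# then an uncompressed chunk "XY", split across two IDAT chunks of a 1x1 PNG.
SAMPLE_LZNT1 = bytes.fromhex("05b0084142430620") + bytes.fromhex("01305859")
SAMPLE_PSEUDO_PNG = (
    PNG_SIGNATURE
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _png_chunk(b"IDAT", SAMPLE_LZNT1[:8])
    + _png_chunk(b"IDAT", SAMPLE_LZNT1[8:])
    + _png_chunk(b"IEND", b"")
)
```

Run `recover_payload(SAMPLE_PSEUDO_PNG)` to get the decoded bytes; `idat_is_zlib(extract_idat(...))` returning False is the quick triage signal that a file with a valid PNG signature and chunk layout is a carrier rather than an image. If the real artifact adds a further layer (XOR, RC4, or similar) between the IDAT bytes and the LZNT1 stream, it has to be removed before `lznt1_decompress`, and the chunk header sanity check (bits 12 to 14 of a well-formed header are 011) is a cheap way to tell when you have reached the right layer.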