IIMQL Search deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

39chains
19actors
406entities
8relation types

IIMQL query

29 chains found

79 raw match rows before grouping. Results link back to the public feed view.

JSON API
likely 13 entities 13 relations

GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool

GREYVIBE

WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.

entryredirectorstagingstagingpayloadpayloadstagingc2 +5
c2 · domain · nycpartnersenterprise.com · IIM-T011c2 · domain · chiselworksenterprise.com · IIM-T011c2 · domain · newrentalsenterprise.com · IIM-T011c2 · domain · bluelagoonaenterprise.com · IIM-T011
confirmed 5 entities 4 relations

Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN

unknown

IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.

entryentrystagingpayloadc2
c2 · domain · <campaign C2 endpoint> · no technique
confirmed 5 entities 4 relations

ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer

ClearFake

IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.

entryredirectorstagingpayloadc2
entry · domain · <compromised website with injected JS> · IIM-T004c2 · domain · <ACR Stealer C2 endpoint> · no technique
likely 4 entities 3 relations

Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access

unknown

IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.

entryredirectorstagingc2
c2 · domain · <ScreenConnect relay endpoint> · no technique
confirmed 4 entities 3 relations

HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends

unknown

IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.

entryredirectorredirectorpayload
payload · domain · <Tycoon 2FA AiTM credential endpoint> · no technique
confirmed 5 entities 4 relations

SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access

unknown

IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.

entryredirectorstagingpayloadc2
redirector · domain · gruta.com[.]mx · IIM-T004staging · domain · server.cubatiendaalimentos.com[.]mx · IIM-T004c2 · domain · <SimpleHelp/ScreenConnect RMM relay endpoint> · no technique
confirmed 21 entities 21 relations

Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure

BlueNoroff

IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.

entrypayloadpayloadstagingpayloadpayloadstagingc2 +13
c2 · domain · check02id.com · IIM-T011c2 · domain · uw04webzoom.us · IIM-T011c2 · domain · uw05webzoom.us · IIM-T011c2 · domain · uw03webzoom.us · IIM-T011
confirmed 14 entities 20 relations

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

unknown

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entryentryentrystagingstagingstagingstagingstaging +6
c2 · domain · note1ggbbhggdwa1.blob.core.windows.net · IIM-T002, IIM-T006, IIM-T013, IIM-T018
confirmed 19 entities 18 relations

Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2

SideCopy

IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.

entryentrystagingstagingstagingstagingstagingstaging +11
staging · domain · abimj.edu.af · IIM-T004
confirmed 13 entities 14 relations

Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer

unknown

IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.

entryentrypayloadpayloadpayloadc2c2payload +5
entry · domain · openew.app · no technique
confirmed 26 entities 33 relations

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

unknown

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entryentrystagingstagingstagingpayloadpayloadpayload +18
entry · domain · pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published) · no techniquestaging · domain · urush1bar4.online · IIM-T010c2 · domain · 5d14vnfb.space · IIM-T009, IIM-T011c2 · domain · r7mvjl67.space · IIM-T009, IIM-T011
confirmed 16 entities 25 relations

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

BlackToad

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entrystagingstagingstagingstagingstagingstagingstaging +8
c2 · domain · pmitm.ddns.net · IIM-T008, IIM-T011c2 · domain · lordtoad.duckdns.org · IIM-T008, IIM-T011c2 · domain · toadshit.ddnsfree.com · IIM-T008, IIM-T011
confirmed 16 entities 16 relations

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

JINX-0164

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

entryentrystagingpayloadpayloadpayloadpayloadstaging +8
c2 · domain · datahub.ink · IIM-T011c2 · domain · cloud-sync.online · IIM-T011c2 · domain · byte-io.us · IIM-T011
confirmed 15 entities 17 relations

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

JINX-0164

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entryentrystagingstagingstagingstagingpayloadpayload +7
c2 · domain · datahub.ink · IIM-T011c2 · domain · cloud-sync.online · IIM-T011c2 · domain · byte-io.us · IIM-T011
confirmed 8 entities 7 relations

Malware-Slop npm package to GitHub Contents API exfiltration chain

unknown

IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.

entrypayloadstagingredirectorc2c2stagingstaging
redirector · domain · github.com · IIM-T006
confirmed 20 entities 23 relations

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

unknown

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.

entrystagingstagingstagingstagingstagingpayloadpayload +12
entry · domain · attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published) · IIM-T011staging · domain · direct-download.gleeze.com · IIM-T008, IIM-T024staging · domain · start-download.gleeze.com · IIM-T008, IIM-T024staging · domain · direct-downloads.giize.com · IIM-T008, IIM-T024
confirmed 11 entities 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

entryentryentryentrystagingpayloadredirectorredirector +3
c2 · domain · commercial VPS-hosted direct C2 infrastructure (exact addresses not published) · IIM-T002
confirmed 13 entities 13 relations

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

UAC-0010

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entryentrystagingstagingpayloadredirectorredirectorredirector +5
redirector · domain · document-downloads.ddns.net · IIM-T008, IIM-T011
likely 9 entities 11 relations

UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care

UAT-10027

Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.

entrystagingstagingstagingpayloadc2redirectorc2 +1
redirector · domain · cloudflare-dns.com DoH resolver over HTTPS/443 · no techniquec2 · domain · MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool · IIM-T001, IIM-T011
likely 12 entities 13 relations

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

UAT-10362

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

entryredirectorstagingstagingstagingstagingpayloadc2 +4
c2 · domain · d.2fcc7078.digimg.store · no technique
likely 8 entities 8 relations

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

unknown

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

entrystagingstagingstagingpayloadc2c2c2
c2 · domain · herokuapp.com based C2 endpoint · IIM-T002c2 · domain · operator-supplied replacement C2 domain from #HOST command · IIM-T011
confirmed 5 entities 4 relations

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

Webworm

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

payloadc2c2payloadstaging
c2 · domain · graph.microsoft.com / Microsoft Graph API · IIM-T006, IIM-T018c2 · domain · onedrive.live.com / OneDrive-backed storage · IIM-T006, IIM-T018staging · domain · wamanharipethe.s3.ap-south-1.amazonaws[.]com · IIM-T002, IIM-T006
confirmed 4 entities 3 relations

Webworm GitHub staging to EchoCreep Discord C2

Webworm

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

stagingpayloadc2redirector
staging · domain · github[.]com/anjsdgasdf/WordPress · IIM-T006c2 · domain · discord[.]com / Discord API · IIM-T006, IIM-T018
confirmed 5 entities 4 relations

UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev

UAT-8302

UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.

entrystagingpayloadc2c2
c2 · domain · image.update-kaspersky.workers[.]dev · IIM-T005, IIM-T006c2 · domain · update-kaspersky.workers[.]dev · IIM-T005, IIM-T006
confirmed 6 entities 7 relations

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

UAT-8302

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

payloadredirectorredirectorc2c2c2
redirector · domain · github[.]com / public dead-drop resolver · IIM-T006, IIM-T013redirector · domain · gamespot[.]com / public dead-drop resolver · IIM-T006, IIM-T013c2 · domain · www.drivelivelime[.]com · IIM-T010, IIM-T011c2 · domain · msiidentity[.]com · IIM-T010, IIM-T011