IIMQL Search: deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

17 chains · 11 actors · 142 entities · 7 relation types

IIMQL query: 13 chains found

24 raw match rows before grouping. Results link back to the public feed view.
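
The grouping step above (raw match rows collapsing into chains) and the row shape used by the result cards below can be shown with a small parser. This is an added example, not Mantis or IIMQL code: it splits the "role · type · value · technique" rows as they appear on this page, refangs `[.]`, lowercases hosts (the Dohdoor pool below is published in mixed case, and DNS names are case-insensitive), walks parent domains on lookup, and separates plain-text matching from role/technique-structured matching. The sample rows are copied from cards on this page; the chain labels are shortened card titles, and the four-field row layout is assumed from how the cards render.

```python
import re
from collections import defaultdict

# Added example, not Mantis/IIMQL code. Row shape assumed from the result cards on this page:
#   role · type · value · technique[, technique...]   (or "no technique")
SEP = " · "
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")

# Rows copied from cards on this page, paired with a shortened card title.
# Cards with several rows run them together on the page; they are split by hand here.
SAMPLE_ROWS = [
    ("UAT-10027 Dohdoor", "redirector · domain · cloudflare-dns.com DoH resolver over HTTPS/443 · no technique"),
    ("UAT-10027 Dohdoor", "c2 · domain · MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool · IIM-T001, IIM-T011"),
    ("UAT-8302 SNOWLIGHT", "c2 · domain · image.update-kaspersky.workers[.]dev · IIM-T005, IIM-T006"),
    ("UAT-8302 SNOWLIGHT", "c2 · domain · update-kaspersky.workers[.]dev · IIM-T005, IIM-T006"),
    ("UAT-8302 CloudSorcerer", "c2 · domain · www.drivelivelime[.]com · IIM-T010, IIM-T011"),
    ("Webworm GitHub/Discord", "staging · domain · github[.]com/anjsdgasdf/WordPress · IIM-T006"),
    ("Webworm GraphWorm", "c2 · domain · graph.microsoft.com / Microsoft Graph API · IIM-T006, IIM-T018"),
    ("Glassworm", "c2 · domain · commercial VPS-hosted direct C2 infrastructure (exact addresses not published) · IIM-T002"),
]

def refang(text):
    """Undo the [.] defanging used in the cards so hosts can be matched."""
    return text.replace("[.]", ".")

def parse_row(chain, row):
    """Split one card row into a record. Hosts are refanged and lowercased; a value
    with no hostname (like the Glassworm VPS row) yields an empty host list."""
    parts = row.split(SEP)
    if len(parts) != 4:
        raise ValueError(f"unexpected row shape: {row!r}")
    role, etype, value, tech = (p.strip() for p in parts)
    techniques = [] if tech == "no technique" else [t.strip() for t in tech.split(",")]
    hosts = sorted({h.lower() for h in HOST_RE.findall(refang(value))})
    return {"chain": chain, "role": role, "type": etype, "value": value,
            "techniques": techniques, "hosts": hosts}

def build_index(records):
    """host -> records that carry it."""
    index = defaultdict(list)
    for rec in records:
        for h in rec["hosts"]:
            index[h].append(rec)
    return index

def lookup_host(index, host):
    """Case-insensitive lookup that walks up parent domains, so a subdomain of an
    indexed host still matches. Stops before the bare TLD."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return [(r["chain"], r["role"]) for r in index[candidate]]
    return []

def text_search(records, needle):
    """Plain-text mode: every row whose value mentions the needle is one raw match row."""
    n = needle.lower()
    return [r for r in records if n in r["value"].lower()]

def group_by_chain(rows):
    """Raw match rows -> chains, the grouping step the result count above describes."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["chain"]].append(r)
    return dict(groups)

def chains_with_role(records, role, technique=None):
    """Structural mode: chains holding an entity in `role`, optionally tagged `technique`."""
    return sorted({r["chain"] for r in records
                   if r["role"] == role and (technique is None or technique in r["techniques"])})

PARSED = [parse_row(chain, row) for chain, row in SAMPLE_ROWS]
INDEX = build_index(PARSED)

if __name__ == "__main__":
    hits = text_search(PARSED, "kaspersky")
    print(f"{len(hits)} raw match rows -> {len(group_by_chain(hits))} chains")
    print(lookup_host(INDEX, "MSWINSOFTUPDLOAD.DESIGN"))
    print(chains_with_role(PARSED, "c2", "IIM-T006"))
```

Two practical points the parser makes explicit: a card row can legitimately carry no indicator at all (the Glassworm VPS row only describes an architecture, so it must not become an empty-string match), and parent-domain walking is what lets a proxy log entry for a deeper subdomain hit the indexed `workers.dev` host without ever matching the shared suffix on its own.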

Glassworm developer supply-chain infection to redundant multi-resolver C2
Actor: Glassworm · confidence: confirmed · 11 entities · 13 relations

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

Roles: entry → entry → entry → entry → staging → payload → redirector → redirector (+3 more)
Key entities:
c2 · domain · commercial VPS-hosted direct C2 infrastructure (exact addresses not published) · IIM-T002
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
Actor: UAC-0010 · confidence: confirmed · 13 entities · 13 relations

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive uses WinRAR path-traversal extraction in the style of CVE-2025-6218/CVE-2025-8088 to plant an HTA in the Windows Startup folder, so the loader runs at the next logon. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves and launches Pteranodon, and then uses Telegram/graph.org dead-drop resolvers plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

Roles: entry → entry → staging → staging → payload → redirector → redirector → redirector (+5 more)
Key entities:
redirector · domain · document-downloads.ddns.net · IIM-T008, IIM-T011
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
Actor: UAT-10027 · confidence: likely · 9 entities · 11 relations

Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.

Roles: entry → staging → staging → staging → payload → c2 → redirector → c2 (+1 more)
Key entities:
redirector · domain · cloudflare-dns.com DoH resolver over HTTPS/443 · no technique
c2 · domain · MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool · IIM-T001, IIM-T011
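
The detection consequence of this chain is that the implant's C2 names never appear in the organization's own resolver logs: the only DNS artifact is the bootstrap lookup of the DoH server itself. The following is an added example, not Talos or Mantis code, that correlates a constructed internal resolver log with a constructed proxy/TLS log to surface connections whose destination name was never resolved internally ("DNS-blind"), and raises severity when the same client sent DNS-over-HTTPS from a non-browser process shortly before. The log layouts, the browser allowlist and the resolver names beyond cloudflare-dns.com (the one named on this card) are assumptions; the mixed-case C2 host in the sample is one of the pool names above.

```python
import re
from datetime import datetime, timedelta

# Added example, not Talos or Mantis code. Log layouts, the browser allowlist and the
# resolvers beyond cloudflare-dns.com (named in this chain) are assumptions.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # processes expected to speak DoH
WINDOW = timedelta(minutes=10)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed internal resolver log: "ts client qname answer".
# The implant's only trace here is resolving the DoH server itself.
DNS_LOG = """\
2026-01-14T09:00:01Z 10.1.2.30 login.microsoftonline.com 20.190.160.5
2026-01-14T09:00:03Z 10.1.2.30 cloudflare-dns.com 104.16.248.249
2026-01-14T09:00:10Z 10.1.2.31 www.example.com 93.184.216.34
"""

# Constructed proxy/TLS log: "ts client process dst_host dst_port path".
# The mixed-case destination is one of the Dohdoor pool names from this card.
CONN_LOG = """\
2026-01-14T09:00:02Z 10.1.2.30 outlook.exe login.microsoftonline.com 443 /
2026-01-14T09:00:04Z 10.1.2.30 rundll32.exe cloudflare-dns.com 443 /dns-query
2026-01-14T09:00:05Z 10.1.2.30 rundll32.exe MswInSofTUpDloAd.deSigN 443 /
2026-01-14T09:00:11Z 10.1.2.31 chrome.exe www.example.com 443 /
2026-01-14T09:00:12Z 10.1.2.31 chrome.exe cloudflare-dns.com 443 /dns-query
2026-01-14T09:00:13Z 10.1.2.31 chrome.exe news.example.org 443 /
"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_dns(text):
    events = []
    for line in text.splitlines():
        ts, client, qname, answer = line.split()
        events.append({"ts": _ts(ts), "client": client,
                       "qname": qname.lower().rstrip("."), "answer": answer})
    return events

def parse_conn(text):
    events = []
    for line in text.splitlines():
        ts, client, proc, host, port, path = line.split()
        events.append({"ts": _ts(ts), "client": client, "proc": proc.lower(),
                       "host": host.lower().rstrip("."), "port": int(port), "path": path})
    return events

def find_dns_blind(dns_events, conn_events):
    """Return (client, process, host, reason, severity) tuples.
    A connection is DNS-blind when its destination name never appeared in the
    client's resolver traffic; severity is high if that client sent non-browser
    DoH within WINDOW beforehand, which is the shape of this chain."""
    resolved = {}
    for e in dns_events:
        resolved.setdefault(e["client"], set()).add(e["qname"])
    last_doh = {}
    alerts = []
    for c in sorted(conn_events, key=lambda e: e["ts"]):
        if c["host"] in DOH_RESOLVERS and c["path"].startswith("/dns-query"):
            if c["proc"] not in BROWSERS:
                last_doh[c["client"]] = c["ts"]
                alerts.append((c["client"], c["proc"], c["host"], "non-browser DoH", "medium"))
            continue
        if IPV4_RE.match(c["host"]) or c["host"] in resolved.get(c["client"], set()):
            continue  # IP literal needs no DNS; a resolved name is not blind
        recent = last_doh.get(c["client"])
        severity = "high" if recent is not None and c["ts"] - recent <= WINDOW else "low"
        alerts.append((c["client"], c["proc"], c["host"], "DNS-blind connection", severity))
    return alerts

if __name__ == "__main__":
    for alert in find_dns_blind(parse_dns(DNS_LOG), parse_conn(CONN_LOG)):
        print(*alert)
```

The browser that also uses DoH produces a low-severity DNS-blind hit, which is the expected noise floor; the rule only becomes actionable through the process dimension, so the allowlist and the resolver list have to reflect what is actually deployed. Because the C2 pool is Cloudflare-fronted, the destination IPs are shared with legitimate sites and the name (normalized to lowercase) is the only reliable pivot.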
UAT-10362 LucidRook LNK archive chain against Taiwanese organizations
Actor: UAT-10362 · confidence: likely · 12 entities · 13 relations

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

Roles: entry → redirector → staging → staging → staging → staging → payload → c2 (+4 more)
Key entities:
c2 · domain · d.2fcc7078.digimg.store · no technique
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
Actor: unknown · confidence: likely · 8 entities · 8 relations

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

Roles: entry → staging → staging → staging → payload → c2 → c2 → c2
Key entities:
c2 · domain · herokuapp.com based C2 endpoint · IIM-T002
c2 · domain · operator-supplied replacement C2 domain from #HOST command · IIM-T011
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
Actor: Webworm · confidence: confirmed · 5 entities · 4 relations

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

Roles: payload → c2 → c2 → payload → staging
Key entities:
c2 · domain · graph.microsoft.com / Microsoft Graph API · IIM-T006, IIM-T018
c2 · domain · onedrive.live.com / OneDrive-backed storage · IIM-T006, IIM-T018
staging · domain · wamanharipethe.s3.ap-south-1.amazonaws[.]com · IIM-T002, IIM-T006
Webworm GitHub staging to EchoCreep Discord C2
Actor: Webworm · confidence: confirmed · 4 entities · 3 relations

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

Roles: staging → payload → c2 → redirector
Key entities:
staging · domain · github[.]com/anjsdgasdf/WordPress · IIM-T006
c2 · domain · discord[.]com / Discord API · IIM-T006, IIM-T018
UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev
Actor: UAT-8302 · confidence: confirmed · 5 entities · 4 relations

UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.

Roles: entry → staging → payload → c2 → c2
Key entities:
c2 · domain · image.update-kaspersky.workers[.]dev · IIM-T005, IIM-T006
c2 · domain · update-kaspersky.workers[.]dev · IIM-T005, IIM-T006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
Actor: UAT-8302 · confidence: confirmed · 6 entities · 7 relations

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

Roles: payload → redirector → redirector → c2 → c2 → c2
Key entities:
redirector · domain · github[.]com / public dead-drop resolver · IIM-T006, IIM-T013
redirector · domain · gamespot[.]com / public dead-drop resolver · IIM-T006, IIM-T013
c2 · domain · www.drivelivelime[.]com · IIM-T010, IIM-T011
c2 · domain · msiidentity[.]com · IIM-T010, IIM-T011
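
Several chains on this page use the same dead-drop resolver shape: CloudSorcerer reads C2 information from github.com and gamespot.com, Gamaredon from Telegram/graph.org, Glassworm from Google Calendar event titles (its Solana and BitTorrent DHT channels are not HTTP and are outside this example). What the SOC sees is a process fetching a page on a reputable public service and, moments later, contacting a host that process has never spoken to. The following is an added example, not Talos, ESET or Mantis code, that flags that sequence in constructed endpoint telemetry against a per-process destination baseline. The service list beyond the hosts named on this page, the browser allowlist, the process names and the telemetry layout are assumptions; the follow-up host in the sample is the CloudSorcerer C2 domain listed above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Talos/ESET/Mantis code. github.com, gamespot.com and graph.org
# are named on this page; raw.githubusercontent.com, t.me, telegra.ph and
# calendar.google.com are assumed additions for the same pattern.
DEAD_DROP_SERVICES = {"github.com", "raw.githubusercontent.com", "gamespot.com",
                      "www.gamespot.com", "graph.org", "telegra.ph", "t.me",
                      "calendar.google.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed: expected to browse these
WINDOW = timedelta(seconds=120)  # assumed gap between dead-drop read and first C2 contact

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse(text):
    """Constructed telemetry layout: 'ts endpoint process dst_host'."""
    rows = []
    for line in text.splitlines():
        ts, endpoint, proc, host = line.split()
        rows.append({"ts": _ts(ts), "endpoint": endpoint,
                     "proc": proc.lower(), "host": host.lower()})
    return rows

# Constructed baseline week: what each (endpoint, process) normally talks to.
BASELINE_LOG = """\
2026-01-07T10:00:00Z ws-17 chrome.exe github.com
2026-01-07T10:02:00Z ws-17 chrome.exe www.gamespot.com
2026-01-07T10:05:00Z ws-17 svchost.exe www.msftconnecttest.com
2026-01-08T11:00:00Z ws-17 chrome.exe news.example.org
"""

# Constructed day under review. "sideloaded-host.exe" is a placeholder process name.
REVIEW_LOG = """\
2026-01-14T09:00:00Z ws-17 svchost.exe www.msftconnecttest.com
2026-01-14T09:00:10Z ws-17 sideloaded-host.exe www.gamespot.com
2026-01-14T09:00:40Z ws-17 sideloaded-host.exe www.drivelivelime.com
2026-01-14T09:30:00Z ws-17 chrome.exe github.com
2026-01-14T09:30:20Z ws-17 chrome.exe cdn.newsite.example
2026-01-14T10:00:00Z ws-17 chrome.exe news.example.org
"""

def find_dead_drop_followups(baseline, review):
    """Return (endpoint, process, new_host, severity) for every first-ever destination
    a process reaches within WINDOW after touching a dead-drop service."""
    known = defaultdict(set)  # (endpoint, proc) -> destinations seen in the baseline
    for r in baseline:
        known[(r["endpoint"], r["proc"])].add(r["host"])
    last_fetch = {}           # (endpoint, proc) -> ts of latest dead-drop service contact
    alerts = []
    for r in sorted(review, key=lambda e: e["ts"]):
        key = (r["endpoint"], r["proc"])
        if r["host"] in DEAD_DROP_SERVICES:
            last_fetch[key] = r["ts"]
            continue
        if r["host"] in known[key]:
            continue  # routine destination for this process
        fetched = last_fetch.get(key)
        if fetched is None or r["ts"] - fetched > WINDOW:
            continue  # new destination, but not right after a dead-drop read
        severity = "low" if r["proc"] in BROWSERS else "high"
        alerts.append((r["endpoint"], r["proc"], r["host"], severity))
    return alerts

if __name__ == "__main__":
    for alert in find_dead_drop_followups(parse(BASELINE_LOG), parse(REVIEW_LOG)):
        print(*alert)
```

The browser hit is the noise case: people read GitHub and then click through to new sites all day, so the severity has to come from the process, not the sequence alone. The value of the rule is that it needs no knowledge of the decoded C2 domain, which is exactly what rotates when an actor re-publishes its dead drop.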
UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2
Actor: UAT-8302 · confidence: confirmed · 4 entities · 3 relations

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

Roles: entry → payload → c2 → c2
Key entities:
c2 · domain · graph.microsoft.com / Microsoft Graph API · IIM-T006, IIM-T018
c2 · domain · onedrive.live.com / OneDrive-backed C2 storage · IIM-T006, IIM-T018
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
Actor: UAC-0057 · confidence: likely · 7 entities · 7 relations

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

Roles: entry → staging → staging → payload → payload → c2 → payload
Key entities:
c2 · domain · Cloudflare-fronted .icu C2 domain cluster · IIM-T001, IIM-T010, IIM-T011
UAC-0247 - UKRVARTA FPV
Actor: UAC-0247 · confidence: confirmed · 14 entities · 13 relations

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

Roles: entry → entry → staging → staging → staging → payload → payload → staging (+6 more)
Key entities:
staging · domain · ukrvarta.online · IIM-T002, IIM-T019, IIM-T026