IIMQL Search deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

39chains
19actors
406entities
8relation types

IIMQL query

37 chains found

110 raw match rows before grouping. Results link back to the public feed view.

JSON API
confirmed 11 entities 13 relations

Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2

APT43

ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.

entrystagingstagingredirectorstagingstagingpayloadpayload +3
c2 · url · http://hdrgdrfes.chickenkiller.com/index.php · no technique
likely 13 entities 13 relations

GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool

GREYVIBE

WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.

entryredirectorstagingstagingpayloadpayloadstagingc2 +5
c2 · domain · nycpartnersenterprise.com · IIM-T011c2 · domain · chiselworksenterprise.com · IIM-T011c2 · domain · newrentalsenterprise.com · IIM-T011c2 · domain · bluelagoonaenterprise.com · IIM-T011
confirmed 9 entities 9 relations

CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access

unknown

IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.

entryentryentryentryredirectorstagingpayloadpayload +1
c2 · file · VPN-assigned internal-network access after successful cookie authentication (subset of victims) · no technique
confirmed 5 entities 4 relations

Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints

unknown

IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.

entrystagingpayloadc2c2
c2 · url · http://85.217.222.185/static.php · no techniquec2 · url · http://85.217.222.185/index.php · no technique
confirmed 5 entities 4 relations

Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN

unknown

IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.

entryentrystagingpayloadc2
c2 · domain · <campaign C2 endpoint> · no technique
confirmed 5 entities 4 relations

ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer

ClearFake

IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.

entryredirectorstagingpayloadc2
c2 · domain · <ACR Stealer C2 endpoint> · no technique
likely 4 entities 3 relations

Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access

unknown

IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.

entryredirectorstagingc2
c2 · domain · <ScreenConnect relay endpoint> · no technique
confirmed 5 entities 4 relations

SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access

unknown

IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.

entryredirectorstagingpayloadc2
c2 · domain · <SimpleHelp/ScreenConnect RMM relay endpoint> · no technique
confirmed 13 entities 17 relations

Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control

unknown

IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.

entryredirectorredirectorredirectorredirectorstagingstagingpayload +5
c2 · url · <compromised WordPress site> POST / with cookie DEpjndDbNc · IIM-T004c2 · url · <compromised WordPress site> POST / with cookie tEcaKKXEsb and parameter new_code · IIM-T004
confirmed 21 entities 21 relations

Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure

BlueNoroff

IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.

entrypayloadpayloadstagingpayloadpayloadstagingc2 +13
c2 · domain · check02id.com · IIM-T011c2 · domain · uw04webzoom.us · IIM-T011c2 · domain · uw05webzoom.us · IIM-T011c2 · domain · uw03webzoom.us · IIM-T011
confirmed 13 entities 15 relations

Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool

unknown

IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.

entrystagingstagingstagingpayloadpayloadstagingpayload +5
c2 · ip · 45.61.136.94 · no techniquec2 · ip · 64.95.12.238 · no techniquec2 · ip · 162.33.179.149 · no techniquec2 · ip · 64.95.13.76 · no technique
confirmed 14 entities 20 relations

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

unknown

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entryentryentrystagingstagingstagingstagingstaging +6
c2 · domain · note1ggbbhggdwa1.blob.core.windows.net · IIM-T002, IIM-T006, IIM-T013, IIM-T018c2 · url · https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin · IIM-T002, IIM-T018
confirmed 19 entities 18 relations

Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2

SideCopy

IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.

entryentrystagingstagingstagingstagingstagingstaging +11
c2 · ip · 185.235.137.106 · IIM-T003
confirmed 13 entities 14 relations

Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer

unknown

IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.

entryentrypayloadpayloadpayloadc2c2payload +5
c2 · url · http://188.137.246.189/laravel.php?api=api&hash=<redacted>&message=<redacted> · no techniquec2 · ip · 188.137.246.189 · no techniquec2 · ip · 192.253.248.181 · no techniquec2 · ip · 172.94.9.250 · no technique
confirmed 26 entities 33 relations

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

unknown

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entryentrystagingstagingstagingpayloadpayloadpayload +18
c2 · domain · 5d14vnfb.space · IIM-T009, IIM-T011c2 · domain · r7mvjl67.space · IIM-T009, IIM-T011c2 · domain · zgj1tam9.space · IIM-T009, IIM-T011c2 · domain · jeaw520i.space · IIM-T009, IIM-T011
confirmed 9 entities 11 relations

Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2

UAC-0226

Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\ProgramData\cv4. cv4 reads C:\ProgramData\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.

entrystagingstagingstagingpayloadpayloadc2c2 +1
c2 · url · https://151.158.1.229:11861/AHH_bY/ · no techniquec2 · url · https://151.158.1.229:11861/pQWhYy/ · no techniquec2 · ip · 151.158.1.229 · no technique
confirmed 16 entities 25 relations

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

BlackToad

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entrystagingstagingstagingstagingstagingstagingstaging +8
c2 · domain · pmitm.ddns.net · IIM-T008, IIM-T011c2 · domain · lordtoad.duckdns.org · IIM-T008, IIM-T011c2 · domain · toadshit.ddnsfree.com · IIM-T008, IIM-T011c2 · ip · 197.210.55.170 · no technique
confirmed 16 entities 16 relations

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

JINX-0164

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

entryentrystagingpayloadpayloadpayloadpayloadstaging +8
c2 · domain · datahub.ink · IIM-T011c2 · domain · cloud-sync.online · IIM-T011c2 · domain · byte-io.us · IIM-T011c2 · ip · 208.115.220.17 · no technique
confirmed 15 entities 17 relations

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

JINX-0164

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entryentrystagingstagingstagingstagingpayloadpayload +7
c2 · domain · datahub.ink · IIM-T011c2 · domain · cloud-sync.online · IIM-T011c2 · domain · byte-io.us · IIM-T011c2 · ip · 208.115.220.17 · no technique
confirmed 8 entities 7 relations

Malware-Slop npm package to GitHub Contents API exfiltration chain

unknown

IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.

entrypayloadstagingredirectorc2c2stagingstaging
c2 · url · https://api.github.com/repos/<actor-controlled-account>/<target-repository>/contents/<random-per-run-folder>/ · IIM-T018, IIM-T006c2 · file · random per-run folder containing base64-encoded uploaded files · IIM-T018, IIM-T006
confirmed 20 entities 23 relations

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

unknown

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.

entrystagingstagingstagingstagingstagingpayloadpayload +12
c2 · domain · directdownload.icu · no techniquec2 · ip · 193.42.11.108 · no techniquec2 · url · wss://minemine.gleeze.com:8443/ws · IIM-T008, IIM-T021c2 · certificate · EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67 · IIM-T012
confirmed 11 entities 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

entryentryentryentrystagingpayloadredirectorredirector +3
c2 · domain · commercial VPS-hosted direct C2 infrastructure (exact addresses not published) · IIM-T002c2 · ip · 164.92.88.210 · no technique
confirmed 13 entities 13 relations

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

UAC-0010

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entryentrystagingstagingpayloadredirectorredirectorredirector +5
c2 · ip · 194.67.71.75 · IIM-T003, IIM-T007c2 · ip · 45.32.220.217 · IIM-T002
likely 9 entities 11 relations

UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care

UAT-10027

Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.

entrystagingstagingstagingpayloadc2redirectorc2 +1
c2 · url · http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s · no techniquec2 · domain · MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool · IIM-T001, IIM-T011
likely 12 entities 13 relations

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

UAT-10362

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

entryredirectorstagingstagingstagingstagingpayloadc2 +4
c2 · ip · 1.34.253.131 · IIM-T004c2 · ip · 59.124.71.242 · IIM-T004c2 · domain · d.2fcc7078.digimg.store · no technique