IIMQL Search: deep search for infra chains

Public IIM Chain Search

Search the infrastructure layer.

Query published IIM chains from Mantis. Plain text works for quick pivots; IIMQL works when you want roles, relations, entities, and actual chain structure. Very wild concept: search the thing we modelled.

17 chains
11 actors
142 entities
7 relation types


17 chains found

33 raw match rows before grouping. Results link back to the public feed view.

Confidence: confirmed | 11 entities | 13 relations

Glassworm developer supply-chain infection to redundant multi-resolver C2

Glassworm

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

Roles: entry, entry, entry, entry, staging, payload, redirector, redirector (+3 more)
{"chain.chain_id": "glassworm.2026.developer-supply-chain.multi-resolver-c2", "chain.title": "Glassworm developer supply-chain infection to redundant multi-resolver C2", "entity.value": "GlasswormRAT Node.js remote access tool"}
Confidence: confirmed | 13 entities | 13 relations

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

UAC-0010

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

Roles: entry, entry, staging, staging, payload, redirector, redirector, redirector (+5 more)
{"chain.chain_id": "gamaredon.2025.zero-click-rar.pteranodon", "chain.title": "Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure", "entity.value": "Pteranodon Stage-2 loader"}
Confidence: likely | 9 entities | 11 relations

UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care

UAT-10027

Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.

Roles: entry, staging, staging, staging, payload, c2, redirector, c2 (+1 more)
{"chain.chain_id": "uat-10027-dohdoor-education-healthcare-2026-02-26", "chain.title": "UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care", "entity.value": "Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"}
{"chain.chain_id": "uat-10027-dohdoor-education-healthcare-2026-02-26", "chain.title": "UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care", "entity.value": "potential Cobalt Strike Beacon next-stage payload"}
Confidence: likely | 12 entities | 13 relations

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

UAT-10362

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

Roles: entry, redirector, staging, staging, staging, staging, payload, c2 (+4 more)
{"chain.chain_id": "uat-10362-lucidrook-taiwan-2026-04-08", "chain.title": "UAT-10362 LucidRook LNK archive chain against Taiwanese organizations", "entity.value": "LucidRook DLL stager written as DismCore.dll"}
{"chain.chain_id": "uat-10362-lucidrook-taiwan-2026-04-08", "chain.title": "UAT-10362 LucidRook LNK archive chain against Taiwanese organizations", "entity.value": "archive1.zip staged Lua bytecode payload from FTP C2"}
Confidence: likely | 8 entities | 8 relations

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

unknown

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

Roles: entry, staging, staging, staging, payload, c2, c2, c2
{"chain.chain_id": "powmix-czech-workforce-2026-04-16", "chain.title": "PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce", "entity.value": "PowMix PowerShell botnet payload"}
Confidence: likely | 11 entities | 11 relations

Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain

Silver Fox

Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.

Roles: entry, redirector, staging, staging, staging, payload, c2, payload (+3 more)
{"chain.chain_id": "silver-fox-abcdoor-2026-04-30", "chain.title": "Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain", "entity.value": "ValleyRAT Login module / Winos 4.0 payload"}
{"chain.chain_id": "silver-fox-abcdoor-2026-04-30", "chain.title": "Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain", "entity.value": "custom ValleyRAT module 保86.dll / 保86.dll_bin"}
{"chain.chain_id": "silver-fox-abcdoor-2026-04-30", "chain.title": "Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain", "entity.value": "ABCDoor Python backdoor"}
Confidence: confirmed | 5 entities | 4 relations

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

Webworm

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

Roles: payload, c2, c2, payload, staging
{"chain.chain_id": "webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane", "chain.title": "Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane", "entity.value": "GraphWorm payload"}
{"chain.chain_id": "webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane", "chain.title": "Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane", "entity.value": "WormFrp reverse proxy / exfiltration component"}
Confidence: confirmed | 4 entities | 3 relations

Webworm GitHub staging to EchoCreep Discord C2

Webworm

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

Roles: staging, payload, c2, redirector
{"chain.chain_id": "iim.chain.apt.2026.05.009", "chain.title": "Webworm GitHub staging to EchoCreep Discord C2", "entity.value": "EchoCreep DLL"}
Confidence: confirmed | 5 entities | 4 relations

UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100

UAT-8302

Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs.

Roles: staging, payload, redirector, redirector, staging
{"chain.chain_id": "uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100", "chain.title": "UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100", "entity.value": "wagent.exe / Stowaway proxy component"}
Confidence: confirmed | 5 entities | 4 relations

UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev

UAT-8302

UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.

Roles: entry, staging, payload, c2, c2
{"chain.chain_id": "uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev", "chain.title": "UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev", "entity.value": "VSHELL payload"}
Confidence: confirmed | 6 entities | 7 relations

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

UAT-8302

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

Roles: payload, redirector, redirector, c2, c2, c2
{"chain.chain_id": "iim.chain.apt.2026.05.006", "chain.title": "UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2", "entity.value": "CloudSorcerer v3 side-loaded DLL triad"}
Confidence: confirmed | 4 entities | 3 relations

UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2

UAT-8302

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

Roles: entry, payload, c2, c2
{"chain.chain_id": "iim.chain.apt.2026.05.005", "chain.title": "UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2", "entity.value": "NetDraft / FringePorch backdoor"}
Confidence: likely | 7 entities | 7 relations

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

UAC-0057

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

Roles: entry, staging, staging, payload, payload, c2, payload
{"chain.chain_id": "iim.chain.apt.2026.05.004", "chain.title": "UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2", "entity.value": "OYSTERBLUES registry-staged payload"}
{"chain.chain_id": "iim.chain.apt.2026.05.004", "chain.title": "UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2", "entity.value": "OYSTERSHUCK decoder/loader"}
{"chain.chain_id": "iim.chain.apt.2026.05.004", "chain.title": "UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2", "entity.value": "Cobalt Strike follow-on component"}
Confidence: confirmed | 4 entities | 3 relations

FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz

UAC-0057

FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.

Roles: staging, payload, c2, c2
{"chain.chain_id": "iim.chain.apt.2026.05.003", "chain.title": "FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz", "entity.value": "EdgeSystemConfig.dll"}
Confidence: confirmed | 9 entities | 8 relations

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

UAC-0057

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

Roles: entry, staging, staging, staging, payload, c2, payload, payload (+1 more)
{"chain.chain_id": "frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike", "chain.title": "FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike", "entity.value": "Update.js / PicassoLoader"}
{"chain.chain_id": "frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike", "chain.title": "FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike", "entity.value": "Update.js / Cobalt Strike dropper"}
{"chain.chain_id": "frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike", "chain.title": "FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike", "entity.value": "ViberPC.dll / Cobalt Strike Beacon"}
Confidence: confirmed | 14 entities | 13 relations

UAC-0247 - UKRVARTA FPV

UAC-0247

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

Roles: entry, entry, staging, staging, staging, payload, payload, staging (+6 more)
{"chain.chain_id": "uac-0247-ukrvarta-fpv-dopomoga-2026-03", "chain.title": "UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell", "entity.value": "https://ukrvarta.online/dopomoga/updater.txt"}
{"chain.chain_id": "uac-0247-ukrvarta-fpv-dopomoga-2026-03", "chain.title": "UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell", "entity.value": "https://ukrvarta.online/conference/updater.txt"}
{"chain.chain_id": "uac-0247-ukrvarta-fpv-dopomoga-2026-03", "chain.title": "UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell", "entity.value": "c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9"}
{"chain.chain_id": "uac-0247-ukrvarta-fpv-dopomoga-2026-03", "chain.title": "UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell", "entity.value": "RuntimeBroker.exe"}
Confidence: confirmed | 15 entities | 20 relations

UAC-0184: Pseudo PNG Passmark

UAC-0184

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

Roles: entry, entry, staging, staging, staging, staging, staging, staging (+7 more)
{"chain.chain_id": "uac-0184-pseudo-png-passmark-2026-05", "chain.title": "UAC-0184 gated HTA delivery to pseudo-PNG staged payload and PassMark network stack", "entity.value": "filter.bin decoded LZNT1 payload bundle"}
{"chain.chain_id": "uac-0184-pseudo-png-passmark-2026-05", "chain.title": "UAC-0184 gated HTA delivery to pseudo-PNG staged payload and PassMark network stack", "entity.value": "VSLauncher.exe"}
{"chain.chain_id": "uac-0184-pseudo-png-passmark-2026-05", "chain.title": "UAC-0184 gated HTA delivery to pseudo-PNG staged payload and PassMark network stack", "entity.value": "input.dll"}