{"error":null,"mode":"iimql","query":"MATCH (:entry)-->(:staging)-->(:payload)","results":[{"actor":"unknown","chain_id":"medium.2026.atomic-macos-stealer-amos-http-c2","confidence":"confirmed","description":"IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9"},{"role":"staging","techniques":[],"type":"file","value":"XOR-obfuscated AMOS behavioral/config layer using key 7M43mJx9I0GwjslSA2oKSgkqsUo"},{"role":"payload","techniques":[],"type":"file","value":"AMOS collection and evasion runtime (AppleScript Finder move/delete, xattr quarantine removal, osascript mute, bash self-delete)"},{"role":"c2","techniques":[],"type":"url","value":"http://85.217.222.185/static.php"},{"role":"c2","techniques":[],"type":"url","value":"http://85.217.222.185/index.php"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/medium.2026.atomic-macos-stealer-amos-http-c2","matches":["entry \u00b7 file \u00b7 Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 \u00b7 no technique"],"published_at":"2026-05-31 19:04:58.401138","raw_url":"https://feed.iim.malwarebox.eu/api/chains/medium.2026.atomic-macos-stealer-amos-http-c2/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":1,"source_links":[],"techniques":[],"title":"Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints"},{"actor":"unknown","chain_id":"joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","confidence":"confirmed","description":"IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.","digest":[{"role":"entry","techniques":[],"type":"file","value":"government-project-themed Word document (VBA macro dropper)"},{"role":"entry","techniques":[],"type":"file","value":"PDF with fake Adobe Reader lure"},{"role":"staging","techniques":["IIM-T001"],"type":"url","value":"hxxps://<subdomain>.b-cdn[.]net/<path>"},{"role":"payload","techniques":[],"type":"file","value":"<second-stage payload>"},{"role":"c2","techniques":[],"type":"domain","value":"<campaign C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","matches":["entry \u00b7 file \u00b7 government-project-themed Word document (VBA macro dropper) \u00b7 no technique","entry \u00b7 file \u00b7 PDF with fake Adobe Reader lure \u00b7 no technique"],"published_at":"2026-05-30 21:33:26.939349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery/raw","relation_count":4,"roles":["entry","entry","staging","payload","c2"],"score":2,"source_links":[],"techniques":["IIM-T001"],"title":"Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN"},{"actor":"BlueNoroff","chain_id":"levelblue.2026.sapphire-sleet-macos-fake-zoom-update","confidence":"confirmed","description":"IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Zoom SDK Update.scpt"},{"role":"payload","techniques":[],"type":"file","value":"com.apple.cli profiling component"},{"role":"payload","techniques":[],"type":"file","value":"systemupdate.app / Mac Password Popup credential harvester"},{"role":"staging","techniques":[],"type":"file","value":"/Library/LaunchDaemons/com.google.webkit.service.plist"},{"role":"payload","techniques":[],"type":"file","value":"icloudz reflective backdoor component"},{"role":"payload","techniques":[],"type":"file","value":"com.google.chromes.updaters in-memory beacon agent"},{"role":"staging","techniques":[],"type":"file","value":"/tmp staged zip archives containing collected corporate and crypto assets"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"check02id.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"uw04webzoom.us"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"uw05webzoom.us"}],"entity_count":21,"feed_url":"https://feed.iim.malwarebox.eu/chain/levelblue.2026.sapphire-sleet-macos-fake-zoom-update","matches":["entry \u00b7 file \u00b7 Zoom SDK Update.scpt \u00b7 no technique"],"published_at":"2026-05-30 11:17:36.619344","raw_url":"https://feed.iim.malwarebox.eu/api/chains/levelblue.2026.sapphire-sleet-macos-fake-zoom-update/raw","relation_count":21,"roles":["entry","payload","payload","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2"],"score":1,"source_links":[{"label":"Source 1","url":"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"}],"techniques":["IIM-T011"],"title":"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure"},{"actor":"unknown","chain_id":"seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2","confidence":"confirmed","description":"IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP attachment containing Taiwan/Czech lure artifacts"},{"role":"entry","techniques":[],"type":"file","value":"\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.pdf.lnk"},{"role":"entry","techniques":[],"type":"file","value":"_\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.exe"},{"role":"staging","techniques":[],"type":"file","value":"data\\empty.vbs"},{"role":"staging","techniques":[],"type":"file","value":"data\\Profile.ps1"},{"role":"staging","techniques":[],"type":"file","value":"data\\1.dat encrypted RuntimeBroker_update.exe container"},{"role":"staging","techniques":[],"type":"file","value":"RuntimeBroker_update.exe sideload trigger executable"},{"role":"staging","techniques":[],"type":"file","value":"BrowserViewUtility.exe legitimate sideload host"},{"role":"payload","techniques":[],"type":"file","value":"UnityPlayer.dll / RUSTCLOAK Rust loader"},{"role":"staging","techniques":[],"type":"file","value":"Com.dat encrypted AZUREVEIL payload container"}],"entity_count":14,"feed_url":"https://feed.iim.malwarebox.eu/chain/seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2","matches":["entry \u00b7 file \u00b7 _\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.exe \u00b7 no technique"],"published_at":"2026-05-29 20:05:53.878328","raw_url":"https://feed.iim.malwarebox.eu/api/chains/seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2/raw","relation_count":20,"roles":["entry","entry","entry","staging","staging","staging","staging","staging","payload","staging","payload","c2","c2","staging"],"score":1,"source_links":[{"label":"Source 1","url":"https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"}],"techniques":["IIM-T002","IIM-T006","IIM-T013","IIM-T018","IIM-T024"],"title":"Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2"},{"actor":"UAC-0226","chain_id":"ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28","confidence":"confirmed","description":"Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\ProgramData\\cv4. cv4 reads C:\\ProgramData\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"Ukraine-themed CVE-2025-8088 archive attachment / container not submitted"},{"role":"staging","techniques":[],"type":"file","value":"1070_26782818.pdf"},{"role":"staging","techniques":[],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U061m7RlE5py.lnk"},{"role":"staging","techniques":[],"type":"file","value":"C:\\ProgramData\\cv4"},{"role":"payload","techniques":[],"type":"file","value":"C:\\ProgramData\\Zhg"},{"role":"payload","techniques":[],"type":"file","value":"Zhg decoded flat x64 payload image"},{"role":"c2","techniques":[],"type":"url","value":"https://151.158.1.229:11861/AHH_bY/"},{"role":"c2","techniques":[],"type":"url","value":"https://151.158.1.229:11861/pQWhYy/"},{"role":"c2","techniques":[],"type":"ip","value":"151.158.1.229"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28","matches":["entry \u00b7 file \u00b7 Ukraine-themed CVE-2025-8088 archive attachment / container not submitted \u00b7 IIM-T024","entry \u00b7 file \u00b7 Ukraine-themed CVE-2025-8088 archive attachment / container not submitted \u00b7 IIM-T024"],"published_at":"2026-05-28 17:37:25.767455","raw_url":"https://feed.iim.malwarebox.eu/api/chains/ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28/raw","relation_count":11,"roles":["entry","staging","staging","staging","payload","payload","c2","c2","c2"],"score":2,"source_links":[],"techniques":["IIM-T024"],"title":"Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-audiofix-fake-driver-macos","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.","digest":[{"role":"entry","techniques":["IIM-T010"],"type":"url","value":"LinkedIn recruiter / business-partner outreach leading to fake meeting lure"},{"role":"entry","techniques":["IIM-T010","IIM-T020"],"type":"url","value":"https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac"},{"role":"staging","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/arm/driver/coreaudiod"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/intel/driver/coreaudiod"},{"role":"payload","techniques":[],"type":"hash","value":"65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6"},{"role":"payload","techniques":[],"type":"hash","value":"0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"datahub.ink"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"cloud-sync.online"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-audiofix-fake-driver-macos","matches":["entry \u00b7 url \u00b7 https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac \u00b7 IIM-T010, IIM-T020","entry \u00b7 url \u00b7 https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac \u00b7 IIM-T010, IIM-T020"],"published_at":"2026-05-28 13:44:27.490408","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-audiofix-fake-driver-macos/raw","relation_count":16,"roles":["entry","entry","staging","payload","payload","payload","payload","staging","c2","c2","c2","c2","c2","staging","payload","payload"],"score":2,"source_links":[],"techniques":["IIM-T010","IIM-T011","IIM-T020"],"title":"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain"},{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["entry \u00b7 file \u00b7 Trojanized VS Code / OpenVSX extension package \u00b7 IIM-T006","entry \u00b7 file \u00b7 Compromised npm package with postinstall hook \u00b7 IIM-T006","entry \u00b7 file \u00b7 Compromised Python package with setup script \u00b7 IIM-T006","entry \u00b7 url \u00b7 github://poisoned-default-branches/more-than-300-repositories \u00b7 IIM-T006"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":4,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},{"actor":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"role":"staging","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"role":"payload","techniques":[],"type":"file","value":"VSHELL payload"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","matches":["entry \u00b7 file \u00b7 benign executable loading wininet.dll \u00b7 no technique"],"published_at":"2026-05-26 14:00:43.416102","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev"}],"stats":{"actors":19,"chains":39,"entities":406,"latest":"2026-05-31 19:22:26.947823","relations":[["connect",96],["drops",89],["references",73],["download",61],["execute",52],["communicates-with",30],["resolves-to",30],["redirect",8]],"roles":[["staging",116],["c2",110],["payload",95],["entry",51],["redirector",34]],"techniques":[["IIM-T024",18],["IIM-T006",15],["IIM-T011",14],["IIM-T002",9],["IIM-T010",7],["IIM-T018",6],["IIM-T019",6],["IIM-T004",5],["IIM-T013",5],["IIM-T021",5]]},"total_matches":8,"total_rows":14}
