{"error":null,"mode":"iimql","query":"MATCH (:payload)-->(:c2)","results":[
{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["payload \u00b7 file \u00b7 GlasswormRAT Node.js remote access tool \u00b7 no technique","payload \u00b7 file \u00b7 GlasswormRAT Node.js remote access tool \u00b7 no technique"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":2,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},
{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":["payload \u00b7 file \u00b7 Pteranodon Stage-2 loader \u00b7 no technique","payload \u00b7 file \u00b7 Pteranodon Stage-2 loader \u00b7 no technique"],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":2,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"},
{"actor":"UAT-10027","chain_id":"uat-10027-dohdoor-education-healthcare-2026-02-26","confidence":"likely","description":"Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.","digest":[{"role":"entry","techniques":[],"type":"file","value":"suspected phishing-delivered PowerShell downloader"},{"role":"staging","techniques":[],"type":"url","value":"remote staging URL serving .bat or .cmd batch file"},{"role":"staging","techniques":[],"type":"file","value":"Windows batch script dropper orchestrating DLL sideloading"},{"role":"staging","techniques":[],"type":"url","value":"http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},{"role":"payload","techniques":[],"type":"file","value":"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"},{"role":"c2","techniques":[],"type":"url","value":"http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},{"role":"redirector","techniques":[],"type":"domain","value":"cloudflare-dns.com DoH resolver over HTTPS/443"},{"role":"c2","techniques":["IIM-T001","IIM-T011"],"type":"domain","value":"MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"},{"role":"payload","techniques":[],"type":"file","value":"potential Cobalt Strike Beacon next-stage payload"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10027-dohdoor-education-healthcare-2026-02-26","matches":["payload \u00b7 file \u00b7 Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll \u00b7 no technique","payload \u00b7 file \u00b7 Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll \u00b7 no technique"],"published_at":"2026-05-27 12:09:14.641573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10027-dohdoor-education-healthcare-2026-02-26/raw","relation_count":11,"roles":["entry","staging","staging","staging","payload","c2","redirector","c2","payload"],"score":2,"source_links":[],"techniques":["IIM-T001","IIM-T011"],"title":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care"},
{"actor":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.","digest":[{"role":"entry","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"role":"redirector","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"role":"staging","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"role":"staging","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"role":"staging","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"role":"payload","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"role":"payload","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"}],"entity_count":12,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08","matches":["payload \u00b7 file \u00b7 LucidRook DLL stager written as DismCore.dll \u00b7 no technique","payload \u00b7 file \u00b7 LucidRook DLL stager written as DismCore.dll \u00b7 no technique","payload \u00b7 file \u00b7 LucidRook DLL stager written as DismCore.dll \u00b7 no technique"],"published_at":"2026-05-27 12:07:54.333154","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"roles":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"score":3,"source_links":[],"techniques":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations"},
{"actor":"unknown","chain_id":"powmix-czech-workforce-2026-04-16","confidence":"likely","description":"Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive with compliance-themed lure"},{"role":"staging","techniques":[],"type":"file","value":"Windows shortcut file inside ZIP"},{"role":"staging","techniques":[],"type":"file","value":"embedded PowerShell loader script"},{"role":"staging","techniques":[],"type":"file","value":"hidden encoded PowMix payload blob inside ZIP"},{"role":"payload","techniques":[],"type":"file","value":"PowMix PowerShell botnet payload"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"herokuapp.com based C2 endpoint"},{"role":"c2","techniques":[],"type":"url","value":"REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"operator-supplied replacement C2 domain from #HOST command"}],"entity_count":8,"feed_url":"https://feed.iim.malwarebox.eu/chain/powmix-czech-workforce-2026-04-16","matches":["payload \u00b7 file \u00b7 PowMix PowerShell botnet payload \u00b7 no technique","payload \u00b7 file \u00b7 PowMix PowerShell botnet payload \u00b7 no technique","payload \u00b7 file \u00b7 PowMix PowerShell botnet payload \u00b7 no technique"],"published_at":"2026-05-27 12:05:45.587349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/powmix-czech-workforce-2026-04-16/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","c2","c2"],"score":3,"source_links":[],"techniques":["IIM-T002","IIM-T011","IIM-T024"],"title":"PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce"},
{"actor":"Silver Fox","chain_id":"silver-fox-abcdoor-2026-04-30","confidence":"likely","description":"Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.","digest":[{"role":"entry","techniques":[],"type":"file","value":"tax-themed phishing email attachment or lure PDF"},{"role":"redirector","techniques":[],"type":"url","value":"attacker-controlled external download website"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"tax-related malicious archive"},{"role":"staging","techniques":["IIM-T019"],"type":"file","value":"Silver Fox RustSL loader executable mimicking a document"},{"role":"staging","techniques":[],"type":"file","value":"encrypted RustSL payload file disguised with benign extension"},{"role":"payload","techniques":[],"type":"file","value":"ValleyRAT Login module / Winos 4.0 payload"},{"role":"c2","techniques":[],"type":"ip","value":"207.56.138.28"},{"role":"payload","techniques":["IIM-T019"],"type":"file","value":"custom ValleyRAT module \u4fdd86.dll / \u4fdd86.dll_bin"},{"role":"staging","techniques":[],"type":"url","value":"http://154.82.81.205/YD20251001143052.zip"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ABCDoor appclient Python archive"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/silver-fox-abcdoor-2026-04-30","matches":["payload \u00b7 file \u00b7 ValleyRAT Login module / Winos 4.0 payload \u00b7 no technique"],"published_at":"2026-05-27 12:03:50.394701","raw_url":"https://feed.iim.malwarebox.eu/api/chains/silver-fox-abcdoor-2026-04-30/raw","relation_count":11,"roles":["entry","redirector","staging","staging","staging","payload","c2","payload","staging","staging","payload"],"score":1,"source_links":[],"techniques":["IIM-T019","IIM-T024"],"title":"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain"},
{"actor":"Webworm","chain_id":"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","confidence":"confirmed","description":"ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.","digest":[{"role":"payload","techniques":[],"type":"file","value":"GraphWorm payload"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed storage"},{"role":"payload","techniques":[],"type":"file","value":"WormFrp reverse proxy / exfiltration component"},{"role":"staging","techniques":["IIM-T002","IIM-T006"],"type":"domain","value":"wamanharipethe.s3.ap-south-1.amazonaws[.]com"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","matches":["payload \u00b7 file \u00b7 GraphWorm payload \u00b7 no technique","payload \u00b7 file \u00b7 GraphWorm payload \u00b7 no technique"],"published_at":"2026-05-26 14:05:46.910472","raw_url":"https://feed.iim.malwarebox.eu/api/chains/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane/raw","relation_count":4,"roles":["payload","c2","c2","payload","staging"],"score":2,"source_links":[{"label":"ESET WeLiveSecurity Webworm report","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"}],"techniques":["IIM-T002","IIM-T006","IIM-T018"],"title":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane"},
{"actor":"Webworm","chain_id":"iim.chain.apt.2026.05.009","confidence":"confirmed","description":"ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.","digest":[{"role":"staging","techniques":["IIM-T006"],"type":"domain","value":"github[.]com/anjsdgasdf/WordPress"},{"role":"payload","techniques":[],"type":"file","value":"EchoCreep DLL"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"discord[.]com / Discord API"},{"role":"redirector","techniques":["IIM-T002","IIM-T026"],"type":"ip","value":"64[.]176[.]85[.]158"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.009","matches":["payload \u00b7 file \u00b7 EchoCreep DLL \u00b7 no technique"],"published_at":"2026-05-26 14:05:20.204940","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.009/raw","relation_count":3,"roles":["staging","payload","c2","redirector"],"score":1,"source_links":[{"label":"ESET WeLiveSecurity Webworm report","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"}],"techniques":["IIM-T002","IIM-T006","IIM-T018","IIM-T026"],"title":"Webworm GitHub staging to EchoCreep Discord C2"},
{"actor":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"role":"staging","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"role":"payload","techniques":[],"type":"file","value":"VSHELL payload"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","matches":["payload \u00b7 file \u00b7 VSHELL payload \u00b7 no technique","payload \u00b7 file \u00b7 VSHELL payload \u00b7 no technique"],"published_at":"2026-05-26 14:00:43.416102","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":2,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev"},
{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"role":"payload","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.006","matches":["payload \u00b7 file \u00b7 CloudSorcerer v3 side-loaded DLL triad \u00b7 no technique","payload \u00b7 file \u00b7 CloudSorcerer v3 side-loaded DLL triad \u00b7 no technique","payload \u00b7 file \u00b7 CloudSorcerer v3 side-loaded DLL triad \u00b7 no technique"],"published_at":"2026-05-26 13:35:13.409443","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.006/raw","relation_count":7,"roles":["payload","redirector","redirector","c2","c2","c2"],"score":3,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2"},
{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.005","confidence":"confirmed","description":"Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable used for DLL side-loading"},{"role":"payload","techniques":[],"type":"file","value":"NetDraft / FringePorch backdoor"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed C2 storage"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.005","matches":["payload \u00b7 file \u00b7 NetDraft / FringePorch backdoor \u00b7 no technique","payload \u00b7 file \u00b7 NetDraft / FringePorch backdoor \u00b7 no technique"],"published_at":"2026-05-26 13:33:29.759246","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.005/raw","relation_count":3,"roles":["entry","payload","c2","c2"],"score":2,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T018"],"title":"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2"},
{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"role":"staging","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"role":"payload","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004","matches":["payload \u00b7 file \u00b7 OYSTERBLUES registry-staged payload \u00b7 no technique"],"published_at":"2026-05-26 13:31:49.179479","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"roles":["entry","staging","staging","payload","payload","c2","payload"],"score":1,"source_links":[{"label":"SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity","url":"https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2"},
{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"role":"staging","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"role":"payload","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"role":"c2","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003","matches":["payload \u00b7 file \u00b7 EdgeSystemConfig.dll \u00b7 no technique"],"published_at":"2026-05-26 13:31:09.325636","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"roles":["staging","payload","c2","c2"],"score":1,"source_links":[{"label":"FrostyNeighbor: Fresh mischief and digital shenanigans","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/tree/master/frostyneighbor"}],"techniques":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz"},
{"actor":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"role":"staging","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"role":"staging","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"role":"payload","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","matches":["payload \u00b7 file \u00b7 Update.js / PicassoLoader \u00b7 no technique","payload \u00b7 file \u00b7 ViberPC.dll / Cobalt Strike Beacon \u00b7 no technique"],"published_at":"2026-05-26 13:26:34.732614","raw_url":"https://feed.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"score":2,"source_links":[{"label":"ESET WeLiveSecurity FrostyNeighbor report","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike"},
{"actor":"UAC-0247","chain_id":"uac-0247-ukrvarta-fpv-dopomoga-2026-03","confidence":"confirmed","description":"Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"UkrVarta humanitarian-aid themed ZIP archive"},{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"\u0424\u043e\u0440\u043c\u0430 \u0437\u0430\u044f\u0432\u043a\u0438 \u043d\u0430 \u0433\u0443\u043c\u0430\u043d\u0456\u0442\u0430\u0440\u043d\u0443 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u0443 \u0444\u043e\u043d\u0434 \u0423\u043a\u0440\u0412\u0430\u0440\u0442\u0430.lnk"},{"role":"staging","techniques":["IIM-T002","IIM-T019","IIM-T026"],"type":"domain","value":"ukrvarta.online"},{"role":"staging","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/dopomoga.hta"},{"role":"staging","techniques":[],"type":"url","value":"https://ukrvarta.online/dopomoga/script.js"},{"role":"payload","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/updater.txt"},{"role":"payload","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/updater.txt"},{"role":"staging","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/conference.hta"},{"role":"redirector","techniques":["IIM-T015"],"type":"url","value":"search-ms:query=lnk&crumb=location:\\\\ukrvarta.online@8080\\davwwwroot"},{"role":"payload","techniques":[],"type":"hash","value":"c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9"}],"entity_count":14,"feed_url":"https://feed.iim.malwarebox.eu/chain/uac-0247-ukrvarta-fpv-dopomoga-2026-03","matches":["payload \u00b7 hash \u00b7 b1d765f50f5c53702658b7a59a9bd05cfb042ea6b2d150191a84c53d373b9e4a \u00b7 no technique"],"published_at":"2026-05-20 17:04:53.132609","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uac-0247-ukrvarta-fpv-dopomoga-2026-03/raw","relation_count":13,"roles":["entry","entry","staging","staging","staging","payload","payload","staging","redirector","payload","payload","payload","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T015","IIM-T019","IIM-T024","IIM-T026"],"title":"UAC-0247 - UKRVARTA FPV"},
{"actor":"UAC-0184","chain_id":"uac-0184-pseudo-png-passmark-2026-05","confidence":"confirmed","description":"Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Ukraine-themed LNK lure"},{"role":"entry","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://169.40.135.35/dctrpr/*.hta"},{"role":"staging","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"ip","value":"169.40.135.35"},{"role":"staging","techniques":["IIM-T024","IIM-T025"],"type":"file","value":"dctrprraclus.zip"},{"role":"staging","techniques":[],"type":"file","value":"Cluster-Overlay64.exe"},{"role":"staging","techniques":[],"type":"file","value":"Plane9Engine.dll"},{"role":"staging","techniques":[],"type":"file","value":"openvr_api.dll"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"kernel-diag.lib"},{"role":"staging","techniques":[],"type":"file","value":"evr.dll decoded stage"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"filter.bin"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/uac-0184-pseudo-png-passmark-2026-05","matches":["payload \u00b7 file \u00b7 input.dll \u00b7 no technique","payload \u00b7 file \u00b7 input.dll \u00b7 no technique"],"published_at":"2026-05-19 15:15:42.875501","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uac-0184-pseudo-png-passmark-2026-05/raw","relation_count":20,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2"],"score":2,"source_links":[],"techniques":["IIM-T019","IIM-T020","IIM-T021","IIM-T024","IIM-T025"],"title":"UAC-0184: Pseudo PNG Passmark"}
],"stats":{"actors":11,"chains":17,"entities":142,"latest":"2026-05-27 13:04:07.027015","relations":[["drops",32],["connect",25],["references",25],["download",24],["communicates-with",19],["execute",17],["resolves-to",3]],"roles":[["staging",43],["payload",33],["c2",31],["entry",18],["redirector",17]],"techniques":[["IIM-T024",8],["IIM-T002",7],["IIM-T006",7],["IIM-T011",7],["IIM-T019",6],["IIM-T010",5],["IIM-T013",3],["IIM-T020",3],["IIM-T021",3],["IIM-T001",3]]},"total_matches":16,"total_rows":30}
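Consuming a response like the one above takes more than splitting on commas, and the data itself shows why. The `digest` array is a preview: it never holds more than ten entries here while `entity_count` reaches 15 (UAC-0184) and 14 (UAC-0247), and the hash the query matched for UAC-0247 (b1d765…) is absent from its digest, so the full chain has to be fetched from `raw_url`. Values typed `domain` mix real indicators with descriptive text ("cloudflare-dns.com DoH resolver over HTTPS/443", "Cloudflare-fronted .icu C2 domain cluster"). The UAT-10027 chain spells the same parent domain three different ways (`pNuiSCKMhwAgZvdyjrlBEFT.softwarE`, `pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe`, `PNUIsckmHwAgzVdYJRlbeFT.SoftWarE`), which case-sensitive string matching would treat as three indicators. The Gamaredon staging URL carries `president.gov[.]ua@` as userinfo, so the host a client actually connects to is `readers.serveirc[.]com`. And many hosts (graph.microsoft.com, discord.com, telegram.me, github.com) are shared services the actor merely abuses; blocking them would break the enterprise. Per chain, `score` equals the number of `matches` rows, and the 30 rows across the 16 returned chains add up to `total_rows`.

The following is an added example, not code from the feed or its operators. It refangs the indicators, extracts the connecting host with a real URL parser (so the `user@host` trick resolves correctly), collapses case variants, separates blockable hosts from detect-only shared services, routes pseudo-URL schemes such as `search-ms:` to manual review, and flags truncated digests. The shared-service and tenant-platform lists and the last-two-labels approximation of the registrable domain are assumptions, not feed data. The sample response is constructed from values in the chains above with demo `chain_id`, `raw_url` and `entity_count` settings.

```python
"""Consumer for an IIM feed response shaped like the JSON above (added example,
not feed code): refang digest indicators, separate attacker-owned hosts from
abused shared services, collapse case-randomised spellings of one domain, and
flag chains whose digest preview is shorter than entity_count."""
import ipaddress
import re
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")
# Assumption, not feed data: hosts where the actor owns only an account, channel
# or repo (detect on the path, never block), and platforms where the actor owns
# one sub-label (block that FQDN only, never the platform apex).
SHARED_SERVICES = {"graph.microsoft.com", "onedrive.live.com", "discord.com",
                   "github.com", "telegram.me", "www.telegram.me", "graph.org",
                   "gamespot.com", "cloudflare-dns.com"}
TENANT_PLATFORMS = ("workers.dev", "amazonaws.com", "herokuapp.com", "serveirc.com")


def refang(value: str) -> str:
    """Undo the defanging used in the feed: hxxp(s), [://] and [.]."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return v.replace("[://]", "://").replace("[.]", ".")


def classify(host: str) -> str:
    if host in SHARED_SERVICES or host in TENANT_PLATFORMS:
        return "detect-only"
    if host.endswith(tuple("." + p for p in TENANT_PLATFORMS)):
        return "block-fqdn"
    return "block"


def parent_of(name: str) -> str:
    """Last two labels, case kept; IPs as-is. Wrong for multi-label public
    suffixes such as gov.ua, so use a PSL library in production."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return ".".join(name.split(".")[-2:])


def hosts_from_entity(ent: dict):
    """Return ([(host_as_spelled, note)], unparsed). Free-text placeholders yield
    nothing; pseudo-URL schemes (search-ms:, solana://) come back as `unparsed`."""
    value = refang(ent["value"])
    if ent["type"] == "ip":
        try:
            return [(str(ipaddress.ip_address(value)), "")], None
        except ValueError:
            return [], None
    if ent["type"] == "url":
        parts = urlsplit(value)
        if not parts.scheme:
            return [], None
        if parts.scheme not in ("http", "https", "ftp") or not parts.hostname:
            return [], value
        userinfo, at, hostport = parts.netloc.rpartition("@")
        # user@host trick: the eye reads the userinfo, the client connects to host
        note = f"authority spoof, displayed as {userinfo}" if at else ""
        return [(hostport.partition(":")[0], note)], None
    if ent["type"] == "domain":
        toks = re.split(r"[\s/()]+", value)
        return [(t, "") for t in toks if DOMAIN_RE.fullmatch(t.lower())], None
    return [], None


def extract(response: dict) -> dict:
    families, review, truncated = {}, [], []
    for chain in response["results"]:
        if len(chain["digest"]) < chain["entity_count"]:
            truncated.append((chain["chain_id"], chain["raw_url"]))
        for ent in chain["digest"]:
            hosts, unparsed = hosts_from_entity(ent)
            if unparsed:
                review.append((chain["chain_id"], unparsed))
            for spelling, note in hosts:
                host = spelling.lower()  # DNS is case-insensitive: collapse 0x20 variants
                fam = families.setdefault(parent_of(host), {"hosts": {}, "spellings": set()})
                fam["spellings"].add(parent_of(spelling))
                rec = fam["hosts"].setdefault(host, {"action": classify(host), "roles": set(),
                                                     "chains": set(), "notes": set()})
                rec["roles"].add(ent["role"])
                rec["chains"].add(chain["chain_id"])
                rec["notes"].update([note] if note else [])
    return {"families": families, "review": review, "truncated": truncated}


# Constructed excerpt in the feed's shape: values are copied from the chains
# above; chain_id, raw_url and entity_count are demo settings.
SAMPLE = {"mode": "iimql", "query": "MATCH (:payload)-->(:c2)", "results": [
    {"chain_id": "demo-dohdoor-excerpt", "entity_count": 4,
     "raw_url": "https://feed.example.invalid/api/chains/demo-dohdoor-excerpt/raw", "digest": [
        {"role": "staging", "type": "url", "value": "http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},
        {"role": "c2", "type": "url", "value": "http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},
        {"role": "redirector", "type": "domain", "value": "cloudflare-dns.com DoH resolver over HTTPS/443"},
        {"role": "c2", "type": "domain", "value": "MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / "
                                                 "PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"}]},
    {"chain_id": "demo-mixed-excerpt", "entity_count": 7,
     "raw_url": "https://feed.example.invalid/api/chains/demo-mixed-excerpt/raw", "digest": [
        {"role": "staging", "type": "url", "value": "hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},
        {"role": "redirector", "type": "url", "value": "hxxps://www.telegram[.]me/s/natural_blood"},
        {"role": "redirector", "type": "ip", "value": "64[.]176[.]85[.]158"},
        {"role": "c2", "type": "domain", "value": "commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"},
        {"role": "redirector", "type": "url", "value": r"search-ms:query=lnk&crumb=location:\\ukrvarta.online@8080\davwwwroot"}]}]}

if __name__ == "__main__":
    out = extract(SAMPLE)
    for parent, fam in sorted(out["families"].items()):
        print(parent, sorted(fam["spellings"]), {h: r["action"] for h, r in fam["hosts"].items()})
    print("manual review:", out["review"], "\nfetch raw chain:", out["truncated"])
```

On the sample, the three spellings of the `.software` parent collapse into one family with three hosts marked `block`, `readers.serveirc.com` comes out as `block-fqdn` with an authority-spoof note naming `president.gov.ua`, `www.telegram.me` and `cloudflare-dns.com` are `detect-only`, the `search-ms:` value lands in the review list rather than being dropped, and the second chain is flagged for a `raw_url` fetch. The default action for an unrecognised host is `block` because everything typed `domain`, `ip` or `url` in these chains is attacker-side unless it is on the shared-service list; review that list against your own environment before feeding the output to a blocklist.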
