{"error":null,"mode":"iimql","query":"MATCH (:staging)-[:drops]->(:payload)","results":[
{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["staging \u00b7 file \u00b7 Glassworm downloader / installer stage \u00b7 no technique"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},
{"actor":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.","digest":[{"role":"entry","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"role":"redirector","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"role":"staging","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"role":"staging","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"role":"staging","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"role":"payload","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"role":"payload","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"}],"entity_count":12,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08","matches":["staging \u00b7 file \u00b7 LucidPawn dropper DismCore.dll \u00b7 no technique"],"published_at":"2026-05-27 12:07:54.333154","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"roles":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"score":1,"source_links":[],"techniques":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations"},
{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"role":"staging","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"role":"payload","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004","matches":["staging \u00b7 file \u00b7 OYSTERFRESH JavaScript \u00b7 no technique"],"published_at":"2026-05-26 13:31:49.179479","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"roles":["entry","staging","staging","payload","payload","c2","payload"],"score":1,"source_links":[{"label":"SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity","url":"https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2"},
{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"role":"staging","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"role":"payload","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"role":"c2","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003","matches":["staging \u00b7 file \u00b7 EdgeTaskMachine.js \u00b7 no technique"],"published_at":"2026-05-26 13:31:09.325636","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"roles":["staging","payload","c2","c2"],"score":1,"source_links":[{"label":"FrostyNeighbor: Fresh mischief and digital shenanigans","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/tree/master/frostyneighbor"}],"techniques":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz"},
{"actor":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"role":"staging","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"role":"staging","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"role":"payload","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","matches":["staging \u00b7 url \u00b7 hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg \u00b7 IIM-T001, IIM-T010"],"published_at":"2026-05-26 13:26:34.732614","raw_url":"https://feed.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"score":1,"source_links":[{"label":"ESET WeLiveSecurity FrostyNeighbor report","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike"},
{"actor":"UAC-0184","chain_id":"uac-0184-pseudo-png-passmark-2026-05","confidence":"confirmed","description":"Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Ukraine-themed LNK lure"},{"role":"entry","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://169.40.135.35/dctrpr/*.hta"},{"role":"staging","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"ip","value":"169.40.135.35"},{"role":"staging","techniques":["IIM-T024","IIM-T025"],"type":"file","value":"dctrprraclus.zip"},{"role":"staging","techniques":[],"type":"file","value":"Cluster-Overlay64.exe"},{"role":"staging","techniques":[],"type":"file","value":"Plane9Engine.dll"},{"role":"staging","techniques":[],"type":"file","value":"openvr_api.dll"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"kernel-diag.lib"},{"role":"staging","techniques":[],"type":"file","value":"evr.dll decoded stage"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"filter.bin"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/uac-0184-pseudo-png-passmark-2026-05","matches":["staging \u00b7 file \u00b7 filter.bin \u00b7 IIM-T025"],"published_at":"2026-05-19 15:15:42.875501","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uac-0184-pseudo-png-passmark-2026-05/raw","relation_count":20,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T019","IIM-T020","IIM-T021","IIM-T024","IIM-T025"],"title":"UAC-0184: Pseudo PNG Passmark"}
],"stats":{"actors":11,"chains":17,"entities":142,"latest":"2026-05-27 13:04:07.027015","relations":[["drops",32],["connect",25],["references",25],["download",24],["communicates-with",19],["execute",17],["resolves-to",3]],"roles":[["staging",43],["payload",33],["c2",31],["entry",18],["redirector",17]],"techniques":[["IIM-T024",8],["IIM-T002",7],["IIM-T006",7],["IIM-T011",7],["IIM-T019",6],["IIM-T010",5],["IIM-T013",3],["IIM-T020",3],["IIM-T021",3],["IIM-T001",3]]},"total_matches":6,"total_rows":6}
