{"error":null,"mode":"iimql","query":"MATCH (:staging)-[:drops]->(:payload)","results":[{"actor":"APT43","chain_id":"enki.2026.kimsuky-webex-httpSpy-jsonping","confidence":"confirmed","description":"ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.","digest":[{"role":"entry","techniques":[],"type":"url","value":"https://conference.birdriver.org/"},{"role":"staging","techniques":["IIM-T024"],"type":"url","value":"https://download.birdriver.org/download.php?id=425623"},{"role":"staging","techniques":[],"type":"file","value":"fix-camera.jse"},{"role":"redirector","techniques":["IIM-T015"],"type":"file","value":"C:\\ProgramData\\meeting.html decoy redirector"},{"role":"staging","techniques":[],"type":"file","value":"C:\\ProgramData\\mTSTCv8.mdxm / loadDll.dll"},{"role":"staging","techniques":[],"type":"url","value":"https://download.birdriver.org/download.php?id=393156"},{"role":"payload","techniques":[],"type":"file","value":"engine.dat / spyInster.dll"},{"role":"payload","techniques":[],"type":"file","value":"C:\\Users\\Public\\cacheMon.dat / spyLoader.dll"},{"role":"payload","techniques":[],"type":"file","value":"HttpSpy main module / httpSpy.dll"},{"role":"c2","techniques":[],"type":"url","value":"http://hdrgdrfes.chickenkiller.com/index.php"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/enki.2026.kimsuky-webex-httpSpy-jsonping","matches":["staging \u00b7 url \u00b7 https://download.birdriver.org/download.php?id=393156 \u00b7 no technique"],"published_at":"2026-05-31 19:22:26.947823","raw_url":"https://feed.iim.malwarebox.eu/api/chains/enki.2026.kimsuky-webex-httpSpy-jsonping/raw","relation_count":13,"roles":["entry","staging","staging","redirector","staging","staging","payload","payload","payload","c2","staging"],"score":1,"source_links":[],"techniques":["IIM-T015","IIM-T024"],"title":"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2"},{"actor":"unknown","chain_id":"joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","confidence":"confirmed","description":"IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.","digest":[{"role":"entry","techniques":[],"type":"file","value":"government-project-themed Word document (VBA macro dropper)"},{"role":"entry","techniques":[],"type":"file","value":"PDF with fake Adobe Reader lure"},{"role":"staging","techniques":["IIM-T001"],"type":"url","value":"hxxps://<subdomain>.b-cdn[.]net/<path>"},{"role":"payload","techniques":[],"type":"file","value":"<second-stage payload>"},{"role":"c2","techniques":[],"type":"domain","value":"<campaign C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","matches":["staging \u00b7 url \u00b7 hxxps://<subdomain>.b-cdn[.]net/<path> \u00b7 IIM-T001"],"published_at":"2026-05-30 21:33:26.939349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery/raw","relation_count":4,"roles":["entry","entry","staging","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T001"],"title":"Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN"},{"actor":"ClearFake","chain_id":"redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","confidence":"confirmed","description":"IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.","digest":[{"role":"entry","techniques":["IIM-T004"],"type":"domain","value":"<compromised website with injected JS>"},{"role":"redirector","techniques":["IIM-T015"],"type":"file","value":"injected JavaScript serving fake-CAPTCHA / ClickFix lure"},{"role":"staging","techniques":[],"type":"url","value":"<remote payload-retrieval host>"},{"role":"payload","techniques":[],"type":"file","value":"ACR Stealer (MaaS infostealer)"},{"role":"c2","techniques":[],"type":"domain","value":"<ACR Stealer C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","matches":["staging \u00b7 url \u00b7 <remote payload-retrieval host> \u00b7 no technique"],"published_at":"2026-05-30 21:31:45.548786","raw_url":"https://feed.iim.malwarebox.eu/api/chains/redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer/raw","relation_count":4,"roles":["entry","redirector","staging","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T004","IIM-T015"],"title":"ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer"},{"actor":"unknown","chain_id":"k7.2026.rvtools-signed-msi-python-rat","confidence":"confirmed","description":"IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Signed fake RVTools MSI installer / d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi"},{"role":"staging","techniques":[],"type":"file","value":"Binary.MyScript.vbs embedded MSI custom action"},{"role":"staging","techniques":["IIM-T006"],"type":"url","value":"Dropbox URL hosting winp.zip archive (exact URL not published)"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"winp.zip portable Python RAT bundle in %AppData%"},{"role":"payload","techniques":[],"type":"file","value":"Portable WinPython support layer / Pythonw.exe execution environment"},{"role":"payload","techniques":[],"type":"file","value":"collector.py reconnaissance module / 9192D18A955A9D03E2C70B60AAC1784A"},{"role":"staging","techniques":[],"type":"file","value":"%TEMP%\\configA.json local reconnaissance staging file"},{"role":"payload","techniques":[],"type":"file","value":"Pmanager.py persistence and C2 manager / 71085940124AD3C035A181ACADC10362"},{"role":"c2","techniques":[],"type":"ip","value":"45.61.136.94"},{"role":"c2","techniques":[],"type":"ip","value":"64.95.12.238"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/k7.2026.rvtools-signed-msi-python-rat","matches":["staging \u00b7 file \u00b7 winp.zip portable Python RAT bundle in %AppData% \u00b7 IIM-T024","staging \u00b7 file \u00b7 winp.zip portable Python RAT bundle in %AppData% \u00b7 IIM-T024","staging \u00b7 file \u00b7 winp.zip portable Python RAT bundle in %AppData% \u00b7 IIM-T024"],"published_at":"2026-05-30 11:07:46.459997","raw_url":"https://feed.iim.malwarebox.eu/api/chains/k7.2026.rvtools-signed-msi-python-rat/raw","relation_count":15,"roles":["entry","staging","staging","staging","payload","payload","staging","payload","c2","c2","c2","c2","c2"],"score":3,"source_links":[{"label":"Source 1","url":"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"},{"label":"Source 2","url":"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png"},{"label":"Source 3","url":"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"}],"techniques":["IIM-T006","IIM-T024"],"title":"Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool"},{"actor":"SideCopy","chain_id":"seqrite.2026.operation-xenofiscal-sidecopy-xenorat","confidence":"confirmed","description":"IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel"},{"role":"entry","techniques":[],"type":"file","value":"\u062f_\u0647\u063a\u0648_\u06a9\u0627\u0631\u06a9\u0648\u0648\u0646\u06a9\u0648_\u0644\u06d0\u0633\u062a_\u0686\u06d0_\u062f_\u0641\u06a9\u0631\u064a_\u0627\u0648_\u0631\u0648\u0627\u0646\u064a_\u062c\u06ab\u0693\u06d0_\u0633\u06cc\u0645\u06cc\u0646\u0627\u0631_\u062a\u0647_\u0648\u0631\u067e\u06d0\u0698\u0646\u062f\u0644_\u0634\u0648\u064a_\u0648\u064812.pdf.lnk"},{"role":"staging","techniques":[],"type":"file","value":"mshta.exe LOLBIN execution of remote HTA/PHP"},{"role":"staging","techniques":["IIM-T004"],"type":"domain","value":"abimj.edu.af"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/index.php"},{"role":"staging","techniques":[],"type":"file","value":"ugayt.hta initial HTA/JavaScript payload"},{"role":"staging","techniques":[],"type":"file","value":"WayBroad.dll Stage-1 .NET loader DLL"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiyaf/document.pdf"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiya/"},{"role":"staging","techniques":[],"type":"file","value":"zuidrt.hta persistent next-stage HTA payload"}],"entity_count":19,"feed_url":"https://feed.iim.malwarebox.eu/chain/seqrite.2026.operation-xenofiscal-sidecopy-xenorat","matches":["staging \u00b7 file \u00b7 ayui.vmxx encrypted/compressed next-stage blob \u00b7 no technique"],"published_at":"2026-05-29 20:01:27.851436","raw_url":"https://feed.iim.malwarebox.eu/api/chains/seqrite.2026.operation-xenofiscal-sidecopy-xenorat/raw","relation_count":18,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","staging","staging"],"score":1,"source_links":[{"label":"Source 1","url":"https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"}],"techniques":["IIM-T003","IIM-T004","IIM-T021","IIM-T024"],"title":"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2"},{"actor":"unknown","chain_id":"securelist.2026.pirated-content-silentcryptominer-rat","confidence":"confirmed","description":"IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.","digest":[{"role":"entry","techniques":[],"type":"domain","value":"pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)"},{"role":"entry","techniques":[],"type":"url","value":"fake video player plugin update prompt on pirated content site (exact URL not published)"},{"role":"staging","techniques":["IIM-T010"],"type":"domain","value":"urush1bar4.online"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing HLS Installer.874.exe and malicious DLL"},{"role":"staging","techniques":[],"type":"file","value":"HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"file","value":"malicious DLL side-loaded by HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"hash","value":"6A0FE6065D76715FEEBC1526D456DB73"},{"role":"payload","techniques":[],"type":"hash","value":"7F624407AE489324E96A708A09C17E6F"},{"role":"payload","techniques":[],"type":"hash","value":"02A43B3423367B9DDDC24CC7DFC070DF"},{"role":"payload","techniques":[],"type":"file","value":"decrypted main module / modified SilentCryptoMiner fork"}],"entity_count":26,"feed_url":"https://feed.iim.malwarebox.eu/chain/securelist.2026.pirated-content-silentcryptominer-rat","matches":["staging \u00b7 file \u00b7 ZIP archive containing HLS Installer.874.exe and malicious DLL \u00b7 IIM-T024"],"published_at":"2026-05-28 19:43:28.468986","raw_url":"https://feed.iim.malwarebox.eu/api/chains/securelist.2026.pirated-content-silentcryptominer-rat/raw","relation_count":33,"roles":["entry","entry","staging","staging","staging","payload","payload","payload","payload","payload","payload","payload","payload","payload","c2","c2","c2","c2","c2","redirector","redirector","redirector","redirector","c2","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T009","IIM-T010","IIM-T011","IIM-T024"],"title":"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure"},{"actor":"BlackToad","chain_id":"jumpsec.2026.blacktoad-autoit-remcos-network-blackout","confidence":"confirmed","description":"IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.","digest":[{"role":"entry","techniques":[],"type":"email","value":"Thai-language image-based financial payment-slip phishing email"},{"role":"staging","techniques":["IIM-T006"],"type":"url","value":"MediaFire-hosted malware download link (exact URL not published)"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"SLIP0202E0309029.pdf.scr"},{"role":"staging","techniques":[],"type":"file","value":"flvs.vbe"},{"role":"staging","techniques":[],"type":"file","value":"xbkjm.xls (renamed AutoIt3.exe interpreter)"},{"role":"staging","techniques":[],"type":"file","value":"wnkfmvql.das"},{"role":"staging","techniques":[],"type":"file","value":"oquhestmf.mp3"},{"role":"staging","techniques":[],"type":"file","value":"diniuvw.ikp"},{"role":"payload","techniques":[],"type":"file","value":"payload.bin / decoded Remcos Pro implant"},{"role":"c2","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"pmitm.ddns.net"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/jumpsec.2026.blacktoad-autoit-remcos-network-blackout","matches":["staging \u00b7 file \u00b7 diniuvw.ikp \u00b7 no technique"],"published_at":"2026-05-28 16:12:38.401983","raw_url":"https://feed.iim.malwarebox.eu/api/chains/jumpsec.2026.blacktoad-autoit-remcos-network-blackout/raw","relation_count":25,"roles":["entry","staging","staging","staging","staging","staging","staging","staging","payload","c2","c2","c2","c2","c2","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T003","IIM-T006","IIM-T008","IIM-T011","IIM-T024"],"title":"BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1"},{"role":"entry","techniques":[],"type":"file","value":"@velora-dex/sdk dist/index.js malicious appended exec block"},{"role":"staging","techniques":["IIM-T002"],"type":"url","value":"http://89.36.224.5/troubleshoot/mac/install.sh"},{"role":"staging","techniques":["IIM-T002"],"type":"ip","value":"89.36.224.5"},{"role":"staging","techniques":[],"type":"hash","value":"c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e"},{"role":"staging","techniques":[],"type":"hash","value":"2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460"},{"role":"payload","techniques":[],"type":"hash","value":"0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270"},{"role":"payload","techniques":[],"type":"hash","value":"0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d"},{"role":"payload","techniques":[],"type":"hash","value":"a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.apple.Terminal.profiler.plist"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","matches":["staging \u00b7 hash \u00b7 c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e \u00b7 no technique","staging \u00b7 hash \u00b7 c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e \u00b7 no technique","staging \u00b7 hash \u00b7 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460 \u00b7 no technique","staging \u00b7 hash \u00b7 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460 \u00b7 no technique"],"published_at":"2026-05-28 13:43:20.060851","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain/raw","relation_count":17,"roles":["entry","entry","staging","staging","staging","staging","payload","payload","payload","staging","c2","c2","c2","c2","c2"],"score":4,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T011"],"title":"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain"},{"actor":"unknown","chain_id":"microsoft.2026.poisoned-search-screenconnect-gpu-miner","confidence":"confirmed","description":"IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.","digest":[{"role":"entry","techniques":["IIM-T011"],"type":"domain","value":"attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"direct-download.gleeze.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"start-download.gleeze.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"direct-downloads.giize.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"free-download.giize.com"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive containing legitimate utility executable plus autorun.dll"},{"role":"payload","techniques":[],"type":"file","value":"autorun.dll variant set loaded by legitimate utility executable"},{"role":"payload","techniques":[],"type":"hash","value":"e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610"},{"role":"payload","techniques":[],"type":"file","value":"ScreenConnect.ClientService.exe service invocation"},{"role":"c2","techniques":[],"type":"domain","value":"directdownload.icu"}],"entity_count":20,"feed_url":"https://feed.iim.malwarebox.eu/chain/microsoft.2026.poisoned-search-screenconnect-gpu-miner","matches":["staging \u00b7 file \u00b7 malicious ZIP archive containing legitimate utility executable plus autorun.dll \u00b7 IIM-T024"],"published_at":"2026-05-27 17:02:04.379573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/microsoft.2026.poisoned-search-screenconnect-gpu-miner/raw","relation_count":23,"roles":["entry","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2","payload","payload","payload","c2","c2","c2","c2","c2","payload"],"score":1,"source_links":[{"label":"{'publisher': 'Microsoft Security Blog', 'title': 'From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities', 'url': 'https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/', 'published_at': '2026-05-26', 'authors': ['Microsoft Defender Experts', 'Microsoft Defender Security Research Team']}","url":"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"}],"techniques":["IIM-T008","IIM-T011","IIM-T012","IIM-T021","IIM-T024"],"title":"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2"},{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["staging \u00b7 file \u00b7 Glassworm downloader / installer stage \u00b7 no technique"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},{"actor":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.","digest":[{"role":"entry","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"role":"redirector","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"role":"staging","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"role":"staging","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"role":"staging","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"role":"payload","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"role":"payload","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"}],"entity_count":12,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08","matches":["staging \u00b7 file \u00b7 LucidPawn dropper DismCore.dll \u00b7 no technique"],"published_at":"2026-05-27 12:07:54.333154","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"roles":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"score":1,"source_links":[],"techniques":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"role":"staging","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"role":"payload","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004","matches":["staging \u00b7 file \u00b7 OYSTERFRESH JavaScript \u00b7 no technique"],"published_at":"2026-05-26 13:31:49.179479","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"roles":["entry","staging","staging","payload","payload","c2","payload"],"score":1,"source_links":[{"label":"SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity","url":"https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"role":"staging","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"role":"payload","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"role":"c2","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003","matches":["staging \u00b7 file \u00b7 EdgeTaskMachine.js \u00b7 no technique"],"published_at":"2026-05-26 13:31:09.325636","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"roles":["staging","payload","c2","c2"],"score":1,"source_links":[{"label":"FrostyNeighbor: Fresh mischief and digital shenanigans","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/tree/master/frostyneighbor"}],"techniques":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz"},{"actor":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"role":"staging","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"role":"staging","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"role":"payload","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","matches":["staging \u00b7 url \u00b7 hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg \u00b7 IIM-T001, IIM-T010"],"published_at":"2026-05-26 13:26:34.732614","raw_url":"https://feed.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"score":1,"source_links":[{"label":"ESET WeLiveSecurity FrostyNeighbor report","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike"},{"actor":"UAC-0184","chain_id":"uac-0184-pseudo-png-passmark-2026-05","confidence":"confirmed","description":"Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Ukraine-themed LNK lure"},{"role":"entry","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://169.40.135.35/dctrpr/*.hta"},{"role":"staging","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"ip","value":"169.40.135.35"},{"role":"staging","techniques":["IIM-T024","IIM-T025"],"type":"file","value":"dctrprraclus.zip"},{"role":"staging","techniques":[],"type":"file","value":"Cluster-Overlay64.exe"},{"role":"staging","techniques":[],"type":"file","value":"Plane9Engine.dll"},{"role":"staging","techniques":[],"type":"file","value":"openvr_api.dll"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"kernel-diag.lib"},{"role":"staging","techniques":[],"type":"file","value":"evr.dll decoded stage"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"filter.bin"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/uac-0184-pseudo-png-passmark-2026-05","matches":["staging \u00b7 file \u00b7 filter.bin \u00b7 IIM-T025"],"published_at":"2026-05-19 15:15:42.875501","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uac-0184-pseudo-png-passmark-2026-05/raw","relation_count":20,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T019","IIM-T020","IIM-T021","IIM-T024","IIM-T025"],"title":"UAC-0184: Pseudo PNG Passmark"}],"stats":{"actors":19,"chains":39,"entities":406,"latest":"2026-05-31 19:22:26.947823","relations":[["connect",96],["drops",89],["references",73],["download",61],["execute",52],["communicates-with",30],["resolves-to",30],["redirect",8]],"roles":[["staging",116],["c2",110],["payload",95],["entry",51],["redirector",34]],"techniques":[["IIM-T024",18],["IIM-T006",15],["IIM-T011",14],["IIM-T002",9],["IIM-T010",7],["IIM-T018",6],["IIM-T019",6],["IIM-T004",5],["IIM-T013",5],["IIM-T021",5]]},"total_matches":15,"total_rows":20}
