{"error":null,"mode":"iimql","query":"MATCH chain WHERE technique_ids HAS \"IIM-T010\"","results":[{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":["chain match"],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":1,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"},{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"role":"payload","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.006","matches":["chain match"],"published_at":"2026-05-26 13:35:13.409443","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.006/raw","relation_count":7,"roles":["payload","redirector","redirector","c2","c2","c2"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"role":"staging","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"role":"payload","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004","matches":["chain match"],"published_at":"2026-05-26 13:31:49.179479","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"roles":["entry","staging","staging","payload","payload","c2","payload"],"score":1,"source_links":[{"label":"SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity","url":"https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"role":"staging","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"role":"payload","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"role":"c2","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003","matches":["chain match"],"published_at":"2026-05-26 13:31:09.325636","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"roles":["staging","payload","c2","c2"],"score":1,"source_links":[{"label":"FrostyNeighbor: Fresh mischief and digital shenanigans","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/tree/master/frostyneighbor"}],"techniques":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz"},{"actor":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"role":"staging","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"role":"staging","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"role":"payload","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","matches":["chain match"],"published_at":"2026-05-26 13:26:34.732614","raw_url":"https://feed.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"score":1,"source_links":[{"label":"ESET WeLiveSecurity FrostyNeighbor report","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike"}],"stats":{"actors":11,"chains":17,"entities":142,"latest":"2026-05-27 13:04:07.027015","relations":[["drops",32],["connect",25],["references",25],["download",24],["communicates-with",19],["execute",17],["resolves-to",3]],"roles":[["staging",43],["payload",33],["c2",31],["entry",18],["redirector",17]],"techniques":[["IIM-T024",8],["IIM-T002",7],["IIM-T006",7],["IIM-T011",7],["IIM-T019",6],["IIM-T010",5],["IIM-T013",3],["IIM-T020",3],["IIM-T021",3],["IIM-T001",3]]},"total_matches":5,"total_rows":5}