{"error":null,"mode":"iimql","query":"MATCH chain WHERE technique_ids HAS \"IIM-T010\"","results":[{"actor":"unknown","chain_id":"securelist.2026.pirated-content-silentcryptominer-rat","confidence":"confirmed","description":"IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.","digest":[{"role":"entry","techniques":[],"type":"domain","value":"pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)"},{"role":"entry","techniques":[],"type":"url","value":"fake video player plugin update prompt on pirated content site (exact URL not published)"},{"role":"staging","techniques":["IIM-T010"],"type":"domain","value":"urush1bar4.online"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing HLS Installer.874.exe and malicious DLL"},{"role":"staging","techniques":[],"type":"file","value":"HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"file","value":"malicious DLL side-loaded by HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"hash","value":"6A0FE6065D76715FEEBC1526D456DB73"},{"role":"payload","techniques":[],"type":"hash","value":"7F624407AE489324E96A708A09C17E6F"},{"role":"payload","techniques":[],"type":"hash","value":"02A43B3423367B9DDDC24CC7DFC070DF"},{"role":"payload","techniques":[],"type":"file","value":"decrypted main module / modified SilentCryptoMiner fork"}],"entity_count":26,"feed_url":"https://feed.iim.malwarebox.eu/chain/securelist.2026.pirated-content-silentcryptominer-rat","matches":["chain match"],"published_at":"2026-05-28 19:43:28.468986","raw_url":"https://feed.iim.malwarebox.eu/api/chains/securelist.2026.pirated-content-silentcryptominer-rat/raw","relation_count":33,"roles":["entry","entry","staging","staging","staging","payload","payload","payload","payload","payload","payload","payload","payload","payload","c2","c2","c2","c2","c2","redirector","redirector","redirector","redirector","c2","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T009","IIM-T010","IIM-T011","IIM-T024"],"title":"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-audiofix-fake-driver-macos","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.","digest":[{"role":"entry","techniques":["IIM-T010"],"type":"url","value":"LinkedIn recruiter / business-partner outreach leading to fake meeting lure"},{"role":"entry","techniques":["IIM-T010","IIM-T020"],"type":"url","value":"https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac"},{"role":"staging","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/arm/driver/coreaudiod"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/intel/driver/coreaudiod"},{"role":"payload","techniques":[],"type":"hash","value":"65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6"},{"role":"payload","techniques":[],"type":"hash","value":"0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"datahub.ink"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"cloud-sync.online"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-audiofix-fake-driver-macos","matches":["chain match"],"published_at":"2026-05-28 13:44:27.490408","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-audiofix-fake-driver-macos/raw","relation_count":16,"roles":["entry","entry","staging","payload","payload","payload","payload","staging","c2","c2","c2","c2","c2","staging","payload","payload"],"score":1,"source_links":[],"techniques":["IIM-T010","IIM-T011","IIM-T020"],"title":"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain"},{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":["chain match"],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":1,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"},{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"role":"payload","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.006","matches":["chain match"],"published_at":"2026-05-26 13:35:13.409443","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.006/raw","relation_count":7,"roles":["payload","redirector","redirector","c2","c2","c2"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"role":"staging","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"role":"payload","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004","matches":["chain match"],"published_at":"2026-05-26 13:31:49.179479","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"roles":["entry","staging","staging","payload","payload","c2","payload"],"score":1,"source_links":[{"label":"SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity","url":"https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"role":"staging","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"role":"payload","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"role":"c2","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003","matches":["chain match"],"published_at":"2026-05-26 13:31:09.325636","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"roles":["staging","payload","c2","c2"],"score":1,"source_links":[{"label":"FrostyNeighbor: Fresh mischief and digital shenanigans","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/tree/master/frostyneighbor"}],"techniques":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz"},{"actor":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"role":"staging","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"role":"staging","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"role":"payload","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","matches":["chain match"],"published_at":"2026-05-26 13:26:34.732614","raw_url":"https://feed.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"score":1,"source_links":[{"label":"ESET WeLiveSecurity FrostyNeighbor report","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike"}],"stats":{"actors":19,"chains":39,"entities":406,"latest":"2026-05-31 19:22:26.947823","relations":[["connect",96],["drops",89],["references",73],["download",61],["execute",52],["communicates-with",30],["resolves-to",30],["redirect",8]],"roles":[["staging",116],["c2",110],["payload",95],["entry",51],["redirector",34]],"techniques":[["IIM-T024",18],["IIM-T006",15],["IIM-T011",14],["IIM-T002",9],["IIM-T010",7],["IIM-T018",6],["IIM-T019",6],["IIM-T004",5],["IIM-T013",5],["IIM-T021",5]]},"total_matches":7,"total_rows":7}
