{"error":null,"mode":"iimql","query":"MATCH entity WHERE type = \"domain\"","results":[{"actor":"GREYVIBE","chain_id":"withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2","confidence":"likely","description":"WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine\u2019s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.","digest":[{"role":"entry","techniques":[],"type":"email","value":"office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com"},{"role":"redirector","techniques":["IIM-T006"],"type":"url","value":"Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail"},{"role":"staging","techniques":["IIM-T024"],"type":"hash","value":"bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f"},{"role":"staging","techniques":[],"type":"hash","value":"2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327"},{"role":"payload","techniques":[],"type":"file","value":"PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a"},{"role":"payload","techniques":[],"type":"file","value":"PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe"},{"role":"staging","techniques":[],"type":"file","value":"%LOCALAPPDATA%\\Razer Update staging directory + Razer Synapse Service Helper scheduled task"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"nycpartnersenterprise.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"chiselworksenterprise.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"newrentalsenterprise.com"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2","matches":["c2 \u00b7 domain \u00b7 nycpartnersenterprise.com \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 chiselworksenterprise.com \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 newrentalsenterprise.com \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 bluelagoonaenterprise.com \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 heltaskeltahenterprise.com \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 newequipmentsolutions.com \u00b7 IIM-T011"],"published_at":"2026-05-31 19:17:43.650916","raw_url":"https://feed.iim.malwarebox.eu/api/chains/withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2/raw","relation_count":13,"roles":["entry","redirector","staging","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2"],"score":6,"source_links":[{"label":"Source 1","url":"https://labs.withsecure.com/publications/greyvibe"},{"label":"Source 2","url":"https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf"},{"label":"Source 3","url":"https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/"},{"label":"Source 4","url":"https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv"}],"techniques":["IIM-T006","IIM-T011","IIM-T024"],"title":"GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool"},{"actor":"unknown","chain_id":"joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","confidence":"confirmed","description":"IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.","digest":[{"role":"entry","techniques":[],"type":"file","value":"government-project-themed Word document (VBA macro dropper)"},{"role":"entry","techniques":[],"type":"file","value":"PDF with fake Adobe Reader lure"},{"role":"staging","techniques":["IIM-T001"],"type":"url","value":"hxxps://<subdomain>.b-cdn[.]net/<path>"},{"role":"payload","techniques":[],"type":"file","value":"<second-stage payload>"},{"role":"c2","techniques":[],"type":"domain","value":"<campaign C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","matches":["c2 \u00b7 domain \u00b7 <campaign C2 endpoint> \u00b7 no technique"],"published_at":"2026-05-30 21:33:26.939349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery/raw","relation_count":4,"roles":["entry","entry","staging","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T001"],"title":"Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN"},{"actor":"ClearFake","chain_id":"redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","confidence":"confirmed","description":"IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.","digest":[{"role":"entry","techniques":["IIM-T004"],"type":"domain","value":"<compromised website with injected JS>"},{"role":"redirector","techniques":["IIM-T015"],"type":"file","value":"injected JavaScript serving fake-CAPTCHA / ClickFix lure"},{"role":"staging","techniques":[],"type":"url","value":"<remote payload-retrieval host>"},{"role":"payload","techniques":[],"type":"file","value":"ACR Stealer (MaaS infostealer)"},{"role":"c2","techniques":[],"type":"domain","value":"<ACR Stealer C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","matches":["entry \u00b7 domain \u00b7 <compromised website with injected JS> \u00b7 IIM-T004","c2 \u00b7 domain \u00b7 <ACR Stealer C2 endpoint> \u00b7 no technique"],"published_at":"2026-05-30 21:31:45.548786","raw_url":"https://feed.iim.malwarebox.eu/api/chains/redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer/raw","relation_count":4,"roles":["entry","redirector","staging","payload","c2"],"score":2,"source_links":[],"techniques":["IIM-T004","IIM-T015"],"title":"ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer"},{"actor":"unknown","chain_id":"anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect","confidence":"likely","description":"IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.","digest":[{"role":"entry","techniques":[],"type":"url","value":"<Outlook phishing email link>"},{"role":"redirector","techniques":["IIM-T006"],"type":"url","value":"<fake Word Online / OneDrive page>"},{"role":"staging","techniques":[],"type":"file","value":"<multi-stage software installer>"},{"role":"c2","techniques":[],"type":"domain","value":"<ScreenConnect relay endpoint>"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect","matches":["c2 \u00b7 domain \u00b7 <ScreenConnect relay endpoint> \u00b7 no technique"],"published_at":"2026-05-30 21:28:41.242330","raw_url":"https://feed.iim.malwarebox.eu/api/chains/anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect/raw","relation_count":3,"roles":["entry","redirector","staging","c2"],"score":1,"source_links":[],"techniques":["IIM-T006"],"title":"Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access"},{"actor":"unknown","chain_id":"microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa","confidence":"confirmed","description":"IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.","digest":[{"role":"entry","techniques":[],"type":"file","value":"phishing HTML attachment"},{"role":"redirector","techniques":["IIM-T017"],"type":"url","value":"<initial visitor-screening phishing page>"},{"role":"redirector","techniques":[],"type":"url","value":"<CAPTCHA-gated routing page>"},{"role":"payload","techniques":[],"type":"domain","value":"<Tycoon 2FA AiTM credential endpoint>"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa","matches":["payload \u00b7 domain \u00b7 <Tycoon 2FA AiTM credential endpoint> \u00b7 no technique"],"published_at":"2026-05-30 21:27:18.638379","raw_url":"https://feed.iim.malwarebox.eu/api/chains/microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa/raw","relation_count":3,"roles":["entry","redirector","redirector","payload"],"score":1,"source_links":[],"techniques":["IIM-T017"],"title":"HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends"},{"actor":"unknown","chain_id":"securonix.2026.venomous-helper-ssa-rmm-double-compromised-host","confidence":"confirmed","description":"IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.","digest":[{"role":"entry","techniques":[],"type":"url","value":"<SSA-themed phishing email link>"},{"role":"redirector","techniques":["IIM-T004"],"type":"domain","value":"gruta.com[.]mx"},{"role":"staging","techniques":["IIM-T004"],"type":"domain","value":"server.cubatiendaalimentos.com[.]mx"},{"role":"payload","techniques":[],"type":"file","value":"SSA_Statement.exe (JWrapper-packaged Windows executable)"},{"role":"c2","techniques":[],"type":"domain","value":"<SimpleHelp/ScreenConnect RMM relay endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/securonix.2026.venomous-helper-ssa-rmm-double-compromised-host","matches":["redirector \u00b7 domain \u00b7 gruta.com[.]mx \u00b7 IIM-T004","staging \u00b7 domain \u00b7 server.cubatiendaalimentos.com[.]mx \u00b7 IIM-T004","c2 \u00b7 domain \u00b7 <SimpleHelp/ScreenConnect RMM relay endpoint> \u00b7 no technique"],"published_at":"2026-05-30 21:24:57.926412","raw_url":"https://feed.iim.malwarebox.eu/api/chains/securonix.2026.venomous-helper-ssa-rmm-double-compromised-host/raw","relation_count":4,"roles":["entry","redirector","staging","payload","c2"],"score":3,"source_links":[],"techniques":["IIM-T004"],"title":"SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access"},{"actor":"BlueNoroff","chain_id":"levelblue.2026.sapphire-sleet-macos-fake-zoom-update","confidence":"confirmed","description":"IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Zoom SDK Update.scpt"},{"role":"payload","techniques":[],"type":"file","value":"com.apple.cli profiling component"},{"role":"payload","techniques":[],"type":"file","value":"systemupdate.app / Mac Password Popup credential harvester"},{"role":"staging","techniques":[],"type":"file","value":"/Library/LaunchDaemons/com.google.webkit.service.plist"},{"role":"payload","techniques":[],"type":"file","value":"icloudz reflective backdoor component"},{"role":"payload","techniques":[],"type":"file","value":"com.google.chromes.updaters in-memory beacon agent"},{"role":"staging","techniques":[],"type":"file","value":"/tmp staged zip archives containing collected corporate and crypto assets"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"check02id.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"uw04webzoom.us"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"uw05webzoom.us"}],"entity_count":21,"feed_url":"https://feed.iim.malwarebox.eu/chain/levelblue.2026.sapphire-sleet-macos-fake-zoom-update","matches":["c2 \u00b7 domain \u00b7 check02id.com \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 uw04webzoom.us \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 uw05webzoom.us \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 uw03webzoom.us \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 uv01webzoom.us \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 uv03webzoom.us \u00b7 IIM-T011"],"published_at":"2026-05-30 11:17:36.619344","raw_url":"https://feed.iim.malwarebox.eu/api/chains/levelblue.2026.sapphire-sleet-macos-fake-zoom-update/raw","relation_count":21,"roles":["entry","payload","payload","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2"],"score":6,"source_links":[{"label":"Source 1","url":"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"}],"techniques":["IIM-T011"],"title":"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure"},{"actor":"unknown","chain_id":"seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2","confidence":"confirmed","description":"IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP attachment containing Taiwan/Czech lure artifacts"},{"role":"entry","techniques":[],"type":"file","value":"\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.pdf.lnk"},{"role":"entry","techniques":[],"type":"file","value":"_\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.exe"},{"role":"staging","techniques":[],"type":"file","value":"data\\empty.vbs"},{"role":"staging","techniques":[],"type":"file","value":"data\\Profile.ps1"},{"role":"staging","techniques":[],"type":"file","value":"data\\1.dat encrypted RuntimeBroker_update.exe container"},{"role":"staging","techniques":[],"type":"file","value":"RuntimeBroker_update.exe sideload trigger executable"},{"role":"staging","techniques":[],"type":"file","value":"BrowserViewUtility.exe legitimate sideload host"},{"role":"payload","techniques":[],"type":"file","value":"UnityPlayer.dll / RUSTCLOAK Rust loader"},{"role":"staging","techniques":[],"type":"file","value":"Com.dat encrypted AZUREVEIL payload container"}],"entity_count":14,"feed_url":"https://feed.iim.malwarebox.eu/chain/seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2","matches":["c2 \u00b7 domain \u00b7 note1ggbbhggdwa1.blob.core.windows.net \u00b7 IIM-T002, IIM-T006, IIM-T013, IIM-T018"],"published_at":"2026-05-29 20:05:53.878328","raw_url":"https://feed.iim.malwarebox.eu/api/chains/seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2/raw","relation_count":20,"roles":["entry","entry","entry","staging","staging","staging","staging","staging","payload","staging","payload","c2","c2","staging"],"score":1,"source_links":[{"label":"Source 1","url":"https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"}],"techniques":["IIM-T002","IIM-T006","IIM-T013","IIM-T018","IIM-T024"],"title":"Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2"},{"actor":"SideCopy","chain_id":"seqrite.2026.operation-xenofiscal-sidecopy-xenorat","confidence":"confirmed","description":"IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel"},{"role":"entry","techniques":[],"type":"file","value":"\u062f_\u0647\u063a\u0648_\u06a9\u0627\u0631\u06a9\u0648\u0648\u0646\u06a9\u0648_\u0644\u06d0\u0633\u062a_\u0686\u06d0_\u062f_\u0641\u06a9\u0631\u064a_\u0627\u0648_\u0631\u0648\u0627\u0646\u064a_\u062c\u06ab\u0693\u06d0_\u0633\u06cc\u0645\u06cc\u0646\u0627\u0631_\u062a\u0647_\u0648\u0631\u067e\u06d0\u0698\u0646\u062f\u0644_\u0634\u0648\u064a_\u0648\u064812.pdf.lnk"},{"role":"staging","techniques":[],"type":"file","value":"mshta.exe LOLBIN execution of remote HTA/PHP"},{"role":"staging","techniques":["IIM-T004"],"type":"domain","value":"abimj.edu.af"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/index.php"},{"role":"staging","techniques":[],"type":"file","value":"ugayt.hta initial HTA/JavaScript payload"},{"role":"staging","techniques":[],"type":"file","value":"WayBroad.dll Stage-1 .NET loader DLL"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiyaf/document.pdf"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiya/"},{"role":"staging","techniques":[],"type":"file","value":"zuidrt.hta persistent next-stage HTA payload"}],"entity_count":19,"feed_url":"https://feed.iim.malwarebox.eu/chain/seqrite.2026.operation-xenofiscal-sidecopy-xenorat","matches":["staging \u00b7 domain \u00b7 abimj.edu.af \u00b7 IIM-T004"],"published_at":"2026-05-29 20:01:27.851436","raw_url":"https://feed.iim.malwarebox.eu/api/chains/seqrite.2026.operation-xenofiscal-sidecopy-xenorat/raw","relation_count":18,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","staging","staging"],"score":1,"source_links":[{"label":"Source 1","url":"https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"}],"techniques":["IIM-T003","IIM-T004","IIM-T021","IIM-T024"],"title":"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2"},{"actor":"unknown","chain_id":"malwarebytes.2026.fake-chatgpt-dual-platform-stealers","confidence":"confirmed","description":"IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.","digest":[{"role":"entry","techniques":[],"type":"url","value":"search ads / SEO / YouTube / Discord / Telegram traffic for AI desktop-app downloads"},{"role":"entry","techniques":[],"type":"domain","value":"openew.app"},{"role":"payload","techniques":[],"type":"file","value":"Chat_GPT.exe"},{"role":"payload","techniques":[],"type":"hash","value":"c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d"},{"role":"payload","techniques":[],"type":"file","value":"EApp.exe launched from %APPDATA%\\LeronApplication"},{"role":"c2","techniques":[],"type":"url","value":"http://188.137.246.189/laravel.php?api=api&hash=<redacted>&message=<redacted>"},{"role":"c2","techniques":[],"type":"ip","value":"188.137.246.189"},{"role":"payload","techniques":["IIM-T024"],"type":"file","value":"ChatGpt.dmg"},{"role":"payload","techniques":[],"type":"hash","value":"c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b"},{"role":"payload","techniques":[],"type":"file","value":"Odyssey Stealer / AMOS fork macOS payload"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/malwarebytes.2026.fake-chatgpt-dual-platform-stealers","matches":["entry \u00b7 domain \u00b7 openew.app \u00b7 no technique"],"published_at":"2026-05-28 19:45:38.928990","raw_url":"https://feed.iim.malwarebox.eu/api/chains/malwarebytes.2026.fake-chatgpt-dual-platform-stealers/raw","relation_count":14,"roles":["entry","entry","payload","payload","payload","c2","c2","payload","payload","payload","staging","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T024"],"title":"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer"},{"actor":"unknown","chain_id":"securelist.2026.pirated-content-silentcryptominer-rat","confidence":"confirmed","description":"IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.","digest":[{"role":"entry","techniques":[],"type":"domain","value":"pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)"},{"role":"entry","techniques":[],"type":"url","value":"fake video player plugin update prompt on pirated content site (exact URL not published)"},{"role":"staging","techniques":["IIM-T010"],"type":"domain","value":"urush1bar4.online"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing HLS Installer.874.exe and malicious DLL"},{"role":"staging","techniques":[],"type":"file","value":"HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"file","value":"malicious DLL side-loaded by HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"hash","value":"6A0FE6065D76715FEEBC1526D456DB73"},{"role":"payload","techniques":[],"type":"hash","value":"7F624407AE489324E96A708A09C17E6F"},{"role":"payload","techniques":[],"type":"hash","value":"02A43B3423367B9DDDC24CC7DFC070DF"},{"role":"payload","techniques":[],"type":"file","value":"decrypted main module / modified SilentCryptoMiner fork"}],"entity_count":26,"feed_url":"https://feed.iim.malwarebox.eu/chain/securelist.2026.pirated-content-silentcryptominer-rat","matches":["entry \u00b7 domain \u00b7 pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published) \u00b7 no technique","staging \u00b7 domain \u00b7 urush1bar4.online \u00b7 IIM-T010","c2 \u00b7 domain \u00b7 5d14vnfb.space \u00b7 IIM-T009, IIM-T011","c2 \u00b7 domain \u00b7 r7mvjl67.space \u00b7 IIM-T009, IIM-T011","c2 \u00b7 domain \u00b7 zgj1tam9.space \u00b7 IIM-T009, IIM-T011","c2 \u00b7 domain \u00b7 jeaw520i.space \u00b7 IIM-T009, IIM-T011"],"published_at":"2026-05-28 19:43:28.468986","raw_url":"https://feed.iim.malwarebox.eu/api/chains/securelist.2026.pirated-content-silentcryptominer-rat/raw","relation_count":33,"roles":["entry","entry","staging","staging","staging","payload","payload","payload","payload","payload","payload","payload","payload","payload","c2","c2","c2","c2","c2","redirector","redirector","redirector","redirector","c2","c2","c2"],"score":6,"source_links":[],"techniques":["IIM-T009","IIM-T010","IIM-T011","IIM-T024"],"title":"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure"},{"actor":"BlackToad","chain_id":"jumpsec.2026.blacktoad-autoit-remcos-network-blackout","confidence":"confirmed","description":"IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.","digest":[{"role":"entry","techniques":[],"type":"email","value":"Thai-language image-based financial payment-slip phishing email"},{"role":"staging","techniques":["IIM-T006"],"type":"url","value":"MediaFire-hosted malware download link (exact URL not published)"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"SLIP0202E0309029.pdf.scr"},{"role":"staging","techniques":[],"type":"file","value":"flvs.vbe"},{"role":"staging","techniques":[],"type":"file","value":"xbkjm.xls (renamed AutoIt3.exe interpreter)"},{"role":"staging","techniques":[],"type":"file","value":"wnkfmvql.das"},{"role":"staging","techniques":[],"type":"file","value":"oquhestmf.mp3"},{"role":"staging","techniques":[],"type":"file","value":"diniuvw.ikp"},{"role":"payload","techniques":[],"type":"file","value":"payload.bin / decoded Remcos Pro implant"},{"role":"c2","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"pmitm.ddns.net"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/jumpsec.2026.blacktoad-autoit-remcos-network-blackout","matches":["c2 \u00b7 domain \u00b7 pmitm.ddns.net \u00b7 IIM-T008, IIM-T011","c2 \u00b7 domain \u00b7 lordtoad.duckdns.org \u00b7 IIM-T008, IIM-T011","c2 \u00b7 domain \u00b7 toadshit.ddnsfree.com \u00b7 IIM-T008, IIM-T011"],"published_at":"2026-05-28 16:12:38.401983","raw_url":"https://feed.iim.malwarebox.eu/api/chains/jumpsec.2026.blacktoad-autoit-remcos-network-blackout/raw","relation_count":25,"roles":["entry","staging","staging","staging","staging","staging","staging","staging","payload","c2","c2","c2","c2","c2","c2","c2"],"score":3,"source_links":[],"techniques":["IIM-T003","IIM-T006","IIM-T008","IIM-T011","IIM-T024"],"title":"BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-audiofix-fake-driver-macos","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.","digest":[{"role":"entry","techniques":["IIM-T010"],"type":"url","value":"LinkedIn recruiter / business-partner outreach leading to fake meeting lure"},{"role":"entry","techniques":["IIM-T010","IIM-T020"],"type":"url","value":"https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac"},{"role":"staging","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/arm/driver/coreaudiod"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/intel/driver/coreaudiod"},{"role":"payload","techniques":[],"type":"hash","value":"65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6"},{"role":"payload","techniques":[],"type":"hash","value":"0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"datahub.ink"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"cloud-sync.online"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-audiofix-fake-driver-macos","matches":["c2 \u00b7 domain \u00b7 datahub.ink \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 cloud-sync.online \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 byte-io.us \u00b7 IIM-T011"],"published_at":"2026-05-28 13:44:27.490408","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-audiofix-fake-driver-macos/raw","relation_count":16,"roles":["entry","entry","staging","payload","payload","payload","payload","staging","c2","c2","c2","c2","c2","staging","payload","payload"],"score":3,"source_links":[],"techniques":["IIM-T010","IIM-T011","IIM-T020"],"title":"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1"},{"role":"entry","techniques":[],"type":"file","value":"@velora-dex/sdk dist/index.js malicious appended exec block"},{"role":"staging","techniques":["IIM-T002"],"type":"url","value":"http://89.36.224.5/troubleshoot/mac/install.sh"},{"role":"staging","techniques":["IIM-T002"],"type":"ip","value":"89.36.224.5"},{"role":"staging","techniques":[],"type":"hash","value":"c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e"},{"role":"staging","techniques":[],"type":"hash","value":"2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460"},{"role":"payload","techniques":[],"type":"hash","value":"0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270"},{"role":"payload","techniques":[],"type":"hash","value":"0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d"},{"role":"payload","techniques":[],"type":"hash","value":"a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.apple.Terminal.profiler.plist"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","matches":["c2 \u00b7 domain \u00b7 datahub.ink \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 cloud-sync.online \u00b7 IIM-T011","c2 \u00b7 domain \u00b7 byte-io.us \u00b7 IIM-T011"],"published_at":"2026-05-28 13:43:20.060851","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain/raw","relation_count":17,"roles":["entry","entry","staging","staging","staging","staging","payload","payload","payload","staging","c2","c2","c2","c2","c2"],"score":3,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T011"],"title":"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain"},{"actor":"unknown","chain_id":"ox.2026.malware-slop-npm-github-exfil","confidence":"confirmed","description":"IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"https://www.npmjs.com/package/mouse5212-super-formatter"},{"role":"payload","techniques":[],"type":"file","value":"npm postinstall script disguised as archive deployment sync utility"},{"role":"staging","techniques":[],"type":"file","value":"/mnt/user-data"},{"role":"redirector","techniques":["IIM-T006"],"type":"domain","value":"github.com"},{"role":"c2","techniques":["IIM-T018","IIM-T006"],"type":"url","value":"https://api.github.com/repos/<actor-controlled-account>/<target-repository>/contents/<random-per-run-folder>/"},{"role":"c2","techniques":["IIM-T018","IIM-T006"],"type":"file","value":"random per-run folder containing base64-encoded uploaded files"},{"role":"staging","techniques":[],"type":"file","value":"hardcoded fallback GitHub token / victim environment GitHub token"},{"role":"staging","techniques":[],"type":"file","value":"fake network connections diagnostics log"}],"entity_count":8,"feed_url":"https://feed.iim.malwarebox.eu/chain/ox.2026.malware-slop-npm-github-exfil","matches":["redirector \u00b7 domain \u00b7 github.com \u00b7 IIM-T006"],"published_at":"2026-05-28 13:32:24.344204","raw_url":"https://feed.iim.malwarebox.eu/api/chains/ox.2026.malware-slop-npm-github-exfil/raw","relation_count":7,"roles":["entry","payload","staging","redirector","c2","c2","staging","staging"],"score":1,"source_links":[],"techniques":["IIM-T006","IIM-T018"],"title":"Malware-Slop npm package to GitHub Contents API exfiltration chain"},{"actor":"unknown","chain_id":"microsoft.2026.poisoned-search-screenconnect-gpu-miner","confidence":"confirmed","description":"IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.","digest":[{"role":"entry","techniques":["IIM-T011"],"type":"domain","value":"attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"direct-download.gleeze.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"start-download.gleeze.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"direct-downloads.giize.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"free-download.giize.com"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive containing legitimate utility executable plus autorun.dll"},{"role":"payload","techniques":[],"type":"file","value":"autorun.dll variant set loaded by legitimate utility executable"},{"role":"payload","techniques":[],"type":"hash","value":"e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610"},{"role":"payload","techniques":[],"type":"file","value":"ScreenConnect.ClientService.exe service invocation"},{"role":"c2","techniques":[],"type":"domain","value":"directdownload.icu"}],"entity_count":20,"feed_url":"https://feed.iim.malwarebox.eu/chain/microsoft.2026.poisoned-search-screenconnect-gpu-miner","matches":["entry \u00b7 domain \u00b7 attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published) \u00b7 IIM-T011","staging \u00b7 domain \u00b7 direct-download.gleeze.com \u00b7 IIM-T008, IIM-T024","staging \u00b7 domain \u00b7 start-download.gleeze.com \u00b7 IIM-T008, IIM-T024","staging \u00b7 domain \u00b7 direct-downloads.giize.com \u00b7 IIM-T008, IIM-T024","staging \u00b7 domain \u00b7 free-download.giize.com \u00b7 IIM-T008, IIM-T024","c2 \u00b7 domain \u00b7 directdownload.icu \u00b7 no technique"],"published_at":"2026-05-27 17:02:04.379573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/microsoft.2026.poisoned-search-screenconnect-gpu-miner/raw","relation_count":23,"roles":["entry","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2","payload","payload","payload","c2","c2","c2","c2","c2","payload"],"score":6,"source_links":[{"label":"{'publisher': 'Microsoft Security Blog', 'title': 'From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities', 'url': 'https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/', 'published_at': '2026-05-26', 'authors': ['Microsoft Defender Experts', 'Microsoft Defender Security Research Team']}","url":"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"}],"techniques":["IIM-T008","IIM-T011","IIM-T012","IIM-T021","IIM-T024"],"title":"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2"},{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["c2 \u00b7 domain \u00b7 commercial VPS-hosted direct C2 infrastructure (exact addresses not published) \u00b7 IIM-T002"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":["redirector \u00b7 domain \u00b7 document-downloads.ddns.net \u00b7 IIM-T008, IIM-T011"],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":1,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"},{"actor":"UAT-10027","chain_id":"uat-10027-dohdoor-education-healthcare-2026-02-26","confidence":"likely","description":"Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.","digest":[{"role":"entry","techniques":[],"type":"file","value":"suspected phishing-delivered PowerShell downloader"},{"role":"staging","techniques":[],"type":"url","value":"remote staging URL serving .bat or .cmd batch file"},{"role":"staging","techniques":[],"type":"file","value":"Windows batch script dropper orchestrating DLL sideloading"},{"role":"staging","techniques":[],"type":"url","value":"http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},{"role":"payload","techniques":[],"type":"file","value":"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"},{"role":"c2","techniques":[],"type":"url","value":"http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},{"role":"redirector","techniques":[],"type":"domain","value":"cloudflare-dns.com DoH resolver over HTTPS/443"},{"role":"c2","techniques":["IIM-T001","IIM-T011"],"type":"domain","value":"MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"},{"role":"payload","techniques":[],"type":"file","value":"potential Cobalt Strike Beacon next-stage payload"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10027-dohdoor-education-healthcare-2026-02-26","matches":["redirector \u00b7 domain \u00b7 cloudflare-dns.com DoH resolver over HTTPS/443 \u00b7 no technique","c2 \u00b7 domain \u00b7 MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool \u00b7 IIM-T001, IIM-T011"],"published_at":"2026-05-27 12:09:14.641573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10027-dohdoor-education-healthcare-2026-02-26/raw","relation_count":11,"roles":["entry","staging","staging","staging","payload","c2","redirector","c2","payload"],"score":2,"source_links":[],"techniques":["IIM-T001","IIM-T011"],"title":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care"},{"actor":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.","digest":[{"role":"entry","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"role":"redirector","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"role":"staging","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"role":"staging","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"role":"staging","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"role":"payload","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"role":"payload","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"}],"entity_count":12,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08","matches":["c2 \u00b7 domain \u00b7 d.2fcc7078.digimg.store \u00b7 no technique"],"published_at":"2026-05-27 12:07:54.333154","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"roles":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"score":1,"source_links":[],"techniques":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations"},{"actor":"unknown","chain_id":"powmix-czech-workforce-2026-04-16","confidence":"likely","description":"Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive with compliance-themed lure"},{"role":"staging","techniques":[],"type":"file","value":"Windows shortcut file inside ZIP"},{"role":"staging","techniques":[],"type":"file","value":"embedded PowerShell loader script"},{"role":"staging","techniques":[],"type":"file","value":"hidden encoded PowMix payload blob inside ZIP"},{"role":"payload","techniques":[],"type":"file","value":"PowMix PowerShell botnet payload"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"herokuapp.com based C2 endpoint"},{"role":"c2","techniques":[],"type":"url","value":"REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"operator-supplied replacement C2 domain from #HOST command"}],"entity_count":8,"feed_url":"https://feed.iim.malwarebox.eu/chain/powmix-czech-workforce-2026-04-16","matches":["c2 \u00b7 domain \u00b7 herokuapp.com based C2 endpoint \u00b7 IIM-T002","c2 \u00b7 domain \u00b7 operator-supplied replacement C2 domain from #HOST command \u00b7 IIM-T011"],"published_at":"2026-05-27 12:05:45.587349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/powmix-czech-workforce-2026-04-16/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","c2","c2"],"score":2,"source_links":[],"techniques":["IIM-T002","IIM-T011","IIM-T024"],"title":"PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce"},{"actor":"Webworm","chain_id":"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","confidence":"confirmed","description":"ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.","digest":[{"role":"payload","techniques":[],"type":"file","value":"GraphWorm payload"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed storage"},{"role":"payload","techniques":[],"type":"file","value":"WormFrp reverse proxy / exfiltration component"},{"role":"staging","techniques":["IIM-T002","IIM-T006"],"type":"domain","value":"wamanharipethe.s3.ap-south-1.amazonaws[.]com"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","matches":["c2 \u00b7 domain \u00b7 graph.microsoft.com / Microsoft Graph API \u00b7 IIM-T006, IIM-T018","c2 \u00b7 domain \u00b7 onedrive.live.com / OneDrive-backed storage \u00b7 IIM-T006, IIM-T018","staging \u00b7 domain \u00b7 wamanharipethe.s3.ap-south-1.amazonaws[.]com \u00b7 IIM-T002, IIM-T006"],"published_at":"2026-05-26 14:05:46.910472","raw_url":"https://feed.iim.malwarebox.eu/api/chains/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane/raw","relation_count":4,"roles":["payload","c2","c2","payload","staging"],"score":3,"source_links":[{"label":"ESET WeLiveSecurity Webworm report","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"}],"techniques":["IIM-T002","IIM-T006","IIM-T018"],"title":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane"},{"actor":"Webworm","chain_id":"iim.chain.apt.2026.05.009","confidence":"confirmed","description":"ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.","digest":[{"role":"staging","techniques":["IIM-T006"],"type":"domain","value":"github[.]com/anjsdgasdf/WordPress"},{"role":"payload","techniques":[],"type":"file","value":"EchoCreep DLL"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"discord[.]com / Discord API"},{"role":"redirector","techniques":["IIM-T002","IIM-T026"],"type":"ip","value":"64[.]176[.]85[.]158"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.009","matches":["staging \u00b7 domain \u00b7 github[.]com/anjsdgasdf/WordPress \u00b7 IIM-T006","c2 \u00b7 domain \u00b7 discord[.]com / Discord API \u00b7 IIM-T006, IIM-T018"],"published_at":"2026-05-26 14:05:20.204940","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.009/raw","relation_count":3,"roles":["staging","payload","c2","redirector"],"score":2,"source_links":[{"label":"ESET WeLiveSecurity Webworm report","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"}],"techniques":["IIM-T002","IIM-T006","IIM-T018","IIM-T026"],"title":"Webworm GitHub staging to EchoCreep Discord C2"},{"actor":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"role":"staging","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"role":"payload","techniques":[],"type":"file","value":"VSHELL payload"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","matches":["c2 \u00b7 domain \u00b7 image.update-kaspersky.workers[.]dev \u00b7 IIM-T005, IIM-T006","c2 \u00b7 domain \u00b7 update-kaspersky.workers[.]dev \u00b7 IIM-T005, IIM-T006"],"published_at":"2026-05-26 14:00:43.416102","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":2,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev"},{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"role":"payload","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.006","matches":["redirector \u00b7 domain \u00b7 github[.]com / public dead-drop resolver \u00b7 IIM-T006, IIM-T013","redirector \u00b7 domain \u00b7 gamespot[.]com / public dead-drop resolver \u00b7 IIM-T006, IIM-T013","c2 \u00b7 domain \u00b7 www.drivelivelime[.]com \u00b7 IIM-T010, IIM-T011","c2 \u00b7 domain \u00b7 msiidentity[.]com \u00b7 IIM-T010, IIM-T011"],"published_at":"2026-05-26 13:35:13.409443","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.006/raw","relation_count":7,"roles":["payload","redirector","redirector","c2","c2","c2"],"score":4,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2"}],"stats":{"actors":19,"chains":39,"entities":406,"latest":"2026-05-31 19:22:26.947823","relations":[["connect",96],["drops",89],["references",73],["download",61],["execute",52],["communicates-with",30],["resolves-to",30],["redirect",8]],"roles":[["staging",116],["c2",110],["payload",95],["entry",51],["redirector",34]],"techniques":[["IIM-T024",18],["IIM-T006",15],["IIM-T011",14],["IIM-T002",9],["IIM-T010",7],["IIM-T018",6],["IIM-T019",6],["IIM-T004",5],["IIM-T013",5],["IIM-T021",5]]},"total_matches":29,"total_rows":79}
