{"error":null,"mode":"iimql","query":"MATCH position WHERE role = \"payload\" RETURN chain.chain_id, chain.title, entity.value","results":[{"actor":"APT43","chain_id":"enki.2026.kimsuky-webex-httpSpy-jsonping","confidence":"confirmed","description":"ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2.","digest":[{"role":"entry","techniques":[],"type":"url","value":"https://conference.birdriver.org/"},{"role":"staging","techniques":["IIM-T024"],"type":"url","value":"https://download.birdriver.org/download.php?id=425623"},{"role":"staging","techniques":[],"type":"file","value":"fix-camera.jse"},{"role":"redirector","techniques":["IIM-T015"],"type":"file","value":"C:\\ProgramData\\meeting.html decoy redirector"},{"role":"staging","techniques":[],"type":"file","value":"C:\\ProgramData\\mTSTCv8.mdxm / loadDll.dll"},{"role":"staging","techniques":[],"type":"url","value":"https://download.birdriver.org/download.php?id=393156"},{"role":"payload","techniques":[],"type":"file","value":"engine.dat / spyInster.dll"},{"role":"payload","techniques":[],"type":"file","value":"C:\\Users\\Public\\cacheMon.dat / spyLoader.dll"},{"role":"payload","techniques":[],"type":"file","value":"HttpSpy main module / httpSpy.dll"},{"role":"c2","techniques":[],"type":"url","value":"http://hdrgdrfes.chickenkiller.com/index.php"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/enki.2026.kimsuky-webex-httpSpy-jsonping","matches":["{\"chain.chain_id\": \"enki.2026.kimsuky-webex-httpSpy-jsonping\", \"chain.title\": \"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2\", \"entity.value\": \"engine.dat / spyInster.dll\"}","{\"chain.chain_id\": \"enki.2026.kimsuky-webex-httpSpy-jsonping\", \"chain.title\": \"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2\", \"entity.value\": \"C:\\\\Users\\\\Public\\\\cacheMon.dat / spyLoader.dll\"}","{\"chain.chain_id\": \"enki.2026.kimsuky-webex-httpSpy-jsonping\", \"chain.title\": \"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2\", \"entity.value\": \"HttpSpy main module / httpSpy.dll\"}"],"published_at":"2026-05-31 19:22:26.947823","raw_url":"https://feed.iim.malwarebox.eu/api/chains/enki.2026.kimsuky-webex-httpSpy-jsonping/raw","relation_count":13,"roles":["entry","staging","staging","redirector","staging","staging","payload","payload","payload","c2","staging"],"score":3,"source_links":[],"techniques":["IIM-T015","IIM-T024"],"title":"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2"},{"actor":"GREYVIBE","chain_id":"withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2","confidence":"likely","description":"WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine\u2019s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.","digest":[{"role":"entry","techniques":[],"type":"email","value":"office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com"},{"role":"redirector","techniques":["IIM-T006"],"type":"url","value":"Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail"},{"role":"staging","techniques":["IIM-T024"],"type":"hash","value":"bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f"},{"role":"staging","techniques":[],"type":"hash","value":"2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327"},{"role":"payload","techniques":[],"type":"file","value":"PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a"},{"role":"payload","techniques":[],"type":"file","value":"PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe"},{"role":"staging","techniques":[],"type":"file","value":"%LOCALAPPDATA%\\Razer Update staging directory + Razer Synapse Service Helper scheduled task"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"nycpartnersenterprise.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"chiselworksenterprise.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"newrentalsenterprise.com"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2","matches":["{\"chain.chain_id\": \"withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2\", \"chain.title\": \"GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool\", \"entity.value\": \"PhantomRelayV2 watchdog / RzUpdateManager.p\u2026","{\"chain.chain_id\": \"withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2\", \"chain.title\": \"GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool\", \"entity.value\": \"PhantomRelayV2 RAT client / RzTelemetry.ps1\u2026"],"published_at":"2026-05-31 19:17:43.650916","raw_url":"https://feed.iim.malwarebox.eu/api/chains/withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2/raw","relation_count":13,"roles":["entry","redirector","staging","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2"],"score":2,"source_links":[{"label":"Source 1","url":"https://labs.withsecure.com/publications/greyvibe"},{"label":"Source 2","url":"https://labs.withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf"},{"label":"Source 3","url":"https://github.com/WithSecureLabs/iocs/tree/master/GREYVIBE/"},{"label":"Source 4","url":"https://raw.githubusercontent.com/WithSecureLabs/iocs/refs/heads/master/GREYVIBE/greyvibe_iocs.csv"}],"techniques":["IIM-T006","IIM-T011","IIM-T024"],"title":"GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool"},{"actor":"unknown","chain_id":"rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse","confidence":"confirmed","description":"IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.","digest":[{"role":"entry","techniques":[],"type":"ip","value":"104.207.144.154"},{"role":"entry","techniques":[],"type":"ip","value":"146.19.216.119"},{"role":"entry","techniques":[],"type":"ip","value":"146.19.216.120"},{"role":"entry","techniques":[],"type":"ip","value":"146.19.216.125"},{"role":"redirector","techniques":[],"type":"url","value":"/ssl-vpn/login.esp on affected GlobalProtect portal/gateway"},{"role":"staging","techniques":[],"type":"certificate","value":"Reused certificate/public key from affected GlobalProtect certificate chain"},{"role":"payload","techniques":[],"type":"file","value":"Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie)"},{"role":"payload","techniques":[],"type":"file","value":"Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff)"},{"role":"c2","techniques":[],"type":"file","value":"VPN-assigned internal-network access after successful cookie authentication (subset of victims)"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse","matches":["{\"chain.chain_id\": \"rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse\", \"chain.title\": \"CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access\", \"entity.value\": \"Forged GlobalProt\u2026","{\"chain.chain_id\": \"rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse\", \"chain.title\": \"CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access\", \"entity.value\": \"Successful cookie\u2026"],"published_at":"2026-05-31 19:08:44.752514","raw_url":"https://feed.iim.malwarebox.eu/api/chains/rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse/raw","relation_count":9,"roles":["entry","entry","entry","entry","redirector","staging","payload","payload","c2"],"score":2,"source_links":[],"techniques":[],"title":"CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access"},{"actor":"unknown","chain_id":"medium.2026.atomic-macos-stealer-amos-http-c2","confidence":"confirmed","description":"IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Atomic macOS Stealer (AMOS) Mach-O universal binary / ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9"},{"role":"staging","techniques":[],"type":"file","value":"XOR-obfuscated AMOS behavioral/config layer using key 7M43mJx9I0GwjslSA2oKSgkqsUo"},{"role":"payload","techniques":[],"type":"file","value":"AMOS collection and evasion runtime (AppleScript Finder move/delete, xattr quarantine removal, osascript mute, bash self-delete)"},{"role":"c2","techniques":[],"type":"url","value":"http://85.217.222.185/static.php"},{"role":"c2","techniques":[],"type":"url","value":"http://85.217.222.185/index.php"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/medium.2026.atomic-macos-stealer-amos-http-c2","matches":["{\"chain.chain_id\": \"medium.2026.atomic-macos-stealer-amos-http-c2\", \"chain.title\": \"Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints\", \"entity.value\": \"AMOS collection and evasion runtime (Ap\u2026"],"published_at":"2026-05-31 19:04:58.401138","raw_url":"https://feed.iim.malwarebox.eu/api/chains/medium.2026.atomic-macos-stealer-amos-http-c2/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":1,"source_links":[],"techniques":[],"title":"Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints"},{"actor":"unknown","chain_id":"joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","confidence":"confirmed","description":"IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.","digest":[{"role":"entry","techniques":[],"type":"file","value":"government-project-themed Word document (VBA macro dropper)"},{"role":"entry","techniques":[],"type":"file","value":"PDF with fake Adobe Reader lure"},{"role":"staging","techniques":["IIM-T001"],"type":"url","value":"hxxps://<subdomain>.b-cdn[.]net/<path>"},{"role":"payload","techniques":[],"type":"file","value":"<second-stage payload>"},{"role":"c2","techniques":[],"type":"domain","value":"<campaign C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery","matches":["{\"chain.chain_id\": \"joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery\", \"chain.title\": \"Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN\", \"entity.value\": \"<second-stage pay\u2026"],"published_at":"2026-05-30 21:33:26.939349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery/raw","relation_count":4,"roles":["entry","entry","staging","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T001"],"title":"Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN"},{"actor":"ClearFake","chain_id":"redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","confidence":"confirmed","description":"IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.","digest":[{"role":"entry","techniques":["IIM-T004"],"type":"domain","value":"<compromised website with injected JS>"},{"role":"redirector","techniques":["IIM-T015"],"type":"file","value":"injected JavaScript serving fake-CAPTCHA / ClickFix lure"},{"role":"staging","techniques":[],"type":"url","value":"<remote payload-retrieval host>"},{"role":"payload","techniques":[],"type":"file","value":"ACR Stealer (MaaS infostealer)"},{"role":"c2","techniques":[],"type":"domain","value":"<ACR Stealer C2 endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","matches":["{\"chain.chain_id\": \"redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer\", \"chain.title\": \"ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer\", \"entity.value\": \"ACR Stealer (MaaS infostealer)\"}"],"published_at":"2026-05-30 21:31:45.548786","raw_url":"https://feed.iim.malwarebox.eu/api/chains/redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer/raw","relation_count":4,"roles":["entry","redirector","staging","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T004","IIM-T015"],"title":"ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer"},{"actor":"unknown","chain_id":"microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa","confidence":"confirmed","description":"IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.","digest":[{"role":"entry","techniques":[],"type":"file","value":"phishing HTML attachment"},{"role":"redirector","techniques":["IIM-T017"],"type":"url","value":"<initial visitor-screening phishing page>"},{"role":"redirector","techniques":[],"type":"url","value":"<CAPTCHA-gated routing page>"},{"role":"payload","techniques":[],"type":"domain","value":"<Tycoon 2FA AiTM credential endpoint>"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa","matches":["{\"chain.chain_id\": \"microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa\", \"chain.title\": \"HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends\", \"entity.value\": \"<Tycoon 2FA\u2026"],"published_at":"2026-05-30 21:27:18.638379","raw_url":"https://feed.iim.malwarebox.eu/api/chains/microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa/raw","relation_count":3,"roles":["entry","redirector","redirector","payload"],"score":1,"source_links":[],"techniques":["IIM-T017"],"title":"HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends"},{"actor":"unknown","chain_id":"securonix.2026.venomous-helper-ssa-rmm-double-compromised-host","confidence":"confirmed","description":"IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.","digest":[{"role":"entry","techniques":[],"type":"url","value":"<SSA-themed phishing email link>"},{"role":"redirector","techniques":["IIM-T004"],"type":"domain","value":"gruta.com[.]mx"},{"role":"staging","techniques":["IIM-T004"],"type":"domain","value":"server.cubatiendaalimentos.com[.]mx"},{"role":"payload","techniques":[],"type":"file","value":"SSA_Statement.exe (JWrapper-packaged Windows executable)"},{"role":"c2","techniques":[],"type":"domain","value":"<SimpleHelp/ScreenConnect RMM relay endpoint>"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/securonix.2026.venomous-helper-ssa-rmm-double-compromised-host","matches":["{\"chain.chain_id\": \"securonix.2026.venomous-helper-ssa-rmm-double-compromised-host\", \"chain.title\": \"SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access\", \"entity.value\": \"SSA_Statement.exe\u2026"],"published_at":"2026-05-30 21:24:57.926412","raw_url":"https://feed.iim.malwarebox.eu/api/chains/securonix.2026.venomous-helper-ssa-rmm-double-compromised-host/raw","relation_count":4,"roles":["entry","redirector","staging","payload","c2"],"score":1,"source_links":[],"techniques":["IIM-T004"],"title":"SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access"},{"actor":"unknown","chain_id":"godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor","confidence":"confirmed","description":"IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.","digest":[{"role":"entry","techniques":["IIM-T004"],"type":"file","value":"compromised WordPress plugin/theme PHP file containing Steam resolver malware"},{"role":"redirector","techniques":["IIM-T006","IIM-T013","IIM-T018"],"type":"url","value":"hxxps://steamcommunity[.]com/profiles/76561199096946028/"},{"role":"redirector","techniques":["IIM-T006","IIM-T013","IIM-T018"],"type":"url","value":"hxxps://steamcommunity[.]com/id/ravypadliha"},{"role":"redirector","techniques":["IIM-T006","IIM-T013","IIM-T018"],"type":"url","value":"hxxps://steamcommunity[.]com/id/enomisvool123/"},{"role":"redirector","techniques":["IIM-T006","IIM-T013","IIM-T018"],"type":"url","value":"hxxps://steamcommunity[.]com/id/eremohin342"},{"role":"staging","techniques":["IIM-T013"],"type":"file","value":"commentthread_comment_text invisible-Unicode encoded payload blob"},{"role":"staging","techniques":[],"type":"file","value":"optional AES-256-CTR / PBKDF2 / HMAC decoder layer"},{"role":"payload","techniques":[],"type":"url","value":"hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js"},{"role":"payload","techniques":[],"type":"file","value":"wp_enqueue_script frontend JavaScript injection via asahi-jquery-min-bundle"},{"role":"payload","techniques":[],"type":"file","value":"mpzZYIbGOb template_redirect cookie-authenticated PHP backdoor handler"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor","matches":["{\"chain.chain_id\": \"godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor\", \"chain.title\": \"Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control\",\u2026","{\"chain.chain_id\": \"godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor\", \"chain.title\": \"Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control\",\u2026","{\"chain.chain_id\": \"godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor\", \"chain.title\": \"Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control\",\u2026"],"published_at":"2026-05-30 11:26:11.980022","raw_url":"https://feed.iim.malwarebox.eu/api/chains/godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor/raw","relation_count":17,"roles":["entry","redirector","redirector","redirector","redirector","staging","staging","payload","payload","payload","c2","c2","staging"],"score":3,"source_links":[{"label":"Source 1","url":"https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"}],"techniques":["IIM-T004","IIM-T006","IIM-T013","IIM-T018"],"title":"Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control"},{"actor":"BlueNoroff","chain_id":"levelblue.2026.sapphire-sleet-macos-fake-zoom-update","confidence":"confirmed","description":"IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Zoom SDK Update.scpt"},{"role":"payload","techniques":[],"type":"file","value":"com.apple.cli profiling component"},{"role":"payload","techniques":[],"type":"file","value":"systemupdate.app / Mac Password Popup credential harvester"},{"role":"staging","techniques":[],"type":"file","value":"/Library/LaunchDaemons/com.google.webkit.service.plist"},{"role":"payload","techniques":[],"type":"file","value":"icloudz reflective backdoor component"},{"role":"payload","techniques":[],"type":"file","value":"com.google.chromes.updaters in-memory beacon agent"},{"role":"staging","techniques":[],"type":"file","value":"/tmp staged zip archives containing collected corporate and crypto assets"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"check02id.com"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"uw04webzoom.us"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"uw05webzoom.us"}],"entity_count":21,"feed_url":"https://feed.iim.malwarebox.eu/chain/levelblue.2026.sapphire-sleet-macos-fake-zoom-update","matches":["{\"chain.chain_id\": \"levelblue.2026.sapphire-sleet-macos-fake-zoom-update\", \"chain.title\": \"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure\", \"entity.value\": \"com.apple.cli profiling component\"}","{\"chain.chain_id\": \"levelblue.2026.sapphire-sleet-macos-fake-zoom-update\", \"chain.title\": \"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure\", \"entity.value\": \"systemupdate.app / Mac Password Popup credential ha\u2026","{\"chain.chain_id\": \"levelblue.2026.sapphire-sleet-macos-fake-zoom-update\", \"chain.title\": \"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure\", \"entity.value\": \"icloudz reflective backdoor component\"}","{\"chain.chain_id\": \"levelblue.2026.sapphire-sleet-macos-fake-zoom-update\", \"chain.title\": \"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure\", \"entity.value\": \"com.google.chromes.updaters in-memory beacon agent\"}"],"published_at":"2026-05-30 11:17:36.619344","raw_url":"https://feed.iim.malwarebox.eu/api/chains/levelblue.2026.sapphire-sleet-macos-fake-zoom-update/raw","relation_count":21,"roles":["entry","payload","payload","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2"],"score":4,"source_links":[{"label":"Source 1","url":"https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign"}],"techniques":["IIM-T011"],"title":"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure"},{"actor":"unknown","chain_id":"k7.2026.rvtools-signed-msi-python-rat","confidence":"confirmed","description":"IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Signed fake RVTools MSI installer / d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi"},{"role":"staging","techniques":[],"type":"file","value":"Binary.MyScript.vbs embedded MSI custom action"},{"role":"staging","techniques":["IIM-T006"],"type":"url","value":"Dropbox URL hosting winp.zip archive (exact URL not published)"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"winp.zip portable Python RAT bundle in %AppData%"},{"role":"payload","techniques":[],"type":"file","value":"Portable WinPython support layer / Pythonw.exe execution environment"},{"role":"payload","techniques":[],"type":"file","value":"collector.py reconnaissance module / 9192D18A955A9D03E2C70B60AAC1784A"},{"role":"staging","techniques":[],"type":"file","value":"%TEMP%\\configA.json local reconnaissance staging file"},{"role":"payload","techniques":[],"type":"file","value":"Pmanager.py persistence and C2 manager / 71085940124AD3C035A181ACADC10362"},{"role":"c2","techniques":[],"type":"ip","value":"45.61.136.94"},{"role":"c2","techniques":[],"type":"ip","value":"64.95.12.238"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/k7.2026.rvtools-signed-msi-python-rat","matches":["{\"chain.chain_id\": \"k7.2026.rvtools-signed-msi-python-rat\", \"chain.title\": \"Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool\", \"entity.value\": \"Portable WinPython support layer / Pythonw.exe execution environment\"}","{\"chain.chain_id\": \"k7.2026.rvtools-signed-msi-python-rat\", \"chain.title\": \"Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool\", \"entity.value\": \"collector.py reconnaissance module / 9192D18A955A9D03E2C70B60AAC1784A\"}","{\"chain.chain_id\": \"k7.2026.rvtools-signed-msi-python-rat\", \"chain.title\": \"Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool\", \"entity.value\": \"Pmanager.py persistence and C2 manager / 71085940124AD3C035A181ACADC10362\"}"],"published_at":"2026-05-30 11:07:46.459997","raw_url":"https://feed.iim.malwarebox.eu/api/chains/k7.2026.rvtools-signed-msi-python-rat/raw","relation_count":15,"roles":["entry","staging","staging","staging","payload","payload","staging","payload","c2","c2","c2","c2","c2"],"score":3,"source_links":[{"label":"Source 1","url":"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"},{"label":"Source 2","url":"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png"},{"label":"Source 3","url":"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"}],"techniques":["IIM-T006","IIM-T024"],"title":"Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool"},{"actor":"unknown","chain_id":"seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2","confidence":"confirmed","description":"IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP attachment containing Taiwan/Czech lure artifacts"},{"role":"entry","techniques":[],"type":"file","value":"\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.pdf.lnk"},{"role":"entry","techniques":[],"type":"file","value":"_\u8a08\u756b\u7533\u8acb\u5be9\u67e5\u7d50\u679c\u901a\u77e5\u55ae.exe"},{"role":"staging","techniques":[],"type":"file","value":"data\\empty.vbs"},{"role":"staging","techniques":[],"type":"file","value":"data\\Profile.ps1"},{"role":"staging","techniques":[],"type":"file","value":"data\\1.dat encrypted RuntimeBroker_update.exe container"},{"role":"staging","techniques":[],"type":"file","value":"RuntimeBroker_update.exe sideload trigger executable"},{"role":"staging","techniques":[],"type":"file","value":"BrowserViewUtility.exe legitimate sideload host"},{"role":"payload","techniques":[],"type":"file","value":"UnityPlayer.dll / RUSTCLOAK Rust loader"},{"role":"staging","techniques":[],"type":"file","value":"Com.dat encrypted AZUREVEIL payload container"}],"entity_count":14,"feed_url":"https://feed.iim.malwarebox.eu/chain/seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2","matches":["{\"chain.chain_id\": \"seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2\", \"chain.title\": \"Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2\", \"entity.value\": \"UnityPlayer.dll / RUSTCLOAK Rust loader\"}","{\"chain.chain_id\": \"seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2\", \"chain.title\": \"Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2\", \"entity.value\": \"AZUREVEIL Adaptix C2 agent\"}"],"published_at":"2026-05-29 20:05:53.878328","raw_url":"https://feed.iim.malwarebox.eu/api/chains/seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2/raw","relation_count":20,"roles":["entry","entry","entry","staging","staging","staging","staging","staging","payload","staging","payload","c2","c2","staging"],"score":2,"source_links":[{"label":"Source 1","url":"https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"}],"techniques":["IIM-T002","IIM-T006","IIM-T013","IIM-T018","IIM-T024"],"title":"Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2"},{"actor":"SideCopy","chain_id":"seqrite.2026.operation-xenofiscal-sidecopy-xenorat","confidence":"confirmed","description":"IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel"},{"role":"entry","techniques":[],"type":"file","value":"\u062f_\u0647\u063a\u0648_\u06a9\u0627\u0631\u06a9\u0648\u0648\u0646\u06a9\u0648_\u0644\u06d0\u0633\u062a_\u0686\u06d0_\u062f_\u0641\u06a9\u0631\u064a_\u0627\u0648_\u0631\u0648\u0627\u0646\u064a_\u062c\u06ab\u0693\u06d0_\u0633\u06cc\u0645\u06cc\u0646\u0627\u0631_\u062a\u0647_\u0648\u0631\u067e\u06d0\u0698\u0646\u062f\u0644_\u0634\u0648\u064a_\u0648\u064812.pdf.lnk"},{"role":"staging","techniques":[],"type":"file","value":"mshta.exe LOLBIN execution of remote HTA/PHP"},{"role":"staging","techniques":["IIM-T004"],"type":"domain","value":"abimj.edu.af"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/index.php"},{"role":"staging","techniques":[],"type":"file","value":"ugayt.hta initial HTA/JavaScript payload"},{"role":"staging","techniques":[],"type":"file","value":"WayBroad.dll Stage-1 .NET loader DLL"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiyaf/document.pdf"},{"role":"staging","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiya/"},{"role":"staging","techniques":[],"type":"file","value":"zuidrt.hta persistent next-stage HTA payload"}],"entity_count":19,"feed_url":"https://feed.iim.malwarebox.eu/chain/seqrite.2026.operation-xenofiscal-sidecopy-xenorat","matches":["{\"chain.chain_id\": \"seqrite.2026.operation-xenofiscal-sidecopy-xenorat\", \"chain.title\": \"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2\", \"entity.value\": \"ayhui.vmxx reconstructed shellcode container\"}","{\"chain.chain_id\": \"seqrite.2026.operation-xenofiscal-sidecopy-xenorat\", \"chain.title\": \"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2\", \"entity.value\": \"Aotestpass.dll Stage-2 loader DLL and shellcode bridge\"}","{\"chain.chain_id\": \"seqrite.2026.operation-xenofiscal-sidecopy-xenorat\", \"chain.title\": \"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2\", \"entity.value\": \"XenoRAT 1.8.7 final payload\"}"],"published_at":"2026-05-29 20:01:27.851436","raw_url":"https://feed.iim.malwarebox.eu/api/chains/seqrite.2026.operation-xenofiscal-sidecopy-xenorat/raw","relation_count":18,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","staging","staging"],"score":3,"source_links":[{"label":"Source 1","url":"https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/"}],"techniques":["IIM-T003","IIM-T004","IIM-T021","IIM-T024"],"title":"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2"},{"actor":"unknown","chain_id":"malwarebytes.2026.fake-chatgpt-dual-platform-stealers","confidence":"confirmed","description":"IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.","digest":[{"role":"entry","techniques":[],"type":"url","value":"search ads / SEO / YouTube / Discord / Telegram traffic for AI desktop-app downloads"},{"role":"entry","techniques":[],"type":"domain","value":"openew.app"},{"role":"payload","techniques":[],"type":"file","value":"Chat_GPT.exe"},{"role":"payload","techniques":[],"type":"hash","value":"c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d"},{"role":"payload","techniques":[],"type":"file","value":"EApp.exe launched from %APPDATA%\\LeronApplication"},{"role":"c2","techniques":[],"type":"url","value":"http://188.137.246.189/laravel.php?api=api&hash=<redacted>&message=<redacted>"},{"role":"c2","techniques":[],"type":"ip","value":"188.137.246.189"},{"role":"payload","techniques":["IIM-T024"],"type":"file","value":"ChatGpt.dmg"},{"role":"payload","techniques":[],"type":"hash","value":"c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b"},{"role":"payload","techniques":[],"type":"file","value":"Odyssey Stealer / AMOS fork macOS payload"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/malwarebytes.2026.fake-chatgpt-dual-platform-stealers","matches":["{\"chain.chain_id\": \"malwarebytes.2026.fake-chatgpt-dual-platform-stealers\", \"chain.title\": \"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer\", \"entity.value\": \"Chat_GPT.exe\"}","{\"chain.chain_id\": \"malwarebytes.2026.fake-chatgpt-dual-platform-stealers\", \"chain.title\": \"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer\", \"entity.value\": \"c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd63\u2026","{\"chain.chain_id\": \"malwarebytes.2026.fake-chatgpt-dual-platform-stealers\", \"chain.title\": \"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer\", \"entity.value\": \"EApp.exe launched from %APPDATA%\\\\LeronApplicatio\u2026","{\"chain.chain_id\": \"malwarebytes.2026.fake-chatgpt-dual-platform-stealers\", \"chain.title\": \"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer\", \"entity.value\": \"ChatGpt.dmg\"}","{\"chain.chain_id\": \"malwarebytes.2026.fake-chatgpt-dual-platform-stealers\", \"chain.title\": \"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer\", \"entity.value\": \"c0919e1999eaee67e67aeda0287722775afb04e9a9a0f7279\u2026","{\"chain.chain_id\": \"malwarebytes.2026.fake-chatgpt-dual-platform-stealers\", \"chain.title\": \"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer\", \"entity.value\": \"Odyssey Stealer / AMOS fork macOS payload\"}"],"published_at":"2026-05-28 19:45:38.928990","raw_url":"https://feed.iim.malwarebox.eu/api/chains/malwarebytes.2026.fake-chatgpt-dual-platform-stealers/raw","relation_count":14,"roles":["entry","entry","payload","payload","payload","c2","c2","payload","payload","payload","staging","c2","c2"],"score":6,"source_links":[],"techniques":["IIM-T024"],"title":"Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer"},{"actor":"unknown","chain_id":"securelist.2026.pirated-content-silentcryptominer-rat","confidence":"confirmed","description":"IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.","digest":[{"role":"entry","techniques":[],"type":"domain","value":"pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)"},{"role":"entry","techniques":[],"type":"url","value":"fake video player plugin update prompt on pirated content site (exact URL not published)"},{"role":"staging","techniques":["IIM-T010"],"type":"domain","value":"urush1bar4.online"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing HLS Installer.874.exe and malicious DLL"},{"role":"staging","techniques":[],"type":"file","value":"HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"file","value":"malicious DLL side-loaded by HLS Installer.874.exe"},{"role":"payload","techniques":[],"type":"hash","value":"6A0FE6065D76715FEEBC1526D456DB73"},{"role":"payload","techniques":[],"type":"hash","value":"7F624407AE489324E96A708A09C17E6F"},{"role":"payload","techniques":[],"type":"hash","value":"02A43B3423367B9DDDC24CC7DFC070DF"},{"role":"payload","techniques":[],"type":"file","value":"decrypted main module / modified SilentCryptoMiner fork"}],"entity_count":26,"feed_url":"https://feed.iim.malwarebox.eu/chain/securelist.2026.pirated-content-silentcryptominer-rat","matches":["{\"chain.chain_id\": \"securelist.2026.pirated-content-silentcryptominer-rat\", \"chain.title\": \"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure\", \"entity.value\": \"malicious DLL side-loaded by HLS Installer.874.\u2026","{\"chain.chain_id\": \"securelist.2026.pirated-content-silentcryptominer-rat\", \"chain.title\": \"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure\", \"entity.value\": \"6A0FE6065D76715FEEBC1526D456DB73\"}","{\"chain.chain_id\": \"securelist.2026.pirated-content-silentcryptominer-rat\", \"chain.title\": \"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure\", \"entity.value\": \"7F624407AE489324E96A708A09C17E6F\"}","{\"chain.chain_id\": \"securelist.2026.pirated-content-silentcryptominer-rat\", \"chain.title\": \"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure\", \"entity.value\": \"02A43B3423367B9DDDC24CC7DFC070DF\"}","{\"chain.chain_id\": \"securelist.2026.pirated-content-silentcryptominer-rat\", \"chain.title\": \"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure\", \"entity.value\": \"decrypted main module / modified SilentCryptoMi\u2026","{\"chain.chain_id\": \"securelist.2026.pirated-content-silentcryptominer-rat\", \"chain.title\": \"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure\", \"entity.value\": \"RAT agent module injected into conhost.exe\"}"],"published_at":"2026-05-28 19:43:28.468986","raw_url":"https://feed.iim.malwarebox.eu/api/chains/securelist.2026.pirated-content-silentcryptominer-rat/raw","relation_count":33,"roles":["entry","entry","staging","staging","staging","payload","payload","payload","payload","payload","payload","payload","payload","payload","c2","c2","c2","c2","c2","redirector","redirector","redirector","redirector","c2","c2","c2"],"score":6,"source_links":[],"techniques":["IIM-T009","IIM-T010","IIM-T011","IIM-T024"],"title":"Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure"},{"actor":"UAC-0226","chain_id":"ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28","confidence":"confirmed","description":"Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\ProgramData\\cv4. cv4 reads C:\\ProgramData\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"Ukraine-themed CVE-2025-8088 archive attachment / container not submitted"},{"role":"staging","techniques":[],"type":"file","value":"1070_26782818.pdf"},{"role":"staging","techniques":[],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U061m7RlE5py.lnk"},{"role":"staging","techniques":[],"type":"file","value":"C:\\ProgramData\\cv4"},{"role":"payload","techniques":[],"type":"file","value":"C:\\ProgramData\\Zhg"},{"role":"payload","techniques":[],"type":"file","value":"Zhg decoded flat x64 payload image"},{"role":"c2","techniques":[],"type":"url","value":"https://151.158.1.229:11861/AHH_bY/"},{"role":"c2","techniques":[],"type":"url","value":"https://151.158.1.229:11861/pQWhYy/"},{"role":"c2","techniques":[],"type":"ip","value":"151.158.1.229"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28","matches":["{\"chain.chain_id\": \"ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28\", \"chain.title\": \"Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2\", \"entity.value\": \"C:\\\\ProgramDat\u2026","{\"chain.chain_id\": \"ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28\", \"chain.title\": \"Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2\", \"entity.value\": \"Zhg decoded fl\u2026"],"published_at":"2026-05-28 17:37:25.767455","raw_url":"https://feed.iim.malwarebox.eu/api/chains/ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28/raw","relation_count":11,"roles":["entry","staging","staging","staging","payload","payload","c2","c2","c2"],"score":2,"source_links":[],"techniques":["IIM-T024"],"title":"Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2"},{"actor":"BlackToad","chain_id":"jumpsec.2026.blacktoad-autoit-remcos-network-blackout","confidence":"confirmed","description":"IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.","digest":[{"role":"entry","techniques":[],"type":"email","value":"Thai-language image-based financial payment-slip phishing email"},{"role":"staging","techniques":["IIM-T006"],"type":"url","value":"MediaFire-hosted malware download link (exact URL not published)"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"SLIP0202E0309029.pdf.scr"},{"role":"staging","techniques":[],"type":"file","value":"flvs.vbe"},{"role":"staging","techniques":[],"type":"file","value":"xbkjm.xls (renamed AutoIt3.exe interpreter)"},{"role":"staging","techniques":[],"type":"file","value":"wnkfmvql.das"},{"role":"staging","techniques":[],"type":"file","value":"oquhestmf.mp3"},{"role":"staging","techniques":[],"type":"file","value":"diniuvw.ikp"},{"role":"payload","techniques":[],"type":"file","value":"payload.bin / decoded Remcos Pro implant"},{"role":"c2","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"pmitm.ddns.net"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/jumpsec.2026.blacktoad-autoit-remcos-network-blackout","matches":["{\"chain.chain_id\": \"jumpsec.2026.blacktoad-autoit-remcos-network-blackout\", \"chain.title\": \"BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain\", \"entity.value\": \"payload.bin / decoded Remcos Pro implant\"}"],"published_at":"2026-05-28 16:12:38.401983","raw_url":"https://feed.iim.malwarebox.eu/api/chains/jumpsec.2026.blacktoad-autoit-remcos-network-blackout/raw","relation_count":25,"roles":["entry","staging","staging","staging","staging","staging","staging","staging","payload","c2","c2","c2","c2","c2","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T003","IIM-T006","IIM-T008","IIM-T011","IIM-T024"],"title":"BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-audiofix-fake-driver-macos","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.","digest":[{"role":"entry","techniques":["IIM-T010"],"type":"url","value":"LinkedIn recruiter / business-partner outreach leading to fake meeting lure"},{"role":"entry","techniques":["IIM-T010","IIM-T020"],"type":"url","value":"https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac"},{"role":"staging","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/arm/driver/coreaudiod"},{"role":"payload","techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/intel/driver/coreaudiod"},{"role":"payload","techniques":[],"type":"hash","value":"65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6"},{"role":"payload","techniques":[],"type":"hash","value":"0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"datahub.ink"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"cloud-sync.online"}],"entity_count":16,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-audiofix-fake-driver-macos","matches":["{\"chain.chain_id\": \"wiz.2026.jinx-0164-audiofix-fake-driver-macos\", \"chain.title\": \"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain\", \"entity.value\": \"https://apple.driver-store.com/mac/arm/driver/coreaudiod\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-audiofix-fake-driver-macos\", \"chain.title\": \"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain\", \"entity.value\": \"https://apple.driver-store.com/mac/intel/driver/coreaudiod\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-audiofix-fake-driver-macos\", \"chain.title\": \"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain\", \"entity.value\": \"65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-audiofix-fake-driver-macos\", \"chain.title\": \"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain\", \"entity.value\": \"0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-audiofix-fake-driver-macos\", \"chain.title\": \"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain\", \"entity.value\": \"89.36.224.5\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-audiofix-fake-driver-macos\", \"chain.title\": \"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain\", \"entity.value\": \"84.32.83.250\"}"],"published_at":"2026-05-28 13:44:27.490408","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-audiofix-fake-driver-macos/raw","relation_count":16,"roles":["entry","entry","staging","payload","payload","payload","payload","staging","c2","c2","c2","c2","c2","staging","payload","payload"],"score":6,"source_links":[],"techniques":["IIM-T010","IIM-T011","IIM-T020"],"title":"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain"},{"actor":"JINX-0164","chain_id":"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","confidence":"confirmed","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1"},{"role":"entry","techniques":[],"type":"file","value":"@velora-dex/sdk dist/index.js malicious appended exec block"},{"role":"staging","techniques":["IIM-T002"],"type":"url","value":"http://89.36.224.5/troubleshoot/mac/install.sh"},{"role":"staging","techniques":["IIM-T002"],"type":"ip","value":"89.36.224.5"},{"role":"staging","techniques":[],"type":"hash","value":"c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e"},{"role":"staging","techniques":[],"type":"hash","value":"2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460"},{"role":"payload","techniques":[],"type":"hash","value":"0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270"},{"role":"payload","techniques":[],"type":"hash","value":"0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d"},{"role":"payload","techniques":[],"type":"hash","value":"a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b"},{"role":"staging","techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.apple.Terminal.profiler.plist"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","matches":["{\"chain.chain_id\": \"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain\", \"chain.title\": \"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain\", \"entity.value\": \"0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain\", \"chain.title\": \"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain\", \"entity.value\": \"0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d\"}","{\"chain.chain_id\": \"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain\", \"chain.title\": \"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain\", \"entity.value\": \"a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b\"}"],"published_at":"2026-05-28 13:43:20.060851","raw_url":"https://feed.iim.malwarebox.eu/api/chains/wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain/raw","relation_count":17,"roles":["entry","entry","staging","staging","staging","staging","payload","payload","payload","staging","c2","c2","c2","c2","c2"],"score":3,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T011"],"title":"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain"},{"actor":"unknown","chain_id":"ox.2026.malware-slop-npm-github-exfil","confidence":"confirmed","description":"IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"https://www.npmjs.com/package/mouse5212-super-formatter"},{"role":"payload","techniques":[],"type":"file","value":"npm postinstall script disguised as archive deployment sync utility"},{"role":"staging","techniques":[],"type":"file","value":"/mnt/user-data"},{"role":"redirector","techniques":["IIM-T006"],"type":"domain","value":"github.com"},{"role":"c2","techniques":["IIM-T018","IIM-T006"],"type":"url","value":"https://api.github.com/repos/<actor-controlled-account>/<target-repository>/contents/<random-per-run-folder>/"},{"role":"c2","techniques":["IIM-T018","IIM-T006"],"type":"file","value":"random per-run folder containing base64-encoded uploaded files"},{"role":"staging","techniques":[],"type":"file","value":"hardcoded fallback GitHub token / victim environment GitHub token"},{"role":"staging","techniques":[],"type":"file","value":"fake network connections diagnostics log"}],"entity_count":8,"feed_url":"https://feed.iim.malwarebox.eu/chain/ox.2026.malware-slop-npm-github-exfil","matches":["{\"chain.chain_id\": \"ox.2026.malware-slop-npm-github-exfil\", \"chain.title\": \"Malware-Slop npm package to GitHub Contents API exfiltration chain\", \"entity.value\": \"npm postinstall script disguised as archive deployment sync utility\"}"],"published_at":"2026-05-28 13:32:24.344204","raw_url":"https://feed.iim.malwarebox.eu/api/chains/ox.2026.malware-slop-npm-github-exfil/raw","relation_count":7,"roles":["entry","payload","staging","redirector","c2","c2","staging","staging"],"score":1,"source_links":[],"techniques":["IIM-T006","IIM-T018"],"title":"Malware-Slop npm package to GitHub Contents API exfiltration chain"},{"actor":"unknown","chain_id":"microsoft.2026.poisoned-search-screenconnect-gpu-miner","confidence":"confirmed","description":"IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.","digest":[{"role":"entry","techniques":["IIM-T011"],"type":"domain","value":"attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"direct-download.gleeze.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"start-download.gleeze.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"direct-downloads.giize.com"},{"role":"staging","techniques":["IIM-T008","IIM-T024"],"type":"domain","value":"free-download.giize.com"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive containing legitimate utility executable plus autorun.dll"},{"role":"payload","techniques":[],"type":"file","value":"autorun.dll variant set loaded by legitimate utility executable"},{"role":"payload","techniques":[],"type":"hash","value":"e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610"},{"role":"payload","techniques":[],"type":"file","value":"ScreenConnect.ClientService.exe service invocation"},{"role":"c2","techniques":[],"type":"domain","value":"directdownload.icu"}],"entity_count":20,"feed_url":"https://feed.iim.malwarebox.eu/chain/microsoft.2026.poisoned-search-screenconnect-gpu-miner","matches":["{\"chain.chain_id\": \"microsoft.2026.poisoned-search-screenconnect-gpu-miner\", \"chain.title\": \"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2\", \"entity.value\": \"autorun.dll variant set loaded by legitimate utility execu\u2026","{\"chain.chain_id\": \"microsoft.2026.poisoned-search-screenconnect-gpu-miner\", \"chain.title\": \"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2\", \"entity.value\": \"e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847\u2026","{\"chain.chain_id\": \"microsoft.2026.poisoned-search-screenconnect-gpu-miner\", \"chain.title\": \"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2\", \"entity.value\": \"ScreenConnect.ClientService.exe service invocation\"}","{\"chain.chain_id\": \"microsoft.2026.poisoned-search-screenconnect-gpu-miner\", \"chain.title\": \"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2\", \"entity.value\": \"SimpleRunPE.exe variant set transferred through ScreenConn\u2026","{\"chain.chain_id\": \"microsoft.2026.poisoned-search-screenconnect-gpu-miner\", \"chain.title\": \"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2\", \"entity.value\": \"%LocalAppData%\\\\Microsoft\\\\Windows\\\\Caches\\\\D3F4E2A1\\\\Runt\u2026","{\"chain.chain_id\": \"microsoft.2026.poisoned-search-screenconnect-gpu-miner\", \"chain.title\": \"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2\", \"entity.value\": \"Microsoft-signed .NET Framework hollowing target set\"}"],"published_at":"2026-05-27 17:02:04.379573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/microsoft.2026.poisoned-search-screenconnect-gpu-miner/raw","relation_count":23,"roles":["entry","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2","payload","payload","payload","c2","c2","c2","c2","c2","payload"],"score":6,"source_links":[{"label":"{'publisher': 'Microsoft Security Blog', 'title': 'From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities', 'url': 'https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/', 'published_at': '2026-05-26', 'authors': ['Microsoft Defender Experts', 'Microsoft Defender Security Research Team']}","url":"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"}],"techniques":["IIM-T008","IIM-T011","IIM-T012","IIM-T021","IIM-T024"],"title":"Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2"},{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["{\"chain.chain_id\": \"glassworm.2026.developer-supply-chain.multi-resolver-c2\", \"chain.title\": \"Glassworm developer supply-chain infection to redundant multi-resolver C2\", \"entity.value\": \"GlasswormRAT Node.js remote access tool\"}"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":["{\"chain.chain_id\": \"gamaredon.2025.zero-click-rar.pteranodon\", \"chain.title\": \"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure\", \"entity.value\": \"Pteranodon Stage-2 loader\"}"],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":1,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"},{"actor":"UAT-10027","chain_id":"uat-10027-dohdoor-education-healthcare-2026-02-26","confidence":"likely","description":"Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.","digest":[{"role":"entry","techniques":[],"type":"file","value":"suspected phishing-delivered PowerShell downloader"},{"role":"staging","techniques":[],"type":"url","value":"remote staging URL serving .bat or .cmd batch file"},{"role":"staging","techniques":[],"type":"file","value":"Windows batch script dropper orchestrating DLL sideloading"},{"role":"staging","techniques":[],"type":"url","value":"http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},{"role":"payload","techniques":[],"type":"file","value":"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"},{"role":"c2","techniques":[],"type":"url","value":"http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},{"role":"redirector","techniques":[],"type":"domain","value":"cloudflare-dns.com DoH resolver over HTTPS/443"},{"role":"c2","techniques":["IIM-T001","IIM-T011"],"type":"domain","value":"MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"},{"role":"payload","techniques":[],"type":"file","value":"potential Cobalt Strike Beacon next-stage payload"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10027-dohdoor-education-healthcare-2026-02-26","matches":["{\"chain.chain_id\": \"uat-10027-dohdoor-education-healthcare-2026-02-26\", \"chain.title\": \"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care\", \"entity.value\": \"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll\"}","{\"chain.chain_id\": \"uat-10027-dohdoor-education-healthcare-2026-02-26\", \"chain.title\": \"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care\", \"entity.value\": \"potential Cobalt Strike Beacon next-stage payload\"}"],"published_at":"2026-05-27 12:09:14.641573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10027-dohdoor-education-healthcare-2026-02-26/raw","relation_count":11,"roles":["entry","staging","staging","staging","payload","c2","redirector","c2","payload"],"score":2,"source_links":[],"techniques":["IIM-T001","IIM-T011"],"title":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care"},{"actor":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.","digest":[{"role":"entry","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"role":"redirector","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"role":"staging","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"role":"staging","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"role":"staging","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"role":"payload","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"role":"payload","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"}],"entity_count":12,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08","matches":["{\"chain.chain_id\": \"uat-10362-lucidrook-taiwan-2026-04-08\", \"chain.title\": \"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations\", \"entity.value\": \"LucidRook DLL stager written as DismCore.dll\"}","{\"chain.chain_id\": \"uat-10362-lucidrook-taiwan-2026-04-08\", \"chain.title\": \"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations\", \"entity.value\": \"archive1.zip staged Lua bytecode payload from FTP C2\"}"],"published_at":"2026-05-27 12:07:54.333154","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"roles":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"score":2,"source_links":[],"techniques":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations"}],"stats":{"actors":19,"chains":39,"entities":406,"latest":"2026-05-31 19:22:26.947823","relations":[["connect",96],["drops",89],["references",73],["download",61],["execute",52],["communicates-with",30],["resolves-to",30],["redirect",8]],"roles":[["staging",116],["c2",110],["payload",95],["entry",51],["redirector",34]],"techniques":[["IIM-T024",18],["IIM-T006",15],["IIM-T011",14],["IIM-T002",9],["IIM-T010",7],["IIM-T018",6],["IIM-T019",6],["IIM-T004",5],["IIM-T013",5],["IIM-T021",5]]},"total_matches":38,"total_rows":95}
