{"error":null,"mode":"iimql","query":"MATCH position WHERE role = \"payload\" RETURN chain.chain_id, chain.title, entity.value","results":[{"actor":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"role":"entry","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"role":"entry","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"role":"staging","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"role":"payload","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"role":"redirector","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2","matches":["{\"chain.chain_id\": \"glassworm.2026.developer-supply-chain.multi-resolver-c2\", \"chain.title\": \"Glassworm developer supply-chain infection to redundant multi-resolver C2\", \"entity.value\": \"GlasswormRAT Node.js remote access tool\"}"],"published_at":"2026-05-27 13:04:07.027015","raw_url":"https://feed.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"roles":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2"},{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":["{\"chain.chain_id\": \"gamaredon.2025.zero-click-rar.pteranodon\", \"chain.title\": \"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure\", \"entity.value\": \"Pteranodon Stage-2 loader\"}"],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":1,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"},{"actor":"UAT-10027","chain_id":"uat-10027-dohdoor-education-healthcare-2026-02-26","confidence":"likely","description":"Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.","digest":[{"role":"entry","techniques":[],"type":"file","value":"suspected phishing-delivered PowerShell downloader"},{"role":"staging","techniques":[],"type":"url","value":"remote staging URL serving .bat or .cmd batch file"},{"role":"staging","techniques":[],"type":"file","value":"Windows batch script dropper orchestrating DLL sideloading"},{"role":"staging","techniques":[],"type":"url","value":"http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},{"role":"payload","techniques":[],"type":"file","value":"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"},{"role":"c2","techniques":[],"type":"url","value":"http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},{"role":"redirector","techniques":[],"type":"domain","value":"cloudflare-dns.com DoH resolver over HTTPS/443"},{"role":"c2","techniques":["IIM-T001","IIM-T011"],"type":"domain","value":"MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"},{"role":"payload","techniques":[],"type":"file","value":"potential Cobalt Strike Beacon next-stage payload"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10027-dohdoor-education-healthcare-2026-02-26","matches":["{\"chain.chain_id\": \"uat-10027-dohdoor-education-healthcare-2026-02-26\", \"chain.title\": \"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care\", \"entity.value\": \"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll\"}","{\"chain.chain_id\": \"uat-10027-dohdoor-education-healthcare-2026-02-26\", \"chain.title\": \"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care\", \"entity.value\": \"potential Cobalt Strike Beacon next-stage payload\"}"],"published_at":"2026-05-27 12:09:14.641573","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10027-dohdoor-education-healthcare-2026-02-26/raw","relation_count":11,"roles":["entry","staging","staging","staging","payload","c2","redirector","c2","payload"],"score":2,"source_links":[],"techniques":["IIM-T001","IIM-T011"],"title":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care"},{"actor":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.","digest":[{"role":"entry","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"role":"redirector","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"role":"staging","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"role":"staging","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"role":"staging","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"role":"payload","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"role":"c2","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"role":"payload","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"}],"entity_count":12,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08","matches":["{\"chain.chain_id\": \"uat-10362-lucidrook-taiwan-2026-04-08\", \"chain.title\": \"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations\", \"entity.value\": \"LucidRook DLL stager written as DismCore.dll\"}","{\"chain.chain_id\": \"uat-10362-lucidrook-taiwan-2026-04-08\", \"chain.title\": \"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations\", \"entity.value\": \"archive1.zip staged Lua bytecode payload from FTP C2\"}"],"published_at":"2026-05-27 12:07:54.333154","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"roles":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"score":2,"source_links":[],"techniques":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations"},{"actor":"unknown","chain_id":"powmix-czech-workforce-2026-04-16","confidence":"likely","description":"Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive with compliance-themed lure"},{"role":"staging","techniques":[],"type":"file","value":"Windows shortcut file inside ZIP"},{"role":"staging","techniques":[],"type":"file","value":"embedded PowerShell loader script"},{"role":"staging","techniques":[],"type":"file","value":"hidden encoded PowMix payload blob inside ZIP"},{"role":"payload","techniques":[],"type":"file","value":"PowMix PowerShell botnet payload"},{"role":"c2","techniques":["IIM-T002"],"type":"domain","value":"herokuapp.com based C2 endpoint"},{"role":"c2","techniques":[],"type":"url","value":"REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix"},{"role":"c2","techniques":["IIM-T011"],"type":"domain","value":"operator-supplied replacement C2 domain from #HOST command"}],"entity_count":8,"feed_url":"https://feed.iim.malwarebox.eu/chain/powmix-czech-workforce-2026-04-16","matches":["{\"chain.chain_id\": \"powmix-czech-workforce-2026-04-16\", \"chain.title\": \"PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce\", \"entity.value\": \"PowMix PowerShell botnet payload\"}"],"published_at":"2026-05-27 12:05:45.587349","raw_url":"https://feed.iim.malwarebox.eu/api/chains/powmix-czech-workforce-2026-04-16/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","c2","c2"],"score":1,"source_links":[],"techniques":["IIM-T002","IIM-T011","IIM-T024"],"title":"PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce"},{"actor":"Silver Fox","chain_id":"silver-fox-abcdoor-2026-04-30","confidence":"likely","description":"Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.","digest":[{"role":"entry","techniques":[],"type":"file","value":"tax-themed phishing email attachment or lure PDF"},{"role":"redirector","techniques":[],"type":"url","value":"attacker-controlled external download website"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"tax-related malicious archive"},{"role":"staging","techniques":["IIM-T019"],"type":"file","value":"Silver Fox RustSL loader executable mimicking a document"},{"role":"staging","techniques":[],"type":"file","value":"encrypted RustSL payload file disguised with benign extension"},{"role":"payload","techniques":[],"type":"file","value":"ValleyRAT Login module / Winos 4.0 payload"},{"role":"c2","techniques":[],"type":"ip","value":"207.56.138.28"},{"role":"payload","techniques":["IIM-T019"],"type":"file","value":"custom ValleyRAT module \u4fdd86.dll / \u4fdd86.dll_bin"},{"role":"staging","techniques":[],"type":"url","value":"http://154.82.81.205/YD20251001143052.zip"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ABCDoor appclient Python archive"}],"entity_count":11,"feed_url":"https://feed.iim.malwarebox.eu/chain/silver-fox-abcdoor-2026-04-30","matches":["{\"chain.chain_id\": \"silver-fox-abcdoor-2026-04-30\", \"chain.title\": \"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain\", \"entity.value\": \"ValleyRAT Login module / Winos 4.0 payload\"}","{\"chain.chain_id\": \"silver-fox-abcdoor-2026-04-30\", \"chain.title\": \"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain\", \"entity.value\": \"custom ValleyRAT module \u4fdd86.dll / \u4fdd86.dll_bin\"}","{\"chain.chain_id\": \"silver-fox-abcdoor-2026-04-30\", \"chain.title\": \"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain\", \"entity.value\": \"ABCDoor Python backdoor\"}"],"published_at":"2026-05-27 12:03:50.394701","raw_url":"https://feed.iim.malwarebox.eu/api/chains/silver-fox-abcdoor-2026-04-30/raw","relation_count":11,"roles":["entry","redirector","staging","staging","staging","payload","c2","payload","staging","staging","payload"],"score":3,"source_links":[],"techniques":["IIM-T019","IIM-T024"],"title":"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain"},{"actor":"Webworm","chain_id":"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","confidence":"confirmed","description":"ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.","digest":[{"role":"payload","techniques":[],"type":"file","value":"GraphWorm payload"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed storage"},{"role":"payload","techniques":[],"type":"file","value":"WormFrp reverse proxy / exfiltration component"},{"role":"staging","techniques":["IIM-T002","IIM-T006"],"type":"domain","value":"wamanharipethe.s3.ap-south-1.amazonaws[.]com"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","matches":["{\"chain.chain_id\": \"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane\", \"chain.title\": \"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane\", \"entity.value\": \"GraphWorm payload\"}","{\"chain.chain_id\": \"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane\", \"chain.title\": \"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane\", \"entity.value\": \"WormFrp reverse proxy / exfiltration component\"}"],"published_at":"2026-05-26 14:05:46.910472","raw_url":"https://feed.iim.malwarebox.eu/api/chains/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane/raw","relation_count":4,"roles":["payload","c2","c2","payload","staging"],"score":2,"source_links":[{"label":"ESET WeLiveSecurity Webworm report","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"}],"techniques":["IIM-T002","IIM-T006","IIM-T018"],"title":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane"},{"actor":"Webworm","chain_id":"iim.chain.apt.2026.05.009","confidence":"confirmed","description":"ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.","digest":[{"role":"staging","techniques":["IIM-T006"],"type":"domain","value":"github[.]com/anjsdgasdf/WordPress"},{"role":"payload","techniques":[],"type":"file","value":"EchoCreep DLL"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"discord[.]com / Discord API"},{"role":"redirector","techniques":["IIM-T002","IIM-T026"],"type":"ip","value":"64[.]176[.]85[.]158"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.009","matches":["{\"chain.chain_id\": \"iim.chain.apt.2026.05.009\", \"chain.title\": \"Webworm GitHub staging to EchoCreep Discord C2\", \"entity.value\": \"EchoCreep DLL\"}"],"published_at":"2026-05-26 14:05:20.204940","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.009/raw","relation_count":3,"roles":["staging","payload","c2","redirector"],"score":1,"source_links":[{"label":"ESET WeLiveSecurity Webworm report","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/"}],"techniques":["IIM-T002","IIM-T006","IIM-T018","IIM-T026"],"title":"Webworm GitHub staging to EchoCreep Discord C2"},{"actor":"UAT-8302","chain_id":"uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100","confidence":"confirmed","description":"Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs.","digest":[{"role":"staging","techniques":["IIM-T002"],"type":"url","value":"hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe"},{"role":"payload","techniques":[],"type":"file","value":"wagent.exe / Stowaway proxy component"},{"role":"redirector","techniques":["IIM-T014","IIM-T002"],"type":"ip","value":"85[.]209[.]156[.]3:56456"},{"role":"redirector","techniques":["IIM-T014","IIM-T002"],"type":"ip","value":"45[.]135[.]135[.]100:443"},{"role":"staging","techniques":["IIM-T002"],"type":"ip","value":"38[.]54[.]32[.]244"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100","matches":["{\"chain.chain_id\": \"uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100\", \"chain.title\": \"UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100\", \"entity.value\": \"wagent.exe / Stowaway proxy component\"}"],"published_at":"2026-05-26 14:02:22.556735","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100/raw","relation_count":4,"roles":["staging","payload","redirector","redirector","staging"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T002","IIM-T014"],"title":"UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100"},{"actor":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"role":"staging","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"role":"payload","techniques":[],"type":"file","value":"VSHELL payload"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","matches":["{\"chain.chain_id\": \"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev\", \"chain.title\": \"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev\", \"entity.value\": \"VSHELL payload\"}"],"published_at":"2026-05-26 14:00:43.416102","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev"},{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"role":"payload","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.006","matches":["{\"chain.chain_id\": \"iim.chain.apt.2026.05.006\", \"chain.title\": \"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2\", \"entity.value\": \"CloudSorcerer v3 side-loaded DLL triad\"}"],"published_at":"2026-05-26 13:35:13.409443","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.006/raw","relation_count":7,"roles":["payload","redirector","redirector","c2","c2","c2"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2"},{"actor":"UAT-8302","chain_id":"iim.chain.apt.2026.05.005","confidence":"confirmed","description":"Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable used for DLL side-loading"},{"role":"payload","techniques":[],"type":"file","value":"NetDraft / FringePorch backdoor"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"role":"c2","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed C2 storage"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.005","matches":["{\"chain.chain_id\": \"iim.chain.apt.2026.05.005\", \"chain.title\": \"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2\", \"entity.value\": \"NetDraft / FringePorch backdoor\"}"],"published_at":"2026-05-26 13:33:29.759246","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.005/raw","relation_count":3,"roles":["entry","payload","c2","c2"],"score":1,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T006","IIM-T018"],"title":"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"role":"staging","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"role":"payload","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"role":"payload","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004","matches":["{\"chain.chain_id\": \"iim.chain.apt.2026.05.004\", \"chain.title\": \"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2\", \"entity.value\": \"OYSTERBLUES registry-staged payload\"}","{\"chain.chain_id\": \"iim.chain.apt.2026.05.004\", \"chain.title\": \"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2\", \"entity.value\": \"OYSTERSHUCK decoder/loader\"}","{\"chain.chain_id\": \"iim.chain.apt.2026.05.004\", \"chain.title\": \"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2\", \"entity.value\": \"Cobalt Strike follow-on component\"}"],"published_at":"2026-05-26 13:31:49.179479","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"roles":["entry","staging","staging","payload","payload","c2","payload"],"score":3,"source_links":[{"label":"SOC Prime summary of CERT-UA warning on UAC-0057 OYSTER activity","url":"https://socprime.com/blog/cert-ua-warns-of-apt28-uac-0057-attacks/"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2"},{"actor":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"role":"staging","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"role":"payload","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"role":"c2","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"role":"c2","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"feed_url":"https://feed.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003","matches":["{\"chain.chain_id\": \"iim.chain.apt.2026.05.003\", \"chain.title\": \"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz\", \"entity.value\": \"EdgeSystemConfig.dll\"}"],"published_at":"2026-05-26 13:31:09.325636","raw_url":"https://feed.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"roles":["staging","payload","c2","c2"],"score":1,"source_links":[{"label":"FrostyNeighbor: Fresh mischief and digital shenanigans","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/tree/master/frostyneighbor"}],"techniques":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz"},{"actor":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"role":"entry","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"role":"staging","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"role":"staging","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"role":"payload","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"role":"payload","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"role":"c2","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"feed_url":"https://feed.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","matches":["{\"chain.chain_id\": \"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike\", \"chain.title\": \"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike\", \"entity.value\": \"Update.js / PicassoLoader\"}","{\"chain.chain_id\": \"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike\", \"chain.title\": \"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike\", \"entity.value\": \"Update.js / Cobalt Strike dropper\"}","{\"chain.chain_id\": \"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike\", \"chain.title\": \"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike\", \"entity.value\": \"ViberPC.dll / Cobalt Strike Beacon\"}"],"published_at":"2026-05-26 13:26:34.732614","raw_url":"https://feed.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"roles":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"score":3,"source_links":[{"label":"ESET WeLiveSecurity FrostyNeighbor report","url":"https://www.welivesecurity.com/en/eset-research/frostyneighbor-uses-cobalt-strike-against-ukraine/"},{"label":"ESET malware-ioc FrostyNeighbor README","url":"https://github.com/eset/malware-ioc/blob/master/frostyneighbor/README.md"}],"techniques":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike"},{"actor":"UAC-0247","chain_id":"uac-0247-ukrvarta-fpv-dopomoga-2026-03","confidence":"confirmed","description":"Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"UkrVarta humanitarian-aid themed ZIP archive"},{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"\u0424\u043e\u0440\u043c\u0430 \u0437\u0430\u044f\u0432\u043a\u0438 \u043d\u0430 \u0433\u0443\u043c\u0430\u043d\u0456\u0442\u0430\u0440\u043d\u0443 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u0443 \u0444\u043e\u043d\u0434 \u0423\u043a\u0440\u0412\u0430\u0440\u0442\u0430.lnk"},{"role":"staging","techniques":["IIM-T002","IIM-T019","IIM-T026"],"type":"domain","value":"ukrvarta.online"},{"role":"staging","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/dopomoga.hta"},{"role":"staging","techniques":[],"type":"url","value":"https://ukrvarta.online/dopomoga/script.js"},{"role":"payload","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/updater.txt"},{"role":"payload","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/updater.txt"},{"role":"staging","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/conference.hta"},{"role":"redirector","techniques":["IIM-T015"],"type":"url","value":"search-ms:query=lnk&crumb=location:\\\\ukrvarta.online@8080\\davwwwroot"},{"role":"payload","techniques":[],"type":"hash","value":"c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9"}],"entity_count":14,"feed_url":"https://feed.iim.malwarebox.eu/chain/uac-0247-ukrvarta-fpv-dopomoga-2026-03","matches":["{\"chain.chain_id\": \"uac-0247-ukrvarta-fpv-dopomoga-2026-03\", \"chain.title\": \"UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell\", \"entity.value\": \"https://ukrvarta.online/dopomoga/updater.txt\"}","{\"chain.chain_id\": \"uac-0247-ukrvarta-fpv-dopomoga-2026-03\", \"chain.title\": \"UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell\", \"entity.value\": \"https://ukrvarta.online/conference/updater.txt\"}","{\"chain.chain_id\": \"uac-0247-ukrvarta-fpv-dopomoga-2026-03\", \"chain.title\": \"UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell\", \"entity.value\": \"c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9\"}","{\"chain.chain_id\": \"uac-0247-ukrvarta-fpv-dopomoga-2026-03\", \"chain.title\": \"UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell\", \"entity.value\": \"RuntimeBroker.exe\"}","{\"chain.chain_id\": \"uac-0247-ukrvarta-fpv-dopomoga-2026-03\", \"chain.title\": \"UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell\", \"entity.value\": \"c8117fdbc81dfae804ad03eb4c7a38017851c941ecfebb06f129c7923c0d3d8d\"}","{\"chain.chain_id\": \"uac-0247-ukrvarta-fpv-dopomoga-2026-03\", \"chain.title\": \"UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell\", \"entity.value\": \"b1d765f50f5c53702658b7a59a9bd05cfb042ea6b2d150191a84c53d373b9e4a\"}"],"published_at":"2026-05-20 17:04:53.132609","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uac-0247-ukrvarta-fpv-dopomoga-2026-03/raw","relation_count":13,"roles":["entry","entry","staging","staging","staging","payload","payload","staging","redirector","payload","payload","payload","payload","c2"],"score":6,"source_links":[],"techniques":["IIM-T002","IIM-T015","IIM-T019","IIM-T024","IIM-T026"],"title":"UAC-0247 - UKRVARTA FPV"},{"actor":"UAC-0184","chain_id":"uac-0184-pseudo-png-passmark-2026-05","confidence":"confirmed","description":"Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.","digest":[{"role":"entry","techniques":[],"type":"file","value":"Ukraine-themed LNK lure"},{"role":"entry","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://169.40.135.35/dctrpr/*.hta"},{"role":"staging","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"ip","value":"169.40.135.35"},{"role":"staging","techniques":["IIM-T024","IIM-T025"],"type":"file","value":"dctrprraclus.zip"},{"role":"staging","techniques":[],"type":"file","value":"Cluster-Overlay64.exe"},{"role":"staging","techniques":[],"type":"file","value":"Plane9Engine.dll"},{"role":"staging","techniques":[],"type":"file","value":"openvr_api.dll"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"kernel-diag.lib"},{"role":"staging","techniques":[],"type":"file","value":"evr.dll decoded stage"},{"role":"staging","techniques":["IIM-T025"],"type":"file","value":"filter.bin"}],"entity_count":15,"feed_url":"https://feed.iim.malwarebox.eu/chain/uac-0184-pseudo-png-passmark-2026-05","matches":["{\"chain.chain_id\": \"uac-0184-pseudo-png-passmark-2026-05\", \"chain.title\": \"UAC-0184 gated HTA delivery to pseudo-PNG staged payload and PassMark network stack\", \"entity.value\": \"filter.bin decoded LZNT1 payload bundle\"}","{\"chain.chain_id\": \"uac-0184-pseudo-png-passmark-2026-05\", \"chain.title\": \"UAC-0184 gated HTA delivery to pseudo-PNG staged payload and PassMark network stack\", \"entity.value\": \"VSLauncher.exe\"}","{\"chain.chain_id\": \"uac-0184-pseudo-png-passmark-2026-05\", \"chain.title\": \"UAC-0184 gated HTA delivery to pseudo-PNG staged payload and PassMark network stack\", \"entity.value\": \"input.dll\"}"],"published_at":"2026-05-19 15:15:42.875501","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uac-0184-pseudo-png-passmark-2026-05/raw","relation_count":20,"roles":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2"],"score":3,"source_links":[],"techniques":["IIM-T019","IIM-T020","IIM-T021","IIM-T024","IIM-T025"],"title":"UAC-0184: Pseudo PNG Passmark"}],"stats":{"actors":11,"chains":17,"entities":142,"latest":"2026-05-27 13:04:07.027015","relations":[["drops",32],["connect",25],["references",25],["download",24],["communicates-with",19],["execute",17],["resolves-to",3]],"roles":[["staging",43],["payload",33],["c2",31],["entry",18],["redirector",17]],"techniques":[["IIM-T024",8],["IIM-T002",7],["IIM-T006",7],["IIM-T011",7],["IIM-T019",6],["IIM-T010",5],["IIM-T013",3],["IIM-T020",3],["IIM-T021",3],["IIM-T001",3]]},"total_matches":17,"total_rows":33}