{"error":null,"mode":"plain","query":"workers.dev","results":[{"actor":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"role":"entry","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"role":"staging","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"role":"payload","techniques":[],"type":"file","value":"VSHELL payload"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"role":"c2","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"feed_url":"https://feed.iim.malwarebox.eu/chain/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","matches":[],"published_at":"2026-05-26 14:00:43.416102","raw_url":"https://feed.iim.malwarebox.eu/api/chains/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev/raw","relation_count":4,"roles":["entry","staging","payload","c2","c2"],"score":2,"source_links":[{"label":"Cisco Talos UAT-8302 report","url":"https://blog.talosintelligence.com/uat-8302/"},{"label":"Cisco Talos IOC file","url":"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"}],"techniques":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev"}],"stats":{"actors":11,"chains":17,"entities":142,"latest":"2026-05-27 13:04:07.027015","relations":[["drops",32],["connect",25],["references",25],["download",24],["communicates-with",19],["execute",17],["resolves-to",3]],"roles":[["staging",43],["payload",33],["c2",31],["entry",18],["redirector",17]],"techniques":[["IIM-T024",8],["IIM-T002",7],["IIM-T006",7],["IIM-T011",7],["IIM-T019",6],["IIM-T010",5],["IIM-T013",3],["IIM-T020",3],["IIM-T021",3],["IIM-T001",3]]},"total_matches":1,"total_rows":1}