{"count":18,"items":[{"aliases":[],"chain_count":4,"chains":[{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100","confidence":"confirmed","created_at":"2026-05-26T14:02:16.990824","description":"Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs","digest":[{"entity_id":"e001","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002"],"type":"url","value":"hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"wagent.exe / Stowaway proxy component"},{"entity_id":"e003","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T014","IIM-T002"],"type":"ip","value":"85[.]209[.]156[.]3:56456"},{"entity_id":"e004","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T014","IIM-T002"],"type":"ip","value":"45[.]135[.]135[.]100:443"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002"],"type":"ip","value":"38[.]54[.]32[.]244"}],"entity_count":5,"id":10,"iim_version":"1.1","name":"UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0009","pattern_name":"Pattern from uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100","position_count":5,"published_at":"2026-05-26T14:02:22.556735","relation_count":4,"role_list":["staging","payload","redirector","redirector","staging"],"role_sequence":"staging > payload > redirector > redirector > staging","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T014"],"title":"UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100","updated_at":"2026-05-26T16:24:34.254453"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","created_at":"2026-05-26T14:00:38.989957","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"entity_id":"e003","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"VSHELL payload"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"entity_id":"e005","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"id":9,"iim_version":"1.1","name":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0008","pattern_name":"Pattern from uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","position_count":5,"published_at":"2026-05-26T14:00:43.416102","relation_count":4,"role_list":["entry","staging","payload","c2","c2"],"role_sequence":"entry > staging > payload > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev","updated_at":"2026-05-26T16:24:07.643987"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","created_at":"2026-05-26T13:35:00.548199","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"entity_id":"e001","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"entity_id":"e002","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"entity_id":"e003","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"entity_id":"e005","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"entity_id":"e006","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"id":8,"iim_version":"1.1","name":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0007","pattern_name":"Pattern from iim.chain.apt.2026.05.006","position_count":6,"published_at":"2026-05-26T13:35:13.409443","relation_count":7,"role_list":["payload","redirector","redirector","c2","c2","c2"],"role_sequence":"payload > redirector > redirector > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2","updated_at":"2026-05-26T16:23:42.707258"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"iim.chain.apt.2026.05.005","confidence":"confirmed","created_at":"2026-05-26T13:33:13.779957","description":"Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"benign executable used for DLL side-loading"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"NetDraft / FringePorch backdoor"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed C2 storage"}],"entity_count":4,"id":7,"iim_version":"1.1","name":"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0006","pattern_name":"Pattern from iim.chain.apt.2026.05.005","position_count":4,"published_at":"2026-05-26T13:33:29.759246","relation_count":3,"role_list":["entry","payload","c2","c2"],"role_sequence":"entry > payload > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T006","IIM-T018"],"title":"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2","updated_at":"2026-05-26T16:23:02.640093"}],"id":"UAT-8302","latest":"2026-05-26T16:24:34.254453","name":"UAT-8302","top_roles":[["c2",7],["payload",4],["redirector",4],["staging",3],["entry",2]],"top_techniques":[["IIM-T006",3],["IIM-T002",1],["IIM-T014",1],["IIM-T005",1],["IIM-T010",1],["IIM-T011",1],["IIM-T013",1],["IIM-T018",1]]},{"aliases":[],"chain_count":3,"chains":[{"actor_aliases":[],"actor_id":"UAC-0057","actor_name":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","created_at":"2026-05-26T13:29:15.685499","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"entity_id":"e001","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"id":5,"iim_version":"1.1","name":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz","needs_review":false,"observed_at":"2026-04-16T00:00:00Z","pattern_id":"MB-F-0004","pattern_name":"Pattern from iim.chain.apt.2026.05.003","position_count":4,"published_at":"2026-05-26T13:31:09.325636","relation_count":3,"role_list":["staging","payload","c2","c2"],"role_sequence":"staging > payload > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz","updated_at":"2026-05-26T16:26:11.033335"},{"actor_aliases":[],"actor_id":"UAC-0057","actor_name":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","created_at":"2026-05-26T13:30:18.523190","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"entity_id":"e004","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"entity_id":"e006","needs_review":true,"role":"c2","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":"likely","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"id":6,"iim_version":"1.1","name":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2","needs_review":true,"observed_at":"2026-05-21T00:00:00Z","pattern_id":"MB-F-0005","pattern_name":"Pattern from iim.chain.apt.2026.05.004","position_count":7,"published_at":"2026-05-26T13:31:49.179479","relation_count":7,"role_list":["entry","staging","staging","payload","payload","c2","payload"],"role_sequence":"entry > staging > staging > payload > payload > c2 > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2","updated_at":"2026-05-26T15:46:03.146910"},{"actor_aliases":[],"actor_id":"UAC-0057","actor_name":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","created_at":"2026-05-26T13:26:28.337138","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"entity_id":"e006","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"entity_id":"e008","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"entity_id":"e009","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"id":4,"iim_version":"1.1","name":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike","needs_review":false,"observed_at":"2026-03-10T00:00:00Z","pattern_id":"MB-F-0003","pattern_name":"Pattern from frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","position_count":9,"published_at":"2026-05-26T13:26:34.732614","relation_count":8,"role_list":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"role_sequence":"entry > staging > staging > staging > payload > c2 > payload > payload > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike","updated_at":"2026-05-26T15:45:42.500183"}],"id":"UAC-0057","latest":"2026-05-26T16:26:11.033335","name":"UAC-0057","top_roles":[["payload",7],["staging",6],["c2",5],["entry",2]],"top_techniques":[["IIM-T010",3],["IIM-T011",3],["IIM-T001",2],["IIM-T019",2],["IIM-T024",2],["IIM-T020",1],["IIM-T021",1]]},{"aliases":[],"chain_count":2,"chains":[{"actor_aliases":[],"actor_id":"JINX-0164","actor_name":"JINX-0164","chain_id":"wiz.2026.jinx-0164-audiofix-fake-driver-macos","confidence":"confirmed","created_at":"2026-05-28T13:44:03.437805","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T010"],"type":"url","value":"LinkedIn recruiter / business-partner outreach leading to fake meeting lure"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T010","IIM-T020"],"type":"url","value":"https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"},{"entity_id":"e004","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/arm/driver/coreaudiod"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T020"],"type":"url","value":"https://apple.driver-store.com/mac/intel/driver/coreaudiod"},{"entity_id":"e006","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21"},{"entity_id":"e008","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist"},{"entity_id":"e009","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T011"],"type":"domain","value":"datahub.ink"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T011"],"type":"domain","value":"cloud-sync.online"},{"entity_id":"e011","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T011"],"type":"domain","value":"byte-io.us"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"208.115.220.17"},{"entity_id":"e013","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"185.175.59.85"},{"entity_id":"e014","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"153.92.126.84"},{"entity_id":"e015","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"89.36.224.5"},{"entity_id":"e016","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"84.32.83.250"}],"entity_count":16,"id":22,"iim_version":"1.1","name":"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain","needs_review":false,"observed_at":"2026-05-27T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":16,"published_at":"2026-05-28T13:44:27.490408","relation_count":16,"role_list":["entry","entry","staging","payload","payload","payload","payload","staging","c2","c2","c2","c2","c2","staging","payload","payload"],"role_sequence":"entry > entry > staging > payload > payload > payload > payload > staging > c2 > c2 > c2 > c2 > c2 > staging > payload > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T010","IIM-T011","IIM-T020"],"title":"JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain","updated_at":"2026-05-28T13:44:27.490582"},{"actor_aliases":[],"actor_id":"JINX-0164","actor_name":"JINX-0164","chain_id":"wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain","confidence":"confirmed","created_at":"2026-05-28T13:42:38.215626","description":"IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T006"],"type":"url","value":"https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"@velora-dex/sdk dist/index.js malicious appended exec block"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T002"],"type":"url","value":"http://89.36.224.5/troubleshoot/mac/install.sh"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T002"],"type":"ip","value":"89.36.224.5"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e"},{"entity_id":"e006","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270"},{"entity_id":"e008","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d"},{"entity_id":"e009","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"hash","value":"a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b"},{"entity_id":"e010","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"~/Library/LaunchAgents/com.apple.Terminal.profiler.plist"},{"entity_id":"e011","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T011"],"type":"domain","value":"datahub.ink"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T011"],"type":"domain","value":"cloud-sync.online"},{"entity_id":"e013","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":["IIM-T011"],"type":"domain","value":"byte-io.us"},{"entity_id":"e014","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"208.115.220.17"},{"entity_id":"e015","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"ip","value":"185.175.59.85"}],"entity_count":15,"id":21,"iim_version":"1.1","name":"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain","needs_review":false,"observed_at":"2026-05-27T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":15,"published_at":"2026-05-28T13:43:20.060851","relation_count":17,"role_list":["entry","entry","staging","staging","staging","staging","payload","payload","payload","staging","c2","c2","c2","c2","c2"],"role_sequence":"entry > entry > staging > staging > staging > staging > payload > payload > payload > staging > c2 > c2 > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T011"],"title":"JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain","updated_at":"2026-05-28T13:43:20.061035"}],"id":"JINX-0164","latest":"2026-05-28T13:44:27.490582","name":"JINX-0164","top_roles":[["c2",10],["payload",9],["staging",8],["entry",4]],"top_techniques":[["IIM-T011",2],["IIM-T010",1],["IIM-T020",1],["IIM-T002",1],["IIM-T006",1]]},{"aliases":[],"chain_count":2,"chains":[{"actor_aliases":[],"actor_id":"Webworm","actor_name":"Webworm","chain_id":"iim.chain.apt.2026.05.009","confidence":"confirmed","created_at":"2026-05-26T14:03:09.798318","description":"ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.","digest":[{"entity_id":"e001","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"domain","value":"github[.]com/anjsdgasdf/WordPress"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"EchoCreep DLL"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"discord[.]com / Discord API"},{"entity_id":"e004","needs_review":false,"role":"redirector","role_confidence":"likely","technique_confidence":"confirmed","techniques":["IIM-T002","IIM-T026"],"type":"ip","value":"64[.]176[.]85[.]158"}],"entity_count":4,"id":11,"iim_version":"1.1","name":"Webworm GitHub staging to EchoCreep Discord C2","needs_review":false,"observed_at":"2026-05-20T00:00:00Z","pattern_id":"MB-F-0010","pattern_name":"Pattern from iim.chain.apt.2026.05.009","position_count":4,"published_at":"2026-05-26T14:05:20.204940","relation_count":3,"role_list":["staging","payload","c2","redirector"],"role_sequence":"staging > payload > c2 > redirector","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T018","IIM-T026"],"title":"Webworm GitHub staging to EchoCreep Discord C2","updated_at":"2026-05-26T16:27:12.383228"},{"actor_aliases":[],"actor_id":"Webworm","actor_name":"Webworm","chain_id":"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","confidence":"confirmed","created_at":"2026-05-26T14:05:40.150501","description":"ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.","digest":[{"entity_id":"e001","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"GraphWorm payload"},{"entity_id":"e002","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed storage"},{"entity_id":"e004","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"WormFrp reverse proxy / exfiltration component"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002","IIM-T006"],"type":"domain","value":"wamanharipethe.s3.ap-south-1.amazonaws[.]com"}],"entity_count":5,"id":12,"iim_version":"1.1","name":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane","needs_review":false,"observed_at":"2026-05-20T00:00:00Z","pattern_id":"MB-F-0011","pattern_name":"Pattern from webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","position_count":5,"published_at":"2026-05-26T14:05:46.910472","relation_count":4,"role_list":["payload","c2","c2","payload","staging"],"role_sequence":"payload > c2 > c2 > payload > staging","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T018"],"title":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane","updated_at":"2026-05-26T16:26:59.100197"}],"id":"Webworm","latest":"2026-05-26T16:27:12.383228","name":"Webworm","top_roles":[["payload",3],["c2",3],["staging",2],["redirector",1]],"top_techniques":[["IIM-T002",2],["IIM-T006",2],["IIM-T018",2],["IIM-T026",1]]},{"aliases":["UAC-0244","UAC-0247"],"chain_count":1,"chains":[{"actor_aliases":["UAC-0244","UAC-0247"],"actor_id":"UAC-0247","actor_name":"MB-0006","chain_id":"uac-0247-ukrvarta-fpv-dopomoga-2026-03","confidence":"confirmed","created_at":"2026-05-20T14:11:38.064738","description":"Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.","digest":[{"entity_id":"e01_initial_zip","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"UkrVarta humanitarian-aid themed ZIP archive"},{"entity_id":"e02_lnk_form","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"\u0424\u043e\u0440\u043c\u0430 \u0437\u0430\u044f\u0432\u043a\u0438 \u043d\u0430 \u0433\u0443\u043c\u0430\u043d\u0456\u0442\u0430\u0440\u043d\u0443 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u0443 \u0444\u043e\u043d\u0434 \u0423\u043a\u0440\u0412\u0430\u0440\u0442\u0430.lnk"},{"entity_id":"e03_ukrvarta_domain","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002","IIM-T019","IIM-T026"],"type":"domain","value":"ukrvarta.online"},{"entity_id":"e04_dopomoga_hta","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/dopomoga.hta"},{"entity_id":"e05_dopomoga_script_js","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://ukrvarta.online/dopomoga/script.js"},{"entity_id":"e06_dopomoga_updater_url","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/updater.txt"},{"entity_id":"e07_conference_updater_url","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/updater.txt"},{"entity_id":"e08_conference_hta","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/conference.hta"},{"entity_id":"e09_webdav_searchms","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T015"],"type":"url","value":"search-ms:query=lnk&crumb=location:\\\\ukrvarta.online@8080\\davwwwroot"},{"entity_id":"e10_updater_sha256","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9"},{"entity_id":"e11_runtimebroker_target","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"RuntimeBroker.exe"},{"entity_id":"e12_shellcode_sha256","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"c8117fdbc81dfae804ad03eb4c7a38017851c941ecfebb06f129c7923c0d3d8d"},{"entity_id":"e13_final_payload_sha256","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"b1d765f50f5c53702658b7a59a9bd05cfb042ea6b2d150191a84c53d373b9e4a"},{"entity_id":"e14_c2_ip","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T002"],"type":"ip","value":"109.237.97.4"}],"entity_count":14,"id":3,"iim_version":"1.1","name":"UAC-0247 - UKRVARTA FPV","needs_review":false,"observed_at":"2026-03-24T00:00:00Z","pattern_id":"MB-F-0002","pattern_name":"Pattern from uac-0247-ukrvarta-fpv-dopomoga-2026-03","position_count":14,"published_at":"2026-05-20T17:04:53.132609","relation_count":13,"role_list":["entry","entry","staging","staging","staging","payload","payload","staging","redirector","payload","payload","payload","payload","c2"],"role_sequence":"entry > entry > staging > staging > staging > payload > payload > staging > redirector > payload > payload > payload > payload > c2","share_enabled":true,"share_views":79,"tags":[],"technique_ids":["IIM-T002","IIM-T015","IIM-T019","IIM-T024","IIM-T026"],"title":"UAC-0247 - UKRVARTA FPV","updated_at":"2026-06-01T08:56:02.115525"}],"id":"UAC-0247","latest":"2026-06-01T08:56:02.115525","name":"MB-0006","top_roles":[["payload",6],["staging",4],["entry",2],["redirector",1],["c2",1]],"top_techniques":[["IIM-T002",1],["IIM-T015",1],["IIM-T019",1],["IIM-T024",1],["IIM-T026",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"APT43","actor_name":"APT43","chain_id":"enki.2026.kimsuky-webex-httpSpy-jsonping","confidence":"confirmed","created_at":"2026-05-31T19:20:52.273708","description":"ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://conference.birdriver.org/"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"url","value":"https://download.birdriver.org/download.php?id=425623"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"fix-camera.jse"},{"entity_id":"e004","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T015"],"type":"file","value":"C:\\ProgramData\\meeting.html decoy redirector"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"C:\\ProgramData\\mTSTCv8.mdxm / loadDll.dll"},{"entity_id":"e006","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://download.birdriver.org/download.php?id=393156"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"engine.dat / spyInster.dll"},{"entity_id":"e008","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"C:\\Users\\Public\\cacheMon.dat / spyLoader.dll"},{"entity_id":"e009","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"HttpSpy main module / httpSpy.dll"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://hdrgdrfes.chickenkiller.com/index.php"},{"entity_id":"e011","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"JSONPing local infection-verification server on localhost:62001 /ping?callback=..."}],"entity_count":11,"id":40,"iim_version":"1.1","name":"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2","needs_review":false,"observed_at":"2026-04-30T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":11,"published_at":"2026-05-31T19:22:26.947823","relation_count":13,"role_list":["entry","staging","staging","redirector","staging","staging","payload","payload","payload","c2","staging"],"role_sequence":"entry > staging > staging > redirector > staging > staging > payload > payload > payload > c2 > staging","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T015","IIM-T024"],"title":"Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2","updated_at":"2026-05-31T19:22:26.948034"}],"id":"APT43","latest":"2026-05-31T19:22:26.948034","name":"APT43","top_roles":[["staging",5],["payload",3],["entry",1],["redirector",1],["c2",1]],"top_techniques":[["IIM-T015",1],["IIM-T024",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"GREYVIBE","actor_name":"GREYVIBE","chain_id":"withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2","confidence":"likely","created_at":"2026-05-31T19:17:20.901117","description":"WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine\u2019s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"email","value":"office.cip.ua.gov@gmail.com / office.gov.cips@gmail.com"},{"entity_id":"e002","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"url","value":"Google Drive-hosted malicious RAR archives used in April 2026 PhantomMail"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"hash","value":"bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"PhantomRelayV2 watchdog / RzUpdateManager.ps1 / ee144c883784c635ef84e0ae6a12b03553c1fd65646621f22d08511bd3e6d42a"},{"entity_id":"e006","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"PhantomRelayV2 RAT client / RzTelemetry.ps1 / 03beb07ce116a2a69f360dd3fab8c3aa55bb42ce580d43f1924642874e388efe"},{"entity_id":"e007","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"%LOCALAPPDATA%\\Razer Update staging directory + Razer Synapse Service Helper scheduled task"},{"entity_id":"e008","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"nycpartnersenterprise.com"},{"entity_id":"e009","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"chiselworksenterprise.com"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"newrentalsenterprise.com"},{"entity_id":"e011","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"bluelagoonaenterprise.com"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"heltaskeltahenterprise.com"},{"entity_id":"e013","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"newequipmentsolutions.com"}],"entity_count":13,"id":39,"iim_version":"1.1","name":"GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool","needs_review":false,"observed_at":"2026-04-30T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":13,"published_at":"2026-05-31T19:17:43.650916","relation_count":13,"role_list":["entry","redirector","staging","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2"],"role_sequence":"entry > redirector > staging > staging > payload > payload > staging > c2 > c2 > c2 > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T006","IIM-T011","IIM-T024"],"title":"GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool","updated_at":"2026-05-31T19:18:31.414913"}],"id":"GREYVIBE","latest":"2026-05-31T19:18:31.414913","name":"GREYVIBE","top_roles":[["c2",6],["staging",3],["payload",2],["entry",1],["redirector",1]],"top_techniques":[["IIM-T006",1],["IIM-T011",1],["IIM-T024",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"ClearFake","actor_name":"ClearFake","chain_id":"redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer","confidence":"confirmed","created_at":"2026-05-30T21:31:27.756539","description":"IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"domain","value":"<compromised website with injected JS>"},{"entity_id":"e2","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T015"],"type":"file","value":"injected JavaScript serving fake-CAPTCHA / ClickFix lure"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"n/a","techniques":[],"type":"url","value":"<remote payload-retrieval host>"},{"entity_id":"e4","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"n/a","techniques":[],"type":"file","value":"ACR Stealer (MaaS infostealer)"},{"entity_id":"e5","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"n/a","techniques":[],"type":"domain","value":"<ACR Stealer C2 endpoint>"}],"entity_count":5,"id":35,"iim_version":"1.1","name":"ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer","needs_review":true,"observed_at":"2026-05-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":5,"published_at":"2026-05-30T21:31:45.548786","relation_count":4,"role_list":["entry","redirector","staging","payload","c2"],"role_sequence":"entry > redirector > staging > payload > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T004","IIM-T015"],"title":"ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer","updated_at":"2026-05-30T21:31:45.548971"}],"id":"ClearFake","latest":"2026-05-30T21:31:45.548971","name":"ClearFake","top_roles":[["entry",1],["redirector",1],["staging",1],["payload",1],["c2",1]],"top_techniques":[["IIM-T004",1],["IIM-T015",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"BlueNoroff","actor_name":"BlueNoroff","chain_id":"levelblue.2026.sapphire-sleet-macos-fake-zoom-update","confidence":"confirmed","created_at":"2026-05-30T11:15:15.267152","description":"IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Zoom SDK Update.scpt"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"com.apple.cli profiling component"},{"entity_id":"e003","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"systemupdate.app / Mac Password Popup credential harvester"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"/Library/LaunchDaemons/com.google.webkit.service.plist"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"icloudz reflective backdoor component"},{"entity_id":"e006","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"com.google.chromes.updaters in-memory beacon agent"},{"entity_id":"e007","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"/tmp staged zip archives containing collected corporate and crypto assets"},{"entity_id":"e008","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"check02id.com"},{"entity_id":"e009","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"uw04webzoom.us"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"uw05webzoom.us"},{"entity_id":"e011","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"uw03webzoom.us"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"uv01webzoom.us"},{"entity_id":"e013","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"uv03webzoom.us"},{"entity_id":"e014","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"uv04webzoom.us"},{"entity_id":"e015","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"ux06webzoom.us"},{"entity_id":"e016","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T011"],"type":"domain","value":"ur01webzoom.us"},{"entity_id":"e017","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"83.136.208.246"},{"entity_id":"e018","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"83.136.209.22"},{"entity_id":"e019","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"104.145.210.107"},{"entity_id":"e020","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"83.136.208.48"},{"entity_id":"e021","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"83.136.210.180"}],"entity_count":21,"id":30,"iim_version":"1.1","name":"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure","needs_review":false,"observed_at":"2026-05-28T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":21,"published_at":"2026-05-30T11:17:36.619344","relation_count":21,"role_list":["entry","payload","payload","staging","payload","payload","staging","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2","c2"],"role_sequence":"entry > payload > payload > staging > payload > payload > staging > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T011"],"title":"Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure","updated_at":"2026-05-30T11:17:36.619524"}],"id":"BlueNoroff","latest":"2026-05-30T11:17:36.619524","name":"BlueNoroff","top_roles":[["c2",14],["payload",4],["staging",2],["entry",1]],"top_techniques":[["IIM-T011",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"SideCopy","actor_name":"SideCopy","chain_id":"seqrite.2026.operation-xenofiscal-sidecopy-xenorat","confidence":"confirmed","created_at":"2026-05-29T19:57:59.061431","description":"IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"spearphishing ZIP archive targeting Afghanistan Ministry of Finance personnel"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"\u062f_\u0647\u063a\u0648_\u06a9\u0627\u0631\u06a9\u0648\u0648\u0646\u06a9\u0648_\u0644\u06d0\u0633\u062a_\u0686\u06d0_\u062f_\u0641\u06a9\u0631\u064a_\u0627\u0648_\u0631\u0648\u0627\u0646\u064a_\u062c\u06ab\u0693\u06d0_\u0633\u06cc\u0645\u06cc\u0646\u0627\u0631_\u062a\u0647_\u0648\u0631\u067e\u06d0\u0698\u0646\u062f\u0644_\u0634\u0648\u064a_\u0648\u064812.pdf.lnk"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"mshta.exe LOLBIN execution of remote HTA/PHP"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"domain","value":"abimj.edu.af"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/index.php"},{"entity_id":"e006","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"ugayt.hta initial HTA/JavaScript payload"},{"entity_id":"e007","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":null,"techniques":[],"type":"file","value":"WayBroad.dll Stage-1 .NET loader DLL"},{"entity_id":"e008","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiyaf/document.pdf"},{"entity_id":"e009","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"url","value":"http://abimj.edu.af/institute/cloudiya/"},{"entity_id":"e010","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"zuidrt.hta persistent next-stage HTA payload"},{"entity_id":"e011","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T004","IIM-T021"],"type":"url","value":"https://abimj.edu.af/institute/10/"},{"entity_id":"e012","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T004","IIM-T021"],"type":"url","value":"https://abimj.edu.af/institute/7/"},{"entity_id":"e013","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"ayui.vmxx encrypted/compressed next-stage blob"},{"entity_id":"e014","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"ayhui.vmxx reconstructed shellcode container"},{"entity_id":"e015","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":null,"techniques":[],"type":"file","value":"Aotestpass.dll Stage-2 loader DLL and shellcode bridge"},{"entity_id":"e016","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"XenoRAT 1.8.7 final payload"},{"entity_id":"e017","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T003"],"type":"ip","value":"185.235.137.106"},{"entity_id":"e018","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"ip","value":"103.132.98.224"},{"entity_id":"e019","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T004"],"type":"ip","value":"103.132.98.226"}],"entity_count":19,"id":27,"iim_version":"1.1","name":"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2","needs_review":false,"observed_at":"2026-05-29T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":19,"published_at":"2026-05-29T20:01:27.851436","relation_count":18,"role_list":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","staging","staging"],"role_sequence":"entry > entry > staging > staging > staging > staging > staging > staging > staging > staging > staging > staging > staging > payload > payload > payload > c2 > staging > staging","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T003","IIM-T004","IIM-T021","IIM-T024"],"title":"Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2","updated_at":"2026-05-29T20:07:11.463788"}],"id":"SideCopy","latest":"2026-05-29T20:07:11.463788","name":"SideCopy","top_roles":[["staging",13],["payload",3],["entry",2],["c2",1]],"top_techniques":[["IIM-T003",1],["IIM-T004",1],["IIM-T021",1],["IIM-T024",1]]},{"aliases":["UAC-0226"],"chain_count":1,"chains":[{"actor_aliases":["UAC-0226"],"actor_id":"UAC-0226","actor_name":"MB-0004","chain_id":"ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28","confidence":"confirmed","created_at":"2026-05-28T17:35:17.960639","description":"Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\\\ProgramData\\\\cv4. cv4 reads C:\\\\ProgramData\\\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.","digest":[{"entity_id":"archive_attachment","needs_review":true,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"Ukraine-themed CVE-2025-8088 archive attachment / container not submitted"},{"entity_id":"decoy_pdf","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"1070_26782818.pdf"},{"entity_id":"startup_lnk","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U061m7RlE5py.lnk"},{"entity_id":"cv4_loader","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"C:\\ProgramData\\cv4"},{"entity_id":"zhg_encoded","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"C:\\ProgramData\\Zhg"},{"entity_id":"zhg_decoded_flat","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Zhg decoded flat x64 payload image"},{"entity_id":"stage1_status_url","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://151.158.1.229:11861/AHH_bY/"},{"entity_id":"stage2_c2_url","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://151.158.1.229:11861/pQWhYy/"},{"entity_id":"c2_ip","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"151.158.1.229"}],"entity_count":9,"id":24,"iim_version":"1.1","name":"Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2","needs_review":true,"observed_at":"2026-05-28T19:30:00Z","pattern_id":null,"pattern_name":null,"position_count":9,"published_at":"2026-05-28T17:37:25.767455","relation_count":11,"role_list":["entry","staging","staging","staging","payload","payload","c2","c2","c2"],"role_sequence":"entry > staging > staging > staging > payload > payload > c2 > c2 > c2","share_enabled":true,"share_views":1,"tags":[],"technique_ids":["IIM-T024"],"title":"Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2","updated_at":"2026-05-28T20:07:26.947956"}],"id":"UAC-0226","latest":"2026-05-28T20:07:26.947956","name":"MB-0004","top_roles":[["staging",3],["c2",3],["payload",2],["entry",1]],"top_techniques":[["IIM-T024",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"BlackToad","actor_name":"BlackToad","chain_id":"jumpsec.2026.blacktoad-autoit-remcos-network-blackout","confidence":"confirmed","created_at":"2026-05-28T16:11:46.670575","description":"IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"email","value":"Thai-language image-based financial payment-slip phishing email"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"url","value":"MediaFire-hosted malware download link (exact URL not published)"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"SLIP0202E0309029.pdf.scr"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"flvs.vbe"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"xbkjm.xls (renamed AutoIt3.exe interpreter)"},{"entity_id":"e006","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"wnkfmvql.das"},{"entity_id":"e007","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"oquhestmf.mp3"},{"entity_id":"e008","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"diniuvw.ikp"},{"entity_id":"e009","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"payload.bin / decoded Remcos Pro implant"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"pmitm.ddns.net"},{"entity_id":"e011","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"lordtoad.duckdns.org"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"toadshit.ddnsfree.com"},{"entity_id":"e013","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"197.210.55.170"},{"entity_id":"e014","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T011"],"type":"ip","value":"102.90.43.109"},{"entity_id":"e015","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T011"],"type":"ip","value":"105.112.100.79"},{"entity_id":"e016","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T003","IIM-T011"],"type":"ip","value":"45.156.87.226"}],"entity_count":16,"id":23,"iim_version":"1.1","name":"BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain","needs_review":false,"observed_at":"2026-05-27T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":16,"published_at":"2026-05-28T16:12:38.401983","relation_count":25,"role_list":["entry","staging","staging","staging","staging","staging","staging","staging","payload","c2","c2","c2","c2","c2","c2","c2"],"role_sequence":"entry > staging > staging > staging > staging > staging > staging > staging > payload > c2 > c2 > c2 > c2 > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T003","IIM-T006","IIM-T008","IIM-T011","IIM-T024"],"title":"BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain","updated_at":"2026-05-28T19:35:05.925615"}],"id":"BlackToad","latest":"2026-05-28T19:35:05.925615","name":"BlackToad","top_roles":[["staging",7],["c2",7],["entry",1],["payload",1]],"top_techniques":[["IIM-T003",1],["IIM-T006",1],["IIM-T008",1],["IIM-T011",1],["IIM-T024",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"Glassworm","actor_name":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","created_at":"2026-05-27T13:03:13.394650","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"entity_id":"e003","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"entity_id":"e004","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"entity_id":"e006","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"entity_id":"e007","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"entity_id":"e008","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"entity_id":"e009","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"},{"entity_id":"e011","needs_review":true,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"164.92.88.210"}],"entity_count":11,"id":18,"iim_version":"1.1","name":"Glassworm developer supply-chain infection to redundant multi-resolver C2","needs_review":true,"observed_at":"2026-05-26T14:00:00Z","pattern_id":null,"pattern_name":null,"position_count":11,"published_at":"2026-05-27T13:04:07.027015","relation_count":13,"role_list":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"role_sequence":"entry > entry > entry > entry > staging > payload > redirector > redirector > redirector > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2","updated_at":"2026-05-27T13:04:07.027212"}],"id":"Glassworm","latest":"2026-05-27T13:04:07.027212","name":"Glassworm","top_roles":[["entry",4],["redirector",3],["c2",2],["staging",1],["payload",1]],"top_techniques":[["IIM-T002",1],["IIM-T006",1],["IIM-T013",1]]},{"aliases":["ACTINIUM / Aqua Blizzard","Armageddon","Blue Otso","BlueAlpha","DEV-0157","Gamaredon","Hive0051","IRON TILDEN","NastyShrew","Primitive Bear","Shuckworm","Trident Ursa","UAC-0010","UNC530","WINTERFLOUNDER"],"chain_count":1,"chains":[{"actor_aliases":["Gamaredon","UAC-0010","Armageddon","Primitive Bear","Shuckworm","ACTINIUM / Aqua Blizzard","IRON TILDEN","DEV-0157","BlueAlpha","Blue Otso","Hive0051","WINTERFLOUNDER","Trident Ursa","UNC530","NastyShrew"],"actor_id":"UAC-0010","actor_name":"MB-0001","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","created_at":"2026-05-27T12:22:27.839898","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"entity_id":"e006","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"entity_id":"e007","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"entity_id":"e008","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"entity_id":"e009","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"entity_id":"e010","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"},{"entity_id":"e011","needs_review":false,"role":"redirector","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"document-downloads.ddns.net"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"confirmed","techniques":["IIM-T003","IIM-T007"],"type":"ip","value":"194.67.71.75"},{"entity_id":"e013","needs_review":true,"role":"c2","role_confidence":"tentative","technique_confidence":"tentative","techniques":["IIM-T002"],"type":"ip","value":"45.32.220.217"}],"entity_count":13,"id":17,"iim_version":"1.1","name":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure","needs_review":true,"observed_at":"2025-11-11T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":13,"published_at":"2026-05-27T12:22:36.950024","relation_count":13,"role_list":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"role_sequence":"entry > entry > staging > staging > payload > redirector > redirector > redirector > redirector > staging > redirector > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure","updated_at":"2026-05-27T12:23:23.340783"}],"id":"UAC-0010","latest":"2026-05-27T12:23:23.340783","name":"MB-0001","top_roles":[["redirector",5],["staging",3],["entry",2],["c2",2],["payload",1]],"top_techniques":[["IIM-T002",1],["IIM-T003",1],["IIM-T006",1],["IIM-T007",1],["IIM-T008",1],["IIM-T010",1],["IIM-T011",1],["IIM-T013",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"UAT-10027","actor_name":"UAT-10027","chain_id":"uat-10027-dohdoor-education-healthcare-2026-02-26","confidence":"likely","created_at":"2026-05-27T12:08:50.170201","description":"Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"file","value":"suspected phishing-delivered PowerShell downloader"},{"entity_id":"e2","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"remote staging URL serving .bat or .cmd batch file"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Windows batch script dropper orchestrating DLL sideloading"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},{"entity_id":"e5","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"},{"entity_id":"e6","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},{"entity_id":"e7","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"domain","value":"cloudflare-dns.com DoH resolver over HTTPS/443"},{"entity_id":"e8","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T001","IIM-T011"],"type":"domain","value":"MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"},{"entity_id":"e9","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"file","value":"potential Cobalt Strike Beacon next-stage payload"}],"entity_count":9,"id":16,"iim_version":"1.1","name":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care","needs_review":false,"observed_at":"2025-12-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":9,"published_at":"2026-05-27T12:09:14.641573","relation_count":11,"role_list":["entry","staging","staging","staging","payload","c2","redirector","c2","payload"],"role_sequence":"entry > staging > staging > staging > payload > c2 > redirector > c2 > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T001","IIM-T011"],"title":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care","updated_at":"2026-05-27T12:09:14.641751"}],"id":"UAT-10027","latest":"2026-05-27T12:09:14.641751","name":"UAT-10027","top_roles":[["staging",3],["payload",2],["c2",2],["entry",1],["redirector",1]],"top_techniques":[["IIM-T001",1],["IIM-T011",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"UAT-10362","actor_name":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","created_at":"2026-05-27T12:07:35.136019","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"entity_id":"e2","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"entity_id":"e5","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"entity_id":"e6","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"entity_id":"e7","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"entity_id":"e8","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"entity_id":"e9","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"entity_id":"e10","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"},{"entity_id":"e11","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"archive4.zip encrypted host reconnaissance upload"},{"entity_id":"e12","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"domain","value":"d.2fcc7078.digimg.store"}],"entity_count":12,"id":15,"iim_version":"1.1","name":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations","needs_review":false,"observed_at":"2025-10-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":12,"published_at":"2026-05-27T12:07:54.333154","relation_count":13,"role_list":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"role_sequence":"entry > redirector > staging > staging > staging > staging > payload > c2 > c2 > payload > staging > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations","updated_at":"2026-05-27T12:07:54.333344"}],"id":"UAT-10362","latest":"2026-05-27T12:07:54.333344","name":"UAT-10362","top_roles":[["staging",5],["c2",3],["payload",2],["entry",1],["redirector",1]],"top_techniques":[["IIM-T004",1],["IIM-T016",1],["IIM-T024",1]]},{"aliases":[],"chain_count":1,"chains":[{"actor_aliases":[],"actor_id":"Silver Fox","actor_name":"Silver Fox","chain_id":"silver-fox-abcdoor-2026-04-30","confidence":"likely","created_at":"2026-05-27T12:03:10.683479","description":"Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"file","value":"tax-themed phishing email attachment or lure PDF"},{"entity_id":"e2","needs_review":true,"role":"redirector","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"url","value":"attacker-controlled external download website"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"tax-related malicious archive"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"file","value":"Silver Fox RustSL loader executable mimicking a document"},{"entity_id":"e5","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"encrypted RustSL payload file disguised with benign extension"},{"entity_id":"e6","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"ValleyRAT Login module / Winos 4.0 payload"},{"entity_id":"e7","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"207.56.138.28"},{"entity_id":"e8","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"file","value":"custom ValleyRAT module \u4fdd86.dll / \u4fdd86.dll_bin"},{"entity_id":"e9","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://154.82.81.205/YD20251001143052.zip"},{"entity_id":"e10","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"ABCDoor appclient Python archive"},{"entity_id":"e11","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"ABCDoor Python backdoor"}],"entity_count":11,"id":13,"iim_version":"1.1","name":"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain","needs_review":true,"observed_at":"2025-12-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":11,"published_at":"2026-05-27T12:03:50.394701","relation_count":11,"role_list":["entry","redirector","staging","staging","staging","payload","c2","payload","staging","staging","payload"],"role_sequence":"entry > redirector > staging > staging > staging > payload > c2 > payload > staging > staging > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T019","IIM-T024"],"title":"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain","updated_at":"2026-05-27T12:04:20.292252"}],"id":"Silver Fox","latest":"2026-05-27T12:04:20.292252","name":"Silver Fox","top_roles":[["staging",5],["payload",3],["entry",1],["redirector",1],["c2",1]],"top_techniques":[["IIM-T019",1],["IIM-T024",1]]},{"aliases":["Hive0156","UAC-0184"],"chain_count":1,"chains":[{"actor_aliases":["UAC-0184","Hive0156"],"actor_id":"UAC-0184","actor_name":"MB-0005","chain_id":"uac-0184-pseudo-png-passmark-2026-05","confidence":"confirmed","created_at":"2026-05-19T15:12:15.998736","description":"Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.","digest":[{"entity_id":"e_lure_lnk","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":null,"techniques":[],"type":"file","value":"Ukraine-themed LNK lure"},{"entity_id":"e_hta_set","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://169.40.135.35/dctrpr/*.hta"},{"entity_id":"e_delivery_ip","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"ip","value":"169.40.135.35"},{"entity_id":"e_zip","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T024","IIM-T025"],"type":"file","value":"dctrprraclus.zip"},{"entity_id":"e_cluster","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"Cluster-Overlay64.exe"},{"entity_id":"e_plane9","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"Plane9Engine.dll"},{"entity_id":"e_openvr","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"openvr_api.dll"},{"entity_id":"e_kernel","needs_review":true,"role":"staging","role_confidence":"confirmed","technique_confidence":"tentative","techniques":["IIM-T025"],"type":"file","value":"kernel-diag.lib"},{"entity_id":"e_evr","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"evr.dll decoded stage"},{"entity_id":"e_filter","needs_review":true,"role":"staging","role_confidence":"confirmed","technique_confidence":"tentative","techniques":["IIM-T025"],"type":"file","value":"filter.bin"},{"entity_id":"e_bundle","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"filter.bin decoded LZNT1 payload bundle"},{"entity_id":"e_vslauncher","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":null,"techniques":[],"type":"file","value":"VSLauncher.exe"},{"entity_id":"e_input","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"input.dll"},{"entity_id":"e_multicast","needs_review":true,"role":"c2","role_confidence":"tentative","technique_confidence":null,"techniques":[],"type":"ip","value":"224.0.0.255"},{"entity_id":"e_controller","needs_review":true,"role":"c2","role_confidence":"tentative","technique_confidence":null,"techniques":[],"type":"ip","value":"internal peer/controller"}],"entity_count":15,"id":1,"iim_version":"1.1","name":"UAC-0184: Pseudo PNG Passmark","needs_review":true,"observed_at":null,"pattern_id":"MB-F-0001","pattern_name":"Pattern from uac-0184-pseudo-png-passmark-2026-05","position_count":15,"published_at":"2026-05-19T15:15:42.875501","relation_count":20,"role_list":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2"],"role_sequence":"entry > entry > staging > staging > staging > staging > staging > staging > staging > staging > payload > payload > payload > c2 > c2","share_enabled":true,"share_views":1,"tags":[],"technique_ids":["IIM-T019","IIM-T020","IIM-T021","IIM-T024","IIM-T025"],"title":"UAC-0184: Pseudo PNG Passmark","updated_at":"2026-05-19T15:15:44.468178"}],"id":"UAC-0184","latest":"2026-05-19T15:15:44.468178","name":"MB-0005","top_roles":[["staging",8],["payload",3],["entry",2],["c2",2]],"top_techniques":[["IIM-T019",1],["IIM-T020",1],["IIM-T021",1],["IIM-T024",1],["IIM-T025",1]]}]}
