{
  "actor_id": "UAC-0057",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T010",
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T010"
      ]
    }
  ],
  "chain_id": "iim.chain.apt.2026.05.003",
  "confidence": "confirmed",
  "description": "FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.",
  "entities": [
    {
      "evidence": [
        "SHA1 6FDED427A16D5314BA3E1EB9AFD120DC84449769; Cobalt Strike dropper-related JS"
      ],
      "id": "e001",
      "source": "ESET FrostyNeighbor IOC repo",
      "type": "file",
      "value": "EdgeTaskMachine.js"
    },
    {
      "evidence": [
        "SHA1 27FA11F6A1D653779974B6FB54DE4AF47F211232; Cobalt Strike Beacon"
      ],
      "id": "e002",
      "source": "ESET FrostyNeighbor IOC repo",
      "type": "file",
      "value": "EdgeSystemConfig.dll"
    },
    {
      "evidence": [
        "Listed by ESET as Cobalt Strike C&C; first seen 2026-04-16"
      ],
      "id": "e003",
      "observed_at": "2026-04-16T00:00:00Z",
      "source": "ESET FrostyNeighbor IOC repo",
      "type": "domain",
      "value": "best-seller.lavanille[.]buzz"
    },
    {
      "evidence": [
        "Parent Cobalt Strike C&C domain"
      ],
      "id": "e004",
      "source": "ESET FrostyNeighbor IOC repo",
      "type": "domain",
      "value": "lavanille[.]buzz"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-04-16T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "drops"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 2,
      "to": "e003",
      "type": "connect"
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 3,
      "to": "e004",
      "type": "references"
    }
  ],
  "title": "FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz",
  "x_limitations": "This chain models a confirmed Cobalt Strike infrastructure lane from ESET IoCs. The public IoC list does not expose every intermediate victim-side execution step.",
  "x_report_published_month": "2026-05",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "FrostyNeighbor: Fresh mischief and digital shenanigans",
    "ESET malware-ioc FrostyNeighbor README"
  ],
  "x_source_urls": [
    "https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/",
    "https://github.com/eset/malware-ioc/tree/master/frostyneighbor"
  ]
}