{
  "actor_id": "UAT-8302",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    }
  ],
  "chain_id": "iim.chain.apt.2026.05.005",
  "confidence": "confirmed",
  "description": "Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.",
  "entities": [
    {
      "evidence": [
        "Talos describes side-loading as the deployment method for several UAT-8302 tools"
      ],
      "id": "e001",
      "source": "Cisco Talos UAT-8302 report",
      "type": "file",
      "value": "benign executable used for DLL side-loading"
    },
    {
      "evidence": [
        "SHA256 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca; Ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b; 51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2"
      ],
      "id": "e002",
      "source": "Cisco Talos UAT-8302 report and IOC repo",
      "type": "file",
      "value": "NetDraft / FringePorch backdoor"
    },
    {
      "evidence": [
        "NetDraft uses Microsoft Graph / OneDrive for C2"
      ],
      "id": "e003",
      "source": "Cisco Talos UAT-8302 report",
      "type": "domain",
      "value": "graph.microsoft.com / Microsoft Graph API"
    },
    {
      "evidence": [
        "Cloud storage C2 channel described by Talos"
      ],
      "id": "e004",
      "source": "Cisco Talos UAT-8302 report",
      "type": "domain",
      "value": "onedrive.live.com / OneDrive-backed C2 storage"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-05T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "execute"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 2,
      "to": "e003",
      "type": "communicates-with"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 3,
      "to": "e004",
      "type": "communicates-with"
    }
  ],
  "title": "UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2",
  "x_limitations": "The exact OneDrive tenant/object path is not public in the report; the C2 service relation is explicitly documented.",
  "x_report_published_month": "2026-05",
  "x_scope_note": "Talos report was published in May 2026 and covers government targeting in southeastern Europe among other regions.",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "Cisco Talos UAT-8302 report",
    "Cisco Talos IOC file"
  ],
  "x_source_urls": [
    "https://blog.talosintelligence.com/uat-8302/",
    "https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"
  ]
}