{
  "actor_id": "UAT-8302",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "redirector",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ]
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "redirector",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T010",
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e005",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T010",
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e006",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T010",
        "IIM-T011"
      ]
    }
  ],
  "chain_id": "iim.chain.apt.2026.05.006",
  "confidence": "confirmed",
  "description": "CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.",
  "entities": [
    {
      "evidence": [
        "Talos describes a legitimate executable plus DLL plus encrypted BIN staging arrangement"
      ],
      "id": "e001",
      "source": "Cisco Talos UAT-8302 report",
      "type": "file",
      "value": "CloudSorcerer v3 side-loaded DLL triad"
    },
    {
      "evidence": [
        "CloudSorcerer v3 contacts GitHub to obtain C2 information"
      ],
      "id": "e002",
      "source": "Cisco Talos UAT-8302 report",
      "type": "domain",
      "value": "github[.]com / public dead-drop resolver"
    },
    {
      "evidence": [
        "CloudSorcerer v3 contacts GameSpot to obtain C2 information"
      ],
      "id": "e003",
      "source": "Cisco Talos UAT-8302 report",
      "type": "domain",
      "value": "gamespot[.]com / public dead-drop resolver"
    },
    {
      "evidence": [
        "Network IOC: hxxps[://]www[.]drivelivelime[.]com, /x, /pw"
      ],
      "id": "e004",
      "source": "Cisco Talos IOC file",
      "type": "domain",
      "value": "www[.]drivelivelime[.]com"
    },
    {
      "evidence": [
        "Network IOC: hxxps[://]msiidentity[.]com and /pw"
      ],
      "id": "e005",
      "source": "Cisco Talos IOC file",
      "type": "domain",
      "value": "msiidentity[.]com"
    },
    {
      "evidence": [
        "Network IOC: trafficmanagerupdate[.]com/index.php"
      ],
      "id": "e006",
      "source": "Cisco Talos IOC file",
      "type": "url",
      "value": "hxxp[://]trafficmanagerupdate[.]com/index[.]php"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-05T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "references"
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 2,
      "to": "e003",
      "type": "references"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 3,
      "to": "e004",
      "type": "references"
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 4,
      "to": "e005",
      "type": "references"
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 5,
      "to": "e004",
      "type": "connect"
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 6,
      "to": "e005",
      "type": "connect"
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 7,
      "to": "e006",
      "type": "connect"
    }
  ],
  "title": "UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2",
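  "x_limitations": "Dead-drop service object IDs are not public; Talos documents the service class and publishes decoded C2 network IoCs, so the pairing of a specific dead-drop service with a specific C2 domain (e002 to e004, e003 to e005) cannot be re-verified from the dead-drop content itself.",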
  "x_report_published_month": "2026-05",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "Cisco Talos UAT-8302 report",
    "Cisco Talos IOC file"
  ],
  "x_source_urls": [
    "https://blog.talosintelligence.com/uat-8302/",
    "https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"
  ]
}