{
  "actor_id": "BlackToad",
  "attack_annotations": [
    {
      "comment": "Image-based phishing email links to an external MediaFire-hosted malware file.",
      "name": "Phishing: Spearphishing Link",
      "tactic": "initial-access",
      "technique_id": "T1566.002"
    },
    {
      "comment": "Victim execution of a .pdf.scr masqueraded SFX executable.",
      "name": "User Execution: Malicious File",
      "tactic": "execution",
      "technique_id": "T1204.002"
    },
    {
      "comment": "VBS NOP padding, pumped AutoIt script, substitution-hex encoded payload.",
      "name": "Obfuscated Files or Information",
      "tactic": "defense-evasion",
      "technique_id": "T1027"
    },
    {
      "comment": "flvs.vbe VBS loader stage.",
      "name": "Command and Scripting Interpreter: Visual Basic",
      "tactic": "execution",
      "technique_id": "T1059.005"
    },
    {
      "comment": "AutoIt script stage executed via renamed AutoIt3 interpreter.",
      "name": "Command and Scripting Interpreter",
      "tactic": "execution",
      "technique_id": "T1059"
    },
    {
      "comment": "INI configuration sets HKCU Run key WindowsUpdate and persistence directory %userprofile%\\sorq\\.",
      "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
      "tactic": "persistence",
      "technique_id": "T1547.001"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "review_notes": "The email is the social-engineering entry point; no IIM infrastructure technique is assigned because the technique taxonomy focuses on infrastructure behavior.",
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "review_notes": "MediaFire is a trusted third-party hosting service used for initial malware delivery; exact URL was not published.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006"
      ]
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "review_notes": "The delivered file is a WinRAR SFX self-extracting archive. Extension masquerading itself is endpoint/social-engineering context, not an IIM technique.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "review_notes": "VBS loader; retained as staging node because it bridges container extraction and AutoIt execution, but no infrastructure technique applies.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e005",
      "needs_review": false,
      "review_notes": "Renamed AutoIt3 interpreter used by the chain; no IIM infrastructure technique assigned.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e006",
      "needs_review": false,
      "review_notes": "Bloated AutoIt script used as crypter/loader; kept for chain readability.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e007",
      "needs_review": false,
      "review_notes": "INI-like local config that wires payload decoding and persistence; not a network infrastructure technique.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e008",
      "needs_review": false,
      "review_notes": "Encoded PE file decoded by the AutoIt script.",
      "role": "staging",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e009",
      "needs_review": false,
      "review_notes": "Decoded Remcos Pro payload; its decrypted config provides terminal C2 infrastructure.",
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e010",
      "needs_review": false,
      "review_notes": "No-IP Dynamic-DNS Remcos C2 hostname, one of three redundant domains.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T008",
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e011",
      "needs_review": false,
      "review_notes": "DuckDNS Dynamic-DNS Remcos C2 hostname, one of three redundant domains.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T008",
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e012",
      "needs_review": false,
      "review_notes": "ddnsfree Dynamic-DNS Remcos C2 hostname, one of three redundant domains.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T008",
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e013",
      "needs_review": false,
      "review_notes": "Current IPv4 terminal endpoint for the three C2 hostnames.",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e014",
      "needs_review": false,
      "review_notes": "Historical passive-DNS / campaign-pivot IP from the same rotation pattern, not the current configured C2 at report publication.",
      "role": "c2",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "techniques": [
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e015",
      "needs_review": false,
      "review_notes": "Historical passive-DNS / campaign-pivot IP from the same rotation pattern, not the current configured C2 at report publication.",
      "role": "c2",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "techniques": [
        "IIM-T011"
      ]
    },
    {
      "entity_id": "e016",
      "needs_review": false,
      "review_notes": "Historical Pfcloud bulletproof-hosting pivot connected by passive DNS and shared-hosting context in the report.",
      "role": "c2",
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "techniques": [
        "IIM-T003",
        "IIM-T011"
      ]
    }
  ],
  "chain_id": "jumpsec.2026.blacktoad-autoit-remcos-network-blackout",
  "confidence": "confirmed",
  "description": "IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.",
  "entities": [
    {
      "evidence": [
        "JUMPSEC states DART detected a phishing email targeting a client environment.",
        "The report says the email was written in Thai and used a financial payment-slip theme.",
        "JUMPSEC describes the lure as image-based, with the image itself containing a malicious link to an external file-hosting service."
      ],
      "id": "e001",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "email",
      "value": "Thai-language image-based financial payment-slip phishing email",
      "x_chain_stage": "initial_access_lure",
      "x_exact_recipient_not_published": true,
      "x_published_at": "2026-05-27",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
    },
    {
      "evidence": [
        "JUMPSEC states the phishing email contained a MediaFire download link.",
        "The report does not publish the exact MediaFire URL, so this entity represents the confirmed hosting class rather than an invented concrete URL.",
        "The external file-hosting service is the public download/staging layer before the .pdf.scr sample."
      ],
      "id": "e002",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "url",
      "value": "MediaFire-hosted malware download link (exact URL not published)",
      "x_exact_url_published": false,
      "x_infrastructure_class": "public_file_hosting",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_service": "MediaFire"
    },
    {
      "evidence": [
        "JUMPSEC identifies the original sample filename as SLIP0202E0309029.pdf.scr.",
        "JUMPSEC describes the file as using .pdf.scr double-extension masquerading where .scr remains executable.",
        "JUMPSEC says the binary is a WinRAR SFX self-extracting archive that extracts and executes embedded files.",
        "SHA-256: 83d7c4217cbf6eccca944f07b56ada85e51262a34b55e1c649eca0cf46b0db48."
      ],
      "id": "e003",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "SLIP0202E0309029.pdf.scr",
      "x_container_type": "WinRAR SFX",
      "x_masquerade_extension": ".pdf.scr",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_sha256": "83d7c4217cbf6eccca944f07b56ada85e51262a34b55e1c649eca0cf46b0db48"
    },
    {
      "evidence": [
        "JUMPSEC states the WinRAR SFX binary loads the flvs.vbe script.",
        "The report identifies flvs.vbe as a VBS loader whose useful code collapses to roughly forty lines after NOP-like obfuscation is removed.",
        "JUMPSEC states the loader builds cmd.exe character-by-character and uses XCoX.Run to execute the next stage.",
        "SHA-256: ad18efbb84ef7a0cc68c7bc60f4cc3582ecdea1742699c7c2337222250c7b098."
      ],
      "id": "e004",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "flvs.vbe",
      "x_execution_context": "cmd.exe via XCoX.Run",
      "x_loader_type": "VBS loader",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_sha256": "ad18efbb84ef7a0cc68c7bc60f4cc3582ecdea1742699c7c2337222250c7b098"
    },
    {
      "evidence": [
        "JUMPSEC states xbkjm.xls is the AutoIt3 interpreter renamed to a .xls extension.",
        "The report says the SHA-256 hash matches the legitimate AutoIt3 interpreter.",
        "The renamed interpreter is used to execute the AutoIt script stage.",
        "SHA-256: 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b."
      ],
      "id": "e005",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "xbkjm.xls (renamed AutoIt3.exe interpreter)",
      "x_legitimate_tool_reuse": true,
      "x_original_tool": "AutoIt3.exe",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_sha256": "98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b"
    },
    {
      "evidence": [
        "JUMPSEC identifies wnkfmvql.das as the actual AutoIt script that runs.",
        "The report says the file is heavily pumped to 88 MB and can be reduced to about 65 KB of real code by removing block-comment padding.",
        "The script performs AV and sandbox checks, reads the oquhestmf.mp3 configuration, and decodes the embedded payload file.",
        "SHA-256: b8bed1ec1854116c3f399468b622ef8cf317ec9ca70eb6d42f030f4b3cbd3495."
      ],
      "id": "e006",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "wnkfmvql.das",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_reported_size": "88 MB bloated / approximately 65 KB cleaned",
      "x_script_type": "AutoIt",
      "x_sha256": "b8bed1ec1854116c3f399468b622ef8cf317ec9ca70eb6d42f030f4b3cbd3495"
    },
    {
      "evidence": [
        "JUMPSEC states oquhestmf.mp3 is the script configuration file despite its .mp3 extension.",
        "The report says AutoIt IniRead parses the file and a buried INI section wires the chain together.",
        "JUMPSEC states RP points to diniuvw.ikp, stpths points to %userprofile%, Dir3ctory is sorq, and Key is WindowsUpdate.",
        "SHA-256: fb47b92e98576d728cb30a887ecc7531ff444833a748aef4d5f821327059baab."
      ],
      "id": "e007",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "oquhestmf.mp3",
      "x_config_section": "[S3tt!ng]",
      "x_persistence_directory": "%userprofile%\\sorq\\",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_run_key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
      "x_sha256": "fb47b92e98576d728cb30a887ecc7531ff444833a748aef4d5f821327059baab"
    },
    {
      "evidence": [
        "JUMPSEC identifies diniuvw.ikp as the file referenced by RP in the AutoIt configuration.",
        "The report states diniuvw.ikp contains invalid-looking hex that is repaired through string replacement in the AutoIt MainPE function.",
        "JUMPSEC says decoding this file produces a native PE payload.",
        "SHA-256: dd9fd02e79468e68e9d4bba0ba71194d9bb0ccc33d2aac612e6e2f59dbfc5529."
      ],
      "id": "e008",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "diniuvw.ikp",
      "x_decoded_by": "AutoIt MainPE function",
      "x_encoding": "substitution-hex encoded PE",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_sha256": "dd9fd02e79468e68e9d4bba0ba71194d9bb0ccc33d2aac612e6e2f59dbfc5529"
    },
    {
      "evidence": [
        "JUMPSEC states the decoded binary is a 509 KB native file and identifies it as Remcos Pro from strings and config analysis.",
        "The report says the Remcos configuration is stored in the resources section and decrypted using RC4 with a fixed key from the SETTINGS resource.",
        "JUMPSEC states the decrypted config shows the C2 domains, mutex, and Remcos references.",
        "SHA-256: 67d29c06ecb9d1a359723a5c97d6f0c826b53536520e17011c1ec93c8a2919b1."
      ],
      "id": "e009",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "file",
      "value": "payload.bin / decoded Remcos Pro implant",
      "x_bot_group": "selfish",
      "x_config_separator": "|\\x1e\\x1e\\x1f|",
      "x_family": "Remcos Pro",
      "x_license_hash": "2F75D72508E3FD4D49F8C91EF10CFBF9",
      "x_mutex": "Rmc-QDZ9C5",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_sha256": "67d29c06ecb9d1a359723a5c97d6f0c826b53536520e17011c1ec93c8a2919b1"
    },
    {
      "evidence": [
        "JUMPSEC lists pmitm.ddns.net as one of three C2 domains in the decrypted Remcos configuration.",
        "The report identifies No-IP as the provider and port 50240 as the shared C2 port.",
        "JUMPSEC states all three C2 domains resolve to the same IPv4 address as a redundancy measure."
      ],
      "id": "e010",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "domain",
      "value": "pmitm.ddns.net",
      "x_c2_protocol": "Remcos TLS C2",
      "x_port": 50240,
      "x_provider": "No-IP",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
    },
    {
      "evidence": [
        "JUMPSEC lists lordtoad.duckdns.org as one of three C2 domains in the decrypted Remcos configuration.",
        "The report identifies DuckDNS as the provider and port 50240 as the shared C2 port.",
        "JUMPSEC states all three C2 domains resolve to the same IPv4 address as a redundancy measure."
      ],
      "id": "e011",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "domain",
      "value": "lordtoad.duckdns.org",
      "x_c2_protocol": "Remcos TLS C2",
      "x_port": 50240,
      "x_provider": "DuckDNS",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
    },
    {
      "evidence": [
        "JUMPSEC lists toadshit.ddnsfree.com as one of three C2 domains in the decrypted Remcos configuration.",
        "The report identifies ddnsfree as the provider and port 50240 as the shared C2 port.",
        "JUMPSEC states all three C2 domains resolve to the same IPv4 address and also lists an IPv6 address for this domain."
      ],
      "id": "e012",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "domain",
      "value": "toadshit.ddnsfree.com",
      "x_c2_protocol": "Remcos TLS C2",
      "x_ipv6": "2605:59c0:e1b:cf10:c521:bb11:8e72:ea02",
      "x_port": 50240,
      "x_provider": "ddnsfree",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
    },
    {
      "evidence": [
        "JUMPSEC lists 197.210.55.170 as the current IPv4 address for all three C2 domains.",
        "The report says the IP belongs to AS29465, MTN Nigeria Communication Limited, with rough geolocation in Onitsha, Anambra State, Nigeria.",
        "JUMPSEC assesses the actor is likely running the C2 behind their own mobile internet connection with port forwarding."
      ],
      "id": "e013",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "ip",
      "value": "197.210.55.170",
      "x_asn": "AS29465",
      "x_asn_name": "MTN Nigeria Communication Limited",
      "x_location_rough": "Onitsha, Anambra State, Nigeria",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_role_context": "current shared C2 IPv4 for all three Dynamic-DNS hostnames"
    },
    {
      "evidence": [
        "JUMPSEC states VirusTotal passive DNS confirms the infrastructure rotated across MTN Nigeria IP pool while remaining in the same rough geographic area.",
        "The report lists 102.90.43.109 on 2026-05-11 as AS29465 MTN Nigeria in Onitsha, Anambra.",
        "JUMPSEC includes a VirusTotal relations figure tying this 102.* IP to the campaign."
      ],
      "id": "e014",
      "observed_at": "2026-05-11T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "ip",
      "value": "102.90.43.109",
      "x_asn": "AS29465",
      "x_asn_name": "MTN Nigeria",
      "x_location_rough": "Onitsha, Anambra State, Nigeria",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_temporal_role": "historical passive DNS resolution / campaign pivot"
    },
    {
      "evidence": [
        "JUMPSEC lists 105.112.100.79 on 2026-05-08 as AS36873 Airtel Nigeria, Abuja, FCT, in the passive-DNS rotation table.",
        "The report presents this as part of infrastructure rotation connected to the C2 domains."
      ],
      "id": "e015",
      "observed_at": "2026-05-08T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "ip",
      "value": "105.112.100.79",
      "x_asn": "AS36873",
      "x_asn_name": "Airtel Nigeria",
      "x_location_rough": "Abuja, FCT, Nigeria",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_temporal_role": "historical passive DNS resolution / campaign pivot"
    },
    {
      "evidence": [
        "JUMPSEC lists 45.156.87.226 on 2026-05-08 as AS51396 Pfcloud UG in Hopel, Netherlands, in the passive-DNS rotation table.",
        "The report states this Pfcloud hosting IP resolved to the operator domains in early May and was shared with crazydns.bumbleshrimp.com.",
        "JUMPSEC describes Pfcloud as bulletproof hosting in the context of the operator infrastructure."
      ],
      "id": "e016",
      "observed_at": "2026-05-08T00:00:00Z",
      "source": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload (2026-05-27)",
      "type": "ip",
      "value": "45.156.87.226",
      "x_asn": "AS51396",
      "x_asn_name": "Pfcloud UG",
      "x_location_rough": "Hopel, Netherlands",
      "x_reference_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
      "x_temporal_role": "historical passive DNS resolution / bulletproof hosting pivot"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-27T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 1,
      "to": "e002",
      "type": "references",
      "x_evidence": [
        "JUMPSEC states the Thai phishing email contained a MediaFire download link embedded in the image-based lure.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 2,
      "to": "e003",
      "type": "download",
      "x_evidence": [
        "The MediaFire link led to the downloaded malware sample; JUMPSEC names the original sample SLIP0202E0309029.pdf.scr.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 3,
      "to": "e004",
      "type": "drops",
      "x_evidence": [
        "JUMPSEC states the WinRAR SFX executable contains embedded scripts/executables and loads flvs.vbe.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 4,
      "to": "e004",
      "type": "execute",
      "x_evidence": [
        "JUMPSEC states the WinRAR SFX binary loads the flvs.vbe script.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e004",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 5,
      "to": "e005",
      "type": "execute",
      "x_evidence": [
        "JUMPSEC states xbkjm.xls is the renamed AutoIt3 interpreter and is one of the two files executed by the VBS stage.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e004",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 6,
      "to": "e006",
      "type": "execute",
      "x_evidence": [
        "JUMPSEC states XCoX.Run executes the .das file with cmd.exe and later describes wnkfmvql.das as the actual AutoIt script that runs.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e006",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 7,
      "to": "e007",
      "type": "references",
      "x_evidence": [
        "JUMPSEC says the cleaned AutoIt script uses several IniRead calls against oquhestmf.mp3 as its configuration file.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e007",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 8,
      "to": "e008",
      "type": "references",
      "x_evidence": [
        "JUMPSEC states the RP setting in the INI-like config points to diniuvw.ikp.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e006",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 9,
      "to": "e008",
      "type": "execute",
      "x_evidence": [
        "JUMPSEC shows that the AutoIt MainPE function repairs/decodes the invalid-looking hex stored in diniuvw.ikp.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e008",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 10,
      "to": "e009",
      "type": "drops",
      "x_evidence": [
        "JUMPSEC states decoding diniuvw.ikp produces a native PE file identified as the Remcos Pro implant.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 11,
      "to": "e010",
      "type": "connect",
      "x_evidence": [
        "JUMPSEC states the decrypted Remcos config clearly shows pmitm.ddns.net as a C2 domain using port 50240.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 12,
      "to": "e011",
      "type": "connect",
      "x_evidence": [
        "JUMPSEC states the decrypted Remcos config clearly shows lordtoad.duckdns.org as a C2 domain using port 50240.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 13,
      "to": "e012",
      "type": "connect",
      "x_evidence": [
        "JUMPSEC states the decrypted Remcos config clearly shows toadshit.ddnsfree.com as a C2 domain using port 50240.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e010",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 14,
      "to": "e013",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC states all three C2 domains resolve to 197.210.55.170 at report time.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e011",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 15,
      "to": "e013",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC states all three C2 domains resolve to 197.210.55.170 at report time.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "confirmed",
      "from": "e012",
      "observed_at": "2026-05-27T00:00:00Z",
      "sequence_order": 16,
      "to": "e013",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC states all three C2 domains resolve to 197.210.55.170 at report time and lists an IPv6 value for toadshit.ddnsfree.com.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e010",
      "observed_at": "2026-05-11T00:00:00Z",
      "sequence_order": 17,
      "to": "e014",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC lists 102.90.43.109 in the passive-DNS rotation table and says VirusTotal relations connect it to the campaign. The exact domain-to-IP edge is represented as likely because the article summarizes the rotation table rather than publishing raw DNS records per domain.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e011",
      "observed_at": "2026-05-11T00:00:00Z",
      "sequence_order": 18,
      "to": "e014",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC lists 102.90.43.109 in the passive-DNS rotation table and says VirusTotal relations connect it to the campaign. The exact domain-to-IP edge is represented as likely because the article summarizes the rotation table rather than publishing raw DNS records per domain.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e012",
      "observed_at": "2026-05-11T00:00:00Z",
      "sequence_order": 19,
      "to": "e014",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC lists 102.90.43.109 in the passive-DNS rotation table and says VirusTotal relations connect it to the campaign. The exact domain-to-IP edge is represented as likely because the article summarizes the rotation table rather than publishing raw DNS records per domain.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e010",
      "observed_at": "2026-05-08T00:00:00Z",
      "sequence_order": 20,
      "to": "e015",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC lists 105.112.100.79 in the passive-DNS rotation table as part of the infrastructure rotation. Exact raw DNS edge per hostname is not reproduced in the public text, so confidence is likely.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e011",
      "observed_at": "2026-05-08T00:00:00Z",
      "sequence_order": 21,
      "to": "e015",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC lists 105.112.100.79 in the passive-DNS rotation table as part of the infrastructure rotation. Exact raw DNS edge per hostname is not reproduced in the public text, so confidence is likely.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e012",
      "observed_at": "2026-05-08T00:00:00Z",
      "sequence_order": 22,
      "to": "e015",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC lists 105.112.100.79 in the passive-DNS rotation table as part of the infrastructure rotation. Exact raw DNS edge per hostname is not reproduced in the public text, so confidence is likely.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e010",
      "observed_at": "2026-05-08T00:00:00Z",
      "sequence_order": 23,
      "to": "e016",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC states the Pfcloud hosting IP 45.156.87.226 resolved to the operator domains in early May and was shared with crazydns.bumbleshrimp.com. Exact raw DNS edge per hostname is not reproduced in the public text, so confidence is likely.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e011",
      "observed_at": "2026-05-08T00:00:00Z",
      "sequence_order": 24,
      "to": "e016",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC states the Pfcloud hosting IP 45.156.87.226 resolved to the operator domains in early May and was shared with crazydns.bumbleshrimp.com. Exact raw DNS edge per hostname is not reproduced in the public text, so confidence is likely.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    },
    {
      "confidence": "likely",
      "from": "e012",
      "observed_at": "2026-05-08T00:00:00Z",
      "sequence_order": 25,
      "to": "e016",
      "type": "resolves-to",
      "x_evidence": [
        "JUMPSEC states the Pfcloud hosting IP 45.156.87.226 resolved to the operator domains in early May and was shared with crazydns.bumbleshrimp.com. Exact raw DNS edge per hostname is not reproduced in the public text, so confidence is likely.",
        "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
      ]
    }
  ],
  "title": "BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain",
  "x_limitations": [
    "The exact MediaFire download URL was not published by JUMPSEC and is not invented here.",
    "The exact victim organization and recipient details were not published and are not modeled.",
    "Historical passive-DNS edges to 102.90.43.109, 105.112.100.79, and 45.156.87.226 are marked likely because the public report summarizes the rotation table and VirusTotal relations rather than publishing raw per-domain DNS observations.",
    "TLS certificate fingerprints are preserved as evidence/context in source verification, but are not modeled as first-class relation nodes because the report describes embedded Remcos TLS materials rather than distinct infrastructure hops."
  ],
  "x_publication_context": {
    "cluster_name": "BlackToad",
    "initial_lure_language": "Thai",
    "modeling_note": "Network blackout is documented as behavior/evidence, not as IIM infrastructure, because it happens on the victim host.",
    "notable_behavior": "VBS loader brackets AutoIt execution between ipconfig /release and ipconfig /renew to create a short network-observation blind spot.",
    "payload_family": "Remcos Pro",
    "targeting_context": "client environment; financial payment-slip lure"
  },
  "x_related_samples": [
    {
      "context": "Related sample communicating with the same infrastructure according to JUMPSEC.",
      "filename": "IMG00090878900.pdf.scr",
      "sha256": "5f93c41109a00c74366c5e8e698dfb669bad2bfa56db1de95504b337169ff4aa",
      "submitted": "2026-05-07"
    },
    {
      "context": "Related sample communicating with the same infrastructure according to JUMPSEC.",
      "filename": "slip002030002002.JPG.scr",
      "sha256": "dd902a4d8e688b0208a406701dbd92f31d3db306b0c0706f799757783f09dbe7",
      "submitted": "2026-05-07"
    }
  ],
  "x_source_title": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload",
  "x_source_url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/",
  "x_source": {
    "accessed_at": "2026-05-28T16:09:48Z",
    "author": "Jack Lewis",
    "published_at": "2026-05-27",
    "publisher": "JUMPSEC",
    "source_type": "original vendor research report",
    "title": "JUMPSEC: BlackToad: Network Manipulation in an AutoIt Payload",
    "url": "https://www.jumpsec.com/guides/blacktoad-network-manipulation-in-an-autoit-payload/"
  },
  "x_tls_certificate_fingerprints": [
    {
      "type": "server_cert_sha256",
      "value": "968acff969fa24a9e9118595684e23b8f2af070bbdc4b06f42a349ecf4de89e4"
    },
    {
      "type": "alternative_cert_sha256",
      "value": "881c16c2867fb5080aa48ffb6cad1abb78d441f2760915b0c1545b73de97e2bd"
    }
  ]
}