{
  "iim_version": "1.1",
  "chain_id": "securelist.2026.pirated-content-silentcryptominer-rat",
  "title": "Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure",
  "description": "IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.",
  "actor_id": "unknown",
  "observed_at": "2026-04-30T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "domain",
      "value": "pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the malware was distributed via illegal movie and TV show streaming sites and that the infection risk was associated with two pirated video sites in the .ru and .top TLDs.",
        "Kaspersky also states the broader campaign uses both online digital libraries and movie/TV streaming sites.",
        "The exact victim-facing site domains are not published, so this entity intentionally represents the confirmed infrastructure class rather than invented domains."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_exact_domains_published": false,
      "x_infrastructure_class": "pirated_content_distribution"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "fake video player plugin update prompt on pirated content site (exact URL not published)",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky describes a fake video player plugin update shown when a user attempted to watch a video.",
        "Clicking the update link downloaded a ZIP archive.",
        "No exact URL for the fake prompt is published."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_exact_url_published": false,
      "x_lure_type": "fake_player_plugin_update"
    },
    {
      "id": "e003",
      "type": "domain",
      "value": "urush1bar4.online",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky states that the current delivery mechanism used a new website, urush1bar4[.]online, after the previous file[.]ipfs[.]us[.]69[.]mu domain was unavailable.",
        "Kaspersky lists urush1bar4[.]online in the IOC section as the malicious archive download URL."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_defanged": "urush1bar4[.]online",
      "x_ioc_role": "malicious_archive_download_url"
    },
    {
      "id": "e004",
      "type": "file",
      "value": "ZIP archive containing HLS Installer.874.exe and malicious DLL",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says clicking the fake update link downloaded a ZIP archive.",
        "The current downloadable malware version is described as a ZIP archive containing a legitimate EXE file and a malicious DLL.",
        "The archive structure is preserved from previous campaign activity: legitimate executable plus large malicious DLL."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_container_type": "ZIP",
      "x_exact_archive_filename_published": false
    },
    {
      "id": "e005",
      "type": "file",
      "value": "HLS Installer.874.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky identifies HLS Installer.874.exe as the legitimate executable inside the ZIP archive.",
        "Launching the EXE triggers DLL side-loading and executes malicious code through the loaded library.",
        "The executable is modeled as a staging/execution carrier rather than the malicious payload itself."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_legitimate_executable": true,
      "x_execution_carrier": true
    },
    {
      "id": "e006",
      "type": "file",
      "value": "malicious DLL side-loaded by HLS Installer.874.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky states the ZIP contains a malicious DLL alongside HLS Installer.874.exe.",
        "Launching the executable triggers a DLL side-loading mechanism and injects the malicious module into a legitimate process context.",
        "Kaspersky lists three malicious DLL library hashes: 6A0FE6065D76715FEEBC1526D456DB73, 7F624407AE489324E96A708A09C17E6F, and 02A43B3423367B9DDDC24CC7DFC070DF."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5",
      "x_hashes": [
        "6A0FE6065D76715FEEBC1526D456DB73",
        "7F624407AE489324E96A708A09C17E6F",
        "02A43B3423367B9DDDC24CC7DFC070DF"
      ]
    },
    {
      "id": "e007",
      "type": "hash",
      "value": "6A0FE6065D76715FEEBC1526D456DB73",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky IOC: malicious DLL library hash 6A0FE6065D76715FEEBC1526D456DB73."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5"
    },
    {
      "id": "e008",
      "type": "hash",
      "value": "7F624407AE489324E96A708A09C17E6F",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky IOC: malicious DLL library hash 7F624407AE489324E96A708A09C17E6F."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5"
    },
    {
      "id": "e009",
      "type": "hash",
      "value": "02A43B3423367B9DDDC24CC7DFC070DF",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky IOC: malicious DLL library hash 02A43B3423367B9DDDC24CC7DFC070DF."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5"
    },
    {
      "id": "e010",
      "type": "file",
      "value": "decrypted main module / modified SilentCryptoMiner fork",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the malicious DLL triggers a stack overflow that constructs a ROP chain and decrypts the next stage.",
        "Kaspersky refers to the decrypted PE file as the main module.",
        "The main module is described as a modified fork of the SilentCryptoMiner project."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_malware_family": "modified SilentCryptoMiner fork"
    },
    {
      "id": "e011",
      "type": "file",
      "value": "RAT agent module injected into conhost.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the main module reflectively loads four implants and injects the RAT agent into conhost.exe.",
        "The RAT agent provides remote control capabilities through commands for arbitrary command execution, reflective PE execution, shellcode execution, and exit.",
        "The RAT agent receives commands from date-derived C2 addresses."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "RAT agent"
    },
    {
      "id": "e012",
      "type": "file",
      "value": "watchdog module injected into explorer.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the watchdog is injected into explorer.exe.",
        "The watchdog preserves encrypted copies of installed files in memory and checks the GoogleUpdateTaskMachineQC service every five seconds.",
        "This is host-side resilience context, not a separate infrastructure node."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "watchdog"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "CPU miner module based on XMRig",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the CPU miner is based on XMRig.",
        "The miner attempts to retrieve startup configuration from a remote server before launch.",
        "Configuration is passed as an encrypted base64 command-line parameter to the miner launched inside explorer.exe through process hollowing."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "CPU miner",
      "x_malware_family": "XMRig-based"
    },
    {
      "id": "e014",
      "type": "file",
      "value": "GPU miner module",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the GPU miner is launched only if a discrete GPU is present.",
        "The GPU miner supports multiple algorithms and retrieves startup configuration from the same weekly generated configuration retrieval infrastructure.",
        "It is injected into explorer.exe when the discrete-GPU condition is met."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "GPU miner"
    },
    {
      "id": "e015",
      "type": "domain",
      "value": "5d14vnfb.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists 5d14vnfb[.]space as a registered RAT C&C domain for 2025 April-July.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2025 April-July",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e016",
      "type": "domain",
      "value": "r7mvjl67.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists r7mvjl67[.]space as a registered RAT C&C domain for 2025 August-November.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2025 August-November",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e017",
      "type": "domain",
      "value": "zgj1tam9.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists zgj1tam9[.]space as a registered RAT C&C domain for 2025 December.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2025 December",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e018",
      "type": "domain",
      "value": "jeaw520i.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists jeaw520i[.]space as a registered RAT C&C domain for 2026 January-March.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2026 January-March",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e019",
      "type": "domain",
      "value": "qdmagva5.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists qdmagva5[.]space as a registered RAT C&C domain for 2026 April-July.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2026 April-July",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e020",
      "type": "domain",
      "value": "{domain}.strangled.net",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.strangled.net as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e021",
      "type": "domain",
      "value": "{domain}.ignorelist.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.ignorelist.com as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e022",
      "type": "domain",
      "value": "{domain}.ftp.sh",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.ftp.sh as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e023",
      "type": "domain",
      "value": "{domain}.zanity.net",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.zanity.net as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e024",
      "type": "ip",
      "value": "107.172.212.235",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists 107[.]172[.]212[.]235 as the configuration retrieval address.",
        "Kaspersky states all generated miner configuration retrieval domains point to this IP address.",
        "This IP is modeled as terminal C2/config infrastructure for miner startup configuration retrieval."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_ioc_role": "configuration_retrieval_address"
    },
    {
      "id": "e025",
      "type": "domain",
      "value": "m4yuri.online",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists m4yuri[.]online as a UnamWebPanel control panel address.",
        "The report lists the domain as an IOC but does not explicitly state direct victim-to-panel traffic.",
        "This entity is therefore included as operator/control infrastructure with cautious relation confidence."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_ioc_role": "UnamWebPanel control panel"
    },
    {
      "id": "e026",
      "type": "domain",
      "value": "kristina.quest",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists kristina[.]quest as a UnamWebPanel control panel address.",
        "The report lists the domain as an IOC but does not explicitly state direct victim-to-panel traffic.",
        "This entity is therefore included as operator/control infrastructure with cautious relation confidence."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_ioc_role": "UnamWebPanel control panel"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Confirmed delivery class; exact victim-facing domains not published."
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Confirmed fake update prompt; exact URL not published."
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T010"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Confirmed archive download host; disposable/single-campaign role inferred from replacement of previous delivery domain."
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e012",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e013",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e014",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e016",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e018",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e019",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e020",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e021",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e022",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e023",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e024",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e025",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Control-panel IOC; not asserted as direct victim-to-panel C2."
    },
    {
      "entity_id": "e026",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Control-panel IOC; not asserted as direct victim-to-panel C2."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Pirated content sites display the fake video player plugin update prompt."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Clicking the fake update link downloads the ZIP archive; Kaspersky names urush1bar4.online as the current malicious archive download host."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "urush1bar4.online is listed as the malicious archive download URL."
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "drops",
      "sequence_order": 4,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The ZIP archive contains HLS Installer.874.exe."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "drops",
      "sequence_order": 5,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The ZIP archive contains a malicious DLL alongside the legitimate executable."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL library hash 6A0FE6065D76715FEEBC1526D456DB73 is published by Kaspersky."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "references",
      "sequence_order": 7,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL library hash 7F624407AE489324E96A708A09C17E6F is published by Kaspersky."
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "references",
      "sequence_order": 8,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL library hash 02A43B3423367B9DDDC24CC7DFC070DF is published by Kaspersky."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "execute",
      "sequence_order": 9,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Launching HLS Installer.874.exe triggers DLL side-loading of the malicious library."
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "execute",
      "sequence_order": 10,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL constructs a ROP chain, decrypts the next stage, and transfers execution to the decrypted PE main module."
      ]
    },
    {
      "from": "e010",
      "to": "e011",
      "type": "drops",
      "sequence_order": 11,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the RAT agent into conhost.exe."
      ]
    },
    {
      "from": "e010",
      "to": "e012",
      "type": "drops",
      "sequence_order": 12,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the watchdog into explorer.exe."
      ]
    },
    {
      "from": "e010",
      "to": "e013",
      "type": "drops",
      "sequence_order": 13,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the CPU miner into explorer.exe."
      ]
    },
    {
      "from": "e010",
      "to": "e014",
      "type": "drops",
      "sequence_order": 14,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the GPU miner into explorer.exe when a discrete GPU is present."
      ]
    },
    {
      "from": "e011",
      "to": "e015",
      "type": "connect",
      "sequence_order": 15,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e016",
      "type": "connect",
      "sequence_order": 16,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e017",
      "type": "connect",
      "sequence_order": 17,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e018",
      "type": "connect",
      "sequence_order": 18,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e019",
      "type": "connect",
      "sequence_order": 19,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e013",
      "to": "e020",
      "type": "connect",
      "sequence_order": 20,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e020",
      "type": "connect",
      "sequence_order": 21,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e020",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 22,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e013",
      "to": "e021",
      "type": "connect",
      "sequence_order": 23,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e021",
      "type": "connect",
      "sequence_order": 24,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e021",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 25,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e013",
      "to": "e022",
      "type": "connect",
      "sequence_order": 26,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e022",
      "type": "connect",
      "sequence_order": 27,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e022",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 28,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e013",
      "to": "e023",
      "type": "connect",
      "sequence_order": 29,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e023",
      "type": "connect",
      "sequence_order": 30,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e023",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 31,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e011",
      "to": "e025",
      "type": "communicates-with",
      "sequence_order": 32,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "m4yuri.online is listed as a UnamWebPanel control panel address; direct victim-to-panel traffic is not explicitly asserted in the public report, so this is a cautious operator-infrastructure association."
      ]
    },
    {
      "from": "e011",
      "to": "e026",
      "type": "communicates-with",
      "sequence_order": 33,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "kristina.quest is listed as a UnamWebPanel control panel address; direct victim-to-panel traffic is not explicitly asserted in the public report, so this is a cautious operator-infrastructure association."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1189",
      "name": "Drive-by Compromise",
      "tactic": "Initial Access",
      "comment": "User reaches malicious delivery through popular pirated content sites and a fake update flow."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "Victim executes the downloaded archive contents / installer."
    },
    {
      "technique_id": "T1574.002",
      "name": "Hijack Execution Flow: DLL Side-Loading",
      "tactic": "Persistence/Privilege Escalation/Defense Evasion",
      "comment": "Legitimate executable loads malicious DLL."
    },
    {
      "technique_id": "T1071.004",
      "name": "Application Layer Protocol: DNS",
      "tactic": "Command and Control",
      "comment": "Main module performs a large crafted DNS query as a pre-execution permission check."
    },
    {
      "technique_id": "T1496",
      "name": "Resource Hijacking",
      "tactic": "Impact",
      "comment": "CPU/GPU miners are launched after configuration retrieval."
    }
  ],
  "x_source_links": [
    "https://securelist.com/video-books-pirates-miners-rat/119943/"
  ],
  "x_source_title": "Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years",
  "x_source_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
  "x_published_at": "2026-05-28",
  "x_modeling_notes": [
    "The two pirated video sites are not named by Kaspersky; no concrete .ru or .top domains are invented.",
    "urush1bar4.online is modeled as the confirmed malicious archive download host from the IOC section.",
    "The RAT C2 domain-generation logic is modeled as IIM-T009 plus IIM-T011 because Kaspersky describes current-date based host generation and a registered sequence over time.",
    "The UnamWebPanel addresses are included as operator/control infrastructure IOCs. Direct victim-to-panel communication is not asserted beyond a tentative relation from the RAT-agent infrastructure layer.",
    "Host-internal behaviors are captured in evidence, not as IIM techniques, to respect the IIM boundary between infrastructure and endpoint behavior."
  ]
}