{"chain_count":17,"chains":[{"actor_aliases":[],"actor_id":"Glassworm","actor_name":"Glassworm","chain_id":"glassworm.2026.developer-supply-chain.multi-resolver-c2","confidence":"confirmed","created_at":"2026-05-27T13:03:13.394650","description":"IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"file","value":"Trojanized VS Code / OpenVSX extension package"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"file","value":"Compromised npm package with postinstall hook"},{"entity_id":"e003","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"file","value":"Compromised Python package with setup script"},{"entity_id":"e004","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"url","value":"github://poisoned-default-branches/more-than-300-repositories"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Glassworm downloader / installer stage"},{"entity_id":"e006","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"GlasswormRAT Node.js remote access tool"},{"entity_id":"e007","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T013"],"type":"url","value":"solana://transaction-memo/c2-server-addresses"},{"entity_id":"e008","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T013"],"type":"url","value":"bittorrent-dht://hardcoded-public-keys/configuration-data"},{"entity_id":"e009","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"google-calendar://event-title/base64-encoded-c2-paths"},{"entity_id":"e010","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002"],"type":"domain","value":"commercial VPS-hosted direct C2 infrastructure (exact addresses not published)"},{"entity_id":"e011","needs_review":true,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"164.92.88.210"}],"entity_count":11,"id":18,"iim_version":"1.1","name":"Glassworm developer supply-chain infection to redundant multi-resolver C2","needs_review":true,"observed_at":"2026-05-26T14:00:00Z","pattern_id":null,"pattern_name":null,"position_count":11,"published_at":"2026-05-27T13:04:07.027015","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/glassworm.2026.developer-supply-chain.multi-resolver-c2/raw","relation_count":13,"role_list":["entry","entry","entry","entry","staging","payload","redirector","redirector","redirector","c2","c2"],"role_sequence":"entry > entry > entry > entry > staging > payload > redirector > redirector > redirector > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T013"],"title":"Glassworm developer supply-chain infection to redundant multi-resolver C2","updated_at":"2026-05-27T13:04:07.027212","url":"https://feeds.iim.malwarebox.eu/chain/glassworm.2026.developer-supply-chain.multi-resolver-c2"},{"actor_aliases":["Gamaredon","UAC-0010","Armageddon","Primitive Bear","Shuckworm","ACTINIUM / Aqua Blizzard","IRON TILDEN","DEV-0157","BlueAlpha","Blue Otso","Hive0051","WINTERFLOUNDER","Trident Ursa","UNC530","NastyShrew"],"actor_id":"UAC-0010","actor_name":"MB-0001","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","created_at":"2026-05-27T12:22:27.839898","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"entity_id":"e002","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"entity_id":"e006","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"entity_id":"e007","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"entity_id":"e008","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"entity_id":"e009","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"entity_id":"e010","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"},{"entity_id":"e011","needs_review":false,"role":"redirector","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T008","IIM-T011"],"type":"domain","value":"document-downloads.ddns.net"},{"entity_id":"e012","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"confirmed","techniques":["IIM-T003","IIM-T007"],"type":"ip","value":"194.67.71.75"},{"entity_id":"e013","needs_review":true,"role":"c2","role_confidence":"tentative","technique_confidence":"tentative","techniques":["IIM-T002"],"type":"ip","value":"45.32.220.217"}],"entity_count":13,"id":17,"iim_version":"1.1","name":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure","needs_review":true,"observed_at":"2025-11-11T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":13,"published_at":"2026-05-27T12:22:36.950024","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"role_list":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"role_sequence":"entry > entry > staging > staging > payload > redirector > redirector > redirector > redirector > staging > redirector > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure","updated_at":"2026-05-27T12:23:23.340783","url":"https://feeds.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon"},{"actor_aliases":[],"actor_id":"UAT-10027","actor_name":"UAT-10027","chain_id":"uat-10027-dohdoor-education-healthcare-2026-02-26","confidence":"likely","created_at":"2026-05-27T12:08:50.170201","description":"Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"file","value":"suspected phishing-delivered PowerShell downloader"},{"entity_id":"e2","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"remote staging URL serving .bat or .cmd batch file"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Windows batch script dropper orchestrating DLL sideloading"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://ezQrvkFgEJWCTDNc.pNuiSCKMhwAgZvdyjrlBEFT.softwarE/111111?sub=d"},{"entity_id":"e5","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Dohdoor malicious DLL disguised as propsys.dll or batmeter.dll"},{"entity_id":"e6","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://GppiwoGwNdiakkDU.pnuiSckMHwaGzvDYjRLbeFt.SoFTWARe/111111?sub=s"},{"entity_id":"e7","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"domain","value":"cloudflare-dns.com DoH resolver over HTTPS/443"},{"entity_id":"e8","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T001","IIM-T011"],"type":"domain","value":"MswInSofTUpDloAd.deSigN / DEEPinSPeCTioNsyStEM.OnLiNe / PNUIsckmHwAgzVdYJRlbeFT.SoftWarE themed C2 domain pool"},{"entity_id":"e9","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"file","value":"potential Cobalt Strike Beacon next-stage payload"}],"entity_count":9,"id":16,"iim_version":"1.1","name":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care","needs_review":false,"observed_at":"2025-12-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":9,"published_at":"2026-05-27T12:09:14.641573","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/uat-10027-dohdoor-education-healthcare-2026-02-26/raw","relation_count":11,"role_list":["entry","staging","staging","staging","payload","c2","redirector","c2","payload"],"role_sequence":"entry > staging > staging > staging > payload > c2 > redirector > c2 > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T001","IIM-T011"],"title":"UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care","updated_at":"2026-05-27T12:09:14.641751","url":"https://feeds.iim.malwarebox.eu/chain/uat-10027-dohdoor-education-healthcare-2026-02-26"},{"actor_aliases":[],"actor_id":"UAT-10362","actor_name":"UAT-10362","chain_id":"uat-10362-lucidrook-taiwan-2026-04-08","confidence":"likely","created_at":"2026-05-27T12:07:35.136019","description":"Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"email","value":"spear-phishing email targeting Taiwanese NGO or suspected university"},{"entity_id":"e2","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T016"],"type":"url","value":"shortened URL leading to password-protected encrypted RAR archive"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"password-protected encrypted RAR archive containing LNK lure and hidden directory"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"malicious LNK file with substituted PDF icon"},{"entity_id":"e5","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"hidden four-level directory containing DismCore.dll, install.exe and decoy file"},{"entity_id":"e6","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"LucidPawn dropper DismCore.dll"},{"entity_id":"e7","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"LucidRook DLL stager written as DismCore.dll"},{"entity_id":"e8","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T004"],"type":"ip","value":"1.34.253.131"},{"entity_id":"e9","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T004"],"type":"ip","value":"59.124.71.242"},{"entity_id":"e10","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"archive1.zip staged Lua bytecode payload from FTP C2"},{"entity_id":"e11","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"archive4.zip encrypted host reconnaissance upload"},{"entity_id":"e12","needs_review":false,"role":"c2","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"domain","value":"d.2fcc7078.digimg.store"}],"entity_count":12,"id":15,"iim_version":"1.1","name":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations","needs_review":false,"observed_at":"2025-10-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":12,"published_at":"2026-05-27T12:07:54.333154","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/uat-10362-lucidrook-taiwan-2026-04-08/raw","relation_count":13,"role_list":["entry","redirector","staging","staging","staging","staging","payload","c2","c2","payload","staging","c2"],"role_sequence":"entry > redirector > staging > staging > staging > staging > payload > c2 > c2 > payload > staging > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T004","IIM-T016","IIM-T024"],"title":"UAT-10362 LucidRook LNK archive chain against Taiwanese organizations","updated_at":"2026-05-27T12:07:54.333344","url":"https://feeds.iim.malwarebox.eu/chain/uat-10362-lucidrook-taiwan-2026-04-08"},{"actor_aliases":[],"actor_id":"unknown","actor_name":"unknown","chain_id":"powmix-czech-workforce-2026-04-16","confidence":"likely","created_at":"2026-05-27T12:05:10.220211","description":"Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"malicious ZIP archive with compliance-themed lure"},{"entity_id":"e2","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Windows shortcut file inside ZIP"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"embedded PowerShell loader script"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"hidden encoded PowMix payload blob inside ZIP"},{"entity_id":"e5","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"PowMix PowerShell botnet payload"},{"entity_id":"e6","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T002"],"type":"domain","value":"herokuapp.com based C2 endpoint"},{"entity_id":"e7","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix"},{"entity_id":"e8","needs_review":true,"role":"c2","role_confidence":"likely","technique_confidence":"tentative","techniques":["IIM-T011"],"type":"domain","value":"operator-supplied replacement C2 domain from #HOST command"}],"entity_count":8,"id":14,"iim_version":"1.1","name":"PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce","needs_review":true,"observed_at":"2025-12-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":8,"published_at":"2026-05-27T12:05:45.587349","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/powmix-czech-workforce-2026-04-16/raw","relation_count":8,"role_list":["entry","staging","staging","staging","payload","c2","c2","c2"],"role_sequence":"entry > staging > staging > staging > payload > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T011","IIM-T024"],"title":"PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce","updated_at":"2026-05-27T12:05:45.587529","url":"https://feeds.iim.malwarebox.eu/chain/powmix-czech-workforce-2026-04-16"},{"actor_aliases":[],"actor_id":"Silver Fox","actor_name":"Silver Fox","chain_id":"silver-fox-abcdoor-2026-04-30","confidence":"likely","created_at":"2026-05-27T12:03:10.683479","description":"Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.","digest":[{"entity_id":"e1","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"file","value":"tax-themed phishing email attachment or lure PDF"},{"entity_id":"e2","needs_review":true,"role":"redirector","role_confidence":"likely","technique_confidence":"confirmed","techniques":[],"type":"url","value":"attacker-controlled external download website"},{"entity_id":"e3","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"tax-related malicious archive"},{"entity_id":"e4","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"file","value":"Silver Fox RustSL loader executable mimicking a document"},{"entity_id":"e5","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"encrypted RustSL payload file disguised with benign extension"},{"entity_id":"e6","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"ValleyRAT Login module / Winos 4.0 payload"},{"entity_id":"e7","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"ip","value":"207.56.138.28"},{"entity_id":"e8","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"file","value":"custom ValleyRAT module \u4fdd86.dll / \u4fdd86.dll_bin"},{"entity_id":"e9","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"http://154.82.81.205/YD20251001143052.zip"},{"entity_id":"e10","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"ABCDoor appclient Python archive"},{"entity_id":"e11","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"ABCDoor Python backdoor"}],"entity_count":11,"id":13,"iim_version":"1.1","name":"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain","needs_review":true,"observed_at":"2025-12-01T00:00:00Z","pattern_id":null,"pattern_name":null,"position_count":11,"published_at":"2026-05-27T12:03:50.394701","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/silver-fox-abcdoor-2026-04-30/raw","relation_count":11,"role_list":["entry","redirector","staging","staging","staging","payload","c2","payload","staging","staging","payload"],"role_sequence":"entry > redirector > staging > staging > staging > payload > c2 > payload > staging > staging > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T019","IIM-T024"],"title":"Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain","updated_at":"2026-05-27T12:04:20.292252","url":"https://feeds.iim.malwarebox.eu/chain/silver-fox-abcdoor-2026-04-30"},{"actor_aliases":[],"actor_id":"Webworm","actor_name":"Webworm","chain_id":"webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","confidence":"confirmed","created_at":"2026-05-26T14:05:40.150501","description":"ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.","digest":[{"entity_id":"e001","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"GraphWorm payload"},{"entity_id":"e002","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed storage"},{"entity_id":"e004","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"WormFrp reverse proxy / exfiltration component"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002","IIM-T006"],"type":"domain","value":"wamanharipethe.s3.ap-south-1.amazonaws[.]com"}],"entity_count":5,"id":12,"iim_version":"1.1","name":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane","needs_review":false,"observed_at":"2026-05-20T00:00:00Z","pattern_id":"MB-F-0011","pattern_name":"Pattern from webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane","position_count":5,"published_at":"2026-05-26T14:05:46.910472","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane/raw","relation_count":4,"role_list":["payload","c2","c2","payload","staging"],"role_sequence":"payload > c2 > c2 > payload > staging","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T018"],"title":"Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane","updated_at":"2026-05-26T16:26:59.100197","url":"https://feeds.iim.malwarebox.eu/chain/webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane"},{"actor_aliases":[],"actor_id":"Webworm","actor_name":"Webworm","chain_id":"iim.chain.apt.2026.05.009","confidence":"confirmed","created_at":"2026-05-26T14:03:09.798318","description":"ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.","digest":[{"entity_id":"e001","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006"],"type":"domain","value":"github[.]com/anjsdgasdf/WordPress"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"EchoCreep DLL"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"discord[.]com / Discord API"},{"entity_id":"e004","needs_review":false,"role":"redirector","role_confidence":"likely","technique_confidence":"confirmed","techniques":["IIM-T002","IIM-T026"],"type":"ip","value":"64[.]176[.]85[.]158"}],"entity_count":4,"id":11,"iim_version":"1.1","name":"Webworm GitHub staging to EchoCreep Discord C2","needs_review":false,"observed_at":"2026-05-20T00:00:00Z","pattern_id":"MB-F-0010","pattern_name":"Pattern from iim.chain.apt.2026.05.009","position_count":4,"published_at":"2026-05-26T14:05:20.204940","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.009/raw","relation_count":3,"role_list":["staging","payload","c2","redirector"],"role_sequence":"staging > payload > c2 > redirector","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T006","IIM-T018","IIM-T026"],"title":"Webworm GitHub staging to EchoCreep Discord C2","updated_at":"2026-05-26T16:27:12.383228","url":"https://feeds.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.009"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100","confidence":"confirmed","created_at":"2026-05-26T14:02:16.990824","description":"Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs","digest":[{"entity_id":"e001","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002"],"type":"url","value":"hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"wagent.exe / Stowaway proxy component"},{"entity_id":"e003","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T014","IIM-T002"],"type":"ip","value":"85[.]209[.]156[.]3:56456"},{"entity_id":"e004","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T014","IIM-T002"],"type":"ip","value":"45[.]135[.]135[.]100:443"},{"entity_id":"e005","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002"],"type":"ip","value":"38[.]54[.]32[.]244"}],"entity_count":5,"id":10,"iim_version":"1.1","name":"UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0009","pattern_name":"Pattern from uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100","position_count":5,"published_at":"2026-05-26T14:02:22.556735","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100/raw","relation_count":4,"role_list":["staging","payload","redirector","redirector","staging"],"role_sequence":"staging > payload > redirector > redirector > staging","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T002","IIM-T014"],"title":"UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100","updated_at":"2026-05-26T16:24:34.254453","url":"https://feeds.iim.malwarebox.eu/chain/uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","confidence":"confirmed","created_at":"2026-05-26T14:00:38.989957","description":"UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"benign executable loading wininet.dll"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"SNOWLIGHT / SNOWRUST stager"},{"entity_id":"e003","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"VSHELL payload"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"image.update-kaspersky.workers[.]dev"},{"entity_id":"e005","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T005","IIM-T006"],"type":"domain","value":"update-kaspersky.workers[.]dev"}],"entity_count":5,"id":9,"iim_version":"1.1","name":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0008","pattern_name":"Pattern from uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev","position_count":5,"published_at":"2026-05-26T14:00:43.416102","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev/raw","relation_count":4,"role_list":["entry","staging","payload","c2","c2"],"role_sequence":"entry > staging > payload > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T005","IIM-T006"],"title":"UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev","updated_at":"2026-05-26T16:24:07.643987","url":"https://feeds.iim.malwarebox.eu/chain/uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"iim.chain.apt.2026.05.006","confidence":"confirmed","created_at":"2026-05-26T13:35:00.548199","description":"CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.","digest":[{"entity_id":"e001","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"CloudSorcerer v3 side-loaded DLL triad"},{"entity_id":"e002","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"github[.]com / public dead-drop resolver"},{"entity_id":"e003","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T013"],"type":"domain","value":"gamespot[.]com / public dead-drop resolver"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"www.drivelivelime[.]com"},{"entity_id":"e005","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"msiidentity[.]com"},{"entity_id":"e006","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"url","value":"hxxp[://]trafficmanagerupdate[.]com/index[.]php"}],"entity_count":6,"id":8,"iim_version":"1.1","name":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0007","pattern_name":"Pattern from iim.chain.apt.2026.05.006","position_count":6,"published_at":"2026-05-26T13:35:13.409443","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.006/raw","relation_count":7,"role_list":["payload","redirector","redirector","c2","c2","c2"],"role_sequence":"payload > redirector > redirector > c2 > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T006","IIM-T010","IIM-T011","IIM-T013"],"title":"UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2","updated_at":"2026-05-26T16:23:42.707258","url":"https://feeds.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.006"},{"actor_aliases":[],"actor_id":"UAT-8302","actor_name":"UAT-8302","chain_id":"iim.chain.apt.2026.05.005","confidence":"confirmed","created_at":"2026-05-26T13:33:13.779957","description":"Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"benign executable used for DLL side-loading"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"NetDraft / FringePorch backdoor"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"graph.microsoft.com / Microsoft Graph API"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T006","IIM-T018"],"type":"domain","value":"onedrive.live.com / OneDrive-backed C2 storage"}],"entity_count":4,"id":7,"iim_version":"1.1","name":"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2","needs_review":false,"observed_at":"2026-05-05T00:00:00Z","pattern_id":"MB-F-0006","pattern_name":"Pattern from iim.chain.apt.2026.05.005","position_count":4,"published_at":"2026-05-26T13:33:29.759246","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.005/raw","relation_count":3,"role_list":["entry","payload","c2","c2"],"role_sequence":"entry > payload > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T006","IIM-T018"],"title":"UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2","updated_at":"2026-05-26T16:23:02.640093","url":"https://feeds.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.005"},{"actor_aliases":[],"actor_id":"UAC-0057","actor_name":"UAC-0057","chain_id":"iim.chain.apt.2026.05.004","confidence":"likely","created_at":"2026-05-26T13:30:18.523190","description":"CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T019"],"type":"file","value":"PDF lure with active link to ZIP archive"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"ZIP archive containing OYSTERFRESH JavaScript"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"OYSTERFRESH JavaScript"},{"entity_id":"e004","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"OYSTERBLUES registry-staged payload"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"OYSTERSHUCK decoder/loader"},{"entity_id":"e006","needs_review":true,"role":"c2","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"domain","value":"Cloudflare-fronted .icu C2 domain cluster"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":"likely","techniques":[],"type":"file","value":"Cobalt Strike follow-on component"}],"entity_count":7,"id":6,"iim_version":"1.1","name":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2","needs_review":true,"observed_at":"2026-05-21T00:00:00Z","pattern_id":"MB-F-0005","pattern_name":"Pattern from iim.chain.apt.2026.05.004","position_count":7,"published_at":"2026-05-26T13:31:49.179479","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.004/raw","relation_count":7,"role_list":["entry","staging","staging","payload","payload","c2","payload"],"role_sequence":"entry > staging > staging > payload > payload > c2 > payload","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T024"],"title":"UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2","updated_at":"2026-05-26T15:46:03.146910","url":"https://feeds.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.004"},{"actor_aliases":[],"actor_id":"UAC-0057","actor_name":"UAC-0057","chain_id":"iim.chain.apt.2026.05.003","confidence":"confirmed","created_at":"2026-05-26T13:29:15.685499","description":"FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.","digest":[{"entity_id":"e001","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"EdgeTaskMachine.js"},{"entity_id":"e002","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"EdgeSystemConfig.dll"},{"entity_id":"e003","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010","IIM-T011"],"type":"domain","value":"best-seller.lavanille[.]buzz"},{"entity_id":"e004","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T010"],"type":"domain","value":"lavanille[.]buzz"}],"entity_count":4,"id":5,"iim_version":"1.1","name":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz","needs_review":false,"observed_at":"2026-04-16T00:00:00Z","pattern_id":"MB-F-0004","pattern_name":"Pattern from iim.chain.apt.2026.05.003","position_count":4,"published_at":"2026-05-26T13:31:09.325636","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/iim.chain.apt.2026.05.003/raw","relation_count":3,"role_list":["staging","payload","c2","c2"],"role_sequence":"staging > payload > c2 > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T010","IIM-T011"],"title":"FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz","updated_at":"2026-05-26T16:26:11.033335","url":"https://feeds.iim.malwarebox.eu/chain/iim.chain.apt.2026.05.003"},{"actor_aliases":[],"actor_id":"UAC-0057","actor_name":"UAC-0057","chain_id":"frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","confidence":"confirmed","created_at":"2026-05-26T13:26:28.337138","description":"ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.","digest":[{"entity_id":"e001","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019","IIM-T021"],"type":"file","value":"53_7.03.2026_R.pdf"},{"entity_id":"e002","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024","IIM-T019"],"type":"file","value":"53_7.03.2026_R.rar"},{"entity_id":"e003","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"53_7.03.2026_R.js"},{"entity_id":"e004","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T001","IIM-T010"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/wp-content/uploads/2023/10/1GreenAM.jpg"},{"entity_id":"e005","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Update.js / PicassoLoader"},{"entity_id":"e006","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T001","IIM-T010","IIM-T020","IIM-T021"],"type":"url","value":"hxxps://book-happy.needbinding[.]icu/employment/documents-and-resources"},{"entity_id":"e007","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"Update.js / Cobalt Strike dropper"},{"entity_id":"e008","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"ViberPC.dll / Cobalt Strike Beacon"},{"entity_id":"e009","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T001","IIM-T010","IIM-T011"],"type":"url","value":"hxxps://nama-belakang.nebao[.]icu/statistics/discover.txt"}],"entity_count":9,"id":4,"iim_version":"1.1","name":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike","needs_review":false,"observed_at":"2026-03-10T00:00:00Z","pattern_id":"MB-F-0003","pattern_name":"Pattern from frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike","position_count":9,"published_at":"2026-05-26T13:26:34.732614","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike/raw","relation_count":8,"role_list":["entry","staging","staging","staging","payload","c2","payload","payload","c2"],"role_sequence":"entry > staging > staging > staging > payload > c2 > payload > payload > c2","share_enabled":true,"share_views":0,"tags":[],"technique_ids":["IIM-T001","IIM-T010","IIM-T011","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike","updated_at":"2026-05-26T15:45:42.500183","url":"https://feeds.iim.malwarebox.eu/chain/frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike"},{"actor_aliases":["UAC-0244","UAC-0247"],"actor_id":"UAC-0247","actor_name":"MB-0006","chain_id":"uac-0247-ukrvarta-fpv-dopomoga-2026-03","confidence":"confirmed","created_at":"2026-05-20T14:11:38.064738","description":"Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.","digest":[{"entity_id":"e01_initial_zip","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"UkrVarta humanitarian-aid themed ZIP archive"},{"entity_id":"e02_lnk_form","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T024"],"type":"file","value":"\u0424\u043e\u0440\u043c\u0430 \u0437\u0430\u044f\u0432\u043a\u0438 \u043d\u0430 \u0433\u0443\u043c\u0430\u043d\u0456\u0442\u0430\u0440\u043d\u0443 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u0443 \u0444\u043e\u043d\u0434 \u0423\u043a\u0440\u0412\u0430\u0440\u0442\u0430.lnk"},{"entity_id":"e03_ukrvarta_domain","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T002","IIM-T019","IIM-T026"],"type":"domain","value":"ukrvarta.online"},{"entity_id":"e04_dopomoga_hta","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/dopomoga.hta"},{"entity_id":"e05_dopomoga_script_js","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://ukrvarta.online/dopomoga/script.js"},{"entity_id":"e06_dopomoga_updater_url","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T019"],"type":"url","value":"https://ukrvarta.online/dopomoga/updater.txt"},{"entity_id":"e07_conference_updater_url","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/updater.txt"},{"entity_id":"e08_conference_hta","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"url","value":"https://ukrvarta.online/conference/conference.hta"},{"entity_id":"e09_webdav_searchms","needs_review":false,"role":"redirector","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":["IIM-T015"],"type":"url","value":"search-ms:query=lnk&crumb=location:\\\\ukrvarta.online@8080\\davwwwroot"},{"entity_id":"e10_updater_sha256","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9"},{"entity_id":"e11_runtimebroker_target","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"file","value":"RuntimeBroker.exe"},{"entity_id":"e12_shellcode_sha256","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"c8117fdbc81dfae804ad03eb4c7a38017851c941ecfebb06f129c7923c0d3d8d"},{"entity_id":"e13_final_payload_sha256","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":"confirmed","techniques":[],"type":"hash","value":"b1d765f50f5c53702658b7a59a9bd05cfb042ea6b2d150191a84c53d373b9e4a"},{"entity_id":"e14_c2_ip","needs_review":false,"role":"c2","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T002"],"type":"ip","value":"109.237.97.4"}],"entity_count":14,"id":3,"iim_version":"1.1","name":"UAC-0247 - UKRVARTA FPV","needs_review":false,"observed_at":"2026-03-24T00:00:00Z","pattern_id":"MB-F-0002","pattern_name":"Pattern from uac-0247-ukrvarta-fpv-dopomoga-2026-03","position_count":14,"published_at":"2026-05-20T17:04:53.132609","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/uac-0247-ukrvarta-fpv-dopomoga-2026-03/raw","relation_count":13,"role_list":["entry","entry","staging","staging","staging","payload","payload","staging","redirector","payload","payload","payload","payload","c2"],"role_sequence":"entry > entry > staging > staging > staging > payload > payload > staging > redirector > payload > payload > payload > payload > c2","share_enabled":true,"share_views":74,"tags":[],"technique_ids":["IIM-T002","IIM-T015","IIM-T019","IIM-T024","IIM-T026"],"title":"UAC-0247 - UKRVARTA FPV","updated_at":"2026-05-27T11:02:29.021301","url":"https://feeds.iim.malwarebox.eu/chain/uac-0247-ukrvarta-fpv-dopomoga-2026-03"},{"actor_aliases":["UAC-0184","Hive0156"],"actor_id":"UAC-0184","actor_name":"MB-0005","chain_id":"uac-0184-pseudo-png-passmark-2026-05","confidence":"confirmed","created_at":"2026-05-19T15:12:15.998736","description":"Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.","digest":[{"entity_id":"e_lure_lnk","needs_review":false,"role":"entry","role_confidence":"likely","technique_confidence":null,"techniques":[],"type":"file","value":"Ukraine-themed LNK lure"},{"entity_id":"e_hta_set","needs_review":false,"role":"entry","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://169.40.135.35/dctrpr/*.hta"},{"entity_id":"e_delivery_ip","needs_review":false,"role":"staging","role_confidence":"likely","technique_confidence":"likely","techniques":["IIM-T019","IIM-T020","IIM-T021"],"type":"ip","value":"169.40.135.35"},{"entity_id":"e_zip","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":"likely","techniques":["IIM-T024","IIM-T025"],"type":"file","value":"dctrprraclus.zip"},{"entity_id":"e_cluster","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"Cluster-Overlay64.exe"},{"entity_id":"e_plane9","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"Plane9Engine.dll"},{"entity_id":"e_openvr","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"openvr_api.dll"},{"entity_id":"e_kernel","needs_review":true,"role":"staging","role_confidence":"confirmed","technique_confidence":"tentative","techniques":["IIM-T025"],"type":"file","value":"kernel-diag.lib"},{"entity_id":"e_evr","needs_review":false,"role":"staging","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"evr.dll decoded stage"},{"entity_id":"e_filter","needs_review":true,"role":"staging","role_confidence":"confirmed","technique_confidence":"tentative","techniques":["IIM-T025"],"type":"file","value":"filter.bin"},{"entity_id":"e_bundle","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"filter.bin decoded LZNT1 payload bundle"},{"entity_id":"e_vslauncher","needs_review":false,"role":"payload","role_confidence":"likely","technique_confidence":null,"techniques":[],"type":"file","value":"VSLauncher.exe"},{"entity_id":"e_input","needs_review":false,"role":"payload","role_confidence":"confirmed","technique_confidence":null,"techniques":[],"type":"file","value":"input.dll"},{"entity_id":"e_multicast","needs_review":true,"role":"c2","role_confidence":"tentative","technique_confidence":null,"techniques":[],"type":"ip","value":"224.0.0.255"},{"entity_id":"e_controller","needs_review":true,"role":"c2","role_confidence":"tentative","technique_confidence":null,"techniques":[],"type":"ip","value":"internal peer/controller"}],"entity_count":15,"id":1,"iim_version":"1.1","name":"UAC-0184: Pseudo PNG Passmark","needs_review":true,"observed_at":null,"pattern_id":"MB-F-0001","pattern_name":"Pattern from uac-0184-pseudo-png-passmark-2026-05","position_count":15,"published_at":"2026-05-19T15:15:42.875501","raw_url":"https://feeds.iim.malwarebox.eu/api/chains/uac-0184-pseudo-png-passmark-2026-05/raw","relation_count":20,"role_list":["entry","entry","staging","staging","staging","staging","staging","staging","staging","staging","payload","payload","payload","c2","c2"],"role_sequence":"entry > entry > staging > staging > staging > staging > staging > staging > staging > staging > payload > payload > payload > c2 > c2","share_enabled":true,"share_views":1,"tags":[],"technique_ids":["IIM-T019","IIM-T020","IIM-T021","IIM-T024","IIM-T025"],"title":"UAC-0184: Pseudo PNG Passmark","updated_at":"2026-05-19T15:15:44.468178","url":"https://feeds.iim.malwarebox.eu/chain/uac-0184-pseudo-png-passmark-2026-05"}],"created":"2026-05-27T15:33:38.843577+00:00","feed_id":"malwarebox.iim.published-chains","feed_type":"x_malwarebox_chain_feed","iim_version":"1.1","name":"Malwarebox IIM Feeds","public_mode":"shared_only","publisher":{"name":"Malwarebox","url":"https://malwarebox.eu"},"updated":"2026-05-27T13:04:07.027212"}