iim.chain.apt.2026.05.005

UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

Confidence: confirmed
IIM version: 1.1
Actor: UAT-8302
Entities: 4
Relations: 3
Techniques: 2
Published: 2026-05-26 13:33:29

Infrastructure map

Role-based chain map (interactive view; node roles: entry, redirector, staging, payload, c2). The ordered positions and edges are listed in the Chain storyline and Relations sections.

Chain storyline

ordered IIM positions

1. entry (file): benign executable used for DLL side-loading
2. payload (file): NetDraft / FringePorch backdoor
3. c2 (domain): graph.microsoft.com / Microsoft Graph API [techniques: IIM-T006, IIM-T018]
4. c2 (domain): onedrive.live.com / OneDrive-backed C2 storage [techniques: IIM-T006, IIM-T018]

Relations

directed infrastructure edges

1. e001 --execute--> e002 (confirmed)
2. e002 --communicates-with--> e003 (confirmed)
3. e002 --communicates-with--> e004 (confirmed)

Entities & evidence

observable inventory

ID   | Type   | Value                                                    | Source / evidence
e001 | file   | benign executable used for DLL side-loading              | Talos describes side-loading as the deployment method for several UAT-8302 tools
e002 | file   | NetDraft / FringePorch backdoor                          | SHA256 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca; Ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b; 51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2
e003 | domain | graph.microsoft.com / Microsoft Graph API                | NetDraft uses Microsoft Graph / OneDrive for C2
e004 | domain | onedrive.live.com / OneDrive-backed C2 storage           | Cloud storage C2 channel described by Talos

ATT&CK annotations

optional complementary mapping

No ATT&CK annotations included.

Raw IIM JSON (canonical body from MANTIS)

{
  "actor_id": "UAT-8302",
  "chain": [
    {
      "entity_id": "e001",
      "needs_review": false,
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "needs_review": false,
      "role": "payload",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e004",
      "needs_review": false,
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T006",
        "IIM-T018"
      ]
    }
  ],
  "chain_id": "iim.chain.apt.2026.05.005",
  "confidence": "confirmed",
  "description": "Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.",
  "entities": [
    {
      "evidence": [
        "Talos describes side-loading as the deployment method for several UAT-8302 tools"
      ],
      "id": "e001",
      "source": "Cisco Talos UAT-8302 report",
      "type": "file",
      "value": "benign executable used for DLL side-loading"
    },
    {
      "evidence": [
        "SHA256 1139b39d3cc151ddd3d574617cf113608127850197e9695fef0b6d78df82d6ca; Ee56c49f42522637f401d15ac2a2b6f3423bfb2d5d37d071f0172ce9dc688d4b; 51f0cf80a56f322892eed3b9f5ecae45f1431323600edbaea5cd1f28b437f6f2"
      ],
      "id": "e002",
      "source": "Cisco Talos UAT-8302 report and IOC repo",
      "type": "file",
      "value": "NetDraft / FringePorch backdoor"
    },
    {
      "evidence": [
        "NetDraft uses Microsoft Graph / OneDrive for C2"
      ],
      "id": "e003",
      "source": "Cisco Talos UAT-8302 report",
      "type": "domain",
      "value": "graph.microsoft.com / Microsoft Graph API"
    },
    {
      "evidence": [
        "Cloud storage C2 channel described by Talos"
      ],
      "id": "e004",
      "source": "Cisco Talos UAT-8302 report",
      "type": "domain",
      "value": "onedrive.live.com / OneDrive-backed C2 storage"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-05T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "execute"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 2,
      "to": "e003",
      "type": "communicates-with"
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 3,
      "to": "e004",
      "type": "communicates-with"
    }
  ],
  "title": "UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2",
  "x_limitations": "The exact OneDrive tenant/object path is not public in the report; the C2 service relation is explicitly documented.",
  "x_report_published_month": "2026-05",
  "x_scope_note": "Talos report was published in May 2026 and covers government targeting in southeastern Europe among other regions.",
  "x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
  "x_source_reports": [
    "Cisco Talos UAT-8302 report",
    "Cisco Talos IOC file"
  ],
  "x_source_urls": [
    "https://blog.talosintelligence.com/uat-8302/",
    "https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"
  ]
}