iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.
confirmed
IIM v1.1
UAT-8302
Infrastructure map
Role-based chain map
entry · redirector · staging · payload · c2
Chain storyline
ordered IIM positions
1
payload
file
CloudSorcerer v3 side-loaded DLL triad
2
redirector
domain
github[.]com / public dead-drop resolver
IIM-T006, IIM-T013
3
redirector
domain
gamespot[.]com / public dead-drop resolver
IIM-T006, IIM-T013
4
c2
domain
www.drivelivelime[.]com
IIM-T010, IIM-T011
5
c2
domain
msiidentity[.]com
IIM-T010, IIM-T011
6
c2
url
hxxp[://]trafficmanagerupdate[.]com/index[.]php
IIM-T010, IIM-T011
Relations
directed infrastructure edges
e001 references e002
confirmed
e001 references e003
confirmed
e002 references e004
confirmed
e003 references e005
confirmed
e001 connect e004
confirmed
e001 connect e005
confirmed
e001 connect e006
confirmed
Entities & evidence
observable inventory
| ID | Type | Value | Source / evidence |
|---|---|---|---|
| e001 | file | CloudSorcerer v3 side-loaded DLL triad | Talos describes a legitimate executable plus DLL plus encrypted BIN staging arrangement |
| e002 | domain | github[.]com / public dead-drop resolver | CloudSorcerer v3 contacts GitHub to obtain C2 information |
| e003 | domain | gamespot[.]com / public dead-drop resolver | CloudSorcerer v3 contacts GameSpot to obtain C2 information |
| e004 | domain | www.drivelivelime[.]com | Network IOC: hxxps[://]www[.]drivelivelime[.]com, /x, /pw |
| e005 | domain | msiidentity[.]com | Network IOC: hxxps[://]msiidentity[.]com and /pw |
| e006 | url | hxxp[://]trafficmanagerupdate[.]com/index[.]php | Network IOC: trafficmanagerupdate[.]com/index[.]php |
ATT&CK annotations
optional complementary mapping
No ATT&CK annotations included.
Raw IIM JSON (canonical body from MANTIS)
{
"actor_id": "UAT-8302",
"chain": [
{
"entity_id": "e001",
"needs_review": false,
"role": "payload",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e002",
"needs_review": false,
"role": "redirector",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T006",
"IIM-T013"
]
},
{
"entity_id": "e003",
"needs_review": false,
"role": "redirector",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T006",
"IIM-T013"
]
},
{
"entity_id": "e004",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T010",
"IIM-T011"
]
},
{
"entity_id": "e005",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T010",
"IIM-T011"
]
},
{
"entity_id": "e006",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T010",
"IIM-T011"
]
}
],
"chain_id": "iim.chain.apt.2026.05.006",
"confidence": "confirmed",
"description": "CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.",
"entities": [
{
"evidence": [
"Talos describes a legitimate executable plus DLL plus encrypted BIN staging arrangement"
],
"id": "e001",
"source": "Cisco Talos UAT-8302 report",
"type": "file",
"value": "CloudSorcerer v3 side-loaded DLL triad"
},
{
"evidence": [
"CloudSorcerer v3 contacts GitHub to obtain C2 information"
],
"id": "e002",
"source": "Cisco Talos UAT-8302 report",
"type": "domain",
"value": "github[.]com / public dead-drop resolver"
},
{
"evidence": [
"CloudSorcerer v3 contacts GameSpot to obtain C2 information"
],
"id": "e003",
"source": "Cisco Talos UAT-8302 report",
"type": "domain",
"value": "gamespot[.]com / public dead-drop resolver"
},
{
"evidence": [
"Network IOC: hxxps[://]www[.]drivelivelime[.]com, /x, /pw"
],
"id": "e004",
"source": "Cisco Talos IOC file",
"type": "domain",
"value": "www.drivelivelime[.]com"
},
{
"evidence": [
"Network IOC: hxxps[://]msiidentity[.]com and /pw"
],
"id": "e005",
"source": "Cisco Talos IOC file",
"type": "domain",
"value": "msiidentity[.]com"
},
{
"evidence": [
"Network IOC: trafficmanagerupdate[.]com/index[.]php"
],
"id": "e006",
"source": "Cisco Talos IOC file",
"type": "url",
"value": "hxxp[://]trafficmanagerupdate[.]com/index[.]php"
}
],
"iim_version": "1.1",
"import_source": "manual-osint-report-to-iim-conversion",
"needs_review": false,
"observed_at": "2026-05-05T00:00:00Z",
"relations": [
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 1,
"to": "e002",
"type": "references"
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 2,
"to": "e003",
"type": "references"
},
{
"confidence": "confirmed",
"from": "e002",
"sequence_order": 3,
"to": "e004",
"type": "references"
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 4,
"to": "e005",
"type": "references"
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 5,
"to": "e004",
"type": "connect"
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 6,
"to": "e005",
"type": "connect"
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 7,
"to": "e006",
"type": "connect"
}
],
"title": "UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2",
"x_limitations": "Dead-drop service object IDs are not public; Talos documents the service class and publishes decoded C2 network IoCs.",
"x_report_published_month": "2026-05",
"x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
"x_source_reports": [
"Cisco Talos UAT-8302 report",
"Cisco Talos IOC file"
],
"x_source_urls": [
"https://blog.talosintelligence.com/uat-8302/",
"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"
]
}