← feed

securelist.2026.pirated-content-silentcryptominer-rat

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

confirmed IIM v1.1 unknown
Raw JSON
entities26
relations33
techniques4
published2026-05-28 19:43:28

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

domain

pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)

2
entry

url

fake video player plugin update prompt on pirated content site (exact URL not published)

3
staging

domain

urush1bar4.online

IIM-T010
4
staging

file

ZIP archive containing HLS Installer.874.exe and malicious DLL

IIM-T024
5
staging

file

HLS Installer.874.exe

6
payload

file

malicious DLL side-loaded by HLS Installer.874.exe

7
payload

hash

6A0FE6065D76715FEEBC1526D456DB73

8
payload

hash

7F624407AE489324E96A708A09C17E6F

9
payload

hash

02A43B3423367B9DDDC24CC7DFC070DF

10
payload

file

decrypted main module / modified SilentCryptoMiner fork

11
payload

file

RAT agent module injected into conhost.exe

12
payload

file

watchdog module injected into explorer.exe

13
payload

file

CPU miner module based on XMRig

14
payload

file

GPU miner module

15
c2

domain

5d14vnfb.space

IIM-T009IIM-T011
16
c2

domain

r7mvjl67.space

IIM-T009IIM-T011
17
c2

domain

zgj1tam9.space

IIM-T009IIM-T011
18
c2

domain

jeaw520i.space

IIM-T009IIM-T011
19
c2

domain

qdmagva5.space

IIM-T009IIM-T011
20
redirector

domain

{domain}.strangled.net

IIM-T009IIM-T011
21
redirector

domain

{domain}.ignorelist.com

IIM-T009IIM-T011
22
redirector

domain

{domain}.ftp.sh

IIM-T009IIM-T011
23
redirector

domain

{domain}.zanity.net

IIM-T009IIM-T011
24
c2

ip

107.172.212.235

25
c2

domain

m4yuri.online

26
c2

domain

kristina.quest

Relations

directed infrastructure edges
e001referencese002 confirmed
e002downloade003 confirmed
e003downloade004 confirmed
e004dropse005 confirmed
e004dropse006 confirmed
e006referencese007 confirmed
e006referencese008 confirmed
e006referencese009 confirmed
e005executee006 confirmed
e006executee010 confirmed
e010dropse011 confirmed
e010dropse012 confirmed
e010dropse013 confirmed
e010dropse014 confirmed
e011connecte015 confirmed
e011connecte016 confirmed
e011connecte017 confirmed
e011connecte018 confirmed
e011connecte019 confirmed
e013connecte020 likely
e014connecte020 likely
e020resolves-toe024 confirmed
e013connecte021 likely
e014connecte021 likely
e021resolves-toe024 confirmed
e013connecte022 likely
e014connecte022 likely
e022resolves-toe024 confirmed
e013connecte023 likely
e014connecte023 likely
e023resolves-toe024 confirmed
e011communicates-withe025 tentative
e011communicates-withe026 tentative

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 domain pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)
Kaspersky says the malware was distributed via illegal movie and TV show streaming sites and that the infection risk was associated with two pirated video sites in the .ru and .top TLDs.
Kaspersky also states the broader campaign uses both online digital libraries and movie/TV streaming sites.
The exact victim-facing site domains are not published, so this entity intentionally represents the confirmed infrastructure class rather than invented domains.
e002 url fake video player plugin update prompt on pirated content site (exact URL not published)
Kaspersky describes a fake video player plugin update shown when a user attempted to watch a video.
Clicking the update link downloaded a ZIP archive.
No exact URL for the fake prompt is published.
e003 domain urush1bar4.online
Kaspersky states that the current delivery mechanism used a new website, urush1bar4[.]online, after the previous file[.]ipfs[.]us[.]69[.]mu domain was unavailable.
Kaspersky lists urush1bar4[.]online in the IOC section as the malicious archive download URL.
e004 file ZIP archive containing HLS Installer.874.exe and malicious DLL
Kaspersky says clicking the fake update link downloaded a ZIP archive.
The current downloadable malware version is described as a ZIP archive containing a legitimate EXE file and a malicious DLL.
The archive structure is preserved from previous campaign activity: legitimate executable plus large malicious DLL.
e005 file HLS Installer.874.exe
Kaspersky identifies HLS Installer.874.exe as the legitimate executable inside the ZIP archive.
Launching the EXE triggers DLL side-loading and executes malicious code through the loaded library.
The executable is modeled as a staging/execution carrier rather than the malicious payload itself.
e006 file malicious DLL side-loaded by HLS Installer.874.exe
Kaspersky states the ZIP contains a malicious DLL alongside HLS Installer.874.exe.
Launching the executable triggers a DLL side-loading mechanism and injects the malicious module into a legitimate process context.
Kaspersky lists three malicious DLL library hashes: 6A0FE6065D76715FEEBC1526D456DB73, 7F624407AE489324E96A708A09C17E6F, and 02A43B3423367B9DDDC24CC7DFC070DF.
e007 hash 6A0FE6065D76715FEEBC1526D456DB73
Kaspersky IOC: malicious DLL library hash 6A0FE6065D76715FEEBC1526D456DB73.
e008 hash 7F624407AE489324E96A708A09C17E6F
Kaspersky IOC: malicious DLL library hash 7F624407AE489324E96A708A09C17E6F.
e009 hash 02A43B3423367B9DDDC24CC7DFC070DF
Kaspersky IOC: malicious DLL library hash 02A43B3423367B9DDDC24CC7DFC070DF.
e010 file decrypted main module / modified SilentCryptoMiner fork
Kaspersky says the malicious DLL triggers a stack overflow that constructs a ROP chain and decrypts the next stage.
Kaspersky refers to the decrypted PE file as the main module.
The main module is described as a modified fork of the SilentCryptoMiner project.
e011 file RAT agent module injected into conhost.exe
Kaspersky says the main module reflectively loads four implants and injects the RAT agent into conhost.exe.
The RAT agent provides remote control capabilities through commands for arbitrary command execution, reflective PE execution, shellcode execution, and exit.
The RAT agent receives commands from date-derived C2 addresses.
e012 file watchdog module injected into explorer.exe
Kaspersky says the watchdog is injected into explorer.exe.
The watchdog preserves encrypted copies of installed files in memory and checks the GoogleUpdateTaskMachineQC service every five seconds.
This is host-side resilience context, not a separate infrastructure node.
e013 file CPU miner module based on XMRig
Kaspersky says the CPU miner is based on XMRig.
The miner attempts to retrieve startup configuration from a remote server before launch.
Configuration is passed as an encrypted base64 command-line parameter to the miner launched inside explorer.exe through process hollowing.
e014 file GPU miner module
Kaspersky says the GPU miner is launched only if a discrete GPU is present.
The GPU miner supports multiple algorithms and retrieves startup configuration from the same weekly generated configuration retrieval infrastructure.
It is injected into explorer.exe when the discrete-GPU condition is met.
e015 domain 5d14vnfb.space
Kaspersky lists 5d14vnfb[.]space as a registered RAT C&C domain for 2025 April-July.
Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.
The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern.
e016 domain r7mvjl67.space
Kaspersky lists r7mvjl67[.]space as a registered RAT C&C domain for 2025 August-November.
Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.
The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern.
e017 domain zgj1tam9.space
Kaspersky lists zgj1tam9[.]space as a registered RAT C&C domain for 2025 December.
Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.
The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern.
e018 domain jeaw520i.space
Kaspersky lists jeaw520i[.]space as a registered RAT C&C domain for 2026 January-March.
Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.
The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern.
e019 domain qdmagva5.space
Kaspersky lists qdmagva5[.]space as a registered RAT C&C domain for 2026 April-July.
Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.
The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern.
e020 domain {domain}.strangled.net
Kaspersky lists {domain}.strangled.net as one of four possible miner startup-configuration retrieval address templates.
Kaspersky states the miner configuration server address is generated from the current date and changes weekly.
Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235.
e021 domain {domain}.ignorelist.com
Kaspersky lists {domain}.ignorelist.com as one of four possible miner startup-configuration retrieval address templates.
Kaspersky states the miner configuration server address is generated from the current date and changes weekly.
Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235.
e022 domain {domain}.ftp.sh
Kaspersky lists {domain}.ftp.sh as one of four possible miner startup-configuration retrieval address templates.
Kaspersky states the miner configuration server address is generated from the current date and changes weekly.
Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235.
e023 domain {domain}.zanity.net
Kaspersky lists {domain}.zanity.net as one of four possible miner startup-configuration retrieval address templates.
Kaspersky states the miner configuration server address is generated from the current date and changes weekly.
Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235.
e024 ip 107.172.212.235
Kaspersky lists 107[.]172[.]212[.]235 as the configuration retrieval address.
Kaspersky states all generated miner configuration retrieval domains point to this IP address.
This IP is modeled as terminal C2/config infrastructure for miner startup configuration retrieval.
e025 domain m4yuri.online
Kaspersky lists m4yuri[.]online as a UnamWebPanel control panel address.
The report lists the domain as an IOC but does not explicitly state direct victim-to-panel traffic.
This entity is therefore included as operator/control infrastructure with cautious relation confidence.
e026 domain kristina.quest
Kaspersky lists kristina[.]quest as a UnamWebPanel control panel address.
The report lists the domain as an IOC but does not explicitly state direct victim-to-panel traffic.
This entity is therefore included as operator/control infrastructure with cautious relation confidence.

ATT&CK annotations

optional complementary mapping
T1189Drive-by Compromise

User reaches malicious delivery through popular pirated content sites and a fake update flow.

T1204.002User Execution: Malicious File

Victim executes the downloaded archive contents / installer.

T1574.002Hijack Execution Flow: DLL Side-Loading

Legitimate executable loads malicious DLL.

T1071.004Application Layer Protocol: DNS

Main module performs a large crafted DNS query as a pre-execution permission check.

T1496Resource Hijacking

CPU/GPU miners are launched after configuration retrieval.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "securelist.2026.pirated-content-silentcryptominer-rat",
  "title": "Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure",
  "description": "IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.",
  "actor_id": "unknown",
  "observed_at": "2026-04-30T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "domain",
      "value": "pirated movie/TV streaming and digital-library sites (.ru/.top, exact domains not published)",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the malware was distributed via illegal movie and TV show streaming sites and that the infection risk was associated with two pirated video sites in the .ru and .top TLDs.",
        "Kaspersky also states the broader campaign uses both online digital libraries and movie/TV streaming sites.",
        "The exact victim-facing site domains are not published, so this entity intentionally represents the confirmed infrastructure class rather than invented domains."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_exact_domains_published": false,
      "x_infrastructure_class": "pirated_content_distribution"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "fake video player plugin update prompt on pirated content site (exact URL not published)",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky describes a fake video player plugin update shown when a user attempted to watch a video.",
        "Clicking the update link downloaded a ZIP archive.",
        "No exact URL for the fake prompt is published."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_exact_url_published": false,
      "x_lure_type": "fake_player_plugin_update"
    },
    {
      "id": "e003",
      "type": "domain",
      "value": "urush1bar4.online",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky states that the current delivery mechanism used a new website, urush1bar4[.]online, after the previous file[.]ipfs[.]us[.]69[.]mu domain was unavailable.",
        "Kaspersky lists urush1bar4[.]online in the IOC section as the malicious archive download URL."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_defanged": "urush1bar4[.]online",
      "x_ioc_role": "malicious_archive_download_url"
    },
    {
      "id": "e004",
      "type": "file",
      "value": "ZIP archive containing HLS Installer.874.exe and malicious DLL",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says clicking the fake update link downloaded a ZIP archive.",
        "The current downloadable malware version is described as a ZIP archive containing a legitimate EXE file and a malicious DLL.",
        "The archive structure is preserved from previous campaign activity: legitimate executable plus large malicious DLL."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_container_type": "ZIP",
      "x_exact_archive_filename_published": false
    },
    {
      "id": "e005",
      "type": "file",
      "value": "HLS Installer.874.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky identifies HLS Installer.874.exe as the legitimate executable inside the ZIP archive.",
        "Launching the EXE triggers DLL side-loading and executes malicious code through the loaded library.",
        "The executable is modeled as a staging/execution carrier rather than the malicious payload itself."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_legitimate_executable": true,
      "x_execution_carrier": true
    },
    {
      "id": "e006",
      "type": "file",
      "value": "malicious DLL side-loaded by HLS Installer.874.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky states the ZIP contains a malicious DLL alongside HLS Installer.874.exe.",
        "Launching the executable triggers a DLL side-loading mechanism and injects the malicious module into a legitimate process context.",
        "Kaspersky lists three malicious DLL library hashes: 6A0FE6065D76715FEEBC1526D456DB73, 7F624407AE489324E96A708A09C17E6F, and 02A43B3423367B9DDDC24CC7DFC070DF."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5",
      "x_hashes": [
        "6A0FE6065D76715FEEBC1526D456DB73",
        "7F624407AE489324E96A708A09C17E6F",
        "02A43B3423367B9DDDC24CC7DFC070DF"
      ]
    },
    {
      "id": "e007",
      "type": "hash",
      "value": "6A0FE6065D76715FEEBC1526D456DB73",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky IOC: malicious DLL library hash 6A0FE6065D76715FEEBC1526D456DB73."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5"
    },
    {
      "id": "e008",
      "type": "hash",
      "value": "7F624407AE489324E96A708A09C17E6F",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky IOC: malicious DLL library hash 7F624407AE489324E96A708A09C17E6F."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5"
    },
    {
      "id": "e009",
      "type": "hash",
      "value": "02A43B3423367B9DDDC24CC7DFC070DF",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky IOC: malicious DLL library hash 02A43B3423367B9DDDC24CC7DFC070DF."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_hash_algorithm": "MD5"
    },
    {
      "id": "e010",
      "type": "file",
      "value": "decrypted main module / modified SilentCryptoMiner fork",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the malicious DLL triggers a stack overflow that constructs a ROP chain and decrypts the next stage.",
        "Kaspersky refers to the decrypted PE file as the main module.",
        "The main module is described as a modified fork of the SilentCryptoMiner project."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_malware_family": "modified SilentCryptoMiner fork"
    },
    {
      "id": "e011",
      "type": "file",
      "value": "RAT agent module injected into conhost.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the main module reflectively loads four implants and injects the RAT agent into conhost.exe.",
        "The RAT agent provides remote control capabilities through commands for arbitrary command execution, reflective PE execution, shellcode execution, and exit.",
        "The RAT agent receives commands from date-derived C2 addresses."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "RAT agent"
    },
    {
      "id": "e012",
      "type": "file",
      "value": "watchdog module injected into explorer.exe",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the watchdog is injected into explorer.exe.",
        "The watchdog preserves encrypted copies of installed files in memory and checks the GoogleUpdateTaskMachineQC service every five seconds.",
        "This is host-side resilience context, not a separate infrastructure node."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "watchdog"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "CPU miner module based on XMRig",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the CPU miner is based on XMRig.",
        "The miner attempts to retrieve startup configuration from a remote server before launch.",
        "Configuration is passed as an encrypted base64 command-line parameter to the miner launched inside explorer.exe through process hollowing."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "CPU miner",
      "x_malware_family": "XMRig-based"
    },
    {
      "id": "e014",
      "type": "file",
      "value": "GPU miner module",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky says the GPU miner is launched only if a discrete GPU is present.",
        "The GPU miner supports multiple algorithms and retrieves startup configuration from the same weekly generated configuration retrieval infrastructure.",
        "It is injected into explorer.exe when the discrete-GPU condition is met."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_component": "GPU miner"
    },
    {
      "id": "e015",
      "type": "domain",
      "value": "5d14vnfb.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists 5d14vnfb[.]space as a registered RAT C&C domain for 2025 April-July.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2025 April-July",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e016",
      "type": "domain",
      "value": "r7mvjl67.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists r7mvjl67[.]space as a registered RAT C&C domain for 2025 August-November.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2025 August-November",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e017",
      "type": "domain",
      "value": "zgj1tam9.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists zgj1tam9[.]space as a registered RAT C&C domain for 2025 December.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2025 December",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e018",
      "type": "domain",
      "value": "jeaw520i.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists jeaw520i[.]space as a registered RAT C&C domain for 2026 January-March.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2026 January-March",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e019",
      "type": "domain",
      "value": "qdmagva5.space",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists qdmagva5[.]space as a registered RAT C&C domain for 2026 April-July.",
        "Kaspersky describes RAT C2 hostnames generated from the current year/month zone plus the word microsoft, double-hashed with MurmurHash64.",
        "The request format is described as http://{domain}.space/index.php?authorization=1, with a backup .site pattern."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_c2_window": "2026 April-July",
      "x_generation": "date-derived MurmurHash64 domain generation"
    },
    {
      "id": "e020",
      "type": "domain",
      "value": "{domain}.strangled.net",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.strangled.net as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e021",
      "type": "domain",
      "value": "{domain}.ignorelist.com",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.ignorelist.com as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e022",
      "type": "domain",
      "value": "{domain}.ftp.sh",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.ftp.sh as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e023",
      "type": "domain",
      "value": "{domain}.zanity.net",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists {domain}.zanity.net as one of four possible miner startup-configuration retrieval address templates.",
        "Kaspersky states the miner configuration server address is generated from the current date and changes weekly.",
        "Kaspersky states the first available domain out of the four potential domains is used and that all of them point to 107[.]172[.]212[.]235."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_domain_template": true,
      "x_config_retrieval": true,
      "x_exact_weekly_label_not_expanded": true
    },
    {
      "id": "e024",
      "type": "ip",
      "value": "107.172.212.235",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists 107[.]172[.]212[.]235 as the configuration retrieval address.",
        "Kaspersky states all generated miner configuration retrieval domains point to this IP address.",
        "This IP is modeled as terminal C2/config infrastructure for miner startup configuration retrieval."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_ioc_role": "configuration_retrieval_address"
    },
    {
      "id": "e025",
      "type": "domain",
      "value": "m4yuri.online",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists m4yuri[.]online as a UnamWebPanel control panel address.",
        "The report lists the domain as an IOC but does not explicitly state direct victim-to-panel traffic.",
        "This entity is therefore included as operator/control infrastructure with cautious relation confidence."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_ioc_role": "UnamWebPanel control panel"
    },
    {
      "id": "e026",
      "type": "domain",
      "value": "kristina.quest",
      "observed_at": "2026-04-30T00:00:00Z",
      "source": "Kaspersky Securelist: Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (published 2026-05-28)",
      "evidence": [
        "Kaspersky lists kristina[.]quest as a UnamWebPanel control panel address.",
        "The report lists the domain as an IOC but does not explicitly state direct victim-to-panel traffic.",
        "This entity is therefore included as operator/control infrastructure with cautious relation confidence."
      ],
      "x_reference_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
      "x_ioc_role": "UnamWebPanel control panel"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Confirmed delivery class; exact victim-facing domains not published."
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Confirmed fake update prompt; exact URL not published."
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T010"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Confirmed archive download host; disposable/single-campaign role inferred from replacement of previous delivery domain."
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e012",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e013",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e014",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e016",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e018",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e019",
      "role": "c2",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e020",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e021",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e022",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e023",
      "role": "redirector",
      "techniques": [
        "IIM-T009",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Template domain for weekly config retrieval; Kaspersky describes generated weekly hostnames and rotation. Dynamic-DNS abuse is not assigned because the report does not explicitly classify the providers that way."
    },
    {
      "entity_id": "e024",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e025",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Control-panel IOC; not asserted as direct victim-to-panel C2."
    },
    {
      "entity_id": "e026",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Control-panel IOC; not asserted as direct victim-to-panel C2."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Pirated content sites display the fake video player plugin update prompt."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Clicking the fake update link downloads the ZIP archive; Kaspersky names urush1bar4.online as the current malicious archive download host."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "urush1bar4.online is listed as the malicious archive download URL."
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "drops",
      "sequence_order": 4,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The ZIP archive contains HLS Installer.874.exe."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "drops",
      "sequence_order": 5,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The ZIP archive contains a malicious DLL alongside the legitimate executable."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL library hash 6A0FE6065D76715FEEBC1526D456DB73 is published by Kaspersky."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "references",
      "sequence_order": 7,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL library hash 7F624407AE489324E96A708A09C17E6F is published by Kaspersky."
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "references",
      "sequence_order": 8,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL library hash 02A43B3423367B9DDDC24CC7DFC070DF is published by Kaspersky."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "execute",
      "sequence_order": 9,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Launching HLS Installer.874.exe triggers DLL side-loading of the malicious library."
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "execute",
      "sequence_order": 10,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malicious DLL constructs a ROP chain, decrypts the next stage, and transfers execution to the decrypted PE main module."
      ]
    },
    {
      "from": "e010",
      "to": "e011",
      "type": "drops",
      "sequence_order": 11,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the RAT agent into conhost.exe."
      ]
    },
    {
      "from": "e010",
      "to": "e012",
      "type": "drops",
      "sequence_order": 12,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the watchdog into explorer.exe."
      ]
    },
    {
      "from": "e010",
      "to": "e013",
      "type": "drops",
      "sequence_order": 13,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the CPU miner into explorer.exe."
      ]
    },
    {
      "from": "e010",
      "to": "e014",
      "type": "drops",
      "sequence_order": 14,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The main module reflectively loads the GPU miner into explorer.exe when a discrete GPU is present."
      ]
    },
    {
      "from": "e011",
      "to": "e015",
      "type": "connect",
      "sequence_order": 15,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e016",
      "type": "connect",
      "sequence_order": 16,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e017",
      "type": "connect",
      "sequence_order": 17,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e018",
      "type": "connect",
      "sequence_order": 18,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e011",
      "to": "e019",
      "type": "connect",
      "sequence_order": 19,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The RAT agent command-and-control addresses follow date-derived .space/.site domain-generation logic, and Kaspersky lists registered RAT C&C domains."
      ]
    },
    {
      "from": "e013",
      "to": "e020",
      "type": "connect",
      "sequence_order": 20,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e020",
      "type": "connect",
      "sequence_order": 21,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e020",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 22,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e013",
      "to": "e021",
      "type": "connect",
      "sequence_order": 23,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e021",
      "type": "connect",
      "sequence_order": 24,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e021",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 25,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e013",
      "to": "e022",
      "type": "connect",
      "sequence_order": 26,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e022",
      "type": "connect",
      "sequence_order": 27,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e022",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 28,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e013",
      "to": "e023",
      "type": "connect",
      "sequence_order": 29,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; the first available domain is used."
      ]
    },
    {
      "from": "e014",
      "to": "e023",
      "type": "connect",
      "sequence_order": 30,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Kaspersky states miners retrieve startup configuration from generated weekly domains using the listed template suffixes; GPU miner does so when present."
      ]
    },
    {
      "from": "e023",
      "to": "e024",
      "type": "resolves-to",
      "sequence_order": 31,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Kaspersky states all generated miner configuration retrieval domains point to 107.172.212.235."
      ]
    },
    {
      "from": "e011",
      "to": "e025",
      "type": "communicates-with",
      "sequence_order": 32,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "m4yuri.online is listed as a UnamWebPanel control panel address; direct victim-to-panel traffic is not explicitly asserted in the public report, so this is a cautious operator-infrastructure association."
      ]
    },
    {
      "from": "e011",
      "to": "e026",
      "type": "communicates-with",
      "sequence_order": 33,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "kristina.quest is listed as a UnamWebPanel control panel address; direct victim-to-panel traffic is not explicitly asserted in the public report, so this is a cautious operator-infrastructure association."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1189",
      "name": "Drive-by Compromise",
      "tactic": "Initial Access",
      "comment": "User reaches malicious delivery through popular pirated content sites and a fake update flow."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "Victim executes the downloaded archive contents / installer."
    },
    {
      "technique_id": "T1574.002",
      "name": "Hijack Execution Flow: DLL Side-Loading",
      "tactic": "Persistence/Privilege Escalation/Defense Evasion",
      "comment": "Legitimate executable loads malicious DLL."
    },
    {
      "technique_id": "T1071.004",
      "name": "Application Layer Protocol: DNS",
      "tactic": "Command and Control",
      "comment": "Main module performs a large crafted DNS query as a pre-execution permission check."
    },
    {
      "technique_id": "T1496",
      "name": "Resource Hijacking",
      "tactic": "Impact",
      "comment": "CPU/GPU miners are launched after configuration retrieval."
    }
  ],
  "x_source_links": [
    "https://securelist.com/video-books-pirates-miners-rat/119943/"
  ],
  "x_source_title": "Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years",
  "x_source_url": "https://securelist.com/video-books-pirates-miners-rat/119943/",
  "x_published_at": "2026-05-28",
  "x_modeling_notes": [
    "The two pirated video sites are not named by Kaspersky; no concrete .ru or .top domains are invented.",
    "urush1bar4.online is modeled as the confirmed malicious archive download host from the IOC section.",
    "The RAT C2 domain-generation logic is modeled as IIM-T009 plus IIM-T011 because Kaspersky describes current-date based host generation and a registered sequence over time.",
    "The UnamWebPanel addresses are included as operator/control infrastructure IOCs. Direct victim-to-panel communication is not asserted beyond a tentative relation from the RAT-agent infrastructure layer.",
    "Host-internal behaviors are captured in evidence, not as IIM techniques, to respect the IIM boundary between infrastructure and endpoint behavior."
  ]
}