uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev
UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev
UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.
Confidence: confirmed | IIM v1.1 | Actor: UAT-8302
Infrastructure map
Role-based chain map (roles: entry, redirector, staging, payload, c2)
Chain storyline
Ordered IIM positions:
1. entry (file): benign executable loading wininet.dll
2. staging (file): SNOWLIGHT / SNOWRUST stager
3. payload (file): VSHELL payload
4. c2 (domain): image.update-kaspersky.workers[.]dev (techniques: IIM-T005, IIM-T006)
5. c2 (domain): update-kaspersky.workers[.]dev (techniques: IIM-T005, IIM-T006)
Relations
Directed infrastructure edges:
- e001 --execute--> e002 (confirmed)
- e002 --download--> e003 (confirmed)
- e003 --connect--> e004 (confirmed)
- e003 --connect--> e005 (confirmed)
Entities & evidence
Observable inventory:

| ID | Type | Value | Source / evidence |
|---|---|---|---|
| e001 | file | benign executable loading wininet.dll | Talos describes a side-loaded wininet.dll stage that reads an encrypted BIN file and injects into explorer.exe |
| e002 | file | SNOWLIGHT / SNOWRUST stager | Stager component that downloads XOR-encoded final payload |
| e003 | file | VSHELL payload | SHA256 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b; 199bd156c81b2ef4fb259467a20eacaa9d861eeb2002f1570727c2f9ff1d5dab |
| e004 | domain | image.update-kaspersky.workers[.]dev | Network IOC: image[.]update-kaspersky[.]workers[.]dev |
| e005 | domain | update-kaspersky.workers[.]dev | Network IOC: update-kaspersky[.]workers[.]dev |
ATT&CK annotations
Optional complementary mapping: no ATT&CK annotations included.
Raw IIM JSON (canonical body from MANTIS)
{
"actor_id": "UAT-8302",
"chain": [
{
"entity_id": "e001",
"needs_review": false,
"role": "entry",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e002",
"needs_review": false,
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e003",
"needs_review": false,
"role": "payload",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e004",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T005",
"IIM-T006"
]
},
{
"entity_id": "e005",
"needs_review": false,
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T005",
"IIM-T006"
]
}
],
"chain_id": "uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev",
"confidence": "confirmed",
"description": "UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.",
"entities": [
{
"evidence": [
"Talos describes a side-loaded wininet.dll stage that reads an encrypted BIN file and injects into explorer.exe"
],
"id": "e001",
"source": "Cisco Talos UAT-8302 report",
"type": "file",
"value": "benign executable loading wininet.dll"
},
{
"evidence": [
"Stager component that downloads XOR-encoded final payload"
],
"id": "e002",
"source": "Cisco Talos UAT-8302 report",
"type": "file",
"value": "SNOWLIGHT / SNOWRUST stager"
},
{
"evidence": [
"SHA256 35b2a5260b21ddb145486771ec2b1e4dc1f5b7f2275309e139e4abc1da0c614b; 199bd156c81b2ef4fb259467a20eacaa9d861eeb2002f1570727c2f9ff1d5dab"
],
"id": "e003",
"source": "Cisco Talos UAT-8302 IOC file",
"type": "file",
"value": "VSHELL payload"
},
{
"evidence": [
"Network IOC: image[.]update-kaspersky[.]workers[.]dev"
],
"id": "e004",
"source": "Cisco Talos IOC file",
"type": "domain",
"value": "image.update-kaspersky.workers[.]dev"
},
{
"evidence": [
"Network IOC: update-kaspersky[.]workers[.]dev"
],
"id": "e005",
"source": "Cisco Talos IOC file",
"type": "domain",
"value": "update-kaspersky.workers[.]dev"
}
],
"iim_version": "1.1",
"import_source": "manual-osint-report-to-iim-conversion",
"needs_review": false,
"observed_at": "2026-05-05T00:00:00Z",
"relations": [
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 1,
"to": "e002",
"type": "execute"
},
{
"confidence": "confirmed",
"from": "e002",
"sequence_order": 2,
"to": "e003",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 3,
"to": "e004",
"type": "connect"
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 4,
"to": "e005",
"type": "connect"
}
],
"title": "UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev",
"x_limitations": "Talos publishes the infrastructure and malware families; exact victim-specific staging URL path is not public.",
"x_report_published_month": "2026-05",
"x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
"x_source_reports": [
"Cisco Talos UAT-8302 report",
"Cisco Talos IOC file"
],
"x_source_urls": [
"https://blog.talosintelligence.com/uat-8302/",
"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"
]
}