uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100
UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100
Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs
confirmed
IIM v1.1
UAT-8302
Infrastructure map
Role-based chain map
Roles used in the chain map: entry, redirector, staging, payload, c2
Chain storyline
Ordered IIM positions

| # | Role | Type | Value | IIM techniques |
|---|---|---|---|---|
| 1 | staging | url | hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe | IIM-T002 |
| 2 | payload | file | wagent.exe / Stowaway proxy component | (none) |
| 3 | redirector | ip | 85[.]209[.]156[.]3:56456 | IIM-T014, IIM-T002 |
| 4 | redirector | ip | 45[.]135[.]135[.]100:443 | IIM-T014, IIM-T002 |
| 5 | staging | ip | 38[.]54[.]32[.]244 | IIM-T002 |
Relations
Directed infrastructure edges

| From | Edge type | To | Confidence |
|---|---|---|---|
| e001 | download | e002 | confirmed |
| e002 | connect | e003 | confirmed |
| e002 | connect | e004 | confirmed |
| e005 | references | e002 | likely |
Entities & evidence
Observable inventory

| ID | Type | Value | Source / evidence |
|---|---|---|---|
| e001 | url | hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe | Cisco Talos IOC file: network IOC for wagent.exe download |
| e002 | file | wagent.exe / Stowaway proxy component | Cisco Talos report and IOC file: Stowaway SHA256 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001; F859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea |
| e003 | ip | 85[.]209[.]156[.]3:56456 | Cisco Talos IOC file: network IOC, Stowaway/proxy endpoint with port 56456 |
| e004 | ip | 45[.]135[.]135[.]100:443 | Cisco Talos report / IOC file: network IOC, proxy/tunnel endpoint |
| e005 | ip | 38[.]54[.]32[.]244 | Cisco Talos IOC file: network IOC hxxp[://]38[.]54[.]32[.]244/Rar[.]exe for SoftEther-related tooling |
ATT&CK annotations
Optional complementary mapping: no ATT&CK annotations included.
Raw IIM JSON (canonical body from MANTIS expand)
{
"actor_id": "UAT-8302",
"chain": [
{
"entity_id": "e001",
"needs_review": false,
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T002"
]
},
{
"entity_id": "e002",
"needs_review": false,
"role": "payload",
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e003",
"needs_review": false,
"role": "redirector",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T014",
"IIM-T002"
]
},
{
"entity_id": "e004",
"needs_review": false,
"role": "redirector",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T014",
"IIM-T002"
]
},
{
"entity_id": "e005",
"needs_review": false,
"role": "staging",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T002"
]
}
],
"chain_id": "uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100",
"confidence": "confirmed",
"description": "Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs.",
"entities": [
{
"evidence": [
"Network IOC for wagent.exe download"
],
"id": "e001",
"source": "Cisco Talos IOC file",
"type": "url",
"value": "hxxp[://]85[.]209[.]156[.]3:8080/wagent[.]exe"
},
{
"evidence": [
"Stowaway SHA256 7c593ca40725765a0747cc3100b43a29b88ad1708ef77e915ab02686c0153001; F859a67ceebc52f0770a222b85a5002195089ee442eac4bea761c29be994e2ea"
],
"id": "e002",
"source": "Cisco Talos report and IOC file",
"type": "file",
"value": "wagent.exe / Stowaway proxy component"
},
{
"evidence": [
"Network IOC: Stowaway/proxy endpoint with port 56456"
],
"id": "e003",
"source": "Cisco Talos IOC file",
"type": "ip",
"value": "85[.]209[.]156[.]3:56456"
},
{
"evidence": [
"Network IOC: proxy/tunnel endpoint"
],
"id": "e004",
"source": "Cisco Talos report / IOC file",
"type": "ip",
"value": "45[.]135[.]135[.]100:443"
},
{
"evidence": [
"Network IOC: hxxp[://]38[.]54[.]32[.]244/Rar[.]exe for SoftEther-related tooling"
],
"id": "e005",
"source": "Cisco Talos IOC file",
"type": "ip",
"value": "38[.]54[.]32[.]244"
}
],
"iim_version": "1.1",
"import_source": "manual-osint-report-to-iim-conversion",
"needs_review": false,
"observed_at": "2026-05-05T00:00:00Z",
"relations": [
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 1,
"to": "e002",
"type": "download"
},
{
"confidence": "confirmed",
"from": "e002",
"sequence_order": 2,
"to": "e003",
"type": "connect"
},
{
"confidence": "confirmed",
"from": "e002",
"sequence_order": 3,
"to": "e004",
"type": "connect"
},
{
"confidence": "likely",
"from": "e005",
"sequence_order": 4,
"to": "e002",
"type": "references",
"x_note": "Same UAT-8302 proxy/tooling set; modeled as related staging infrastructure rather than a proven direct download path."
}
],
"title": "UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100",
"x_limitations": "The SoftEther/Rar.exe host is related UAT-8302 tooling infrastructure; the Stowaway relation is direct from Talos IOC grouping but not a full initial-access chain.",
"x_report_published_month": "2026-05",
"x_selection_reason": "Included because the May 2026 report exposes enough infrastructure or malware-to-service relations to model an IIM chain without inventing indicators.",
"x_source_reports": [
"Cisco Talos UAT-8302 report",
"Cisco Talos IOC file"
],
"x_source_urls": [
"https://blog.talosintelligence.com/uat-8302/",
"https://github.com/Cisco-Talos/IOCs/blob/main/2026/05/uat-8302.txt"
]
}