Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

Explore published chains Submit chain Tracked actors Open feed API

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

Submit chain Contribution board

source link required 1000/day global cap duplicate filter captcha local

confirmed32

likely7

tentative0

needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view

chain	actor	conf	entry	redirector	staging	payload	c2	edges	published
`jumpsec.2026.blacktoad-autoit-remcos-network-blackout` BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain	BlackToad	confirmed	1 Thai-language image-based financial...	—	7 MediaFire-hosted malware download l...	1 payload.bin / decoded Remcos Pro implant	7 pmitm.ddns.net	16e / 25r	2026-05-28 16:12:38

Showing 1–1 of 1 matching chains

Page 1 of 1. Showing 1–1 of 1 matching chains, 39 total.

Technique pressure

top observed IIM techniques

IIM-T024

18 IIM-T006

15 IIM-T011

14 IIM-T002

9 IIM-T010

7 IIM-T018

6 IIM-T019

6 IIM-T004

5 IIM-T013

5 IIM-T021

5 IIM-T001

4 IIM-T020

Actor surface

published chain attribution

unknown14 UAT-83024 UAC-00573 JINX-01642 Webworm2 APT431 GREYVIBE1 ClearFake1 BlueNoroff1 SideCopy1 MB-00041 BlackToad1

jumpsec.2026.blacktoad-autoit-remcos-network-blackout

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

confirmed

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entry → staging → staging → staging → staging → staging → staging

BlackToad 16 entities 25 relations 2026-05-28 16:12:38

IIM-T003 IIM-T006 IIM-T008 IIM-T011 IIM-T024

Open chain analysis↗