Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required · 1000/day global cap · duplicate filter · captcha · local

confirmed: 32
likely: 7
tentative: 0
needs review: 12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view

Columns: chain · actor · conf · entry · redirector · staging · payload · c2 · edges · published

chain: levelblue.2026.sapphire-sleet-macos-fake-zoom-update
title: Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure
actor: BlueNoroff
conf: confirmed
roles (entry / redirector / staging / payload / c2): 1 Zoom SDK Update.scpt · 2 /Library/LaunchDaemons/com.google.w... · 4 com.apple.cli profiling component · 14 check02id.com
edges: 21e / 21r
published: 2026-05-30 11:17:36
Page 1 of 1. Showing 11 of 1 matching chains, 39 total.

levelblue.2026.sapphire-sleet-macos-fake-zoom-update

Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure

confirmed

IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.

role flow: entry → payload → payload → staging → payload → payload → staging
actor: BlueNoroff · 21 entities · 21 relations · published 2026-05-30 11:17:36
IIM-T011