Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
| glassworm.2026.developer-supply-chain.multi-resolver-c2 (Glassworm developer supply-chain infection to redundant multi-resolver C2) | Glassworm | confirmed | 4 Trojanized VS Code / OpenVSX extens... | 3 solana://transaction-memo/c2-server... | 1 Glassworm downloader / installer stage | 1 GlasswormRAT Node.js remote access tool | 2 commercial VPS-hosted direct C2 inf... | 11e / 13r | 2026-05-27 13:04:07 |
Technique pressure: top observed IIM techniques
Actor surface: published chain attribution

glassworm.2026.developer-supply-chain.multi-resolver-c2
Glassworm developer supply-chain infection to redundant multi-resolver C2
IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered the Glassworm downloader and RAT, which resolved their operational endpoints through four resilient C2 channels: Solana transaction-memo dead-drops, BitTorrent DHT configuration lookups, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and the original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.