Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required, 1000/day global cap, duplicate filter, captcha local

confirmed: 32
likely: 7
tentative: 0
needs review: 12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| wiz.2026.jinx-0164-audiofix-fake-driver-macos JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain | JINX-0164 | confirmed | 2 LinkedIn recruiter / business-partn... | | 3 https://apple.driver-update.io/trou... | 6 https://apple.driver-store.com/mac/... | 5 datahub.ink | 16e / 16r | 2026-05-28 13:44:27 |
| wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain | JINX-0164 | confirmed | 2 https://www.npmjs.com/package/@velo... | | 5 http://89.36.224.5/troubleshoot/mac... | 3 0a8ab3d16b12d3a453ee5a3208fe04744ad... | 5 datahub.ink | 15e / 17r | 2026-05-28 13:43:20 |
Page 1 of 1. Showing 12 of 2 matching chains, 39 total.

wiz.2026.jinx-0164-audiofix-fake-driver-macos

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

entry entry staging payload payload payload payload
JINX-0164 16 entities 16 relations 2026-05-28 13:44:27
IIM-T010 IIM-T011 IIM-T020

wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entry entry staging staging staging staging payload
JINX-0164 15 entities 17 relations 2026-05-28 13:43:20
IIM-T002 IIM-T006 IIM-T011