Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
|
MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
Page 1 of 1. Showing 1–1 of 1 matching chains, 17 total.
Technique pressure
top observed IIM techniquesActor surface
published chain attributiongamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
entry
→
entry
→
staging
→
staging
→
payload
→
redirector
→
redirector
IIM-T002
IIM-T003
IIM-T006
IIM-T007
IIM-T008
IIM-T010
IIM-T011
IIM-T013
+4
Open chain analysis↗