Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

Intake rules: source link required; 1000/day global cap; duplicate filter; captcha; local storage.

Contribution board: confirmed 32, likely 7, tentative 0, needs review 12.
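The intake rules listed above (required source link, global daily cap, duplicate filter, dated local JSON awaiting manual review) as working code. This is an added example, not Malwarebox's own validator: the JSON field names (source, confidence, entities[].id/role/label, relations[].src/dst) are assumptions, since the page does not publish the canonical schema, and the sample submission is constructed from the published chain with a placeholder source URL.

```python
"""Intake validator and board for community-submitted IIM chains.

Added example: not Malwarebox code. Field names are assumed; the canonical
JSON schema is not published on this page.
"""
import hashlib
import json
from datetime import date
from urllib.parse import urlparse

ROLES = {"entry", "redirector", "staging", "payload", "c2"}        # roles used on the atlas board
CONFIDENCE = {"confirmed", "likely", "tentative", "needs review"}  # labels on the contribution board
DAILY_CAP = 1000                                                   # the page's global per-day cap


def chain_fingerprint(chain: dict) -> str:
    """Hash only the technical content so a re-submission with new notes or source still collides."""
    canonical = json.dumps(
        {"entities": chain.get("entities", []), "relations": chain.get("relations", [])},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def validate_chain(chain: dict) -> list:
    """Return a list of validation errors; an empty list means the chain is accepted."""
    errors = []
    src = chain.get("source", "")
    parsed = urlparse(src) if isinstance(src, str) else None
    if not parsed or parsed.scheme not in ("http", "https") or not parsed.netloc:
        errors.append("source link required (absolute http/https URL)")
    if chain.get("confidence") not in CONFIDENCE:
        errors.append(f"confidence must be one of {sorted(CONFIDENCE)}")
    entities = chain.get("entities")
    if not isinstance(entities, list) or not entities:
        errors.append("at least one entity is required")
        return errors
    ids = set()
    for ent in entities:
        eid, role = ent.get("id"), ent.get("role")
        if not eid or eid in ids:
            errors.append(f"entity id missing or duplicated: {eid!r}")
        if role not in ROLES:
            errors.append(f"entity {eid!r}: unknown role {role!r}")
        ids.add(eid)
    if not any(e.get("role") == "entry" for e in entities):
        errors.append("chain has no entry entity")
    for rel in chain.get("relations", []):
        if rel.get("src") not in ids or rel.get("dst") not in ids:
            errors.append(f"relation references unknown entity: {rel!r}")
    return errors


class IntakeBoard:
    """In-memory stand-in for the local JSON store, duplicate filter and daily cap."""

    def __init__(self, cap: int = DAILY_CAP, today: str = ""):
        self.cap = cap
        self.today = today or date.today().isoformat()
        self.seen = set()      # fingerprints already accepted (duplicate filter)
        self.stored = {}       # filename -> JSON text awaiting manual review

    def submit(self, chain: dict):
        errors = validate_chain(chain)
        if errors:
            return False, errors
        fp = chain_fingerprint(chain)
        if fp in self.seen:
            return False, ["duplicate of an existing submission"]
        if len(self.stored) >= self.cap:
            return False, ["global daily cap reached"]
        self.seen.add(fp)
        filename = f"{self.today}-{fp[:12]}.json"   # dated local JSON for review
        self.stored[filename] = json.dumps(chain, indent=2, sort_keys=True)
        return True, [filename]


# Constructed submission modelled on the published chain; the source URL is a placeholder.
SAMPLE_CHAIN = {
    "source": "https://example.invalid/report",
    "confidence": "confirmed",
    "entities": [
        {"id": "e1", "role": "entry",   "label": "CVE-2025-8088 archive"},
        {"id": "e2", "role": "staging", "label": "1070_26782818.pdf"},
        {"id": "e3", "role": "staging", "label": "Startup LNK"},
        {"id": "e4", "role": "staging", "label": "C:\\ProgramData\\cv4"},
        {"id": "e5", "role": "payload", "label": "C:\\ProgramData\\Zhg"},
        {"id": "e6", "role": "c2",      "label": "https://151.158.1.229:11861/AHH_bY/"},
    ],
    "relations": [{"src": f"e{i}", "dst": f"e{i + 1}"} for i in range(1, 6)],
}

if __name__ == "__main__":
    board = IntakeBoard(today="2026-05-28")
    print(board.submit(SAMPLE_CHAIN))   # accepted, dated filename
    print(board.submit(SAMPLE_CHAIN))   # rejected by the duplicate filter
```

The fingerprint deliberately excludes the source link and any free-text notes, so the duplicate filter cannot be bypassed by re-pointing the same chain at a different write-up; the board counts only accepted, stored submissions against the cap, so rejected spam does not consume the day's quota.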

IIM Atlas Board

Role matrix of the published feed

10 chains per page; each row opens the full chain view.

chain: ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28
  Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2
actor: MB-0004
conf: confirmed
entry: 1 (Ukraine-themed CVE-2025-8088 archiv...)
redirector: none listed
staging: 3 (1070_26782818.pdf)
payload: 2 (C:\ProgramData\Zhg)
c2: 3 (https://151.158.1.229:11861/AHH_bY/)
edges: 9 entities / 11 relations
published: 2026-05-28 17:37:25

Page 1 of 1; 39 chains in the feed.

ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28

Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2

Confidence: confirmed

Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so the archive-level hash and the original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088 (WinRAR path traversal via alternate data stream member names): a visible Ukrainian court-summons PDF is shown to the victim while hidden traversal members place a Startup LNK and the ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\ProgramData\cv4. cv4 reads C:\ProgramData\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behaviour and an RC4-like encrypted Stage-2 C2 URL.

Role flow: entry → staging → staging → staging → payload → payload → c2
Actor MB-0004; 9 entities, 11 relations; published 2026-05-28 17:37:25
IIM-T024
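The Zhg decoding step described in the chain summary (subtract 0x2b from every byte, then treat the result as a flat x64 image started at 0x197a0) as a static triage script. This is an added example, not the cv4 loader and not Malwarebox tooling: only the byte transform and the entry offset come from the summary; the sample blob is constructed, the `triage` checks are the editor's, and the RC4-like Stage-2 URL decryption is not reproduced because the page gives no key.

```python
"""Static triage of a Zhg-style encoded payload blob.

Added example, not the cv4 loader. The transform (subtract 0x2b) and the
entry offset 0x197a0 come from the chain summary; everything else here is
the editor's triage scaffolding, and the sample bytes are constructed.
"""
import re

ZHG_KEY = 0x2B       # loader decodes each byte by subtracting 0x2b
ZHG_ENTRY = 0x197A0  # offset in the decoded flat x64 image where execution starts


def decode_zhg(blob: bytes, key: int = ZHG_KEY) -> bytes:
    """Reverse the loader's transform: (byte - key) mod 256, so 0x00 wraps to 0xd5."""
    return bytes((b - key) & 0xFF for b in blob)


def encode_zhg(plain: bytes, key: int = ZHG_KEY) -> bytes:
    """Inverse of decode_zhg; used here only to build the constructed sample."""
    return bytes((b + key) & 0xFF for b in plain)


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n 6`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Indicators the summary attributes to the decoded stage: libcurl, SChannel, an HTTPS endpoint.
INDICATOR_RE = re.compile(r"curl|schannel|https?://", re.IGNORECASE)


def triage(blob: bytes, entry: int = ZHG_ENTRY) -> dict:
    """Decode the blob and report what a first pass on the decoded image should establish."""
    decoded = decode_zhg(blob)
    return {
        "size": len(decoded),
        "is_pe": decoded[:2] == b"MZ",           # a flat image has no DOS/PE header; expect False
        "entry_in_range": entry < len(decoded),  # sanity check before disassembling at `entry`
        "indicators": [s for s in ascii_strings(decoded) if INDICATOR_RE.search(s)],
    }


# Constructed sample: a few instruction-like bytes plus the kind of strings the
# summary attributes to the decoded stage. These are not bytes from the real Zhg file.
SAMPLE_PLAIN = (
    b"\x48\x83\xec\x28" + b"\x00" * 4
    + b"libcurl\x00"
    + b"schannel\x00"
    + b"https://c2.example.invalid/status\x00"
    + b"\x00" * 16
)
SAMPLE_BLOB = encode_zhg(SAMPLE_PLAIN)

if __name__ == "__main__":
    # Against a real sample: triage(open(r"C:\ProgramData\Zhg", "rb").read())
    print(triage(SAMPLE_BLOB))
```

Because the transform is a fixed per-byte subtraction, a single null byte in the plaintext becomes 0x2b in the encoded file; a long run of 0x2b bytes in a blob that otherwise looks random is the quickest visual confirmation that this decoder applies before running it. On a real Zhg file `entry_in_range` should be True and `is_pe` False, matching the summary's description of a flat image rather than a PE; a True `is_pe` would mean the transform or the sample is not what the summary describes.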