Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
uat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
|
UAT-10027 | likely | 1 suspected phishing-delivered PowerS... | 1 cloudflare-dns.com DoH resolver ove... | 3 remote staging URL serving .bat or ... | 2 Dohdoor malicious DLL disguised as ... | 2 http://GppiwoGwNdiakkDU.pnuiSckMHwa... | 9e / 11r | 2026-05-27 12:09:14 |
Page 1 of 1. Showing 1–1 of 1 matching chains, 17 total.
Technique pressure
top observed IIM techniquesActor surface
published chain attributionuat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval
entry
→
staging
→
staging
→
staging
→
payload
→
c2
→
redirector
IIM-T001
IIM-T011
Open chain analysis↗