Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

confirmed: 12
likely: 5
tentative: 0
needs review: 6

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
Columns: chain, actor, conf, entry, redirector, staging, payload, c2, edges, published

chain: uat-10362-lucidrook-taiwan-2026-04-08 (UAT-10362 LucidRook LNK archive chain against Taiwanese organizations)
actor: UAT-10362
conf: likely
entry: 1 (spear-phishing email targeting Taiw...)
redirector: 1 (shortened URL leading to password-p...)
staging: 5 (password-protected encrypted RAR ar...)
payload: 2 (LucidRook DLL stager written as Dis...)
c2: 3 (1.34.253.131)
edges: 12e / 13r
published: 2026-05-27 12:07:54
Page 1 of 1. Showing 11 of 1 matching chains, 17 total.

uat-10362-lucidrook-taiwan-2026-04-08

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

likely

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set.

Role flow: entry, redirector, staging, staging, staging, staging, payload
Actor: UAT-10362; 12 entities; 13 relations; published 2026-05-27 12:07:54
IIM-T004 IIM-T016 IIM-T024