Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
| webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane: Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane | Webworm | confirmed | — | — | 1 wamanharipethe.s3.ap-south-1.amazon... | 2 GraphWorm payload | 2 graph.microsoft.com / Microsoft Graph API | 5e / 4r | 2026-05-26 14:05:46 |
| iim.chain.apt.2026.05.009: Webworm GitHub staging to EchoCreep Discord C2 | Webworm | confirmed | — | 1 64[.]176[.]85[.]158 | 1 github[.]com/anjsdgasdf/WordPress | 1 EchoCreep DLL | 1 discord[.]com / Discord API | 4e / 3r | 2026-05-26 14:05:20 |
Page 1 of 1. Showing 1–2 of 2 matching chains, 17 total.
Technique pressure
top observed IIM techniques
Actor surface
published chain attribution
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.
payload → c2 → c2 → payload → staging
IIM-T002, IIM-T006, IIM-T018
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.
staging → payload → c2 → redirector
IIM-T002, IIM-T006, IIM-T018, IIM-T026