Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

Explore published chains Tracked actors Open feed API

confirmed13

likely5

tentative0

needs review6

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view

chain	actor	conf	entry	redirector	staging	payload	c2	edges	published
`microsoft.2026.poisoned-search-screenconnect-gpu-miner` Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2	unknown	confirmed	1 attacker-controlled lookalike utili...	—	5 direct-download.gleeze.com	7 autorun.dll variant set loaded by l...	7 directdownload.icu	20e / 23r	2026-05-27 17:02:04
`powmix-czech-workforce-2026-04-16` PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce	unknown	likely	1 malicious ZIP archive with complian...	—	3 Windows shortcut file inside ZIP	1 PowMix PowerShell botnet payload	3 herokuapp.com based C2 endpoint	8e / 8r	2026-05-27 12:05:45

Showing 1–2 of 2 matching chains

Page 1 of 1. Showing 1–2 of 2 matching chains, 18 total.

Technique pressure

top observed IIM techniques

IIM-T024

9 IIM-T011

8 IIM-T002

7 IIM-T006

7 IIM-T019

6 IIM-T010

5 IIM-T021

4 IIM-T013

3 IIM-T020

3 IIM-T001

3 IIM-T018

3 IIM-T008

Actor surface

published chain attribution

UAT-83024 UAC-00573 unknown2 Webworm2 Glassworm1 MB-00011 UAT-100271 UAT-103621 Silver Fox1 MB-00061 MB-00051

microsoft.2026.poisoned-search-screenconnect-gpu-miner

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

confirmed

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime

entry → staging → staging → staging → staging → staging → payload

unknown 20 entities 23 relations 2026-05-27 17:02:04

IIM-T008 IIM-T011 IIM-T012 IIM-T021 IIM-T024

Open chain analysis↗

powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

likely

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

entry → staging → staging → staging → payload → c2 → c2

unknown 8 entities 8 relations 2026-05-27 12:05:45

IIM-T002 IIM-T011 IIM-T024

Open chain analysis↗