Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse
CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access
|
unknown | confirmed | 4 104.207.144.154 | 1 /ssl-vpn/login.esp on affected Glob... | 1 Reused certificate/public key from ... | 2 Forged GlobalProtect authentication... | 1 VPN-assigned internal-network acces... | 9e / 9r | 2026-05-31 19:08:44 |
medium.2026.atomic-macos-stealer-amos-http-c2
Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints
|
unknown | confirmed | 1 Atomic macOS Stealer (AMOS) Mach-O ... | — | 1 XOR-obfuscated AMOS behavioral/conf... | 1 AMOS collection and evasion runtime... | 2 http://85.217.222.185/static.php | 5e / 4r | 2026-05-31 19:04:58 |
joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery
Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN
|
unknown | confirmed | 2 government-project-themed Word docu... | — | 1 hxxps://<subdomain>.b-cdn[.]net/<path> | 1 <second-stage payload> | 1 <campaign C2 endpoint> | 5e / 4r | 2026-05-30 21:33:26 |
anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect
Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access
|
unknown | likely | 1 <Outlook phishing email link> | 1 <fake Word Online / OneDrive page> | 1 <multi-stage software installer> | — | 1 <ScreenConnect relay endpoint> | 4e / 3r | 2026-05-30 21:28:41 |
microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa
HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends
|
unknown | confirmed | 1 phishing HTML attachment | 2 <initial visitor-screening phishing page> | — | 1 <Tycoon 2FA AiTM credential endpoint> | — | 4e / 3r | 2026-05-30 21:27:18 |
securonix.2026.venomous-helper-ssa-rmm-double-compromised-host
SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access
|
unknown | confirmed | 1 <SSA-themed phishing email link> | 1 gruta.com[.]mx | 1 server.cubatiendaalimentos.com[.]mx | 1 SSA_Statement.exe (JWrapper-package... | 1 <SimpleHelp/ScreenConnect RMM relay... | 5e / 4r | 2026-05-30 21:24:57 |
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor
Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control
|
unknown | confirmed | 1 compromised WordPress plugin/theme ... | 4 hxxps://steamcommunity[.]com/profil... | 3 commentthread_comment_text invisibl... | 3 hxxps://hello-mywordl[.]info/js/lod... | 2 <compromised WordPress site> POST /... | 13e / 17r | 2026-05-30 11:26:11 |
k7.2026.rvtools-signed-msi-python-rat
Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool
|
unknown | confirmed | 1 Signed fake RVTools MSI installer /... | — | 4 Binary.MyScript.vbs embedded MSI cu... | 3 Portable WinPython support layer / ... | 5 45.61.136.94 | 13e / 15r | 2026-05-30 11:07:46 |
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
|
unknown | confirmed | 3 spearphishing ZIP attachment contai... | — | 7 data\empty.vbs | 2 UnityPlayer.dll / RUSTCLOAK Rust loader | 2 note1ggbbhggdwa1.blob.core.windows.net | 14e / 20r | 2026-05-29 20:05:53 |
malwarebytes.2026.fake-chatgpt-dual-platform-stealers
Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer
|
unknown | confirmed | 2 search ads / SEO / YouTube / Discor... | — | 1 trojanized Ledger/Trezor wallet rep... | 6 Chat_GPT.exe | 4 http://188.137.246.189/laravel.php?... | 13e / 14r | 2026-05-28 19:45:38 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionrapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse
CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access
IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.
medium.2026.atomic-macos-stealer-amos-http-c2
Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints
IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.
joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery
Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN
IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.
anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect
Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access
IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.
microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa
HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends
IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.
securonix.2026.venomous-helper-ssa-rmm-double-compromised-host
SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access
IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor
Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control
IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.
k7.2026.rvtools-signed-msi-python-rat
Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool
IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.
malwarebytes.2026.fake-chatgpt-dual-platform-stealers
Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer
IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.