Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access unknown confirmed 4 104.207.144.154 1 /ssl-vpn/login.esp on affected Glob... 1 Reused certificate/public key from ... 2 Forged GlobalProtect authentication... 1 VPN-assigned internal-network acces... 9e / 9r 2026-05-31 19:08:44
medium.2026.atomic-macos-stealer-amos-http-c2 Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints unknown confirmed 1 Atomic macOS Stealer (AMOS) Mach-O ... 1 XOR-obfuscated AMOS behavioral/conf... 1 AMOS collection and evasion runtime... 2 http://85.217.222.185/static.php 5e / 4r 2026-05-31 19:04:58
joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN unknown confirmed 2 government-project-themed Word docu... 1 hxxps://<subdomain>.b-cdn[.]net/<path> 1 <second-stage payload> 1 <campaign C2 endpoint> 5e / 4r 2026-05-30 21:33:26
anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access unknown likely 1 <Outlook phishing email link> 1 <fake Word Online / OneDrive page> 1 <multi-stage software installer> 1 <ScreenConnect relay endpoint> 4e / 3r 2026-05-30 21:28:41
microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends unknown confirmed 1 phishing HTML attachment 2 <initial visitor-screening phishing page> 1 <Tycoon 2FA AiTM credential endpoint> 4e / 3r 2026-05-30 21:27:18
securonix.2026.venomous-helper-ssa-rmm-double-compromised-host SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access unknown confirmed 1 <SSA-themed phishing email link> 1 gruta.com[.]mx 1 server.cubatiendaalimentos.com[.]mx 1 SSA_Statement.exe (JWrapper-package... 1 <SimpleHelp/ScreenConnect RMM relay... 5e / 4r 2026-05-30 21:24:57
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control unknown confirmed 1 compromised WordPress plugin/theme ... 4 hxxps://steamcommunity[.]com/profil... 3 commentthread_comment_text invisibl... 3 hxxps://hello-mywordl[.]info/js/lod... 2 <compromised WordPress site> POST /... 13e / 17r 2026-05-30 11:26:11
k7.2026.rvtools-signed-msi-python-rat Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool unknown confirmed 1 Signed fake RVTools MSI installer /... 4 Binary.MyScript.vbs embedded MSI cu... 3 Portable WinPython support layer / ... 5 45.61.136.94 13e / 15r 2026-05-30 11:07:46
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2 Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2 unknown confirmed 3 spearphishing ZIP attachment contai... 7 data\empty.vbs 2 UnityPlayer.dll / RUSTCLOAK Rust loader 2 note1ggbbhggdwa1.blob.core.windows.net 14e / 20r 2026-05-29 20:05:53
malwarebytes.2026.fake-chatgpt-dual-platform-stealers Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer unknown confirmed 2 search ads / SEO / YouTube / Discor... 1 trojanized Ledger/Trezor wallet rep... 6 Chat_GPT.exe 4 http://188.137.246.189/laravel.php?... 13e / 14r 2026-05-28 19:45:38
Showing 110 of 14 matching chains
Reset
Page 1 of 2. Showing 110 of 14 matching chains, 39 total.

rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse

CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access

confirmed

IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.

entry entry entry entry redirector staging payload
unknown 9 entities 9 relations 2026-05-31 19:08:44
Open chain analysis

medium.2026.atomic-macos-stealer-amos-http-c2

Atomic macOS Stealer (AMOS): Mach-O universal binary with XOR-obfuscated behavioral layer and dual HTTP C2 endpoints

confirmed

IIM chain built from an original reverse-engineering report published on 2026-05-31. The report analyzes a Mach-O universal binary associated with Atomic macOS Stealer (AMOS). The sample uses a rolling XOR routine keyed by 7M43mJx9I0GwjslSA2oKSgkqsUo to hide runtime strings, decrypts AppleScript- and shell-based operational commands, performs theft of browser, wallet, keychain, Telegram, Discord, FileZilla, Steam, Notes, and shell-history data, and sends stolen data over plain HTTP to 85.217.222.185 using /static.php and /index.php endpoints. No trustworthy initial-delivery URL, package source, or landing page is published, so the chain starts at the analyzed sample rather than inventing a pre-delivery stage.

entry staging payload c2 c2
unknown 5 entities 4 relations 2026-05-31 19:04:58
Open chain analysis

joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery

Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN

confirmed

IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.

entry entry staging payload c2
unknown 5 entities 4 relations 2026-05-30 21:33:26
IIM-T001
Open chain analysis

anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect

Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access

likely

IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.

entry redirector staging c2
unknown 4 entities 3 relations 2026-05-30 21:28:41
IIM-T006
Open chain analysis

microsoft.2026.html-attachment-tds-captcha-aitm-tycoon2fa

HTML-attachment phishing with visitor-screening TDS and CAPTCHA gate fronting AiTM credential harvesting on multiple PhaaS backends

confirmed

IIM chain for the large credential-harvesting campaign described in Microsoft's Q1 2026 email threat analysis. A campaign on 2026-03-17 sent over 1.5 million malicious messages to 179,000+ organisations across 43 countries. Opening the HTML attachment redirected the victim to an initial phishing page that screened the visitor before routing them to a CAPTCHA-gated page and finally a fraudulent sign-in page. Microsoft notes that while the campaign shared common tooling and structure, the final phishing payload was hosted across multiple Phishing-as-a-Service providers: mostly Tycoon 2FA, with additional activity linked to Kratos (formerly Sneaky 2FA) and EvilTokens.

entry redirector redirector payload
unknown 4 entities 3 relations 2026-05-30 21:27:18
IIM-T017
Open chain analysis

securonix.2026.venomous-helper-ssa-rmm-double-compromised-host

SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access

confirmed

IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.

entry redirector staging payload c2
unknown 5 entities 4 relations 2026-05-30 21:24:57
IIM-T004
Open chain analysis

godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor

Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control

confirmed

IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.

entry redirector redirector redirector redirector staging staging
unknown 13 entities 17 relations 2026-05-30 11:26:11
IIM-T004 IIM-T006 IIM-T013 IIM-T018
Open chain analysis

k7.2026.rvtools-signed-msi-python-rat

Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool

confirmed

IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.

entry staging staging staging payload payload staging
unknown 13 entities 15 relations 2026-05-30 11:07:46
IIM-T006 IIM-T024
Open chain analysis

seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

confirmed

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entry entry entry staging staging staging staging
unknown 14 entities 20 relations 2026-05-29 20:05:53
IIM-T002 IIM-T006 IIM-T013 IIM-T018 IIM-T024
Open chain analysis

malwarebytes.2026.fake-chatgpt-dual-platform-stealers

Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer

confirmed

IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.

entry entry payload payload payload c2 c2
unknown 13 entities 14 relations 2026-05-28 19:45:38
IIM-T024
Open chain analysis