Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
securelist.2026.pirated-content-silentcryptominer-rat Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure unknown confirmed 2 pirated movie/TV streaming and digi... 4 {domain}.strangled.net 3 urush1bar4.online 9 malicious DLL side-loaded by HLS In... 8 5d14vnfb.space 26e / 33r 2026-05-28 19:43:28
ox.2026.malware-slop-npm-github-exfil Malware-Slop npm package to GitHub Contents API exfiltration chain unknown confirmed 1 https://www.npmjs.com/package/mouse... 1 github.com 3 /mnt/user-data 1 npm postinstall script disguised as... 2 https://api.github.com/repos/<actor... 8e / 7r 2026-05-28 13:32:24
microsoft.2026.poisoned-search-screenconnect-gpu-miner Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2 unknown confirmed 1 attacker-controlled lookalike utili... 5 direct-download.gleeze.com 7 autorun.dll variant set loaded by l... 7 directdownload.icu 20e / 23r 2026-05-27 17:02:04
powmix-czech-workforce-2026-04-16 PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce unknown likely 1 malicious ZIP archive with complian... 3 Windows shortcut file inside ZIP 1 PowMix PowerShell botnet payload 3 herokuapp.com based C2 endpoint 8e / 8r 2026-05-27 12:05:45
Showing 1114 of 14 matching chains
Reset
Page 2 of 2. Showing 1114 of 14 matching chains, 39 total.

securelist.2026.pirated-content-silentcryptominer-rat

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

confirmed

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entry entry staging staging staging payload payload
unknown 26 entities 33 relations 2026-05-28 19:43:28
IIM-T009 IIM-T010 IIM-T011 IIM-T024
Open chain analysis

ox.2026.malware-slop-npm-github-exfil

Malware-Slop npm package to GitHub Contents API exfiltration chain

confirmed

IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.

entry payload staging redirector c2 c2 staging
unknown 8 entities 7 relations 2026-05-28 13:32:24
IIM-T006 IIM-T018
Open chain analysis

microsoft.2026.poisoned-search-screenconnect-gpu-miner

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

confirmed

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime

entry staging staging staging staging staging payload
unknown 20 entities 23 relations 2026-05-27 17:02:04
IIM-T008 IIM-T011 IIM-T012 IIM-T021 IIM-T024
Open chain analysis

powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

likely

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

entry staging staging staging payload c2 c2
unknown 8 entities 8 relations 2026-05-27 12:05:45
IIM-T002 IIM-T011 IIM-T024
Open chain analysis