Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
securelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
|
unknown | confirmed | 2 pirated movie/TV streaming and digi... | 4 {domain}.strangled.net | 3 urush1bar4.online | 9 malicious DLL side-loaded by HLS In... | 8 5d14vnfb.space | 26e / 33r | 2026-05-28 19:43:28 |
ox.2026.malware-slop-npm-github-exfil
Malware-Slop npm package to GitHub Contents API exfiltration chain
|
unknown | confirmed | 1 https://www.npmjs.com/package/mouse... | 1 github.com | 3 /mnt/user-data | 1 npm postinstall script disguised as... | 2 https://api.github.com/repos/<actor... | 8e / 7r | 2026-05-28 13:32:24 |
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
|
unknown | confirmed | 1 attacker-controlled lookalike utili... | — | 5 direct-download.gleeze.com | 7 autorun.dll variant set loaded by l... | 7 directdownload.icu | 20e / 23r | 2026-05-27 17:02:04 |
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
|
unknown | likely | 1 malicious ZIP archive with complian... | — | 3 Windows shortcut file inside ZIP | 1 PowMix PowerShell botnet payload | 3 herokuapp.com based C2 endpoint | 8e / 8r | 2026-05-27 12:05:45 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionsecurelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.
ox.2026.malware-slop-npm-github-exfil
Malware-Slop npm package to GitHub Contents API exfiltration chain
IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.