Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2 GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool GREYVIBE likely 1 office.cip.ua.gov@gmail.com / offic... 1 Google Drive-hosted malicious RAR a... 3 bd3f35b91bf83427e953d4cf531a0ee4b5e... 2 PhantomRelayV2 watchdog / RzUpdateM... 6 nycpartnersenterprise.com 13e / 13r 2026-05-31 19:17:43
levelblue.2026.sapphire-sleet-macos-fake-zoom-update Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure BlueNoroff confirmed 1 Zoom SDK Update.scpt 2 /Library/LaunchDaemons/com.google.w... 4 com.apple.cli profiling component 14 check02id.com 21e / 21r 2026-05-30 11:17:36
securelist.2026.pirated-content-silentcryptominer-rat Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure unknown confirmed 2 pirated movie/TV streaming and digi... 4 {domain}.strangled.net 3 urush1bar4.online 9 malicious DLL side-loaded by HLS In... 8 5d14vnfb.space 26e / 33r 2026-05-28 19:43:28
jumpsec.2026.blacktoad-autoit-remcos-network-blackout BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain BlackToad confirmed 1 Thai-language image-based financial... 7 MediaFire-hosted malware download l... 1 payload.bin / decoded Remcos Pro implant 7 pmitm.ddns.net 16e / 25r 2026-05-28 16:12:38
wiz.2026.jinx-0164-audiofix-fake-driver-macos JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain JINX-0164 confirmed 2 LinkedIn recruiter / business-partn... 3 https://apple.driver-update.io/trou... 6 https://apple.driver-store.com/mac/... 5 datahub.ink 16e / 16r 2026-05-28 13:44:27
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain JINX-0164 confirmed 2 https://www.npmjs.com/package/@velo... 5 http://89.36.224.5/troubleshoot/mac... 3 0a8ab3d16b12d3a453ee5a3208fe04744ad... 5 datahub.ink 15e / 17r 2026-05-28 13:43:20
microsoft.2026.poisoned-search-screenconnect-gpu-miner Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2 unknown confirmed 1 attacker-controlled lookalike utili... 5 direct-download.gleeze.com 7 autorun.dll variant set loaded by l... 7 directdownload.icu 20e / 23r 2026-05-27 17:02:04
gamaredon.2025.zero-click-rar.pteranodon Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure MB-0001 confirmed 2 6aa9741f8b8629d0398049fa91dc5e7c28f... 5 hxxps://www.telegram[.]me/s/natural_blood 3 %APPDATA%\Microsoft\Windows\Start M... 1 Pteranodon Stage-2 loader 2 194.67.71.75 13e / 13r 2026-05-27 12:22:36
uat-10027-dohdoor-education-healthcare-2026-02-26 UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care UAT-10027 likely 1 suspected phishing-delivered PowerS... 1 cloudflare-dns.com DoH resolver ove... 3 remote staging URL serving .bat or ... 2 Dohdoor malicious DLL disguised as ... 2 http://GppiwoGwNdiakkDU.pnuiSckMHwa... 9e / 11r 2026-05-27 12:09:14
powmix-czech-workforce-2026-04-16 PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce unknown likely 1 malicious ZIP archive with complian... 3 Windows shortcut file inside ZIP 1 PowMix PowerShell botnet payload 3 herokuapp.com based C2 endpoint 8e / 8r 2026-05-27 12:05:45
Showing 110 of 14 matching chains
Reset
Page 1 of 2. Showing 110 of 14 matching chains, 39 total.

withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2

GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool

likely

WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.

entry redirector staging staging payload payload staging
GREYVIBE 13 entities 13 relations 2026-05-31 19:17:43
IIM-T006 IIM-T011 IIM-T024
Open chain analysis

levelblue.2026.sapphire-sleet-macos-fake-zoom-update

Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure

confirmed

IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.

entry payload payload staging payload payload staging
BlueNoroff 21 entities 21 relations 2026-05-30 11:17:36
IIM-T011
Open chain analysis

securelist.2026.pirated-content-silentcryptominer-rat

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

confirmed

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entry entry staging staging staging payload payload
unknown 26 entities 33 relations 2026-05-28 19:43:28
IIM-T009 IIM-T010 IIM-T011 IIM-T024
Open chain analysis

jumpsec.2026.blacktoad-autoit-remcos-network-blackout

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

confirmed

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entry staging staging staging staging staging staging
BlackToad 16 entities 25 relations 2026-05-28 16:12:38
IIM-T003 IIM-T006 IIM-T008 IIM-T011 IIM-T024
Open chain analysis

wiz.2026.jinx-0164-audiofix-fake-driver-macos

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

entry entry staging payload payload payload payload
JINX-0164 16 entities 16 relations 2026-05-28 13:44:27
IIM-T010 IIM-T011 IIM-T020
Open chain analysis

wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entry entry staging staging staging staging payload
JINX-0164 15 entities 17 relations 2026-05-28 13:43:20
IIM-T002 IIM-T006 IIM-T011
Open chain analysis

microsoft.2026.poisoned-search-screenconnect-gpu-miner

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

confirmed

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime

entry staging staging staging staging staging payload
unknown 20 entities 23 relations 2026-05-27 17:02:04
IIM-T008 IIM-T011 IIM-T012 IIM-T021 IIM-T024
Open chain analysis

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entry entry staging staging payload redirector redirector
MB-0001 13 entities 13 relations 2026-05-27 12:22:36
IIM-T002 IIM-T003 IIM-T006 IIM-T007 IIM-T008 IIM-T010 IIM-T011 IIM-T013 +4
Open chain analysis

uat-10027-dohdoor-education-healthcare-2026-02-26

UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care

likely

Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval

entry staging staging staging payload c2 redirector
UAT-10027 9 entities 11 relations 2026-05-27 12:09:14
IIM-T001 IIM-T011
Open chain analysis

powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

likely

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

entry staging staging staging payload c2 c2
unknown 8 entities 8 relations 2026-05-27 12:05:45
IIM-T002 IIM-T011 IIM-T024
Open chain analysis