Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
enki.2026.kimsuky-webex-httpSpy-jsonping Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2 APT43 confirmed 1 https://conference.birdriver.org/ 1 C:\ProgramData\meeting.html decoy r... 5 https://download.birdriver.org/down... 3 engine.dat / spyInster.dll 1 http://hdrgdrfes.chickenkiller.com/... 11e / 13r 2026-05-31 19:22:26
withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2 GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool GREYVIBE likely 1 office.cip.ua.gov@gmail.com / offic... 1 Google Drive-hosted malicious RAR a... 3 bd3f35b91bf83427e953d4cf531a0ee4b5e... 2 PhantomRelayV2 watchdog / RzUpdateM... 6 nycpartnersenterprise.com 13e / 13r 2026-05-31 19:17:43
k7.2026.rvtools-signed-msi-python-rat Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool unknown confirmed 1 Signed fake RVTools MSI installer /... 4 Binary.MyScript.vbs embedded MSI cu... 3 Portable WinPython support layer / ... 5 45.61.136.94 13e / 15r 2026-05-30 11:07:46
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2 Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2 unknown confirmed 3 spearphishing ZIP attachment contai... 7 data\empty.vbs 2 UnityPlayer.dll / RUSTCLOAK Rust loader 2 note1ggbbhggdwa1.blob.core.windows.net 14e / 20r 2026-05-29 20:05:53
seqrite.2026.operation-xenofiscal-sidecopy-xenorat Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2 SideCopy confirmed 2 spearphishing ZIP archive targeting... 13 mshta.exe LOLBIN execution of remot... 3 ayhui.vmxx reconstructed shellcode ... 1 185.235.137.106 19e / 18r 2026-05-29 20:01:27
malwarebytes.2026.fake-chatgpt-dual-platform-stealers Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer unknown confirmed 2 search ads / SEO / YouTube / Discor... 1 trojanized Ledger/Trezor wallet rep... 6 Chat_GPT.exe 4 http://188.137.246.189/laravel.php?... 13e / 14r 2026-05-28 19:45:38
securelist.2026.pirated-content-silentcryptominer-rat Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure unknown confirmed 2 pirated movie/TV streaming and digi... 4 {domain}.strangled.net 3 urush1bar4.online 9 malicious DLL side-loaded by HLS In... 8 5d14vnfb.space 26e / 33r 2026-05-28 19:43:28
ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28 Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2 MB-0004 confirmed 1 Ukraine-themed CVE-2025-8088 archiv... 3 1070_26782818.pdf 2 C:\ProgramData\Zhg 3 https://151.158.1.229:11861/AHH_bY/ 9e / 11r 2026-05-28 17:37:25
jumpsec.2026.blacktoad-autoit-remcos-network-blackout BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain BlackToad confirmed 1 Thai-language image-based financial... 7 MediaFire-hosted malware download l... 1 payload.bin / decoded Remcos Pro implant 7 pmitm.ddns.net 16e / 25r 2026-05-28 16:12:38
microsoft.2026.poisoned-search-screenconnect-gpu-miner Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2 unknown confirmed 1 attacker-controlled lookalike utili... 5 direct-download.gleeze.com 7 autorun.dll variant set loaded by l... 7 directdownload.icu 20e / 23r 2026-05-27 17:02:04
Showing 110 of 18 matching chains
Reset
Page 1 of 2. Showing 110 of 18 matching chains, 39 total.

enki.2026.kimsuky-webex-httpSpy-jsonping

Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2

confirmed

ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2

entry staging staging redirector staging staging payload
APT43 11 entities 13 relations 2026-05-31 19:22:26
IIM-T015 IIM-T024
Open chain analysis

withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2

GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool

likely

WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.

entry redirector staging staging payload payload staging
GREYVIBE 13 entities 13 relations 2026-05-31 19:17:43
IIM-T006 IIM-T011 IIM-T024
Open chain analysis

k7.2026.rvtools-signed-msi-python-rat

Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool

confirmed

IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.

entry staging staging staging payload payload staging
unknown 13 entities 15 relations 2026-05-30 11:07:46
IIM-T006 IIM-T024
Open chain analysis

seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

confirmed

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entry entry entry staging staging staging staging
unknown 14 entities 20 relations 2026-05-29 20:05:53
IIM-T002 IIM-T006 IIM-T013 IIM-T018 IIM-T024
Open chain analysis

seqrite.2026.operation-xenofiscal-sidecopy-xenorat

Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2

confirmed

IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.

entry entry staging staging staging staging staging
SideCopy 19 entities 18 relations 2026-05-29 20:01:27
IIM-T003 IIM-T004 IIM-T021 IIM-T024
Open chain analysis

malwarebytes.2026.fake-chatgpt-dual-platform-stealers

Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer

confirmed

IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.

entry entry payload payload payload c2 c2
unknown 13 entities 14 relations 2026-05-28 19:45:38
IIM-T024
Open chain analysis

securelist.2026.pirated-content-silentcryptominer-rat

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

confirmed

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entry entry staging staging staging payload payload
unknown 26 entities 33 relations 2026-05-28 19:43:28
IIM-T009 IIM-T010 IIM-T011 IIM-T024
Open chain analysis

ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28

Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2

confirmed

Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\ProgramData\\cv4. cv4 reads C:\\ProgramData\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.

entry staging staging staging payload payload c2
MB-0004 9 entities 11 relations 2026-05-28 17:37:25
IIM-T024
Open chain analysis

jumpsec.2026.blacktoad-autoit-remcos-network-blackout

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

confirmed

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entry staging staging staging staging staging staging
BlackToad 16 entities 25 relations 2026-05-28 16:12:38
IIM-T003 IIM-T006 IIM-T008 IIM-T011 IIM-T024
Open chain analysis

microsoft.2026.poisoned-search-screenconnect-gpu-miner

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

confirmed

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime

entry staging staging staging staging staging payload
unknown 20 entities 23 relations 2026-05-27 17:02:04
IIM-T008 IIM-T011 IIM-T012 IIM-T021 IIM-T024
Open chain analysis