Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
|
Webworm | confirmed | — | — | 1 wamanharipethe.s3.ap-south-1.amazon... | 2 GraphWorm payload | 2 graph.microsoft.com / Microsoft Graph API | 5e / 4r | 2026-05-26 14:05:46 |
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
|
Webworm | confirmed | — | 1 64[.]176[.]85[.]158 | 1 github[.]com/anjsdgasdf/WordPress | 1 EchoCreep DLL | 1 discord[.]com / Discord API | 4e / 3r | 2026-05-26 14:05:20 |
uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev
UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev
|
UAT-8302 | confirmed | 1 benign executable loading wininet.dll | — | 1 SNOWLIGHT / SNOWRUST stager | 1 VSHELL payload | 2 image.update-kaspersky.workers[.]dev | 5e / 4r | 2026-05-26 14:00:43 |
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
|
UAT-8302 | confirmed | — | 2 github[.]com / public dead-drop resolver | — | 1 CloudSorcerer v3 side-loaded DLL triad | 3 www.drivelivelime[.]com | 6e / 7r | 2026-05-26 13:35:13 |
iim.chain.apt.2026.05.005
UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2
|
UAT-8302 | confirmed | 1 benign executable used for DLL side-loading | — | — | 1 NetDraft / FringePorch backdoor | 2 graph.microsoft.com / Microsoft Graph API | 4e / 3r | 2026-05-26 13:33:29 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionwebworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.
uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev
UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev
UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.
iim.chain.apt.2026.05.005
UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2
Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.