Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
iim.chain.apt.2026.05.006 UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2 UAT-8302 confirmed 2 github[.]com / public dead-drop resolver 1 CloudSorcerer v3 side-loaded DLL triad 3 www.drivelivelime[.]com 6e / 7r 2026-05-26 13:35:13
iim.chain.apt.2026.05.004 UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2 UAC-0057 likely 1 PDF lure with active link to ZIP archive 2 ZIP archive containing OYSTERFRESH ... 3 OYSTERBLUES registry-staged payload 1 Cloudflare-fronted .icu C2 domain cluster 7e / 7r 2026-05-26 13:31:49
iim.chain.apt.2026.05.003 FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz UAC-0057 confirmed 1 EdgeTaskMachine.js 1 EdgeSystemConfig.dll 2 best-seller.lavanille[.]buzz 4e / 3r 2026-05-26 13:31:09
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike UAC-0057 confirmed 1 53_7.03.2026_R.pdf 3 53_7.03.2026_R.rar 3 Update.js / PicassoLoader 2 hxxps://book-happy.needbinding[.]ic... 9e / 8r 2026-05-26 13:26:34
Showing 1114 of 14 matching chains
Reset
Page 2 of 2. Showing 1114 of 14 matching chains, 39 total.

iim.chain.apt.2026.05.006

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

confirmed

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

payload redirector redirector c2 c2 c2
UAT-8302 6 entities 7 relations 2026-05-26 13:35:13
IIM-T006 IIM-T010 IIM-T011 IIM-T013
Open chain analysis

iim.chain.apt.2026.05.004

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

likely

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

entry staging staging payload payload c2 payload
UAC-0057 7 entities 7 relations 2026-05-26 13:31:49
IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T024
Open chain analysis

iim.chain.apt.2026.05.003

FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz

confirmed

FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.

staging payload c2 c2
UAC-0057 4 entities 3 relations 2026-05-26 13:31:09
IIM-T010 IIM-T011
Open chain analysis

frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

confirmed

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

entry staging staging staging payload c2 payload
UAC-0057 9 entities 8 relations 2026-05-26 13:26:34
IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T020 IIM-T021 IIM-T024
Open chain analysis