Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required, 1000/day global cap, duplicate filter, captcha, local
confirmed: 32
likely: 7
tentative: 0
needs review: 12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain, actor, conf, entry, redirector, staging, payload, c2, edges, published
uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100 UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100 UAT-8302 confirmed 2 85[.]209[.]156[.]3:56456 2 hxxp[://]85[.]209[.]156[.]3:8080/wa... 1 wagent.exe / Stowaway proxy component 5e / 4r 2026-05-26 14:02:22
uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev UAT-8302 confirmed 1 benign executable loading wininet.dll 1 SNOWLIGHT / SNOWRUST stager 1 VSHELL payload 2 image.update-kaspersky.workers[.]dev 5e / 4r 2026-05-26 14:00:43
iim.chain.apt.2026.05.006 UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2 UAT-8302 confirmed 2 github[.]com / public dead-drop resolver 1 CloudSorcerer v3 side-loaded DLL triad 3 www.drivelivelime[.]com 6e / 7r 2026-05-26 13:35:13
iim.chain.apt.2026.05.005 UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2 UAT-8302 confirmed 1 benign executable used for DLL side-loading 1 NetDraft / FringePorch backdoor 2 graph.microsoft.com / Microsoft Graph API 4e / 3r 2026-05-26 13:33:29
iim.chain.apt.2026.05.004 UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2 UAC-0057 likely 1 PDF lure with active link to ZIP archive 2 ZIP archive containing OYSTERFRESH ... 3 OYSTERBLUES registry-staged payload 1 Cloudflare-fronted .icu C2 domain cluster 7e / 7r 2026-05-26 13:31:49
iim.chain.apt.2026.05.003 FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz UAC-0057 confirmed 1 EdgeTaskMachine.js 1 EdgeSystemConfig.dll 2 best-seller.lavanille[.]buzz 4e / 3r 2026-05-26 13:31:09
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike UAC-0057 confirmed 1 53_7.03.2026_R.pdf 3 53_7.03.2026_R.rar 3 Update.js / PicassoLoader 2 hxxps://book-happy.needbinding[.]ic... 9e / 8r 2026-05-26 13:26:34
uac-0247-ukrvarta-fpv-dopomoga-2026-03 UAC-0247 - UKRVARTA FPV MB-0006 confirmed 2 UkrVarta humanitarian-aid themed ZI... 1 search-ms:query=lnk&crumb=location:... 4 ukrvarta.online 6 https://ukrvarta.online/dopomoga/up... 1 109.237.97.4 14e / 13r 2026-05-20 17:04:53
uac-0184-pseudo-png-passmark-2026-05 UAC-0184: Pseudo PNG Passmark MB-0005 confirmed 2 Ukraine-themed LNK lure 8 169.40.135.35 3 filter.bin decoded LZNT1 payload bundle 2 224.0.0.255 15e / 20r 2026-05-19 15:15:42
Page 4 of 4. Showing 31-39 of 39 matching chains, 39 total.

uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100

UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100

confirmed

Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs

role flow: staging, payload, redirector, redirector, staging
UAT-8302 5 entities 4 relations 2026-05-26 14:02:22
IIM-T002 IIM-T014

uat-8302-snowlight-vshell-via-update-kaspersky.workers.dev

UAT-8302 SNOWLIGHT / VSHELL via update-kaspersky.workers.dev

confirmed

UAT-8302 side-load chain in which a SNOWLIGHT/SNOWRUST stager downloads or launches a VSHELL payload and communicates with Cloudflare Workers infrastructure.

role flow: entry, staging, payload, c2, c2
UAT-8302 5 entities 4 relations 2026-05-26 14:00:43
IIM-T005 IIM-T006

iim.chain.apt.2026.05.006

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

confirmed

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

role flow: payload, redirector, redirector, c2, c2, c2
UAT-8302 6 entities 7 relations 2026-05-26 13:35:13
IIM-T006 IIM-T010 IIM-T011 IIM-T013

iim.chain.apt.2026.05.005

UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2

confirmed

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

role flow: entry, payload, c2, c2
UAT-8302 4 entities 3 relations 2026-05-26 13:33:29
IIM-T006 IIM-T018

iim.chain.apt.2026.05.004

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

likely

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

role flow: entry, staging, staging, payload, payload, c2, payload
UAC-0057 7 entities 7 relations 2026-05-26 13:31:49
IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T024

iim.chain.apt.2026.05.003

FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz

confirmed

FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.

role flow: staging, payload, c2, c2
UAC-0057 4 entities 3 relations 2026-05-26 13:31:09
IIM-T010 IIM-T011

frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

confirmed

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

role flow: entry, staging, staging, staging, payload, c2, payload
UAC-0057 9 entities 8 relations 2026-05-26 13:26:34
IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T020 IIM-T021 IIM-T024

uac-0247-ukrvarta-fpv-dopomoga-2026-03

UAC-0247 - UKRVARTA FPV

confirmed

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

role flow: entry, entry, staging, staging, staging, payload, payload
MB-0006 14 entities 13 relations 2026-05-20 17:04:53
IIM-T002 IIM-T015 IIM-T019 IIM-T024 IIM-T026

uac-0184-pseudo-png-passmark-2026-05

UAC-0184: Pseudo PNG Passmark

confirmed

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

role flow: entry, entry, staging, staging, staging, staging, staging
MB-0005 15 entities 20 relations 2026-05-19 15:15:42
IIM-T019 IIM-T020 IIM-T021 IIM-T024 IIM-T025