Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery
Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN
|
unknown | confirmed | 2 government-project-themed Word docu... | — | 1 hxxps://<subdomain>.b-cdn[.]net/<path> | 1 <second-stage payload> | 1 <campaign C2 endpoint> | 5e / 4r | 2026-05-30 21:33:26 |
uat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
|
UAT-10027 | likely | 1 suspected phishing-delivered PowerS... | 1 cloudflare-dns.com DoH resolver ove... | 3 remote staging URL serving .bat or ... | 2 Dohdoor malicious DLL disguised as ... | 2 http://GppiwoGwNdiakkDU.pnuiSckMHwa... | 9e / 11r | 2026-05-27 12:09:14 |
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
|
UAC-0057 | likely | 1 PDF lure with active link to ZIP archive | — | 2 ZIP archive containing OYSTERFRESH ... | 3 OYSTERBLUES registry-staged payload | 1 Cloudflare-fronted .icu C2 domain cluster | 7e / 7r | 2026-05-26 13:31:49 |
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
|
UAC-0057 | confirmed | 1 53_7.03.2026_R.pdf | — | 3 53_7.03.2026_R.rar | 3 Update.js / PicassoLoader | 2 hxxps://book-happy.needbinding[.]ic... | 9e / 8r | 2026-05-26 13:26:34 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionjoesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery
Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN
IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.
uat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.