Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

Confidence counts: confirmed 13, likely 5, tentative 0, needs review 6

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain | title | actor | conf | entry | redirector | staging | payload | c2 | edges (entities e / relations r) | published
(role cells give the entity count for that role, then one representative entity; truncated values are shown as published)

glassworm.2026.developer-supply-chain.multi-resolver-c2 | Glassworm developer supply-chain infection to redundant multi-resolver C2 | Glassworm | confirmed | entry 4: Trojanized VS Code / OpenVSX extens... | redirector 3: solana://transaction-memo/c2-server... | staging 1: Glassworm downloader / installer stage | payload 1: GlasswormRAT Node.js remote access tool | c2 2: commercial VPS-hosted direct C2 inf... | 11e / 13r | 2026-05-27 13:04:07
gamaredon.2025.zero-click-rar.pteranodon | Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure | MB-0001 | confirmed | entry 2: 6aa9741f8b8629d0398049fa91dc5e7c28f... | redirector 5: hxxps://www.telegram[.]me/s/natural_blood | staging 3: %APPDATA%\Microsoft\Windows\Start M... | payload 1: Pteranodon Stage-2 loader | c2 2: 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36
powmix-czech-workforce-2026-04-16 | PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce | unknown | likely | entry 1: malicious ZIP archive with complian... | redirector: none | staging 3: Windows shortcut file inside ZIP | payload 1: PowMix PowerShell botnet payload | c2 3: herokuapp.com based C2 endpoint | 8e / 8r | 2026-05-27 12:05:45
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane | Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane | Webworm | confirmed | entry: none | redirector: none | staging 1: wamanharipethe.s3.ap-south-1.amazon... | payload 2: GraphWorm payload | c2 2: graph.microsoft.com / Microsoft Graph API | 5e / 4r | 2026-05-26 14:05:46
iim.chain.apt.2026.05.009 | Webworm GitHub staging to EchoCreep Discord C2 | Webworm | confirmed | entry: none | redirector 1: 64[.]176[.]85[.]158 | staging 1: github[.]com/anjsdgasdf/WordPress | payload 1: EchoCreep DLL | c2 1: discord[.]com / Discord API | 4e / 3r | 2026-05-26 14:05:20
uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100 | UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100 | UAT-8302 | confirmed | entry: none | redirector 2: 85[.]209[.]156[.]3:56456 | staging 2: hxxp[://]85[.]209[.]156[.]3:8080/wa... | payload 1: wagent.exe / Stowaway proxy component | c2: none | 5e / 4r | 2026-05-26 14:02:22
uac-0247-ukrvarta-fpv-dopomoga-2026-03 | UAC-0247 - UKRVARTA FPV | MB-0006 | confirmed | entry 2: UkrVarta humanitarian-aid themed ZI... | redirector 1: search-ms:query=lnk&crumb=location:... | staging 4: ukrvarta.online | payload 6: https://ukrvarta.online/dopomoga/up... | c2 1: 109.237.97.4 | 14e / 13r | 2026-05-20 17:04:53
Page 1 of 1. Showing 17 of 7 matching chains, 18 total.

glassworm.2026.developer-supply-chain.multi-resolver-c2

Glassworm developer supply-chain infection to redundant multi-resolver C2

confirmed

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

Roles: entry, entry, entry, entry, staging, payload, redirector
Actor: Glassworm. 11 entities, 13 relations. Published 2026-05-27 13:04:07.
Techniques: IIM-T002, IIM-T006, IIM-T013

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

Roles: entry, entry, staging, staging, payload, redirector, redirector
Actor: MB-0001. 13 entities, 13 relations. Published 2026-05-27 12:22:36.
Techniques: IIM-T002, IIM-T003, IIM-T006, IIM-T007, IIM-T008, IIM-T010, IIM-T011, IIM-T013, +4

powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

likely

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

Roles: entry, staging, staging, staging, payload, c2, c2
Actor: unknown. 8 entities, 8 relations. Published 2026-05-27 12:05:45.
Techniques: IIM-T002, IIM-T011, IIM-T024

webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

confirmed

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

Roles: payload, c2, c2, payload, staging
Actor: Webworm. 5 entities, 4 relations. Published 2026-05-26 14:05:46.
Techniques: IIM-T002, IIM-T006, IIM-T018

iim.chain.apt.2026.05.009

Webworm GitHub staging to EchoCreep Discord C2

confirmed

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

Roles: staging, payload, c2, redirector
Actor: Webworm. 4 entities, 3 relations. Published 2026-05-26 14:05:20.
Techniques: IIM-T002, IIM-T006, IIM-T018, IIM-T026

uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100

UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100

confirmed

Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs.

Roles: staging, payload, redirector, redirector, staging
Actor: UAT-8302. 5 entities, 4 relations. Published 2026-05-26 14:02:22.
Techniques: IIM-T002, IIM-T014

uac-0247-ukrvarta-fpv-dopomoga-2026-03

UAC-0247 - UKRVARTA FPV

confirmed

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

Roles: entry, entry, staging, staging, staging, payload, payload
Actor: MB-0006. 14 entities, 13 relations. Published 2026-05-20 17:04:53.
Techniques: IIM-T002, IIM-T015, IIM-T019, IIM-T024, IIM-T026