Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2 Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2 unknown confirmed 3 spearphishing ZIP attachment contai... 7 data\empty.vbs 2 UnityPlayer.dll / RUSTCLOAK Rust loader 2 note1ggbbhggdwa1.blob.core.windows.net 14e / 20r 2026-05-29 20:05:53
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain JINX-0164 confirmed 2 https://www.npmjs.com/package/@velo... 5 http://89.36.224.5/troubleshoot/mac... 3 0a8ab3d16b12d3a453ee5a3208fe04744ad... 5 datahub.ink 15e / 17r 2026-05-28 13:43:20
glassworm.2026.developer-supply-chain.multi-resolver-c2 Glassworm developer supply-chain infection to redundant multi-resolver C2 Glassworm confirmed 4 Trojanized VS Code / OpenVSX extens... 3 solana://transaction-memo/c2-server... 1 Glassworm downloader / installer stage 1 GlasswormRAT Node.js remote access tool 2 commercial VPS-hosted direct C2 inf... 11e / 13r 2026-05-27 13:04:07
gamaredon.2025.zero-click-rar.pteranodon Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure MB-0001 confirmed 2 6aa9741f8b8629d0398049fa91dc5e7c28f... 5 hxxps://www.telegram[.]me/s/natural_blood 3 %APPDATA%\Microsoft\Windows\Start M... 1 Pteranodon Stage-2 loader 2 194.67.71.75 13e / 13r 2026-05-27 12:22:36
powmix-czech-workforce-2026-04-16 PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce unknown likely 1 malicious ZIP archive with complian... 3 Windows shortcut file inside ZIP 1 PowMix PowerShell botnet payload 3 herokuapp.com based C2 endpoint 8e / 8r 2026-05-27 12:05:45
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane Webworm confirmed 1 wamanharipethe.s3.ap-south-1.amazon... 2 GraphWorm payload 2 graph.microsoft.com / Microsoft Graph API 5e / 4r 2026-05-26 14:05:46
iim.chain.apt.2026.05.009 Webworm GitHub staging to EchoCreep Discord C2 Webworm confirmed 1 64[.]176[.]85[.]158 1 github[.]com/anjsdgasdf/WordPress 1 EchoCreep DLL 1 discord[.]com / Discord API 4e / 3r 2026-05-26 14:05:20
uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100 UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100 UAT-8302 confirmed 2 85[.]209[.]156[.]3:56456 2 hxxp[://]85[.]209[.]156[.]3:8080/wa... 1 wagent.exe / Stowaway proxy component 5e / 4r 2026-05-26 14:02:22
uac-0247-ukrvarta-fpv-dopomoga-2026-03 UAC-0247 - UKRVARTA FPV MB-0006 confirmed 2 UkrVarta humanitarian-aid themed ZI... 1 search-ms:query=lnk&crumb=location:... 4 ukrvarta.online 6 https://ukrvarta.online/dopomoga/up... 1 109.237.97.4 14e / 13r 2026-05-20 17:04:53
Showing 19 of 9 matching chains
Reset
Page 1 of 1. Showing 19 of 9 matching chains, 39 total.

seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

confirmed

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entry entry entry staging staging staging staging
unknown 14 entities 20 relations 2026-05-29 20:05:53
IIM-T002 IIM-T006 IIM-T013 IIM-T018 IIM-T024
Open chain analysis

wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entry entry staging staging staging staging payload
JINX-0164 15 entities 17 relations 2026-05-28 13:43:20
IIM-T002 IIM-T006 IIM-T011
Open chain analysis

glassworm.2026.developer-supply-chain.multi-resolver-c2

Glassworm developer supply-chain infection to redundant multi-resolver C2

confirmed

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

entry entry entry entry staging payload redirector
Glassworm 11 entities 13 relations 2026-05-27 13:04:07
IIM-T002 IIM-T006 IIM-T013
Open chain analysis

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entry entry staging staging payload redirector redirector
MB-0001 13 entities 13 relations 2026-05-27 12:22:36
IIM-T002 IIM-T003 IIM-T006 IIM-T007 IIM-T008 IIM-T010 IIM-T011 IIM-T013 +4
Open chain analysis

powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

likely

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

entry staging staging staging payload c2 c2
unknown 8 entities 8 relations 2026-05-27 12:05:45
IIM-T002 IIM-T011 IIM-T024
Open chain analysis

webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

confirmed

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

payload c2 c2 payload staging
Webworm 5 entities 4 relations 2026-05-26 14:05:46
IIM-T002 IIM-T006 IIM-T018
Open chain analysis

iim.chain.apt.2026.05.009

Webworm GitHub staging to EchoCreep Discord C2

confirmed

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

staging payload c2 redirector
Webworm 4 entities 3 relations 2026-05-26 14:05:20
IIM-T002 IIM-T006 IIM-T018 IIM-T026
Open chain analysis

uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100

UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100

confirmed

Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs

staging payload redirector redirector staging
UAT-8302 5 entities 4 relations 2026-05-26 14:02:22
IIM-T002 IIM-T014
Open chain analysis

uac-0247-ukrvarta-fpv-dopomoga-2026-03

UAC-0247 - UKRVARTA FPV

confirmed

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

entry entry staging staging staging payload payload
MB-0006 14 entities 13 relations 2026-05-20 17:04:53
IIM-T002 IIM-T015 IIM-T019 IIM-T024 IIM-T026
Open chain analysis