Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
|
unknown | confirmed | 3 spearphishing ZIP attachment contai... | — | 7 data\empty.vbs | 2 UnityPlayer.dll / RUSTCLOAK Rust loader | 2 note1ggbbhggdwa1.blob.core.windows.net | 14e / 20r | 2026-05-29 20:05:53 |
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain
JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain
|
JINX-0164 | confirmed | 2 https://www.npmjs.com/package/@velo... | — | 5 http://89.36.224.5/troubleshoot/mac... | 3 0a8ab3d16b12d3a453ee5a3208fe04744ad... | 5 datahub.ink | 15e / 17r | 2026-05-28 13:43:20 |
glassworm.2026.developer-supply-chain.multi-resolver-c2
Glassworm developer supply-chain infection to redundant multi-resolver C2
|
Glassworm | confirmed | 4 Trojanized VS Code / OpenVSX extens... | 3 solana://transaction-memo/c2-server... | 1 Glassworm downloader / installer stage | 1 GlasswormRAT Node.js remote access tool | 2 commercial VPS-hosted direct C2 inf... | 11e / 13r | 2026-05-27 13:04:07 |
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
|
MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
|
unknown | likely | 1 malicious ZIP archive with complian... | — | 3 Windows shortcut file inside ZIP | 1 PowMix PowerShell botnet payload | 3 herokuapp.com based C2 endpoint | 8e / 8r | 2026-05-27 12:05:45 |
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
|
Webworm | confirmed | — | — | 1 wamanharipethe.s3.ap-south-1.amazon... | 2 GraphWorm payload | 2 graph.microsoft.com / Microsoft Graph API | 5e / 4r | 2026-05-26 14:05:46 |
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
|
Webworm | confirmed | — | 1 64[.]176[.]85[.]158 | 1 github[.]com/anjsdgasdf/WordPress | 1 EchoCreep DLL | 1 discord[.]com / Discord API | 4e / 3r | 2026-05-26 14:05:20 |
uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100
UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100
|
UAT-8302 | confirmed | — | 2 85[.]209[.]156[.]3:56456 | 2 hxxp[://]85[.]209[.]156[.]3:8080/wa... | 1 wagent.exe / Stowaway proxy component | — | 5e / 4r | 2026-05-26 14:02:22 |
uac-0247-ukrvarta-fpv-dopomoga-2026-03
UAC-0247 - UKRVARTA FPV
|
MB-0006 | confirmed | 2 UkrVarta humanitarian-aid themed ZI... | 1 search-ms:query=lnk&crumb=location:... | 4 ukrvarta.online | 6 https://ukrvarta.online/dopomoga/up... | 1 109.237.97.4 | 14e / 13r | 2026-05-20 17:04:53 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionseqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain
JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain
IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.
glassworm.2026.developer-supply-chain.multi-resolver-c2
Glassworm developer supply-chain infection to redundant multi-resolver C2
IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.
uat-8302-stowaway-proxy-lane-through-85.209.156.3-and-45.135.135.100
UAT-8302 Stowaway proxy lane through 85.209.156.3 and 45.135.135.100
Post-compromise UAT-8302 proxy infrastructure lane using Stowaway and public IP/port C2 or tunnel endpoints from Talos IoCs
uac-0247-ukrvarta-fpv-dopomoga-2026-03
UAC-0247 - UKRVARTA FPV
Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.