Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2 GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool GREYVIBE likely 1 office.cip.ua.gov@gmail.com / offic... 1 Google Drive-hosted malicious RAR a... 3 bd3f35b91bf83427e953d4cf531a0ee4b5e... 2 PhantomRelayV2 watchdog / RzUpdateM... 6 nycpartnersenterprise.com 13e / 13r 2026-05-31 19:17:43
anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access unknown likely 1 <Outlook phishing email link> 1 <fake Word Online / OneDrive page> 1 <multi-stage software installer> 1 <ScreenConnect relay endpoint> 4e / 3r 2026-05-30 21:28:41
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control unknown confirmed 1 compromised WordPress plugin/theme ... 4 hxxps://steamcommunity[.]com/profil... 3 commentthread_comment_text invisibl... 3 hxxps://hello-mywordl[.]info/js/lod... 2 <compromised WordPress site> POST /... 13e / 17r 2026-05-30 11:26:11
k7.2026.rvtools-signed-msi-python-rat Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool unknown confirmed 1 Signed fake RVTools MSI installer /... 4 Binary.MyScript.vbs embedded MSI cu... 3 Portable WinPython support layer / ... 5 45.61.136.94 13e / 15r 2026-05-30 11:07:46
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2 Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2 unknown confirmed 3 spearphishing ZIP attachment contai... 7 data\empty.vbs 2 UnityPlayer.dll / RUSTCLOAK Rust loader 2 note1ggbbhggdwa1.blob.core.windows.net 14e / 20r 2026-05-29 20:05:53
jumpsec.2026.blacktoad-autoit-remcos-network-blackout BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain BlackToad confirmed 1 Thai-language image-based financial... 7 MediaFire-hosted malware download l... 1 payload.bin / decoded Remcos Pro implant 7 pmitm.ddns.net 16e / 25r 2026-05-28 16:12:38
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain JINX-0164 confirmed 2 https://www.npmjs.com/package/@velo... 5 http://89.36.224.5/troubleshoot/mac... 3 0a8ab3d16b12d3a453ee5a3208fe04744ad... 5 datahub.ink 15e / 17r 2026-05-28 13:43:20
ox.2026.malware-slop-npm-github-exfil Malware-Slop npm package to GitHub Contents API exfiltration chain unknown confirmed 1 https://www.npmjs.com/package/mouse... 1 github.com 3 /mnt/user-data 1 npm postinstall script disguised as... 2 https://api.github.com/repos/<actor... 8e / 7r 2026-05-28 13:32:24
glassworm.2026.developer-supply-chain.multi-resolver-c2 Glassworm developer supply-chain infection to redundant multi-resolver C2 Glassworm confirmed 4 Trojanized VS Code / OpenVSX extens... 3 solana://transaction-memo/c2-server... 1 Glassworm downloader / installer stage 1 GlasswormRAT Node.js remote access tool 2 commercial VPS-hosted direct C2 inf... 11e / 13r 2026-05-27 13:04:07
gamaredon.2025.zero-click-rar.pteranodon Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure MB-0001 confirmed 2 6aa9741f8b8629d0398049fa91dc5e7c28f... 5 hxxps://www.telegram[.]me/s/natural_blood 3 %APPDATA%\Microsoft\Windows\Start M... 1 Pteranodon Stage-2 loader 2 194.67.71.75 13e / 13r 2026-05-27 12:22:36
Showing 110 of 15 matching chains
Reset
Page 1 of 2. Showing 110 of 15 matching chains, 39 total.

withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2

GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool

likely

WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.

entry redirector staging staging payload payload staging
GREYVIBE 13 entities 13 relations 2026-05-31 19:17:43
IIM-T006 IIM-T011 IIM-T024
Open chain analysis

anyrun.2026.fake-wordonline-onedrive-multistage-screenconnect

Outlook lure to fake Word Online / OneDrive page leading through multi-stage software install to ScreenConnect remote access

likely

IIM chain for a May 2026 attack summarised in ANY.RUN's monthly roundup. An Outlook email redirects the user to a fake Word Online / OneDrive-style page. Instead of an obvious malware download, the chain proceeds through software-installation stages and ultimately establishes remote access through ScreenConnect, with additional activity used to conceal the installed tools. The roundup emphasises campaign-level detection because the operation relies on reusable templates and rotating infrastructure rather than a single blockable domain.

entry redirector staging c2
unknown 4 entities 3 relations 2026-05-30 21:28:41
IIM-T006
Open chain analysis

godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor

Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control

confirmed

IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.

entry redirector redirector redirector redirector staging staging
unknown 13 entities 17 relations 2026-05-30 11:26:11
IIM-T004 IIM-T006 IIM-T013 IIM-T018
Open chain analysis

k7.2026.rvtools-signed-msi-python-rat

Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool

confirmed

IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.

entry staging staging staging payload payload staging
unknown 13 entities 15 relations 2026-05-30 11:07:46
IIM-T006 IIM-T024
Open chain analysis

seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

confirmed

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entry entry entry staging staging staging staging
unknown 14 entities 20 relations 2026-05-29 20:05:53
IIM-T002 IIM-T006 IIM-T013 IIM-T018 IIM-T024
Open chain analysis

jumpsec.2026.blacktoad-autoit-remcos-network-blackout

BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain

confirmed

IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.

entry staging staging staging staging staging staging
BlackToad 16 entities 25 relations 2026-05-28 16:12:38
IIM-T003 IIM-T006 IIM-T008 IIM-T011 IIM-T024
Open chain analysis

wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

entry entry staging staging staging staging payload
JINX-0164 15 entities 17 relations 2026-05-28 13:43:20
IIM-T002 IIM-T006 IIM-T011
Open chain analysis

ox.2026.malware-slop-npm-github-exfil

Malware-Slop npm package to GitHub Contents API exfiltration chain

confirmed

IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.

entry payload staging redirector c2 c2 staging
unknown 8 entities 7 relations 2026-05-28 13:32:24
IIM-T006 IIM-T018
Open chain analysis

glassworm.2026.developer-supply-chain.multi-resolver-c2

Glassworm developer supply-chain infection to redundant multi-resolver C2

confirmed

IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.

entry entry entry entry staging payload redirector
Glassworm 11 entities 13 relations 2026-05-27 13:04:07
IIM-T002 IIM-T006 IIM-T013
Open chain analysis

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entry entry staging staging payload redirector redirector
MB-0001 13 entities 13 relations 2026-05-27 12:22:36
IIM-T002 IIM-T003 IIM-T006 IIM-T007 IIM-T008 IIM-T010 IIM-T011 IIM-T013 +4
Open chain analysis