Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

Explore published chains Tracked actors Open feed API

confirmed13

likely5

tentative0

needs review6

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view

chain	actor	conf	entry	redirector	staging	payload	c2	edges	published
`gamaredon.2025.zero-click-rar.pteranodon` Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure	MB-0001	confirmed	2 6aa9741f8b8629d0398049fa91dc5e7c28f...	5 hxxps://www.telegram[.]me/s/natural_blood	3 %APPDATA%\Microsoft\Windows\Start M...	1 Pteranodon Stage-2 loader	2 194.67.71.75	13e / 13r	2026-05-27 12:22:36
`iim.chain.apt.2026.05.006` UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2	UAT-8302	confirmed	—	2 github[.]com / public dead-drop resolver	—	1 CloudSorcerer v3 side-loaded DLL triad	3 www.drivelivelime[.]com	6e / 7r	2026-05-26 13:35:13
`iim.chain.apt.2026.05.004` UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2	UAC-0057	likely	1 PDF lure with active link to ZIP archive	—	2 ZIP archive containing OYSTERFRESH ...	3 OYSTERBLUES registry-staged payload	1 Cloudflare-fronted .icu C2 domain cluster	7e / 7r	2026-05-26 13:31:49
`iim.chain.apt.2026.05.003` FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz	UAC-0057	confirmed	—	—	1 EdgeTaskMachine.js	1 EdgeSystemConfig.dll	2 best-seller.lavanille[.]buzz	4e / 3r	2026-05-26 13:31:09
`frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike` FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike	UAC-0057	confirmed	1 53_7.03.2026_R.pdf	—	3 53_7.03.2026_R.rar	3 Update.js / PicassoLoader	2 hxxps://book-happy.needbinding[.]ic...	9e / 8r	2026-05-26 13:26:34

Showing 1–5 of 5 matching chains

Page 1 of 1. Showing 1–5 of 5 matching chains, 18 total.

Technique pressure

top observed IIM techniques

IIM-T024

9 IIM-T011

8 IIM-T002

7 IIM-T006

7 IIM-T019

6 IIM-T010

5 IIM-T021

4 IIM-T013

3 IIM-T020

3 IIM-T001

3 IIM-T018

3 IIM-T008

Actor surface

published chain attribution

UAT-83024 UAC-00573 unknown2 Webworm2 Glassworm1 MB-00011 UAT-100271 UAT-103621 Silver Fox1 MB-00061 MB-00051

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entry → entry → staging → staging → payload → redirector → redirector

MB-0001 13 entities 13 relations 2026-05-27 12:22:36

IIM-T002 IIM-T003 IIM-T006 IIM-T007 IIM-T008 IIM-T010 IIM-T011 IIM-T013 +4

Open chain analysis↗

iim.chain.apt.2026.05.006

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

confirmed

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

payload → redirector → redirector → c2 → c2 → c2

UAT-8302 6 entities 7 relations 2026-05-26 13:35:13

IIM-T006 IIM-T010 IIM-T011 IIM-T013

Open chain analysis↗

iim.chain.apt.2026.05.004

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

likely

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

entry → staging → staging → payload → payload → c2 → payload

UAC-0057 7 entities 7 relations 2026-05-26 13:31:49

IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T024

Open chain analysis↗

iim.chain.apt.2026.05.003

FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz

confirmed

FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.

staging → payload → c2 → c2

UAC-0057 4 entities 3 relations 2026-05-26 13:31:09

IIM-T010 IIM-T011

Open chain analysis↗

frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

confirmed

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

entry → staging → staging → staging → payload → c2 → payload

UAC-0057 9 entities 8 relations 2026-05-26 13:26:34

IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T020 IIM-T021 IIM-T024

Open chain analysis↗