Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
securelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
|
unknown | confirmed | 2 pirated movie/TV streaming and digi... | 4 {domain}.strangled.net | 3 urush1bar4.online | 9 malicious DLL side-loaded by HLS In... | 8 5d14vnfb.space | 26e / 33r | 2026-05-28 19:43:28 |
wiz.2026.jinx-0164-audiofix-fake-driver-macos
JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain
|
JINX-0164 | confirmed | 2 LinkedIn recruiter / business-partn... | — | 3 https://apple.driver-update.io/trou... | 6 https://apple.driver-store.com/mac/... | 5 datahub.ink | 16e / 16r | 2026-05-28 13:44:27 |
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
|
MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
|
UAT-8302 | confirmed | — | 2 github[.]com / public dead-drop resolver | — | 1 CloudSorcerer v3 side-loaded DLL triad | 3 www.drivelivelime[.]com | 6e / 7r | 2026-05-26 13:35:13 |
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
|
UAC-0057 | likely | 1 PDF lure with active link to ZIP archive | — | 2 ZIP archive containing OYSTERFRESH ... | 3 OYSTERBLUES registry-staged payload | 1 Cloudflare-fronted .icu C2 domain cluster | 7e / 7r | 2026-05-26 13:31:49 |
iim.chain.apt.2026.05.003
FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz
|
UAC-0057 | confirmed | — | — | 1 EdgeTaskMachine.js | 1 EdgeSystemConfig.dll | 2 best-seller.lavanille[.]buzz | 4e / 3r | 2026-05-26 13:31:09 |
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
|
UAC-0057 | confirmed | 1 53_7.03.2026_R.pdf | — | 3 53_7.03.2026_R.rar | 3 Update.js / PicassoLoader | 2 hxxps://book-happy.needbinding[.]ic... | 9e / 8r | 2026-05-26 13:26:34 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionsecurelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.
wiz.2026.jinx-0164-audiofix-fake-driver-macos
JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain
IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.
iim.chain.apt.2026.05.003
FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz
FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.