Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
securelist.2026.pirated-content-silentcryptominer-rat Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure unknown confirmed 2 pirated movie/TV streaming and digi... 4 {domain}.strangled.net 3 urush1bar4.online 9 malicious DLL side-loaded by HLS In... 8 5d14vnfb.space 26e / 33r 2026-05-28 19:43:28
wiz.2026.jinx-0164-audiofix-fake-driver-macos JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain JINX-0164 confirmed 2 LinkedIn recruiter / business-partn... 3 https://apple.driver-update.io/trou... 6 https://apple.driver-store.com/mac/... 5 datahub.ink 16e / 16r 2026-05-28 13:44:27
gamaredon.2025.zero-click-rar.pteranodon Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure MB-0001 confirmed 2 6aa9741f8b8629d0398049fa91dc5e7c28f... 5 hxxps://www.telegram[.]me/s/natural_blood 3 %APPDATA%\Microsoft\Windows\Start M... 1 Pteranodon Stage-2 loader 2 194.67.71.75 13e / 13r 2026-05-27 12:22:36
iim.chain.apt.2026.05.006 UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2 UAT-8302 confirmed 2 github[.]com / public dead-drop resolver 1 CloudSorcerer v3 side-loaded DLL triad 3 www.drivelivelime[.]com 6e / 7r 2026-05-26 13:35:13
iim.chain.apt.2026.05.004 UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2 UAC-0057 likely 1 PDF lure with active link to ZIP archive 2 ZIP archive containing OYSTERFRESH ... 3 OYSTERBLUES registry-staged payload 1 Cloudflare-fronted .icu C2 domain cluster 7e / 7r 2026-05-26 13:31:49
iim.chain.apt.2026.05.003 FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz UAC-0057 confirmed 1 EdgeTaskMachine.js 1 EdgeSystemConfig.dll 2 best-seller.lavanille[.]buzz 4e / 3r 2026-05-26 13:31:09
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike UAC-0057 confirmed 1 53_7.03.2026_R.pdf 3 53_7.03.2026_R.rar 3 Update.js / PicassoLoader 2 hxxps://book-happy.needbinding[.]ic... 9e / 8r 2026-05-26 13:26:34
Showing 17 of 7 matching chains
Reset
Page 1 of 1. Showing 17 of 7 matching chains, 39 total.

securelist.2026.pirated-content-silentcryptominer-rat

Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure

confirmed

IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.

entry entry staging staging staging payload payload
unknown 26 entities 33 relations 2026-05-28 19:43:28
IIM-T009 IIM-T010 IIM-T011 IIM-T024
Open chain analysis

wiz.2026.jinx-0164-audiofix-fake-driver-macos

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

confirmed

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

entry entry staging payload payload payload payload
JINX-0164 16 entities 16 relations 2026-05-28 13:44:27
IIM-T010 IIM-T011 IIM-T020
Open chain analysis

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entry entry staging staging payload redirector redirector
MB-0001 13 entities 13 relations 2026-05-27 12:22:36
IIM-T002 IIM-T003 IIM-T006 IIM-T007 IIM-T008 IIM-T010 IIM-T011 IIM-T013 +4
Open chain analysis

iim.chain.apt.2026.05.006

UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2

confirmed

CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.

payload redirector redirector c2 c2 c2
UAT-8302 6 entities 7 relations 2026-05-26 13:35:13
IIM-T006 IIM-T010 IIM-T011 IIM-T013
Open chain analysis

iim.chain.apt.2026.05.004

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

likely

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

entry staging staging payload payload c2 payload
UAC-0057 7 entities 7 relations 2026-05-26 13:31:49
IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T024
Open chain analysis

iim.chain.apt.2026.05.003

FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz

confirmed

FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.

staging payload c2 c2
UAC-0057 4 entities 3 relations 2026-05-26 13:31:09
IIM-T010 IIM-T011
Open chain analysis

frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

confirmed

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

entry staging staging staging payload c2 payload
UAC-0057 9 entities 8 relations 2026-05-26 13:26:34
IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T020 IIM-T021 IIM-T024
Open chain analysis