Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
| microsoft.2026.poisoned-search-screenconnect-gpu-miner<br>Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2 | unknown | confirmed | 1 attacker-controlled lookalike utili... | — | 5 direct-download.gleeze.com | 7 autorun.dll variant set loaded by l... | 7 directdownload.icu | 20e / 23r | 2026-05-27 17:02:04 |
| gamaredon.2025.zero-click-rar.pteranodon<br>Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure | MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
| uat-10027-dohdoor-education-healthcare-2026-02-26<br>UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care | UAT-10027 | likely | 1 suspected phishing-delivered PowerS... | 1 cloudflare-dns.com DoH resolver ove... | 3 remote staging URL serving .bat or ... | 2 Dohdoor malicious DLL disguised as ... | 2 http://GppiwoGwNdiakkDU.pnuiSckMHwa... | 9e / 11r | 2026-05-27 12:09:14 |
| powmix-czech-workforce-2026-04-16<br>PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce | unknown | likely | 1 malicious ZIP archive with complian... | — | 3 Windows shortcut file inside ZIP | 1 PowMix PowerShell botnet payload | 3 herokuapp.com based C2 endpoint | 8e / 8r | 2026-05-27 12:05:45 |
| iim.chain.apt.2026.05.006<br>UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2 | UAT-8302 | confirmed | — | 2 github[.]com / public dead-drop resolver | — | 1 CloudSorcerer v3 side-loaded DLL triad | 3 www.drivelivelime[.]com | 6e / 7r | 2026-05-26 13:35:13 |
| iim.chain.apt.2026.05.004<br>UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2 | UAC-0057 | likely | 1 PDF lure with active link to ZIP archive | — | 2 ZIP archive containing OYSTERFRESH ... | 3 OYSTERBLUES registry-staged payload | 1 Cloudflare-fronted .icu C2 domain cluster | 7e / 7r | 2026-05-26 13:31:49 |
| iim.chain.apt.2026.05.003<br>FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz | UAC-0057 | confirmed | — | — | 1 EdgeTaskMachine.js | 1 EdgeSystemConfig.dll | 2 best-seller.lavanille[.]buzz | 4e / 3r | 2026-05-26 13:31:09 |
| frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike<br>FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike | UAC-0057 | confirmed | 1 53_7.03.2026_R.pdf | — | 3 53_7.03.2026_R.rar | 3 Update.js / PicassoLoader | 2 hxxps://book-happy.needbinding[.]ic... | 9e / 8r | 2026-05-26 13:26:34 |
Technique pressure (top observed IIM techniques)
Actor surface (published chain attribution)
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
uat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval.
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.
iim.chain.apt.2026.05.003
FrostyNeighbor Cobalt Strike lane via best-seller.lavanille.buzz
FrostyNeighbor Cobalt Strike infrastructure lane based on ESET-published Beacon/dropper artifacts and Cobalt Strike C&C domains.
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.